Resolution Re: TROJ_GENERIC.ADV
In the HijackThis forum and in this forum there are several threads regarding a low-threat trojan picked up by PC-cillin. Namely, the file ~df394b.tmp triggers a "TROJ_GENERIC.ADV" warning. This can occur repeatedly if certain sound applications are used. The file in question is located in a subdirectory with a name of the form clclean.000*.* of the user's local settings (C:\Documents and Settings\{user name here}\Local Settings\Temp). Local Settings is a hidden directory.
This directory is created by some Creative Labs products, apparently as part of some license verification scheme. According to other threads on TROJ_GENERIC.ADV on this forum and the HijackThis forum, Trend Micro is working on a fix for PC-cillin.
It seems to me that their only conceivable fix is to not identify this file as a trojan, when in fact it may well access the internet without a user's explicit permission. As such, I personally have decided in principle to shut off these products. Here is how to stop the clclean.000* directories from being created. I have noticed no lack of functionality, although I guess I did pay $20 extra for the machine to get this software, which I will no longer use.
Big Picture:
1. Turn off the start-up items: (1) Rundll32 CTMBHA.DLL,MBMon and (2) CTSysVol
2. Turn off the service "Creative Labs Licensing".
After completing this, you may need to go into the control panels, select the sound settings, and check the box asking for a volume control to be put in the taskbar, as the above steps shut off the fancy Creative Labs sound control software. The Windows sound control is unaffected.
Details:
1. Log in as an administrator.
2. To turn off the start-up items:
a: click the start button and click "Run"
b: type msconfig and hit return
c: in the system configuration utility that comes up, click on the startup tab
d: uncheck the two start up items.
e: click ok.
f: click 'Exit without Restart' (you'll need to restart for the changes to take effect)
3. To turn off the service item:
a: Click on control panels
b: click on administrative tools (or in the category view, performance and maintenance and then administrative tools)
c: click on services
d: in the window, scroll till you find the service Creative Labs Licensing. Right click on it and select properties.
e: in the properties box, change service startup status to 'Disabled'.
Close things up and reboot.
You may need to add the Windows sound icon to the task bar using the sound settings as described above.
I have experienced no trouble with this fix, although I can no longer use most or all of the Creative Labs Sound Blaster Audiology software. Good Riddance in my view. Your mileage may vary.
Message Edited by rleduc on 03-08-2007 09:46 AM
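A read-only way to confirm that the steps in the post above took effect, added here as an example and not part of the original post. It assumes PowerShell 3 or later, that the start-up items live under the standard Run registry keys, and that `$env:TEMP` is the user's `Local Settings\Temp`; only the match strings come from the post.

```powershell
# Added example: read-only audit of the three things the post changes or observes.
# Match strings come from the post; everything else is a labelled assumption.
$pattern = 'CTMBHA\.DLL|CTSysVol'      # the two start-up items named in the post

# Assumption: the start-up items are registered under the standard Run keys.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

$startup = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item $key
    foreach ($name in $reg.GetValueNames()) {
        $data = [string]$reg.GetValue($name)
        if ($name -match $pattern -or $data -match $pattern) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $data }
        }
    }
}

# The post gives only the display name, so match on that, not on a guessed service name.
$service = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like 'Creative Labs Licensing*' } |
    Select-Object Name, DisplayName, StartMode, State

# Assumption: $env:TEMP resolves to ...\Local Settings\Temp for the logged-in user.
# '~df*.tmp' generalises the single file name (~df394b.tmp) quoted in the post.
$dirs = Get-ChildItem -Path $env:TEMP -Directory -Force -Filter 'clclean.000*' -ErrorAction SilentlyContinue
$files = foreach ($d in $dirs) {
    Get-ChildItem -Path $d.FullName -File -Force -Filter '~df*.tmp' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

'Start-up entries still registered: {0}' -f @($startup).Count
$startup | Format-Table -AutoSize
'Licensing service (want StartMode = Disabled, State = Stopped):'
$service | Format-Table -AutoSize
'clclean.000* directories: {0}, ~df*.tmp files inside them: {1}' -f @($dirs).Count, @($files).Count
$files | Sort-Object LastWriteTime | Format-Table -AutoSize
```

Run it once after the reboot and again after using the sound applications: directories left over from before the change will still be listed, so the thing to watch is whether any `LastWriteTime` is newer than the reboot.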
ky331
3 Apprentice
15.3K Posts
0
March 8th, 2007 13:00
Message Edited by ky331 on 03-08-2007 11:20 AM
rleduc
14 Posts
0
March 8th, 2007 13:00
Likewise, the old services are still listed by the services control panel and can be restarted by hand at any time.
rleduc
14 Posts
0
March 10th, 2007 00:00
It stands to reason that adding something back in, such as the Creative Labs Licensing Service, will not cause the clclean object to disappear again, but I have not tested this.
The reason I stopped the Creative Labs licensing service in the first place is that Security Task Manager identified the clclean.0001 etc. as being created by Macrovision's Cleanup, a tool for license management. See here:
http://www.file.net/process/clclean.0001.html
and from Macrovision's own forums here:
http://community.macrovision.com/archive/index.php?t-141781.html
I can't speak for other users, but I know I choose not to have (1) an antivirus warning popping up frequently (or at all) for this program and (2) a licensing program that is identified, perhaps quite correctly, by the antivirus software as a trojan. There is malware you pick up from the world at large and what I would term malware from corporate entities that the corporate entity may well believe is legitimate.
Users who do not care about item (2) may well find this a useful temporary fix to avoid the frequent antivirus warnings until Trend Micro turns off detection of this item [Lord knows, they can't "fix it" in the sense of (2)].
In retrospect, I find I've lost absolutely zero functionality by not having the Creative Labs Audiology software installed. If it has other features, I have been completely unaware of them, hence probably don't need them. If I had to do it all over again, I would not have selected the Audiology option as part of my Dell purchase.
ky331
3 Apprentice
15.3K Posts
0
March 10th, 2007 11:00
rleduc
14 Posts
0
March 10th, 2007 19:00
As to the connection with Macrovision: Security Task Manager's documentation says it identifies the title and description "contained in the file [i.e. the process clclean etc.]; for a visible window the title corresponds to the text in the window's title bar." This information identifies the program as Cleanup from Macrovision. Either this is correct, or the program spawned by the Creative Labs software is lying. Believing it is from Macrovision would make sense, since the Creative Labs software clearly uses some licensing software scheme and that's what Macrovision's Cleanup does according to Macrovision's own website.
As to false positives: I'm well acquainted with the concepts of specificity and sensitivity. Why should this be considered a false positive? Apparently, simply that the clclean stuff comes from a "trusted source", Creative Labs. I'm not so trusting - my criterion is functional. If a program is accessing the internet without my knowledge, I personally consider it malware. That's a personal choice, and I'm not alone in believing this way.
ky331
3 Apprentice
15.3K Posts
0
March 10th, 2007 21:00
lailokenZen
7 Posts
0
March 11th, 2007 00:00
ky331
3 Apprentice
15.3K Posts
0
March 11th, 2007 12:00
rleduc
14 Posts
0
March 12th, 2007 20:00
After a perusal of these boards and searching for 'sound blaster audigy MB', I've found more than enough complaints from users to be of the opinion that there are plenty of people who could do without this product.