Antivir found TR/Clicker.CP

Discussion in 'other anti-virus software' started by duke1959, Aug 17, 2006.

Thread Status:
Not open for further replies.
  1. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    I was actually running a SuperAntispyware scan and not an Antivir scan when soon after SA began scanning the Windows System 32 folder Antivir Guard popped up with a warning of a TR/Clicker.CP in pcmgrnet exe. It did this again when scanning with Ewido as well. I now have it quarantined after googling it, but all I could find on the pcmgrnet exe was that it could be a possible spyware since it was residing in my Windows system32 folder. Although I also read this exe wasn't a core component of Windows XP, I was still concerned if it was needed or not. Thanks for any explanation about this, and if it would be okay to eventually delete the Windows/system32/pcmgrnet exe. file in my quarantine. I will send it to Antivir, after I figure out how. Take care everyone.
     
  2. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    If you would like to send the file to samples AT superantispyware.com I will be happy to take a look at the file for you.

    Nick Skrepetos
    SUPERAntiSpyware.com
    http://www.superantispyware.com
     
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    duke, use this form to submitt that file to Avira. :)
     
  4. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thanks for the quick responses. I don't believe this is a problem with SA, as the same thing happened when scanning with Ewido. I will however try to send it off as soon as I can. I am currently babysitting my 11 month old Grandson, and although I love him I must say he can be more of a handful than any Trojan. LOLOL. Take care and thanks again. P.S I will use the form to also send to Antivir. There was no info on this Clicker in there definitions.
     
    Last edited: Aug 17, 2006
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Send it to Avira first. It seems like a FP from their side. ;) Or it could be a real threat. :)
     
  6. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    It doesn't sound like an FP. Remember it was detected by signature not
    heuristics. When Superantispyware started the scan, as AntiVir guard was
    also active, it was scanning everyfile before handing it over to the other
    scanner i.e. Superantispyware.

    Although sending it to both parties is a good idea.
     
  7. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    I will send to Avira first, and thanks for the form pykko. I also however, want to thank Nick Skrepetos for his offer. I just now got a chance to check this Forum, and found the same TR/Clicker.CP alert from Antivir. This time though it was in a System Volume Information exe file. I have deleted those before without concern, but it does worry me a slight bit that the pcmgrnet exe. is needed for something I don't know about. I read that Trojans and other Malware will sometimes "Masquerade" as this file. Thanks again I will send the TR/Clicker. CP out soon. My pc seemed to be running fine before this, and I had SKPF 4.2.3 set for outbound protection, with Application Behavior Blocking enabled. Everything also seems to be running fine with the files in quarantine as well. That's why I too wonder if it's not a false positive, although I only have the Guard set to scan as Macrovirus heuristics and not Win32 heuristics. I guess time will tell. Thanks again everyone.
     
  8. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    You can also try to get the file scanned by multiple softwares.

    1. www.virustotal.com

    2. virusscan.jotti.org
     
  9. ASpace

    ASpace Guest

    I also think it isn't false-positive alarm .
    As AMRX said while SAS and Ewido were scannig Anti-Vir was scanning , too .

    Either Avira's scanner is much faster than Ewido and SAS or Ewido and SAS doesn't detect it :D :D :D

    Scanning in Safe Mode with all security softwares ~snip~ should help :thumb:
     
    Last edited by a moderator: Aug 17, 2006
  10. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    If its a trojan then its the duty of the AV to detect it. The low level hook
    of the software allows every file to be scanned by the realtime scanner
    before its been read or written by some other software. Its not that Avira
    is faster, its just that Avira has its claws deeper in the guts of the OS.
     
  11. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Like I said that's why I too don't think it is a false positive. (LOLO) Oh well I tried to belieive it was one, but you have all convinced me it may not be, and I have sent it to Avira. I had to restore the file first though and then use the browse feature in the form pykko gave me, to go to Windows and the system32 folder and then of course add the pcmgrnet exe. The reason I'm telling you this is as I was doing it, Antivir alerted me once again as the Guard of course scanned that file. I wonder if I should turn off the Guard and then use SA or Ewido to scan after restoring the file again? One more thing. Do any of you know what the pcmgrnet exe is, or what it may be used for? Oh and a P.S for Nick Skrepetos. I really like SuperAntiSpyware.
     
  12. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    You can do that but make sure you are not connected to the Net at that
    moment. I have no clue what the file is or does. I just know that I don't
    have it on my XP system and this file is not from Microsoft. Have you
    checked the two web pages I mentioned? Why don't you scan the file
    with multiple scanners? If its really a trojan than Kaspersky shouldn't miss
    it ;).
     
  13. Antus

    Antus Registered Member

    Joined:
    Apr 8, 2006
    Posts:
    76
    Duke very interesting on what avira found.....when I ran a scan on my pc avira found TR/Hooker.bb........ I also scanned my system with my trojan scanner and nothing showed up....will be interested on what the results will show when avira reports back to you
     
  14. QBgreen

    QBgreen Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    627
    Location:
    Queens County, NY
    In a related situation, I recently visited a legit site and FSAVCS's http scanner flagged a variant of the trojan you've received. Trojan-Clicker.HTML.Agent.a. The offender was adsrevenue.net. Nice banner adverts dropping (or trying to) trojans on unsuspecting users. The site's owner was clueless and downright nasty when I informed him that his advertisers are malware pushers. To bad for him.
     
  15. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Hey everyone, I will scan the file on jotti.org tomorrow and let everyone know the results. Do I have to restore it again to do this, or is there a way to do it when it's in quarantine? Also what about it also being in System Volume Restore? Is it in there because my system made a back up of it for the restore option?
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    well, Avira makes usually more FPs than other scanners, and I have also detections by sugnature which are FPs. ;)
     
  17. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    I just wish I could find out what the pcmgrnet exe file is, that the TR/Clicker.CP was found in. Going to use the "jottie" sometime today to run virus scan of this file. Take care everyone. Just used the jottie scan with all the available Antiviruses, and only Antivir showed finding TR/Clicker.CP. I also sent file to Virustotal.com, but at this point not sure that this file is anything to worry about. I must add that both Avast and AVG Free found this TR/Clicker.CP in one of my System Volume Restore exe files when I had them recently, but seperately installed. They did not pick it up in the pcmgrnet exe file in my Windows\system32 folder however, like Antivir did. Wether this is good or not remains to be seen. I'm sticking with Antivir though. Looking for more input from everyone, until then take care.
     
    Last edited: Aug 18, 2006
  18. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Hey everyone. Avira confirmed that this is indeed a virus and that Antivir does indeed detect it. See ya.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    great
     
  20. A1SteakSauce

    A1SteakSauce Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    88
    More power to AntiVir!
     
  21. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    thx for the news duke. If you're kind please send the sample to other AVs also to add detection: NOD32, Kaspersky, etc. :)
     
  22. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    I want to add that both Avast and AVG free did find TR/Clicker.CP in a Volume System Information file with their scans. I just never ran SA with either one installed so I don't know if AVG Free or Avast Realtime Shields would have found the "pcmgrnet exe" in the Windows system32 folder like Antivir did. See ya all.
     
Thread Status:
Not open for further replies.