
Thread: Is this a "false positive" or a real virus?

  1. #1
    dlawrence Guest

    Is this a "false positive" or a real virus?

    Occasionally, when ZoneAlarm runs a scan, it identifies a file as a virus when in fact it turns out not to be. Usually, I do a quick search of the forum and discover that the file is indeed non-harmful.

    Today I received the following virus warning, and I cannot find any mention of it on the Zone Alarm website or forum, nor on any other website:

    WIN32.Trojan.Clicker.Agent.ii Risk: Medium Path: C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe

    I've quarantined it for now, but would like confirmation.


    Operating System: Windows XP Home Edition
    Software Version: 7.0
    Product Name: ZoneAlarm Pro

  2. #2
    nangka Guest

    Re: Is this a "false positive" or a real virus?

    My ZAP anti-spyware scan reported C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe as being Win32.Trojan.Clicker.Agent.ii today as well.

    The complete report mentioned the following:
    File: C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
    GUID: {D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}
    RegistryKey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}

    My DAT-file version is 01.200803.3545

    I'm puzzled as well.


  3. #3
    just_me Guest

    Re: Is this a "false positive" or a real virus?

    There's another thread on this here:
    If you suspect it's a false positive you can
    submit a report here
    did a little earlier):

  4. #4
    sknkwrks Guest

    Re: Is this a "false positive" or a real virus?

    I'm getting the same thing after the 3.24.08 ZAP spyware update (engine version; dat version: 03.200803.3545). Ran a ZAP
    spyware scan two days ago w/ no issues.
    I quarantined the file and rebooted. Ran AVG and SpySweeper scans,
    nothing found. Even specifically scanned "C:\WINDOWS\system32\Macromed\Flash" w/ these 2 apps.
    Can ZA provide confirmation if this is a false positive, or what action is recommended?
    HiJackThis log:

  5. #5
    salcarmen Guest

    Re: Is this a "false positive" or a real virus?

    Hello, this is my first post and it is about this same problem.
    This is what I have. The first one seems to be the same as the ones posted already.
    One shows up as

    Win32 Trojan.Proxy.Cimuz.h

    and the other as

    Win32 Trojan.Clicker.Agent.ii

    GUID: {5E2121EE-0300-11D4-8D3B-444553540000}
    RegistryKey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5E2121EE-0300-11D4-8D3B-444553540000}

    But I also get this one:
    File: C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
    GUID: {D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}
    RegistryKey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.mfp\Content Type
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.sol\Content Type
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.sor\Content Type
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\FlashPlayer ActiveX
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\(Default)

    If I quarantine or delete them, then my Adobe Flash Player is disabled and I have to shut down my firewall to install it again.
    Without shutting it down, it will not install.
    Then, to get it running, I have to do a restore to a point somewhere before
    the problem started.

    Windows XP Pro.
    This may be overkill, but that is what I have had to do to have the player work again.

    I was thinking of setting the anti-spyware to ignore the two the next time that I get it all running again.

    Is this a good idea??

  6. #6
    avon Guest

    Re: Is this a "false positive" or a real virus?

    I have the same problem:
    Before yesterday, scan with DAT file version 01.200803.3535 = all in order, no virus warning.
    Yesterday, scan with DAT file version 01.200803.3545 = I received the following virus warnings:

    1. Win32 Trojan.Clicker.Agent.ii
       (File: C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe)
    2. Win32 Trojan.Proxy.Cimuz.h

  7. #7
    avon Guest

    Re: Is this a "false positive" or a real virus?

    sknkwrks wrote:
    > Can ZA provide confirmation if this is a false positive or what action is recommended?

    Probably the same confirmation as we received here
    X-( =

  8. #8
    naivemelody Guest

    Win32.Trojan.Clicker.Agent.ii = False Positive as of 3-25-08

    As of 3-25-08 with spyware definitions > .3555
    Anti-spyware engine version:
    Anti-spyware signature DAT file version: 01.200803.3555

    > Win32.Trojan.Clicker.Agent.ii = is a false positive. This false positive will be fixed by the above spyware update. If you had inadvertently deleted the false positive - you may have deleted your Adobe Flash Player - you will have to re-install a new version >
    - thanks to avon and SlyFox for your assistance. Please carefully read thru link ^.

    If for some reason you have detected Win32.Trojan.Clicker.Agent.ii with anti-spyware definitions of 'Anti-spyware signature DAT file version: 01.200803.3545' - please choose "ignore once" - do not delete nor quarantine. And then please update your spyware definitions to at least > 01.200803.3555 and then you should not have any more detections for this item. [ If for other reasons you can not update, please choose "always ignore" until you can resolve your anti-spyware update issue ].

    [struck through in the original:] Joined the club with anti-spy def from 3-24-08 > .3545

    [struck through in the original:]
    File: C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe
    GUID: {D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}
    RegistryKey: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.mfp\Content Type
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.sol\Content Type
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.sor\Content Type
    RegistryKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights

    [struck through in the original:] There have been problems with flash players being exploited in the past, requiring us to upgrade Adobe or use Adobe patches/fixes. I may 'admit' to not having kept up. So either we all have 'a real detection or a false positive' - I don't know for sure. I will 'ignore once' and wait for further confirmation.

    :8} NaiveMelody NYC 3-25-08 - Don't Let Me Be Misunderstood - The Animals

    Message Edited by NaiveMelody on 05-03-2008 09:36 PM
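    A defender-side triage check for a detection like the one in this thread, added here as an example and not part of any post: before quarantining or deleting the flagged file, record its hash and inspect its Authenticode signature, since a valid signature from the expected publisher on the expected path is strong evidence of a definition false positive. It assumes PowerShell 4 or later (for Get-FileHash); the expected signer name is an assumption, not something the thread states.

```powershell
# Added example: triage an AV-flagged file before deciding on quarantine.
# Path is the one reported in the thread; expected signer is an assumption.
param(
    [string]$Path = 'C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe'
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "Not found: $Path (already quarantined or deleted?)"
    return
}

$item = Get-Item -LiteralPath $Path
$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# Collect the facts a vendor false-positive report or a second opinion needs.
[pscustomobject]@{
    Path        = $Path
    SizeBytes   = $item.Length
    ModifiedUtc = $item.LastWriteTimeUtc
    SHA256      = $hash
    SigStatus   = $sig.Status                    # Valid / NotSigned / HashMismatch / ...
    Signer      = $sig.SignerCertificate.Subject # null when the file is unsigned
    Issuer      = $sig.SignerCertificate.Issuer
    FileVersion = $item.VersionInfo.FileVersion
    Company     = $item.VersionInfo.CompanyName
} | Format-List

# Decision aid. The certificate subject below is an assumption; replace it with
# the subject you actually see on a known-good copy of the vendor's binary.
$expectedSigner = 'CN=Adobe Systems Incorporated'

if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like "*$expectedSigner*") {
    Write-Output 'Valid signature from the expected publisher: likely a false positive.'
    Write-Output 'Choose "ignore once", update definitions, then re-scan before trusting it.'
} elseif ($sig.Status -eq 'HashMismatch') {
    # Signature block present but the bytes were altered after signing.
    Write-Output 'Signature does not match file content: treat as suspicious, keep it quarantined.'
} else {
    Write-Output "Signature status '$($sig.Status)': submit the SHA256 to the vendor before deciding."
}
```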

  9. #9
    avon Guest

    Re: Win32.Trojan.Clicker.Agent.ii - ?

    Confirm that I have the last Flash Player version: and the ZA
    Anti-spyware virus warning.

  10. #10
    jzombie Guest

    Re: Win32.Trojan.Clicker.Agent.ii - ?

    Looking at the other posts and circumstances this definitely seems to be a false positive.
    I have my system locked down tight and only the other day performed full system scans using Norton and ZA products...
    I allowed ZA to delete this 'offender' and now Adobe Flash player 9
    won't work - if you're based in the UK this means no BBC iPlayer streaming TV.
    Am about to reinstall AFP9 directly from Adobe and will then run another ZA scan to see if this is picked up again.
    Will repost to this forum afterwards.
