Just today, Comodo Antivirus popped up with a warning that it had found the virus TrojWare.JS.TrojanClicker.Linker.H@14996 in several locations (all something like C:\Windows\SoftwareDistribution\Download\c0d181c8a9fb0e511c4472c233088a92\BITD950.tmp).
I quarantined the files in question, then deleted them, and I’ve been searching for more info on this virus to try and figure out how it got on my computer. I run a clean system, I don’t download software that I don’t have good reason to trust, and I stay up to date on software updates. So I’m a little concerned how this got on here, and if I could learn more about the virus I might be able to track down how it got on my machine.
But all my searches are coming up blank; I can’t find anything on the virus “TrojWare.JS.TrojanClicker.Linker.H@14996”.
You just need to search a little differently in Google, with and without the quotation marks in your search.
If you search for only this: “Trojan.JS.” or this: “TrojanClicker.Linker.H”
( @14996 is maybe where it’s located at ?? )
“Trojan.JS.” is like a group name / first name… and “TrojanClicker.Linker.H” is a specific name / like a surname.
A rootkit virus, trojan, spyware and worm is a malware program that may have administrator-level access to the whole network system.
What it does is burrow itself deep into the system and hide, making it almost invisible and hard for antivirus to detect and remove.
However, rootkits which don’t work in Safe Mode won’t be detected this way.
I don’t know if you really have a rootkit or not, or if it was just a false positive (aka FP).
Best of luck and regards,
Ohke
P.S. I can highly recommend this program to run in Safe Mode; it’s a good deep scanner (and it’s free): Norman Malware Cleaner
(runs under the following OS (operating systems): Windows 98, Me, NT, XP, Vista and Windows 7)
I actually did find that page in my searching, but it doesn’t really give any useful information. It says it’s a Trojan, but that was obvious from the name. I suppose knowing it was a rootkit might possibly be helpful, but despite the page title, it doesn’t have any removal information, and it also has no information about attack vectors, or what the virus actually does once it gets on your machine. Is it a key logger? Is it part of a botnet? Or what?
Thanks for the other links, I will run some more scans with various pieces of software.
How would it have gotten into C:\Windows\SoftwareDistribution\Download? I would have thought that it would be in a temporary internet files folder or something. I thought C:\Windows\SoftwareDistribution\Download was for actual executable binaries that got downloaded, e.g., desktop apps, Windows updates, etc. Not JS or other web content?
Ok, I manually looked through my SoftwareDistribution\Download folder and found three more files that trigger this same error.
Unfortunately, I can’t figure out how to actually get at the files. Every program I open them in either says the file does not exist or gives me an empty file (I think because it thinks the file does not exist).
I can’t copy them, I get “access denied” or “file does not exist” errors.
So, for the time being I’ve got them in Comodo AV’s quarantine. How do I get at them from there? Where are these files?
You cannot retrieve the files because CIS denied access to them. These next steps have to be carefully done in order to retrieve them.
Temporarily disable the Antivirus, open CIS and go to Antivirus → Quarantined Items, check the location of the files, click the ones that you believe are false positives and hit Restore.
Navigate to the mentioned location and create an archive protected by a password with these files, reactivate Antivirus and then submit the archive here in order to verify whether they’re malware or false positives.
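Once the files are back on disk after the restore step above, the open question in this thread is what the BITD*.tmp files actually are (a Windows Update cabinet, an executable, or web content that an AV engine would classify as JS), and which hashes to quote when submitting them. The script below is an added example, not code from the thread or from Comodo; it triages files by magic bytes and content without executing or rendering them. The sample files it creates are constructed stand-ins, and the file names and the http://example.invalid URL inside them are assumptions.

```python
"""Triage helper for files restored from AV quarantine (constructed example).

For each file it records size, SHA-256 and MD5 (the hashes a vendor or a
multi-engine scanner wants), a coarse content class derived from the first
bytes, and, for text files, whether the content looks like HTML/JavaScript.
It only reads the files; nothing is executed or rendered.
"""
import hashlib
import os
import re
import tempfile

# Magic-number table for the file kinds one expects in a Windows Update cache.
_MAGIC = [
    (b"MZ", "PE executable (MZ header)"),
    (b"MSCF", "Microsoft Cabinet (CAB)"),
    (b"PK\x03\x04", "ZIP container"),
    (b"\xd0\xcf\x11\xe0", "OLE compound document"),
]
# Tokens that suggest a text file is really a web page or script.
_SCRIPT_HINTS = re.compile(
    r"<script|<html|document\.|window\.|location\.href|function\s*\(", re.I
)


def classify_bytes(data: bytes) -> str:
    """Return a coarse content class for a file's bytes."""
    if not data:
        return "empty file"
    for magic, label in _MAGIC:
        if data.startswith(magic):
            return label
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown binary"
    # Treat as text only if almost every character is printable.
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    if printable / len(text) < 0.95:
        return "unknown binary"
    if _SCRIPT_HINTS.search(text):
        return "text: HTML/JavaScript"
    return "text: other"


def triage_file(path: str) -> dict:
    """Read one file and return its size, hashes and content class."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "class": classify_bytes(data),
    }


def triage_paths(paths):
    """Triage every path; an unreadable file (e.g. still blocked by the AV
    driver, or already gone) is reported as an error row, not an exception."""
    results = []
    for p in paths:
        try:
            results.append(triage_file(p))
        except OSError as exc:
            results.append({"path": p, "error": str(exc)})
    return results


def demo():
    """Build constructed stand-ins for BITD*.tmp files and triage them."""
    samples = {  # constructed sample contents, not real quarantined files
        "BITD950.tmp": b"<html><script>document.location.href="
                       b"'http://example.invalid/';</script></html>",
        "BITD951.tmp": b"MSCF" + b"\x00" * 60,
        "BITD952.tmp": b"MZ\x90\x00" + b"\x00" * 60,
    }
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, content in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(content)
            paths.append(p)
        paths.append(os.path.join(d, "missing.tmp"))  # simulates "file does not exist"
        return triage_paths(paths)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it on the real restored paths by replacing the constructed list in `demo()` with the locations shown under Quarantined Items. The content class answers the "is it JS?" question without opening the file in a browser or editor, and the SHA-256 is the value to quote alongside the password-protected archive when submitting a suspected false positive.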
We have seen the link, but can’t get the sample from the video. Please do as ionelp said: close the real-time scanner of CIS briefly, zip the file, and upload it to the forum so that we can have a look at it.