TrojWare.JS.TrojanClicker.Linker.H@14996 -- what is this virus?

Hi All,

Just today, Comodo Antivirus popped up with a warning that it had found the virus TrojWare.JS.TrojanClicker.Linker.H@14996 in several locations (all something like C:\Windows\SoftwareDistribution\Download\c0d181c8a9fb0e511c4472c233088a92\BITD950.tmp).

I quarantined the files in question, then deleted them, and I’ve been searching for more info on this virus to try and figure out how it got on my computer. I run a clean system, I don’t download software that I don’t have good reason to trust, and I stay up to date on software updates. So I’m a little concerned how this got on here, and if I could learn more about the virus I might be able to track down how it got on my machine.

But, all my searches are coming up blank–I can’t find anything on the virus “TrojWare.JS.TrojanClicker.Linker.H@14996”.

Anybody got a pointer for me?

-Josh

Hey, it sounds like it MAY be a FP. Upload the sample to www.virutstotal.com and post back the results please…

What is an FP?

Also, the site http://www.virutstotal.com/ comes up as not found for me. Did you mean a different site?

My mistake… I was typing in between talking to my girlfriend ;D

^ Has multiple virus scanners; you can scan a single file online, and this will help you tell whether the file is malicious or not… FP = False Positive (false detection)

Well, I would do that… except I already deleted the files! :o

Guess that wasn’t a smart thing to do. :-\

Hi jbeall

You just need to search a little differently in Google, with and without the " in your search.
If you search for only this > “Trojan.JS.” or this > “TrojanClicker.Linker.H”
( [at]14996 is maybe where it’s located at ?? )

You find that it is a Rootkit.Trojan.JS.TrojanClicker.Linker.H you found and deleted…
Look see here > Sunbelt Malware Research Lab

“Trojan.JS.” is like a group name / first name… and “TrojanClicker.Linker.H” is a specific name / like a surname.
A rootkit virus, trojan, spyware or worm is a malware program that may have administrator-level access
to the whole network system.
What it does is burrow itself deep into the system and hide itself, making it almost invisible and hard to be detected and removed by antivirus.
However, rootkits which don’t work in Safe Mode won’t be detected this way.
Don’t know if you really have a rootkit or not, or if it was just a False Positive ( aka FP ).

But there are a lot of programs from well-known sites that have rootkit / stealth malware detectors;
GMER is one of them, but it is so hard to do it by yourself if you don’t know how to do it.
Read at this Page and find out some more…
http://www.bleepingcomputer.com/forums/topic221913.html

Best of Luck and
Regards Ohke
P.S.
I can highly recommend this program, to run in Safe Mode; it’s a good deep scanner. ( and it’s free )
Norman Malware Cleaner
( runs under OS ( operating systems ) Windows 98, Me, NT, XP, Vista and Windows 7 )

I actually did find that page in my searching, but it doesn’t really give any useful information. It says it’s a Trojan, but that was obvious from the name. I suppose knowing it was a rootkit might possibly be helpful, but despite the page title, it doesn’t have any removal information, and it also has no information about attack vectors, or what the virus actually does once it gets on your machine. Is it a key logger? Is it part of a botnet? Or what?

Thanks for the other links, I will run some more scans with various pieces of software.

Look at the name.
TrojWare.JS.TrojanClicker.Linker.H[at]14996

JS means JavaScript. TrojanClicker comes with a webpage that, if you click anywhere, will ask you to download a file, as far as I have noticed. Linker, I guess, links to a download.

This is nothing big, no need to worry, and I’m very sure it’s not a FP.
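The post above reads the detection name as a JavaScript "clicker" (a page that redirects or pops a download when clicked), and earlier in the thread the advice was to check the sample against VirusTotal. Below is an added example of the offline first pass a practitioner would run on the flagged file before uploading anything; it is not code from the thread, from Comodo, or from any scanner. It sniffs the file type from magic bytes (a file under SoftwareDistribution\Download would normally be a Windows Update payload such as a CAB or PE, not script), computes hashes so the file can be looked up on VirusTotal by SHA-256 without uploading it, and, for text content, looks for redirect/popup/hidden-iframe patterns typical of a clicker page. The indicator regexes, the "two or more indicators" threshold, the VirusTotal URL format and the sample inputs are all assumptions constructed for illustration.

```python
"""Offline first-pass triage of a file an AV flagged (added example, not from
the thread). Answers: what is the file really (magic bytes), what are its
hashes (for a VirusTotal hash lookup without uploading), and does it carry the
redirect/click-through patterns a 'TrojanClicker'-style JavaScript page would.
Indicator list, threshold and lookup URL format are assumptions."""
import hashlib
import re

# Well-known file signatures; the list is illustrative, not exhaustive.
MAGIC = [
    (b"MZ", "PE executable (Windows binary)"),
    (b"MSCF", "Microsoft cabinet (.cab), typical of Windows Update payloads"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF document"),
]

# Hypothetical indicators a clicker-style page tends to contain.
CLICKER_PATTERNS = {
    "redirect": re.compile(r"(?:window\.)?location(?:\.href)?\s*=", re.I),
    "popup": re.compile(r"window\.open\s*\(", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0", re.I),
    "click_hook": re.compile(r"onclick\s*=|addEventListener\s*\(\s*[\"']click", re.I),
    "document_write": re.compile(r"document\.write\s*\(", re.I),
    "unescape_eval": re.compile(r"\b(?:eval|unescape)\s*\(", re.I),
}


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the blob; SHA-256 is what a VT hash lookup wants."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def sniff_type(data: bytes) -> str:
    """Identify the content by leading bytes, falling back to a printable-text test."""
    for magic, desc in MAGIC:
        if data.startswith(magic):
            return desc
    head = data[:512]
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in head)
    if head and printable / len(head) > 0.9:  # mostly printable: HTML/JS lives here
        return "text (possibly HTML/JavaScript)"
    return "unknown binary"


def clicker_indicators(data: bytes) -> list:
    """Names of the clicker patterns present, sorted for stable output."""
    text = data.decode("latin-1")  # never raises; keeps byte offsets 1:1
    return sorted(name for name, pat in CLICKER_PATTERNS.items() if pat.search(text))


def triage(data: bytes) -> dict:
    """Combine the checks into one verdict record for a single file."""
    h = hashes(data)
    kind = sniff_type(data)
    hits = clicker_indicators(data) if kind.startswith("text") else []
    return {
        "type": kind,
        "hashes": h,
        # Assumed VirusTotal lookup-by-hash URL format.
        "vt_lookup": f"https://www.virustotal.com/gui/file/{h['sha256']}",
        "indicators": hits,
        # Assumed threshold: two or more indicators in text content merits a second look.
        "suspicious": len(hits) >= 2,
    }


# Constructed sample inputs, not files from the thread.
SAMPLE_CLICKER = b"""<html><body onclick="go()">
<script>function go(){window.open('http://example.invalid/dl.exe');
location.href='http://example.invalid/landing';}</script>
<iframe src="http://example.invalid/c" width=0 height=0></iframe></body></html>"""
SAMPLE_BENIGN_JS = b"document.getElementById('x').textContent = 'hello';\n"
SAMPLE_UPDATE_CAB = b"MSCF" + b"\x00" * 60  # CAB header stub, as Windows Update would leave

if __name__ == "__main__":
    for label, blob in (("clicker", SAMPLE_CLICKER), ("benign", SAMPLE_BENIGN_JS), ("cab", SAMPLE_UPDATE_CAB)):
        r = triage(blob)
        print(f"{label}: {r['type']}; indicators={r['indicators']}; suspicious={r['suspicious']}")
        print(f"  sha256 {r['hashes']['sha256']}  ->  {r['vt_lookup']}")
```

Run it against the real file with `triage(open(path, "rb").read())`. The point of the type check is the one raised later in the thread: if a file in the Windows Update download folder turns out to be a CAB or PE rather than text, a "JS clicker" verdict on it is already suspect, and the SHA-256 lets you look the file up on VirusTotal (and ask the vendor) without having to hand over the sample first.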

How would it have gotten in C:\Windows\SoftwareDistribution\Download? I would have thought that it would be in a temporary internet files folder or something. I thought C:\Windows\SoftwareDistribution\Download was for actual executable binaries that got downloaded, e.g., desktop apps, windows updates, etc. Not JS or other web content?

Hi jbeall,

Can you reproduce the steps you had prior to this event or somehow retrieve the file that you mentioned in your posts?

Having the file at our disposal will give us the opportunity to check whether it is malware or false positive.

Thanks,
Ionel

Ok, I manually looked through my SoftwareDistribution\Download folder and found three more files that trigger this same error.

Unfortunately, I can’t figure out how to actually get at the files. Every program I open them in either says the file does not exist or gives me an empty file (I think because it thinks the file does not exist).

I can’t copy them, I get “access denied” or “file does not exist” errors.

So, for the time being I’ve got them in Comodo AV’s quarantine. How do I get at them from there? Where are these files?

-Josh

Hi jbeall,

You cannot retrieve the files because CIS denied access to them. These next steps have to be done carefully in order to retrieve them.

Temporarily disable the Antivirus, open CIS and go to Antivirus → Quarantined Items, check the location of the files, click the ones that you believe are false positives and hit Restore.

Navigate to the mentioned location and create an archive protected by a password with these files, reactivate Antivirus and then submit the archive here in order to verify whether they’re malware or false positives.

Regards,
Ionel

No luck getting at the file, even with Comodo closed. Here’s a recording:
http://www.screencast.com/t/GucoFR0XLl

The files are in Comodo’s quarantine again–after recording this video, I restarted Comodo, had it scan those files, and when it picked up a virus I had it quarantine the files.

Hi jbeall,

We have seen the link, but can’t get the sample from the video. Please do as ionelp said: close the real-time scanner of CIS briefly, zip the file, and upload it to the forum, so that we can have a look at it.

Regards,
hailong.■■■■

What I show in the video is what happens when I disable CIS–namely, I still cannot access the file in any way. The video shows my attempts to do so and the errors I get.

Hi jbeall,

Please check the version of CIS. If you use the old version, please uninstall it and download the latest version from this link: http://www.comodo.com/home/internet-security/free-internet-security.php ; this would be ok.

Regards,
hailong.■■■■

Ok, I got it! I restored the file, and then chose “ignore–permanently” when the “virus detected” warning popped up, and then I was able to get at the file.

See attached. Sorry, no password–Vista’s zip utility doesn’t let you set a password.

[attachment deleted by admin]

Hi jbeall,

We are going to have a look at it and will get back to you after investigation.

Regards,
hailong.■■■■

Hi jbeall,

The sample you uploaded is not a virus, and it’s not detected by CIS 3.10.102363.531, DB 1799. Please check it; if there are any problems, please let us know.

Regards,
hailong.■■■■