Hello! It's been 3 years since I last visited, so I'm afraid I have forgotten the etiquette of using this forum, but I remember how helpful you all were last time!

The problem this time is that lately I've been getting pop ups from trend micro telling me that they've detected these trojans, always in the localsettings - temp folder, but that they can't be cleaned and only deleted manually, but have been quarantined. When I go back to the temp folder, I can't find anything that's been listed.

I've deleted everything in my cache, temp folder, temporary internet files folder, and whatever was left in the quarantine, but STILL they return, often more than last time (ALWAYS in twos, and sometimes as often as 16. Troj_clicker.agd and Troj_bohmini.r_)

I've run Trendmicro housecall, and that ran perfectly until the final "clean" part, where it malfunctioned and wouldn't work (very frustrating after running it for near 7 hours).

I've run Spybot, but it claims that there are no infections.

I don't think it's anything really to worry about, or anything seriously dangerous, but the constant pop ups telling me about the infections are starting to get to me (it's as if they're taunting your efforts to delete them, I tell you!)


This is a very recent development, as the computer has been surprisingly clean since my last visit, aha!

Any help? (should I be posting this somewhere else? I'm sorry if this isn't the right place!)

The best thing to do is to follow this http://wiki.castlecops.com/MRP

If you think you're still infected with malware post a Hijackthis log in this forum.

/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

I also suggest you install Windows Defender (if you use Windows XP), which is free and is available from http://www.microsoft.com/athome/security/spyware/software/default.mspx

Thank you so much for the help, I'll get to doing that right in the morning! *bookmarks all the links*

I have been working on it for a week now. I found a ton of tasks in the ctrl panel task scheduler. Deleted them all. Tried House Call. Even wiped out the entire directory PCC says it is in to no avail. PC-cillin still reports the directory even though it does not exist.
Problem seems to be this is something new and I cannot find exact removal instructions. Lucky us!
In desperation I may have to try a restore point and reload new programs I installed. I am now working on two date modified suspicious executables I found in windows system 32 folder. (holding them in recycle bin just in case)
If I find anything I will post it.
bob

Ok
Looks like it is you and me against the entire world.
Without altering a single file in your computer I need you to check 3 things.
First going into control panel (classic) and clicking on Scheduled tasks do you see a huge amount starting with AT(and a number).
Second Go to control panel again and click on adminstrative tools then pick Event viewer then click the tab to the far right that says System. Scroll down and click in the red ones. See how it failed to start a scheduled task because PC_cillin already destroyed it? Note the day that happened
Now the third is tricky using the the day of the first failed event in step two go to windows program explorer and into the folder Windows and select the subfolder System32. Click on the date last modified to sort then sort the file type. (exe is called program)
See any Executable files there that look a bit strange. Names like iJA4Bc9.exe that matches the time. (example only) There will be a pair of those of course. Thats the source. Now don't delete anything. In order to figure this out these guys on this forum will need to tell you how to run the logger program hijackthis. Now that we know what to look for. I deleted my files like a "mad dog" so I have no proof if I am right.
I am no expert and if you do not match all three of the above questions I am barking up the wrong tree.
Good luck and please ... please respond back to my 3 questions.
bob

I will attempt to assist you since it seems you are in need of help. I will answer asap and do some reasearch on your trojans.

I have found little info here, supposdly Trend Micro house cleaner can remove it.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCLICKER%2EAGD&VSect=Sn

From what i have found your, Troj_bohmini.r is a fairly new trojan released around the beginning of september. Trend micro clams to be able to get rid of it with there house cleaner.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BOHMINI.R

I think deleting those 2 files may have worked. 19 hours now and no more trojans. Whether there is another file or two lurking around remains to be seen. The worst thing is I got this surfing respected websites. Too bad no other antivirus but Trend has a pattern for it yet this thing will definately spread with no detection in place. It must be installing like the malware "antivirus 2008" except it doesnt give me time or warning enough to hit the power off switch. Not recommended, I know, but I saw that one coming at me fast.
bob

Hi
I decided to join to prevent any fraud or deception from here on. Otherwise anyone could post in my name and cause possible harm to somebodys computer. Better safe than sorry!
So far running great. So good in fact I even created a new restore point for the system. Fingers are crossed. Can't find that darn rabbits foot.
Just a test Ignore all of the above.
bob

Well im happy that I was able to help you. I hope all goes good for you from here on out.

I appreciate the help rlbob and Nithryok, but my computer didn't seem to follow the same pattern as yours rlbob, and I already mentioned Housecall doesn't seem to work for me for some reason :c

I have posted a HijackThis log now, because I think I'll be needing some really thorough cleaning. Could you advise anything from it?
/p1113620-Persistent_stubborn_mule_Trojans_and_Pop_Ups.html#1113620

Hey, I have the EXACT same problem as rlbob had. I went through his three steps and everything matched except for the last one. I looked at the files and found a suss pair alright, but the last modified date for one of the files says the 7th of September, while the first error occured on the 20th (but the other file's last modified date is today). I guess it was just a delayed action on the trojan's part.

What should I do? Just delete the files like rlbob did? The file's names begin with seemingly random letters and numbers, and end in ".exe.a_a". Whats with the 'a_a'? Looks like a smiley face. There are also 'application' files with the same name. I would post the whole file name but I feel like I shouldn't.

I am not authorized to work you HJT logs on this site. As for V yes I would get rid of them if you have the same problem sa bob did.

Lost my password
Any how it looks like my solution worked for me. Unfortunately I no longer have an infected machine so I cannot duplicate or test anything.
The rundown is this:
1. see if task scheduler is full of tasks starting with AT(then a
#)
2. Look in event viewer for the start of the infection.
3. Go to windows/System32 folder and sort by date then file type.
4. Look for a (generated nonsense type) name of a exe file that matches the time of the infection. (actually its a pair of those) That appears to be the source files.
If unsure I would recommend saving them somewhere else but I do not know if copying them might not spread the infection.
5. Disable the two exe's by whatever means you like and then wipe out the task scheduler entries.
Hope that works.
good luck
bob

I am not sure of how to do this
But if the two files are indeed the source. If someone could send a copy of them to Trend Micro that would help. Then they could wipe out the whole shebang in their next pattern file. I am not trying to endorse them but since they are the only ones detecting this new threat the need the info.
bob