
how to remove Trojan horse Clicker.AJRO

Posted by egomoo on June 30, 2010
Trojan, Worm


What is Trojan horse Clicker.AJRO?

AVG discovered this “Trojan horse Clicker.AJRO” on my PC yesterday but could not remove it.

Infection: Trojan horse Clicker.AJRO
Object: c:\System Volume Information\Microsoft\services.exe
Result: Object is inaccessible

Infection: Trojan horse Clicker.AJRO
Object: c:\System Volume Information\Microsoft\smss.exe
Result: Object is inaccessible

It appears to open 3-4 iexplore.exe every 30mins and tries to connect to a specific website. (I won’t post the link unless requested.)

Clicker.AJRO also turns my Wave volume down every so often too. Not every 30mins like the IE thing but every 12hrs ish it’ll turn the volume down every few mins for a while then go back to normal.

I’ve run Malwarebytes Anti-Malware, rkill, SuperAntiSpyware, and Spybot Search and Destroy and they pick up nothing. Hitman is the only thing to pick up two problems in the C:\System Volume Information\Microsoft folder. I’ve gained access to it by changing view and security settings and tried to manually delete the two files (which are labeled as “File Loaders” and “Black Internet”). It always says ‘access is denied,’ even when using Unlocker. Any attempt to delete upon reboot using Unlocker hasn’t worked.

Sorry, until now no tool could fix the problem (including mbr.exe from Gmer).

It’s an MBR-infecting virus.

XueTr will alert that “an MBR rootkit infected”, but in my test the partition table was broken after XueTr fixed it.
So it is very dangerous for normal folks to use it to remove the virus.


5 Comments to how to remove Trojan horse Clicker.AJRO

David (United Kingdom), July 21, 2010

Hi, I have the same malware. If anyone knows how to get rid of these then please let me know. Running Malwarebytes Anti-Malware has not worked and my AVG does not get rid of it either. Any help is much appreciated.


john (China), July 21, 2010

Only one way: take your PC to a tech guy and let him fix your disk MBR.


David (United Kingdom) replied:

Hi John, thank you for that.

To fix the MBR, can I put the XP disc in, select Recovery Console and then type fixmbr? Would I also need to run fixboot? Or am I sounding like an idiot and should actually take it to a tech guy?


pJohn (China), July 21, 2010

Yes, I think you could try it out with the fixmbr command.


Coypu (United States), July 27, 2010

Trojan Horse Clicker.AJRO
The payload consists of two executables:
c:\System Volume Information\Microsoft\services.exe
c:\System Volume Information\Microsoft\smss.exe

AVG was successfully preventing the payloads from launching, however it was only partially successful in healing the infector.
This trojan also has a Master Boot Record component which reloads the payload on each reboot.
If you have physical access to the machine, it is possible to fix by loading the Recovery Console (if you don’t load the recovery console on all your systems, please do so – it is worthwhile) and running the fixmbr utility. This would rewrite a new MBR on the disk.

I was working remotely and could not access the Recovery Console, so I read the c:\boot.ini file just to make sure I knew the partition and disk layout.
Then I downloaded MBRWizard from here: http://mbrwizard.com/
Unzip the file to a directory (here we’ll use c:\temp).
Preparatory: open c:\boot.ini in Notepad, just to make sure you’re aware of the disks and partitions.
If you’re not familiar with boot.ini, research it. Worthwhile stuff to learn.

Then perform the following steps:
1. Right-click My Computer and click Properties.
2. Go to System Restore and turn off System Restore. (gets rid of files in C:\System Volume Information and makes them more accessible).
3. Use AVG or another good scanner to scan C:\System Volume Information. Delete the payload files. AVG will tell you that you must reboot to get rid of them; they’re flagged for deletion at this point.
4. Drop out to a command prompt.
5. Go to c:\temp (or the directory where you unzipped MBRWizard).
6. Run the command
mbrwiz.exe /Repair=1
This will overwrite the MBR with a standard Windows 2000/XP MBR.
7. Exit the command prompt.
8. Reboot.
9. After reboot log back in.
10. Re-scan c:\System Volume Information and verify the payloads have not been re-written.
11. Right-click My Computer and click Properties.
12. Go to System Restore and turn on System Restore.
Done.

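Both the post (an MBR infection, and a partition table broken by a careless "fix") and Coypu's procedure (rewrite the MBR with fixmbr or mbrwiz.exe /Repair=1, then verify) come down to one question: what is actually in the first sector of the disk, and is it sane? The following is an added example, not code from the post or from any of the tools mentioned. It parses a 512-byte MBR, checks the 0x55AA boot signature, validates the four partition entries (exactly one active, no entry at LBA 0, none past the end of the disk, no overlaps), and compares a SHA-256 of the 446 bootstrap bytes against a baseline taken from a known-good sector. The sample sectors it runs on are constructed in the script with a placeholder bootstrap, not real boot code or a real infected sector; the disk size and partition layout are assumptions for the demonstration.

```python
"""Parse and sanity-check a 512-byte Master Boot Record (added example).

Defender-side checks to run on the first sector before and after an MBR
repair: signature present, partition table consistent, bootstrap code
unchanged against a known-good baseline hash. All sample data below is
constructed for the demo.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446           # bytes 0..445: bootstrap code
PT_OFFSET = 446               # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    index: int
    status: int      # 0x80 = active/bootable, 0x00 = inactive, anything else is invalid
    type_id: int     # e.g. 0x07 NTFS, 0x05/0x0f extended
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:          # exclusive end sector
        return self.lba_start + self.sectors


def parse_partition_table(mbr: bytes) -> List[Partition]:
    """Decode the non-empty entries of the partition table."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_s, type_id, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PT_OFFSET + 16 * i)
        if type_id == 0 and lba == 0 and count == 0:
            continue                   # empty slot
        parts.append(Partition(i, status, type_id, lba, count))
    return parts


def bootstrap_sha256(mbr: bytes) -> str:
    """Hash of the bootstrap code only; the partition table legitimately differs per disk."""
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr: bytes, disk_sectors: int, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if baseline_sha256 is not None and bootstrap_sha256(mbr) != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partition_table(mbr)
    if sum(1 for p in parts if p.status == 0x80) != 1:
        findings.append("expected exactly one active partition")
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"entry {p.index}: invalid status byte 0x{p.status:02x}")
        if p.lba_start == 0:
            findings.append(f"entry {p.index}: starts at LBA 0 (would cover the MBR itself)")
        if p.lba_end > disk_sectors:
            findings.append(f"entry {p.index}: extends past end of disk")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_end:
            findings.append(f"entries {a.index} and {b.index} overlap")
    return findings


def build_mbr(bootstrap: bytes, entries) -> bytes:
    """Assemble a sector from bootstrap bytes and (status, type, lba, count) tuples (demo helper)."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in entries).ljust(64, b"\0")
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\0")[:BOOTSTRAP_LEN] + table + BOOT_SIGNATURE


# Constructed sample data: placeholder bootstrap (not real boot code) and one
# NTFS partition on an assumed 10 GiB disk (20,971,520 sectors).
DISK_SECTORS = 20_971_520
CLEAN_BOOTSTRAP = bytes([0xfa, 0x33, 0xc0]) + b"\x90" * (BOOTSTRAP_LEN - 3)
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, [(0x80, 0x07, 63, DISK_SECTORS - 63)])
BASELINE = bootstrap_sha256(CLEAN_MBR)

# Same partition table, first bootstrap bytes altered: the shape a boot-sector infector leaves.
TAMPERED_MBR = build_mbr(b"\xeb\x10" + CLEAN_BOOTSTRAP[2:], [(0x80, 0x07, 63, DISK_SECTORS - 63)])

# Partition table damage: two entries claiming the same sectors.
BROKEN_PT_MBR = build_mbr(CLEAN_BOOTSTRAP, [(0x80, 0x07, 63, 10_000_000),
                                            (0x00, 0x07, 5_000_000, 10_000_000)])

if __name__ == "__main__":
    for name, sector in [("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("broken table", BROKEN_PT_MBR)]:
        print(f"{name:13s}", check_mbr(sector, DISK_SECTORS, BASELINE) or "OK")
```

On a live Windows system the sector to feed into check_mbr is the first 512 bytes of \\.\PhysicalDrive0, read from an administrator prompt; take the baseline hash from a disk you trust, and rerun the check after the MBR rewrite to confirm both that the bootstrap matches and that the partition table still describes the layout boot.ini expects.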
