Trojan-Clicker.Win32.Tiny.h
Trojan-Clicker.Win32.Tiny.h is an imaginary Trojan name used to threaten and trick users into buying the rogue anti-spyware application PC Antispy. The infection starts when the user downloads a video codec that installs a Trojan on the computer. This Trojan then displays a fake "Windows Security Alert" message that recommends downloading software (most probably PC Antispy) to resolve the issue. The message reads:
"Windows Security Alert
To help protect your computer, Windows Firewall has detected activity of harmful software. Do you want to block this software from sending data over the internet?
Name: Trojan-Clicker.Win32.Tiny.h
Risk Level: CRITICAL
Description: This is spy trojan that installs itself to the system, hides itself and then captures screen images and saves them to disk files in encrypted form. Thus it allows to a hacker to watch screen images."
PC Antispy, or whatever software the fake Trojan-Clicker.Win32.Tiny.h alert message recommends, will not fix your PC and might actually expose you to more security threats.
File System Modifications
- The following files were created in the system:
#  File Name
1  %programfiles%\pccleanpro\pccleanpro.dll
2  %programfiles%\pccleanpro\pccleanpro.exe
3  ASpyPopUpBlk.dll
4  ASpyStBlk.dll
5  lphcv34j0eacn.exe
6  PC-Antispy.exe
7  PCAntispy_Installer_eng[1].exe
Registry Modifications
- The following Registry values were newly created:
HKEY..\..\..\..{RegistryKeys}
  Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60B244BE-559D-4269-B96E-CD264D828EC9}
  Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\PC-Antispy
  Microsoft\Windows\CurrentVersion\Run\PC-Antispy
  {60B244BE-559D-4269-B96E-CD264D828EC9}
HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
  PC-Antispy
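The file and Registry entries above can be checked against an exported file or autorun listing from a suspect machine. The following is an added example, not part of the original write-up: the function names and the sample listing are constructed for illustration, and Registry entries are matched by key-path tail because the hive is elided above.

```python
import re

# Indicators copied from this page. Registry entries are key-path tails because
# the page elides the hive; its placeholder-form Uninstall entry is left out.
FILE_IOCS = [
    r"%programfiles%\pccleanpro\pccleanpro.dll",
    r"%programfiles%\pccleanpro\pccleanpro.exe",
    "ASpyPopUpBlk.dll", "ASpyStBlk.dll", "lphcv34j0eacn.exe",
    "PC-Antispy.exe", "PCAntispy_Installer_eng[1].exe",
]
REG_IOCS = [
    r"Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    r"\{60B244BE-559D-4269-B96E-CD264D828EC9}",
    r"Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2"
    r"\Programs\PC-Antispy",
    r"Microsoft\Windows\CurrentVersion\Run\PC-Antispy",
]

SAMPLE = [  # constructed triage listing, not captured from a real host
    r"C:\Program Files (x86)\PCCleanPro\pccleanpro.exe",
    r"C:\WINDOWS\system32\LPHCV34J0EACN.EXE",
    r"C:\Tools\notPC-Antispy.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PC-Antispy",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]

def _norm(text):
    """Lower-case, unify separators and collapse doubled backslashes."""
    text = text.strip().strip('"').replace("/", "\\").lower()
    return re.sub(r"\\+", r"\\", text)

def _tail(ioc):
    """Drop a leading %variable% so the rest matches any expansion of it."""
    return re.sub(r"^%[^%]+%\\", "", _norm(ioc))

def match_line(line):
    """Return the page indicators that a listing line ends with."""
    norm = _norm(line)
    tails = ((ioc, _tail(ioc)) for ioc in FILE_IOCS + REG_IOCS)
    # Require a path-component boundary so "notPC-Antispy.exe" is not a hit.
    return [ioc for ioc, t in tails if norm == t or norm.endswith("\\" + t)]

def scan(lines):
    """Map each matching line to the indicators it hit."""
    return {ln: hits for ln in lines if (hits := match_line(ln))}

if __name__ == "__main__":
    for line, hits in scan(SAMPLE).items():
        print(f"{line}  <-  {', '.join(hits)}")
```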
I had used the free version of Spyware Doctor to get the files and registry locations of the one virus (2008XPvirus?) and corrected the 50 some things that it determined, files and registry. That got rid of the things that were happening on that one but I kept getting pops on viruses that were found making it look like a Microsoft security posting. When you clicked on enable it took you to an antivirus software site and they could remove this problem at a cost. (Well, if you hadn't put it there, I wouldn't have the problem!) The names in the popup varied: Trojanclicker win 32 to the same but with keylogger to HTML-bankfraud. Not disastrous but annoying having this popup every few minutes. Finally went to windows/system32, arranged the icons by modified and searched down to find where there were a lot of files with the same date. Could not delete them without going into safe mode because I would get the messages that are gotten when the file is in use and I could not find the one that was using them. Once they were deleted in safe mode, I have not had any problems.