Js/downloader.agent


5 replies to this topic

#1 VirusHeatEvil

  • Members
  • 27 posts

Posted 18 May 2008 - 02:15 AM

Hi There

I am running WINXP and both myself and my wife use different log-ins.

My wife was logged in when AVG Scan found JS/Downloader.agent. The strangest part is that if you log into XP as me then even though this scan shows in AVG it does not show the virus being detected. It only shows the detection if you look at the same scan, but logged in as my wife.....

Anyway, I downloaded SmitFraudFix, updated and rebooted in safe mode.
I then ran SmitFraudFix and after that Superantispyware and Spybot which found nothing. AVG (also in safe mode) found some kind of registry change but I don't know how to copy and paste that here.

Could you please give me some ideas as to what I should do next??

Thanks so much!


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,588 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 18 May 2008 - 07:37 AM

JS/Psyme Trojan (JS/Downloader.agent) is a variant of the JavaScript downloader exploit which is built into HTML pages and detected in Temp Internet files. For removal instructions see AVG FAQ 1317: JS/Psyme found in "Temporary Internet Files" folder.

If you're using IE, Netscape, Mozilla, Opera, or AOL, also see the instructions for Clearing your Web Browser Cache. If you're using Sun Java, follow the instructions for Clearing the Java Runtime Environment (JRE) Cache.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 VirusHeatEvil


Posted 19 May 2008 - 04:09 AM

Thanks for that.

I am still detecting a Registry Change in AVG that I never used to receive beforehand (it is now appearing every time I scan with AVG).

Is there anything else you recommend?

#4 quietman7


Posted 19 May 2008 - 06:56 AM

What type of registry change? What is the actual detection alert you are receiving?

Are you using AVG7 or AVG8?

If you have AVG8 and the infection is detected in "ActiveX Compatibility" registry key, then that may be related to a known issue if you're also using SpywareBlaster, Spybot S&D's Immunize Feature. See AVG FAQ 1198: Infection detected in "ActiveX Compatibility" registry key

#5 VirusHeatEvil


Posted 20 May 2008 - 04:19 AM

Thanks for your reply

As I said I am afraid I do not know how to copy paste the AVG reports so I have copied the event below:

C:\Windows\system32\drivers\etc\hosts

Result:Changed
Status:Changed

I think I am running AVG7 but do not know how to confirm this. I have been running Spybot and AVG together for a while and have only started receiving this registry change detection notice since I picked up the JS.downloader.agent the other day.

Thanks again for your help!

#6 quietman7


Posted 20 May 2008 - 08:41 AM

When you launch AVG, go to the Help tab and click on About to see your version. You should also be able to see the version in Add/Remove Programs via Control Panel.

AVG does not change your HOSTS file but it will alert you that it has changed since the last scan. Although malware can be responsible for altering the HOSTS file in an attempt to redirect your browser, it does not do so without infecting other areas of your system. There are several legitimate security programs like SpySweeper and Spybot S&D which can add numerous entries to the HOSTS file and that action may be detected as a change. If you downloaded and used a custom HOSTS file or made edits, that too would trigger a change detection. If you did not make any changes or do not have security programs with these features, then you need to investigate what the changes are.

The HOSTS file should not show as changed unless the user is aware of a program needing a change made to it and is aware that it is being altered. Protection software and also malware will often change this file so they can affect where a computer goes to on the internet.

This is one reason why the user on this system needs to look at the file to make certain that something didn't change it and if so determine if it is a good or bad change...

General system maintenance can change the file even when it isn't apparent by visual inspection. AVG uses a checksum to compare a file before and after and a minor change or correction to the file could have caused it to appear changed.

Re: C:\WINDOWS\system32\drivers\etc\hosts
Host file changed
What's the hosts file for?

The HOSTS file is a text file that has no extension and can be viewed using notepad. At the top is an explanation of the simple syntax. Each line is an IP address, a domain name, and an optional comment placed after a # sign. A HOSTS file maps an IP address to a name. Please read Hosts File FAQS.

To view the folder containing your Hosts file, go to Start > Run and type: %windir%\system32\drivers\etc\

The Hosts file has no extension. The easiest way to access and view the contents is by using Notepad.
  • Double-click on the HOSTS file.
  • A message will appear saying Windows can't open the file or Choose the program you want to open this file.
  • Scroll down the list of programs until you see Notepad.
  • Select it and click OK.

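The check described in the last reply, as an added example that is not part of the original thread: a checksum tells you only that the HOSTS file changed, so this sketch also parses the "IP address, name, optional # comment" lines and sorts new entries into blocking entries and names pointed elsewhere. The function names, the sample snapshots and the rule that loopback or 0.0.0.0 means "blocking entry" are assumptions made for the illustration.

```python
import hashlib
import ipaddress

def parse_hosts(text):
    """Return {hostname: ip}; text after '#' is a comment and is ignored."""
    mappings = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or incomplete line
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:  # one line may list several names
            mappings[name.lower()] = ip
    return mappings

def is_local(ip):
    """Assumption: blocking entries point a name at loopback or 0.0.0.0."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def review_change(before, after):
    """Compare two snapshots: raw checksum first, then the parsed mappings."""
    old, new = parse_hosts(before), parse_hosts(after)
    changed = {n: ip for n, ip in new.items() if old.get(n) != ip}
    return {
        "checksum_changed": sha256(before) != sha256(after),
        "blocked": sorted(n for n, ip in changed.items() if is_local(ip)),
        "redirected": {n: ip for n, ip in changed.items() if not is_local(ip)},
        "removed": sorted(set(old) - set(new)),
    }

# Constructed sample snapshots (not taken from the thread).
BASELINE = "# sample HOSTS file\n127.0.0.1       localhost\n"
COSMETIC = "# sample HOSTS file\n127.0.0.1 localhost  # re-spaced\n"
EDITED = BASELINE + (
    "127.0.0.1 ads.example.test\n"         # blocking entry
    "203.0.113.7 www.example.test\n"       # name pointed at an outside address
)

if __name__ == "__main__":
    print(review_change(BASELINE, COSMETIC))
    print(review_change(BASELINE, EDITED))
```

To use it on a real machine, pass the text of a saved copy of the HOSTS file as `before` and the current contents of `%windir%\system32\drivers\etc\hosts` as `after`; anything listed under `redirected` is what needs a closer look.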



