Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


js/agent.ncu trojan

  • Please log in to reply
2 replies to this topic

#1 ZenZen


  • Members
  • 5 posts
  • Local time:06:35 AM

Posted 06 March 2011 - 04:53 PM

Hello everyone, I hope you may be able to help me out here and sorry about my lack of knowledge in a few questions I have.

Since last weekend I had quite a few attempted browser hijacks and rogue software download boxes pop up on my my computer, this was after the adverts that where injected with Malware, as reported on various websites last weekend. I had visited one of these websites and had multiple attempted re-directs. These however hadnt happened for a few days. However just this evening I was on Google and was about to click to enter a website, but noticed my browser was redirecting to a webpage antivirusscannerfeatures.com - this was intercepted by my antivirus software ESET and connection was momentarily disconnected. ESET reported this as a js/agent.ncu trojan.

I have ran Windows Defender, ESET antivirus and TDSSKiller, SAS in normal mode, not safe mode and all drew a blank.

Now my questions and again, sorry about my lack of knowledge on these matters. If there is an attempted browser redirect does this mean that when this happens, my computer is getting infected by trojans or would I have to download something to get infected?

As nothing is being detected by ESET, Windows Defender, SAS, MBAM, TDSSKiller - does this mean my machine is free of infections or could something still be present which is casuing these re-directs? If so what else do you recommend I do?

I'm running Windows XP Home with SP3.
Internet Explorer version 8.0

Thanks for all your help and assistance in advance.

Best wishes,

Edited by ZenZen, 06 March 2011 - 05:22 PM.

BC AdBot (Login to Remove)


#2 somni


  • Members
  • 2 posts
  • Local time:01:35 AM

Posted 07 March 2011 - 06:46 AM

I'm no expert at this. I had eset online scan report the same thing (JS/Agent.NCU trojan) on my system an hour ago. Unlike you, my PC showed no symptoms. I was running eset just because I had been dabbling with some potentially dangerous sites and files. Mine was in a temporary Internet file that I simply deleted.

That being said, I have a couple suggestions for you.

You stated that ESET intercepted and reported the problem. I am wondering if it also cleaned the problem at that time and that is why your subsequent runs of various scanners all drew a blank. I would think there would be an ESET log somewhere that could confirm whether the original detection was cleaned.

If you get the redirects consistently, try starting your browser with no addons. You may need to manually go in and deactivate or uninstall addons. I have seen redirectors masquerading as "search helper", "search optimizer", etc. Hard to distinguish the bad guys from the good guys.

As for whether the redirection in and of itself is malicious, I doubt it but again, I am no expert. I doubt that as you are being redirected you are also being infected. More likely you are simply being sent to sites where bad things reside, or even just to market a bunch of wares that you have no interest in. As you suggested, you would probably have to do something to get infected but I have seen malware, particularly roguewarem appear after just visiting a site without taking any of the actions I that would make one vulnerable.

That's my two cents.

Moderator Edit: HJT is not allowed to be used, or logs requested in this forum. Only trained technicians specified by this forum may request HJT logs or recommend its use. Reference has been deleted.

BleepingComputer Forums Moderator

Edited by rigel, 07 March 2011 - 12:56 PM.

#3 somni


  • Members
  • 2 posts
  • Local time:01:35 AM

Posted 08 March 2011 - 11:09 PM

Sorry. I can't believe I got in trouble on my FIRST POST! :blush:

Thanks for the new topic in which Blade Zephon explains what is out of bounds for regular members.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users