TechSpot

Cannot get rid of js/downloader.agent infection

By dave.vp
May 14, 2008
Topic Status:
Not open for further replies.
  1. Hi, I need help to get rid of JS/downloader.agent. So far this virus has disabled the liveupdate for my antivirus, disabled adaware, and takes forever to boot.

    I have Windows 2000, downloaded AVGfree. Every time I open Windows Explorer, AVG catches the virus and I click move to vault. When I use Firefox, the popup occurs less frequently.

    Can someone help me get rid of this virus?

    Thanks in advance.
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Hi dave.vp,

    Welcome to Techspot!

    My name is Blind Dragon and I will be helping you with your Malware problem. During the course of our interactions please be sure to follow all instructions carefully, and ask questions if you are unsure of how to proceed at any point.

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1) MBAM or SAS log
    2) Combofix log
    3) Hijackthis log (Step 15)

    This thread is for the use of dave.vp only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. dave.vp

    dave.vp TS Rookie Topic Starter

    followed directions from blind dragon

    I followed the directions -- the system works better now and I can get Windows updates, Symantec AV works and updates now. However, I still get the AVG warning that JS/downloader.agent is a threat.

    Rootkits were negative.

    Combofix did not work on this system, so I used DSS.

    Attached are the logs, thanks for your help! What else can I do to get rid of JS/downloader.agent?
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Disable Teatimer
    • Right click the Spybot -SD Resident Icon located in your system tray, Select Exit Spybot - S&D Resident
    • Open Spybot S&D
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • Uncheck Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    -------------------------------------------------------------------------------------

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 6
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install go to Start-> Control Panel-> Add/Remove Programs (Programs and Features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_06 folder

    -------------------------------------------------------------------------

    We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

    Code:
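    @echo off
    rem The service name contains spaces, so it must be quoted for sc
    sc stop "Viewpoint Manager Service"
    sc delete "Viewpoint Manager Service"
    rem Delete this script from the desktop, then close the window
    del service.cmd & exit
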
    Save it to your desktop as File name: service.cmd
    Save as type: All Files

    Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

    ------------------------------------------------------------------------

    You should either print this section or copy and paste it into notepad then save it to the desktop so that you have it while in safe mode

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\j2re1.4.2_08\bin\ssv.dll (file missing)
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    j2re1.4.2_08
    FlashGet
    Viewpoint


    Please note any other programs that you don't recognize in that list in your next response.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Program Files\Java\j2re1.4.2_08
    C:\Program Files\FlashGet
    C:\Program Files\Viewpoint


    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\windows\system32\blank.htm

    After that, reboot, and post a new HijackThis log here in a reply.

    ------------------------------------------------------------------------------

    You can reinstall Flashget downloader if you use it.

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply with a fresh Hijackthis log


    This thread is for the use of dave.vp only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
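
The HijackThis fix list in the reply above follows a fixed line format (section code, description, optional CLSID, target file with an optional "(file missing)" or "(no file)" marker). As an added example, not part of the original thread, this Python sketch parses those lines and separates the entries HijackThis itself marked as pointing at a missing file; the function names and the SECTIONS table are this example's own.

```python
import re

# Entries copied from the fix list in the post above (a subset, not a full log).
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\j2re1.4.2_08\bin\ssv.dll (file missing)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
"""

# Meanings of the section codes that appear on this page.
SECTIONS = {"R0": "IE start/search page value", "O2": "Browser Helper Object",
            "O3": "IE toolbar", "O8": "IE context-menu item",
            "O9": "IE toolbar button or Tools menu item"}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entry(line):
    """Split one HijackThis line into code, CLSID, target and orphan flag."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header lines, process list, blank lines
    code, rest = m.groups()
    # R entries read "key,value = data"; O entries end in " - target".
    if code.startswith("R") and " = " in rest:
        target = rest.split(" = ", 1)[1]
    else:
        target = rest.rsplit(" - ", 1)[-1]
    orphaned = target == "(no file)" or target.endswith(" (file missing)")
    if target == "(no file)":
        target = None
    elif orphaned:
        target = target[: -len(" (file missing)")]
    clsid = CLSID.search(rest)
    return {"code": code, "section": SECTIONS.get(code, "unknown"),
            "clsid": clsid.group(0) if clsid else None,
            "target": target, "orphaned": orphaned}

def parse_log(text):
    """Parse every recognisable entry line in a pasted log."""
    return [e for e in map(parse_entry, text.splitlines()) if e]

def orphaned_entries(entries):
    """Entries whose registry reference points at a file that is gone."""
    return [e for e in entries if e["orphaned"]]
```

The orphan flag only repeats what HijackThis recorded; entries without it, such as the R0 and O8 lines, were selected by the helper's own judgement and still need a human decision.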