TechSpot

Please help, infected with JS/Downloader.Agent

By shaq9919
Feb 15, 2008
Topic Status:
Not open for further replies.
  1. I have the AVG Free Edition on my new computer

    No problems in the month I have had it until last night, the AVG is now showing "Virus Found JS/Downloader.Agent" in two separate line items when it runs its scan.

    One is named "0[1].html" and the other is named "8[1].html"

    I am not very tech smart with this kind of thing, but I do use my computer to pay bills, bank, etc. so I need to fix this.

    Is there anyone here who is familiar with this who could advise me on what to do?

    I would greatly appreciate your help, thank you in advance.
  2. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Hi,

    Welcome to Techspot and thank you for starting your own thread.

    JS/Downloader.agent is related to Java Script. Please clear your Java Script cache. See how here Clearing the Java Runtime Environment (JRE) Cache

    Can you also please post a Hijackthis log
    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
      ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so. Under no circumstances should you click any buttons other than specified in the directions including AnalyzeThis!***

    This thread is for the use of shaq9919 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. shaq9919

    shaq9919 Newcomer, in training Topic Starter

    Hi Blind Dragon,

    Thank you so much for responding, I really do appreciate it. I cleared the Java (hopefully) per your instruction and I think correctly attached my Hijack this log.

    Also, item 020 in the log, the antiwpa.dll came up as a virus when I ran the TrendMicro HouseCall program that I saw listed in another thread here on this. The HouseCall program could not clear that virus so I think that one may need to be cleared somehow?

    Thanks again!
  4. jobeard

    jobeard TS Ambassador Posts: 13,369   +302

    I would suspect
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

    as these online games (and pron sites) are known to be causes of infections.

    caveat emptor.
  5. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    It appears you may have a cracked copy of Windows.
  6. shaq9919

    shaq9919 Newcomer, in training Topic Starter

    Sorry, not very tech smart obviously

    What does a "cracked" copy of windows mean? Do I need to reload XP?

    And do you think I should try and have the Hijackthis program try and fix that line item 020 I mentioned above?
  7. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Do you have a legitimate copy of Windows that you purchased at the store or did somebody make the disk for you? The reason I ask is because the entry you inquired about is used to bypass copy protection for Windows. So I am just making sure that you have a legit purchased copy.
  8. shaq9919

    shaq9919 Newcomer, in training Topic Starter

    I bought this computer from an Ebay PowerSeller about a month ago.

    It was advertised to have WindowsXP, the free AVG software, etc. as part of the deal.

    This seller appears to have sold thousands of computers, I would be very surprised if it was not licensed properly.

    http://cgi.ebay.com/ws/eBayISAPI.dl...sid=m37&satitle=180197248215&category0=&fvi=1

    Do you think I should contact the seller? If so, what do I request....a registration number for the software or something?
  9. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Let's find out. Are you able to get updates through the following website using Internet Explorer -> www.update.microsoft.com

    While I go through the rest of your log please do the following

    First
    Update your Java Runtime Environment
    • This new release will overwrite previous installations and automatically update browsers to use this new release. The configuration files and program files folder used by Java Web Start have changed, but all your settings will remain intact after the upgrade, since Java Web Start will translate your settings to the new form.

      Java SE Runtime Environment 6 Update 4 First Customer Ship

      Simply enter your operating system and check agree to terms of service. Select ok
      Then click directly on the file to download
      This downloads the installer (hopefully to your desktop)
      Locate and double click the installer jre-6u4-windows-i586-p-iftw.exe (or whichever installer you chose)

    Next
    Ad-aware
    • Download and install the latest version of Ad-Aware (currently 2007 7.0.2.6)
    • If you download the file to your desktop, simply click on the installer icon. If you download to another folder navigate to it through my computer and doubleclick on aaw2007.exe
    • Follow the prompts to install the software and when it asks if you would like to do a "Standard" or "Advanced" Installation, select the Standard installation. Keep following the prompts and after the program has finished installing select Finish
    • If the program is starting for the first time, it will prompt you to enter your registration information. As we are using the free version of Ad-Aware 2007, we simply press the Cancel button at the screen asking us to enter our license information. Ad-Aware 2007 Free will now open. If you already have this version please open it.
    • Before running a scan, you should always make sure that Ad-Aware is up-to-date with the latest program files and malware definitions. This allows the software to recognize as much malware as it can when scanning your computer. To update Ad-Aware 2007 Free click on the Web Update section in the left pane. Now click on the Update button.
    • If an update is found it will tell you and you should click on the Yes button and let it download the update.
    • You can now click on the OK button to go back to the Ad-Aware status screen. When you are checking for updates, Ad-Aware may also alert you that there are new Program updates available. If so, select Yes to download these updates
    • Now click on the Scan tab in the left pane, select Full Scan then click Scan in the bottom right corner
    • When you are presented with your scan results, put a tick mark in the boxes to the left of the results, select the privacy objects tab and also put a tick in these boxes.
    • After all objects are selected you can hit Remove

    After these 2 steps post a new hijackthis log
  10. shaq9919

    shaq9919 Newcomer, in training Topic Starter

    Hi again BD,

    Again, thank you for your time and effort to help me.

    I seem to be able to get the MS updates, the only one it did was this:

    Successful Updates
    Windows Genuine Advantage Validation Tool (KB892130)

    I then downloaded the Java, pretty sure I did that right.

    I did the Ad-aware also, it is running that scan now. It has already found 117 items under Infections Detected so I may have a bigger problem than I thought.

    Once I have done as you said, should I run a full scan again with Ad-Aware, with my free AVG or with something else to see if I got rid of that JSDownloadAgent thing?

    UPDATE: Ad-Aware scan done, all 117 items are in the Privacy area. Will checkmark and remove per your instruction.
  11. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    After Ad-Aware is done, run a new HijackThis scan and save the log.

    Attach the log here so I can look at it
     
  12. shaq9919

    shaq9919 Newcomer, in training Topic Starter

    Will do, I am having to do a 2nd Ad-Aware Scan as in the removal process Ad-Aware had some problem and only removed about half of the 117 flagged items

    So as soon as that is done I will run that hijackthis log and post ASAP

    Thanks again, you rock!
  13. shaq9919

    shaq9919 Newcomer, in training Topic Starter

    Here is the updated log, all Ad-Aware flagged items were removed after 2nd scan
  14. shaq9919

    shaq9919 Newcomer, in training Topic Starter

    BD, are you still there?

    How does that log look now? Do you think the JS/Downloader.agent is still there?

    Thanks!
  15. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    1) Click Start -> Open My Computer.
    Then Select the Tools menu and click on the Folder Options given.
    Select the View Tab. Then under Hidden files and folders title, select the show hidden files and folders. Uncheck the Hide file extensions for the known file types. Uncheck the Hide protected operating system files option, which is recommended. Click yes to confirm. Click OK.

    2) Download ATF cleaner (Don't run it yet)
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    3) Close all windows
    Open Hijackthis
    Select do a system scan only
    Put a check mark next to the following
    O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
    Select Fix checked
    Close Hijackthis

    4) Right click on start -> Select Explore -> Navigate to and delete the following:
    C:\WINDOWS\system32\wyyimoj.dll <<< delete this file

    5) Clean Temp Files:

    • Double-click ATF Cleaner.exe to open it.

      Under Main choose:

      • Windows Temp
        Current User Temp
        All Users Temp
        Temporary Internet Files
        Prefetch
        Java Cache

        *The other boxes are optional*
        Then click the Empty Selected button.
      If you use Firefox:

      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

      Click Exit on the Main menu to close the program

    6) Restart the computer

    7) Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt

    8) Run Hijackthis again and select Do a System Scan and Save Log file

    ***Your next reply should include a combofix log as well as a Hijackthis log after following the instructions above.***
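
Added example, not part of the thread and not HijackThis code: a small Python parser for the log-line format quoted in the posts above (`O9 - Extra button: ...`, `O20 - Winlogon Notify: ...`) that pulls out the Winlogon Notify DLLs for review. The function names and the header line in the sample are constructed for illustration; the two entries are the ones quoted in the thread.

```python
import re

# Constructed sample: the two entries quoted in the thread, plus one
# constructed non-entry line to show that such lines are skipped.
SAMPLE_LOG = r"""Scan saved at 10:00:00 (constructed header line)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
"""

# A log entry is "<section code> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(text):
    """Split each entry into section code, kind and ' - '-separated fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        kind, sep, rest = m.group("body").partition(": ")
        if not sep:  # entry without a "kind:" prefix
            kind, rest = "", m.group("body")
        fields = [f.strip() for f in rest.split(" - ")]
        entries.append({"code": m.group("code"), "kind": kind, "fields": fields})
    return entries


def winlogon_notify_dlls(entries):
    """Return (name, dll_path) for each O20 Winlogon Notify entry.

    These DLLs are loaded by winlogon.exe, so each one deserves a look.
    """
    return [
        (e["fields"][0], e["fields"][-1])
        for e in entries
        if e["code"] == "O20" and e["kind"] == "Winlogon Notify"
        and len(e["fields"]) >= 2
    ]


if __name__ == "__main__":
    for name, path in winlogon_notify_dlls(parse_entries(SAMPLE_LOG)):
        print(f"review: {name} -> {path}")
```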