Recurring problem "Virus identified JS/Downloader.Agent" by AVG

By fracas!!
Feb 2, 2008
Topic Status:
Not open for further replies.
  1. Hello all!

    Whenever I open a new web browser page I get the following warning popup from AVG.

    Threat Detected!

    While opening file:c:\...Local Settings\Temporary Internet Files\content.IE5\0RJA30T5\wpad[1].htm
    Virus identified JS/Downloader.Agent

    I have moved countless files like this to the virus vault as they occur then delete them.
    I have gone through the Virus Removal Preliminary Instructions posted on this site and these are my results:

    1. Panda Antirootkit found no rootkits. No problems were found.

    2. I had problems starting combofix. (I got what looked like a memory error)....so used DSS and saved main.txt and extra.txt as required.

    3. At step 14 though, after AVG antispyware had run, there were a couple of problems found and one was quarantined but I then clicked on the wrong button and everything was cleaned before I could save the log file!!! I ran AVG again and hence no offending files were detected. I have still attached the log file for that scan.

    4. My laptop was slow but now it's starting up and running even slower than before.. I guess it is because of all the security docs I've now got running downloaded.

    5. Generally all scans showed no serious problems apart from a few cookies.

    I hope all this helps and I'm ready to perform any further scans/downloads if anyone can point me in the right direction. I still don't know what this warning means or what the file actually does to my laptop!!

    Thanks in advance. Hope I've posted this the right way. If not.. apologies!


    fracas!!

    Attached Files:

  2. frankibo

    frankibo Newcomer, in training Posts: 83

    Try to do scanning in safe mode. The virus will probably not be loaded then and you can delete it then.
  3. rf6647

    rf6647 TechSpot Maniac Posts: 931

    I am merely a novice who stumbled on this thread.

    HJT is a handy tool. Most 'fixes' performed by this tool are reversible by using the right-hand side of the window (other stuff ! backup ).

    Link to HJT usage.

    Suspicious:
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4CF96435-52DE-47F9-8321-CF88FA1E4941}: NameServer = 85.255.116.116,85.255.112.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA0C8E2-5B9D-4C86-94F2-AB09992951F5}: NameServer = 85.255.116.116,85.255.112.175

    Comments:
    O4 - this site is susceptible to malware
    O17 - Tracing route to 85.255.116.116-xbox.dedi.inhoster.com [85.255.116.116]
    O17 - Is inhoster.com known to user?
    O17 - Tracing route to resolver2.opendns.com [208.67.220.220]
    O17 - opendns.com seems to have good credentials.

    Based on your observation, I am guessing that the browser brings a file into the temporary internet files directory, and AVG jumps on it. Use HJT to experiment. Zap all 3 suspicious entries; open the IE browser; observe for AVG reaction. If AVG still barks, then I guessed wrong. Use HJT ! other stuff ! backups to reverse the fixes.

    I cannot validate the following:
    C:\WINDOWS\system32\inetsrv\inetinfo.exe

    AVG should have detected trojan attacks here.

    On my computer, folder 'inetsrv' is empty. However 'inetinfo.exe' is valid if MS Information Server (IIS) is running. I have not located an explanation for this.
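
The O17 check discussed in the post above can be automated. This is an added example, not part of the original thread or any poster's code: it parses HijackThis O17 `NameServer` lines and reports addresses that are not on an expected-resolver list. The `TRUSTED` list, the `audit_o17` name and the last sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample. The O4 line and the first two O17 lines are the ones quoted
# in the post above; the last O17 line is made up to show a clean adapter.
SAMPLE_LOG = r"""
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CF96435-52DE-47F9-8321-CF88FA1E4941}: NameServer = 85.255.116.116,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA0C8E2-5B9D-4C86-94F2-AB09992951F5}: NameServer = 85.255.116.116,85.255.112.175
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1 208.67.220.220
"""

# Assumption: resolvers this machine is expected to use (OpenDNS, named in the post).
TRUSTED = {ipaddress.ip_address(a) for a in ("208.67.220.220", "208.67.222.222")}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer\s*=\s*(?P<value>.*)$")


def audit_o17(log_text, trusted=TRUSTED, allow_private=True):
    """Return (registry_key, address, reason) for each unexpected NameServer value."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # The registry value may separate addresses with commas or spaces.
        for token in filter(None, re.split(r"[,\s]+", m["value"])):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings.append((m["key"], token, "not an IP address"))
                continue
            if ip in trusted or (allow_private and ip.is_private):
                continue  # expected resolver, or a LAN router handing out DNS
            findings.append((m["key"], str(ip), "resolver not on the expected list"))
    return findings


if __name__ == "__main__":
    for key, addr, reason in audit_o17(SAMPLE_LOG):
        print(f"{addr:<16} {reason}  [{key}]")
```

A statically configured resolver that the user or network administrator did not set is worth investigating before fixing the entry, since every DNS lookup on that adapter goes through it.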