JS:Agent-Q [Trj]

Good morning all,

Today when I turned on my computer I got a warning that JS:Agent-Q [Trj] was found but that Avast! stopped it. Here is an image of the log.

http://i6.photobucket.com/albums/y213/skatox/trojan.jpg

I have 2 questions:

  1. Did avast! remove it or just stop it?
  2. Should I be paranoid and re-format my machine?

Thanks for any reply and thanks Avast! for making such a great product.

It’s difficult to say. Most probably WebShield blocked it before it was even saved to the computer.

For sure not.
Just run a thorough scanning or schedule a boot time scanning with avast.
Do you use any other security (antispyware) product?

Thanks for the quick reply.

I did a boot-scan and nothing came up. I downloaded the antispyware you guys recommend (the one that AVG just bought).
It did look like WebShield blocked it; it said that I didn’t need to worry because Avast blocked it, but I don’t know if it was blocked before infection or if the request came from inside my computer, meaning I would already be infected. I’ve had Avast for over 3 months though and it was the first thing I installed after a fresh reformat.

In conclusion, the boot-scan found nothing, so I should be safe for now?

Now it happened on my laptop as well!

http://i6.photobucket.com/albums/y213/skatox/trojanfound.jpg

What gives?

Hi Miroresh,

This warning is typical of a ‘Storm’ worm malware download site.

You are either clicking on a link in a spam mail, which is taking you there, or you are visiting an infected site which is diverting you to the malware site.

At least that is what I suspect.

Yeah, what’s odd is that it happened when I opened Firefox by itself; I didn’t get a chance to visit any website when this came up. I’ll have to keep monitoring to see what is causing this.

Thanks all for your suggestions.

The file name given in the image shows it was detected on the internet and not your HDD.

So something on your system connected to that URL, you by clicking on a link or something directing you there as FWF mentions.

The IP in the image is for (PeterHost.Ru Hosting Provider)

Given that a boot-time scan and AVG-AS didn’t find anything, it may be that there is a hidden process responsible for the redirection, etc.

HIJACKTHIS - Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis - HJT Information HiJackThis Tutorial 1.

You could post the contents of the hijackthis.log file here, you may need to use two or more posts to do this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:34 PM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1078081533-1214440339-839522115-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jamie')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1187460881078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187460969078
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


End of file - 7057 bytes
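The HijackThis log above is a plain-text format that is easy to triage programmatically, which matters when a thread asks for the whole log and a reviewer has to find the few lines that count. The Python below is an added example, not code from this thread or from HijackThis itself: it parses a handful of lines copied from the posted log (embedded as a constructed sample), splits them into running processes and typed entries, and flags the autostart (O4), AppInit_DLLs (O20) and service (O23) items a reviewer would look at first. The trusted-root list and the flagging rules are my own heuristics and not HijackThis behaviour.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above. Raw string, so the Windows backslashes are kept as they are in the log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:34 PM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HijackThis finding starts with a type code such as R1, F2, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# First absolute Windows path ending in .exe/.dll inside an entry, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)
# Heuristic (my own, not HijackThis's): autostarts under these roots are usual.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, {type code: [entry body]})."""
    processes, entries = [], defaultdict(list)
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("kind")].append(m.group("body"))
    return processes, dict(entries)


def exe_path(body):
    """Absolute path of the binary an entry points at, or None if only a bare name is given."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage_autostarts(entries):
    """Return (type code, detail, reason) for items worth a closer look."""
    findings = []
    for body in entries.get("O20", []):
        # AppInit_DLLs is loaded into every process that links user32.dll,
        # so it is reviewed regardless of where the DLL lives.
        findings.append(("O20", exe_path(body) or body, "AppInit_DLLs injection point"))
    for kind in ("O4", "O23"):
        for body in entries.get(kind, []):
            path = exe_path(body)
            if path is None:
                findings.append((kind, body, "bare name, resolved via PATH at logon"))
            elif not path.lower().startswith(TRUSTED_ROOTS):
                findings.append((kind, path, "outside the Windows/Program Files trees"))
    return findings


if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} running processes, {sum(map(len, entries.values()))} entries")
    for kind, detail, reason in triage_autostarts(entries):
        print(f"{kind}: {detail}  <- {reason}")
```

On the sample this flags two items: the Google AppInit_DLLs entry (always worth a look because of where it loads) and the `nwiz` autostart, which has no absolute path. Neither is malicious here; the point is that the bulk of the log drops out and the reviewer's attention goes to the lines where a hidden loader would hide.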

Hi Miroresh :

So is your AVG Antispyware "Complete System Scan" detecting anything?
Best to have at least 2 antiSPYWARE/antiTROJAN programs on your computer, and the one that many Malware-fighting Experts recommend is the FREE ver of SUPERAntiSpyware from www.superantispyware.com. These 2 programs are best when it comes to dealing with "Trojans".

Have you "Updated" your RealPlayer program recently? If not, it would be wise to do so.

Let me congratulate you on having an up-to-date Sun Java; it is rare we see that on these Forums.

Nothing obvious in the log. I suggest you look for and remove any rootkits (hidden malware):

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

Awesome suggestions, will do that.

I also found that it was being triggered by a website I surfed to. I sent a msg to their webAdmin but no reply so far.

Thanks again all!

I did a rootkit scan and found nothing:

http://i6.photobucket.com/albums/y213/skatox/rootkit.jpg

So that’s one down; continue the process. FWF gave links for three, which are the more user-friendly and efficient/successful options.

I also found that it was being triggered by a website I surfed to.

As I suspected earlier, you were visiting an infected site. A number of sites have been infected with Storm worm malware recently.

It’s probably not a rootkit infection then, as the Panda scan confirms, but it won’t hurt to run the other scans.

Is avast protecting us from these nasties?

It seems like it is; I’ve gotten the “There’s no reason to worry” pop-up whenever I come across this malware. Don’t quote me though, as I don’t work for Avast!, but it sure seems like it’s protecting us. My main concern though is the other malware like this that it might not catch.

I think I’m too paranoid :-[

Here’s a list of the nasties typically served up by an infected site:

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Trojan-Proxy.Win32.Wopla.ag
Rootkit.Win32.Agent.ea
Trojan.Pandex
Goldun.Fam
Backdoor.Rustock
Trojan.SpamThru
Trojan.Win32.Agent.alt
Trojan.Srizbi
Trojan.Win32.Agent.awz
Email-Worm.Win32.Agent.q
Trojan-Proxy.Win32.Agent.RRbot
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview

http://sunbeltblog.blogspot.com/2007/08/breaking-bank-of-india-seriously.html

I don’t know if avast! detects all these. Hope so.

Maxx, any info from the virus analysts?

No update?

I also received a similar instance, with the same warning coming up and avast! blocking the connection.

My log file says the following:

Sign of “JS:Agent-Q [Trj]” has been found in “http://80.93.48.74/zxdqweasdqw/” file.

The warning popped up when I was on the “post bulletin” function on MySpace, so I guess there could possibly be a problem there?

I assume avast! stopped the problem before it did any harm to my system, but should I still be worried about it? This gets me a tad nervous and I obviously - like all of you - want to keep my system as safe as possible. I immediately did a full scan with avast!, with the results showing that my system is totally clean.

Also, I’m currently running Spybot - Search & Destroy and AdAware as my spyware scanners. The subsequent scans with those programs also came up clean. Are those two programs adequate, or should I be running something else in addition to or instead of those programs?
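Whether a detection like the one quoted above was caught in transit or on disk can be read straight from the log line, which is the point DavidR made earlier in the thread: the “file” is a URL when WebShield blocked the download, and a local path when the file was already on the machine. The Python below is an added example, not code from this thread or from avast!: it parses that wording, classifies each line as a network or disk hit, and pulls out the remote host so several reports can be compared. The first sample line is the one quoted in the post above; the second is constructed for contrast and its on-disk path is invented.

```python
import re
from urllib.parse import urlparse

# Constructed samples: the first line is the avast! log entry quoted in the post
# above; the second is an invented on-disk detection in the same wording.
SAMPLE_LINES = [
    'Sign of "JS:Agent-Q [Trj]" has been found in "http://80.93.48.74/zxdqweasdqw/" file.',
    r'Sign of "JS:Agent-Q [Trj]" has been found in "C:\Documents and Settings\user\Local Settings\Temp\example.js" file.',
]

# The avast! 4 wording: Sign of "<signature>" has been found in "<location>" file.
SIGN_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<where>[^"]+)" file\.')


def classify_detection(line):
    """Parse one avast! 'Sign of ... has been found in ... file.' line.

    Returns None if the line is not in that format, otherwise a dict with the
    signature name, the kind ('network' when the location is a URL, meaning
    WebShield blocked the download before it was written to disk; 'disk' when
    it is a local path, meaning the file was already on the machine) and the
    remote host for network hits."""
    m = SIGN_RE.search(line)
    if not m:
        return None
    where = m.group("where")
    parsed = urlparse(where)
    # A Windows path such as C:\... parses with scheme 'c', so test the scheme
    # explicitly rather than just checking that one is present.
    is_url = parsed.scheme in ("http", "https", "ftp") and parsed.hostname is not None
    return {
        "signature": m.group("sig"),
        "kind": "network" if is_url else "disk",
        "host": parsed.hostname if is_url else None,
        "location": where,
    }


def summarize(lines):
    """Count detections per kind and collect the distinct remote hosts seen."""
    counts, hosts = {"network": 0, "disk": 0}, set()
    for line in lines:
        hit = classify_detection(line)
        if hit is None:
            continue
        counts[hit["kind"]] += 1
        if hit["host"]:
            hosts.add(hit["host"])
    return counts, sorted(hosts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_detection(line))
    print(summarize(SAMPLE_LINES))
```

A network hit is the reassuring case the thread describes: the scanner saw the script on the wire, and the follow-up is a full scan to confirm nothing reached disk. A disk hit means a file did land and its path tells you which program wrote it, which is the case where the on-demand scans and the HijackThis log earlier in the thread earn their keep.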