JS:Agent-Q [Trj]

Lisandro · 2007-09-01T12:35:01.000Z

Miroresh post:1:

I have 2 questions:

Did avast! remove it or just stopped it.

It’s difficult to say. Most probably WebShield blocked it before it was even saved to the computer.

Miroresh post:1:

Should i be paranoid and re-format my machine?

For sure not.
Just run a thorough scanning or schedule a boot time scanning with avast.
Do you use any other security (antispyware) product?

system · 2007-09-01T15:36:34.000Z

Thanks for the quick reply.

I did a boot-scan and nothing came up. I downloaded the antispyware you guys recommend (the one that AVG just bought).
It did look like it Webshield blocked it, it said that i didn’t need to worry because Avast blocked it but i don’t know if it was blocked before infection or if the request came from inside my computer, meaning i would already be infected. I’ve had Avast for over 3 months though and it was the first thing i installed after a fresh reformat.

In conclusion, boot-scan found nothing so i should be safe for now?

system · 2007-09-01T15:42:21.000Z

Now it happened on my laptop as well!

http://i6.photobucket.com/albums/y213/skatox/trojanfound.jpg

What gives?

FreewheelinFrank · 2007-09-01T16:02:20.000Z

Hi Miroresh,

This warning is typical of a ‘Storm’ worm malware download site.

You are either clicking on a link in a spam mail, which is taking you there, or you are visiting an infected site which is diverting you to the malware site.

At least that is what I suspect.

system · 2007-09-01T16:38:19.000Z

Yeah, what’s odd is that it happened when i opened firefox by itself, didn’t get a chance to visit any website when this came up. Have to keep monitoring to see what is causing this.

Thanks all for your suggestions.

DavidR · 2007-09-01T16:40:46.000Z

The file name given in the image shows it was detected on the internet and not your HDD.

So something on your system connected to that URL, you by clicking on a link or something directing you there as FWF mentions.

The IP in the image is for (PeterHost.Ru Hosting Provider)

The fact that a boot-time scan and avg-as didn’t find anything it may be that there is a hidden process responsible for the redirection, etc.

HIJACKTHIS - Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis - HJT Information HiJackThis Tutorial 1.

You could post the contents of the hijackthis.log file here, you may need to use two or more posts to do this.

system · 2007-09-01T18:31:59.000Z

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:34 PM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O4 - HKLM..\Run: [IntelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1078081533-1214440339-839522115-1005..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User ‘Jamie’)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra ‘Tools’ menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1187460881078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187460969078
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

–
End of file - 7057 bytes

system · 2007-09-01T18:59:28.000Z

Hi Miroresh :

  So is your AVG Antispyware "Complete System Scan" detecting anything ?
  Best to have at least 2 antiSPYWARE/antiTROJAN programs on your 
  computer and the one that many Malware-fighting Experts recommend is
  the FREE ver of SUPERAntiSpyware from www.superantispyware.com .
   These 2 programs are best when it comes to dealing with "Trojans".

   Have you "Updated" your RealPlayer program recently ? If not, it would be
  wise to do so .

   Let me congratulate you on having an up-to-date Sun Java; it is rare
   we see that on these Forums.

FreewheelinFrank · 2007-09-01T19:19:35.000Z

Nothing obvious in the log. I suggest you look for and remove any rootkits (hidden malware):

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

system · 2007-09-02T12:29:24.000Z

Awesome suggestions, will do that.

I also found that it was being triggered by a website I surfed to. I sent a msg to their webAdmin but no reply so far.

Thanks again all!

system · 2007-09-02T12:37:50.000Z

I did a rootkit scan and found nothing:

http://i6.photobucket.com/albums/y213/skatox/rootkit.jpg

DavidR · 2007-09-02T12:53:59.000Z

So one down, continue the process, FWF gave links for three which are the more user friendly and efficient/successful options.

FreewheelinFrank · 2007-09-02T21:38:41.000Z

I also found that it was being triggered by a website I surfed to.

As I suspected earlier, you were visiting an infected site. A number of sites have been infected with Storm worm malware recently.

It’s probably not a rootkit infection then, as the Panda scan confirms, but it won’t hurt to run the other scans.

Lisandro · 2007-09-02T22:45:35.000Z

FreewheelinFrank post:14:

A number of sites have been infected with Storm worm malware recently.

Is avast protecting us from these nasties?

system · 2007-09-03T04:09:13.000Z

Tech™ post:15:

FreewheelinFrank post:14:

A number of sites have been infected with Storm worm malware recently.

Is avast protecting us from these nasties?

It seems like they are, i’ve gotten the “There’s no reason to worry” pop up whenever i come across with this malware. Don’t quote me though as i don’t work for Avast! but it sure seems like it’s protecting us. My main concern though is the other malware like this that it might not catch.

I think i’m too paranoid :-[

FreewheelinFrank · 2007-09-03T06:11:34.000Z

Tech™ post:15:

FreewheelinFrank post:14:

A number of sites have been infected with Storm worm malware recently.

Is avast protecting us from these nasties?

Here’s a list of the nasties typically served up by an infected site:

Email-Worm.Win32.Agent.l Rootkit.Win32.Agent.dw Rootkit.Win32.Agent.ey Trojan-Downloader.Win32.Agent.cnh Trojan-Downloader.Win32.Small.ddy Trojan-Proxy.Win32.Agent.nu Trojan-Proxy.Win32.Wopla.ag Trojan.Win32.Agent.awz Trojan-Proxy.Win32.Xorpix.Fam Trojan-Downloader.Win32.Agent.ceo Trojan-Downloader.Win32.Tibs.mt Trojan-Downloader.Win32.Agent.boy Trojan-Proxy.Win32.Wopla.ah Trojan-Proxy.Win32.Wopla.ag Rootkit.Win32.Agent.ea Trojan.Pandex Goldun.Fam Backdoor.Rustock Trojan.SpamThru Trojan.Win32.Agent.alt Trojan.Srizbi Trojan.Win32.Agent.awz Email-Worm.Win32.Agent.q Trojan-Proxy.Win32.Agent.RRbot Trojan-Proxy.Win32.Cimuz.G TSPY_AGENT.AAVG (Trend Micro) Trojan.Netview

http://sunbeltblog.blogspot.com/2007/08/breaking-bank-of-india-seriously.html

I don’t know if avast! detects all these. Hope so.

Lisandro · 2007-09-04T03:47:29.000Z

FreewheelinFrank post:17:

I don’t know if avast! detects all these. Hope so.

Maxx, any info from the virus analysts?

system · 2007-09-07T17:12:44.000Z

No update?

system · 2007-09-23T07:42:32.000Z

I also received a similar instance, with the same warning coming up and avast! blocking the connection.

My log file says the following:

Sign of “JS:Agent-Q [Trj]” has been found in “http://80.93.48.74/zxdqweasdqw/” file.

The warning popped up when I was on the “post bulletin” function on MySpace, so I guess there could possibly be a problem there?

I assume avast! stopped the problem before it did any harm to my system, but should I still be worried about it? This gets me a tad nervous and I obviously - like all of you - want to keep my system as safe as possible. I immediately did a full scan with avast!, with the results showing that my system is totally clean.

Also, I’m currently running Spybot - Search & Destroy and AdAware as my spyware scanners. The subsequent scans with those programs also came up clean. Are those two programs adequate enough, or should I be running something else in addition/instead of those programs?

oldman960 · 2007-09-23T08:16:33.000Z

If you hit the abort connection button on the web shield warning then the connection would have been dropped before the file reached your hd.

You may want to consider one of the programs in Spiritsongs’ earlier post.

Announcements