A number of members are getting this warning JS/TrojanDownloader.Agent.NRL.Agent.
I run my site on a vBulletin board. Can anyone please tell me what this is and how to deal with it, please?
Hi Mariner1, welcome to the forum
I am guessing that your site may have been hacked…
This kind of detection is very common these days, with many ‘legitimate sites’ becoming hacked to distribute malware:
Every 3.6 seconds a website is infected
Without the site, it will not be possible for anyone to possibly identify the threat, so could you post it?
NOTE: When you post the link, could you please modify it to make it unclickable (i.e. change http to hXXp) to prevent others potentially becoming infected.
Hopefully someone will be able to spot the offending hack…
-Scott-
Hi
Thanks for the reply. My site is hxxp://www.planetrocklosslessbootlegs.com
Hmmm…I don’t seem to get an alert. But then you say it is when people try to log in…
Do you have the exact alert location, or a screenshot?
Ok, some members get this warning with ESET: JS/TrojanDownloader.Agent.NRL.Agent. One member says every page he tries to open he gets the alert,
but when he disallows the site with the “NoScript” addon it doesn’t appear.
Some members with Avast and Norton get this: hxxp://www.planetrocklosslessbootlegs.com/clientscript/post_thanks.js.
I’ve removed the mod from my site that caused the post_thanks.js prob.
The screenshot to my login for the site is here: hxxp://safeweb.norton.com/report/show?url=planetrocklosslessbootlegs.com
As you can see, there are various reports, so I don’t know where to start.
Ok, that is a javascript file that (it seems) only appears when logged in…so it doesn’t load for me…
Do you have an original copy of that file? Can you replace it with the original?
It is quite likely that the file has been modified to include the malicious content. I would take a look at the file and see if there is anything out of the ordinary…
Damn, sorry, no, it was totally removed and replaced. I thought getting rid of it would be the safest thing to do.
Well that was what I was getting at, I was suggesting to replace it with a clean copy of the file…is that what you did?
If it still comes back, a vulnerability may be being exploited somewhere…
A post worth reading by DavidR
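Added example, not part of any post in this thread: one way to carry out the "compare against a clean copy" check suggested above is to hash every script file in the live web root and in a freshly unpacked clean package, then list what differs. The directory layout and every file name other than post_thanks.js are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root, suffixes=(".js", ".php")):
    """Map each script's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in suffixes}

def compare(clean_root, live_root):
    """Report files changed, added or missing relative to the clean copy."""
    clean, live = manifest(clean_root), manifest(live_root)
    return {
        "modified": sorted(f for f in clean if f in live and clean[f] != live[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }

def demo():
    # Constructed sample trees standing in for the clean package and the live site.
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean", "clientscript")
        live = Path(tmp, "live", "clientscript")
        clean.mkdir(parents=True)
        live.mkdir(parents=True)
        original = "function post_thanks_give(id) { return id; }\n"
        (clean / "post_thanks.js").write_text(original)
        (live / "post_thanks.js").write_text(original + "/* line not in the clean copy */\n")
        (clean / "example_other.js").write_text("var example = {};\n")
        (live / "example_other.js").write_text("var example = {};\n")
        (live / "extra.js").write_text("// file the clean package never shipped\n")
        return compare(Path(tmp, "clean"), Path(tmp, "live"))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files reported as modified or added are the ones to open and read first. Content served from the database is not covered by a file comparison, so a clean result here does not clear the site on its own.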
Ok, I’ve contacted our host and told him what you told me in the post above.
He said he doesn’t know how to do this and he suggested we basically started again from scratch.
The only thing we did is change passwords to our accounts.
Starting again from scratch would be a complete nightmare. I would need to pay someone to do the work you suggested above.
Any ideas where I can find someone to do this work for us, pls?
I’m not too sure…I would have thought your host would have been more helpful… :o
So I presume that the infection in that .js file is still there?
Have you replaced it with a clean version?
Has it come back if you have replaced it?
-Scott-
Yes, it has been removed. I did a clean install with a newer ver of the mod.
Do you still get alerts when logging in?
This is why people should always use NoScript. Do not deactivate it people, it might be annoying, but if you get used to it you see less and less ads, and in this case, Trojans.
I wonder how and why someone hacked your site, though. Might as well try and register as I have Avast IS and MalwareBytes to see if I get an alert.
Thanks for registering and checking this out. I’m really frustrated at this as my host can’t help and I don’t know where to turn.
No, there is no alert with or without NoScript. The website is clean, and nothing happens at login whatsoever.
Can you try browsing round the site, visit various pages, etc.?
If you read this thread hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408 it will show you some of the probs some members are having
7.2.2010 г. 15:50:30 ч. hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 15:59:29 ч. hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 15:59:47 ч. hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:00:06 ч. hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:00:26 ч. hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:06:27 ч. hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:07:31 ч. hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:07:51 ч. hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:08:06 ч. hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408|>{gzip} [L] JS:Illredir-B [Trj] (0)
This is the avast! Log. I don’t get avast warnings but that’s what the real-time shield says.
Sorry, your site has a bad boy and it’s called Illredir JavaScript Trojan, strain B.
Which means almost, if not every page is infected with some form of malicious JavaScript code.
For comparison, it’s 16:14 here, right now.
Hi
Thanks for looking into this. What’s the best way to remove this place
I have no idea man, I’ve never dealt with website infections. You’re better off asking the evangelists.