Web Trac


Update: Removing JS/Downloader.Agent virus

Posted on Feb 02, 2008 under Security | 8 Comments

This is just an update to my last post, Removing JS/Downloader.Agent virus. I’m still not able to get rid of the problem, but I seem to have found its root.

The tool that I suggested in the last post is just a temporary solution. The actual problem is that my computer is not infected; it is other infected computer(s) on our cable network's LAN. AVG antivirus is just stopping the virus from infecting my computer.

When I posted my problem on a few other tech forums, they said that either my computer is infected, or I am regularly visiting some sites which are infected, or AVG is just identifying a normal file as a virus. Someone suggested that I should use another antivirus. So I downloaded Avast Home Edition, which is a free-to-use antivirus.

Avast is also detecting the same virus, just under a different name, and it also shows the location from which it is trying to download. It is http://g.asdafdgfgf.com/ads.js [don't visit this site].

When I searched for this link, I found a very helpful and informative thread at DevNetwork Forum.

Several people there are complaining about the same problem. Going through each post, what I understood is that:

First, a copy of the ads.js file is downloaded from http://g.asdafdgfgf.com/ [don't visit this site] onto an unprotected computer. Then it downloads and executes the ADS.EXE file.

ADS.EXE has been seen to perform the following behavior(s):

  • Executes a Process
  • Creates a TCP port which listens and is available for communication initiated by other computers
  • The Process is packed and/or encrypted using a software packing process

ADS.EXE has been the subject of the following behavior(s):

  • Created as a new Background Service on the machine
  • Created as a process on disk
  • Executed as a Process
  • Added as a Registry auto start to load Program on Boot up

More information on this file can be found at : SpywareData.com and Prevx.com.

Since the problem is not in my computer but in someone else's computer on our cable network's LAN, only the cable operator can help me in this matter.

Removing the infected computer(s) from the LAN is the only solution to this problem. In the forum someone suggested a tool for cable operators that helps in finding the infected computer. This tool can be downloaded from http://www.arechisoft.com/. A cable operator from Andheri/Mumbai has explained how they successfully got rid of this problem. Here it is if you want to read it: http://forums.devnetwork.net/viewtopic.php?p=438910#p438910

Since only the cable operator can help me in this matter, I’m trying to contact them. Let’s see how long it takes.


8 Responses to “Update: Removing JS/Downloader.Agent virus”

  1. Arun Says:
    February 8th, 2008 at 5:59 am

    Even I am having the same problem … what I have found is that when I am using IE, AVG keeps giving popups saying threat detected … if you see the location [C:\Documents and Settings\Arun Sharma\Local Settings\Temporary Internet Files\content.ie5\D8ZK64XL\ads[1].js ]
    somehow this is only affecting IE; Mozilla seems to be resilient .. what do you think …

  2. admin Says:
    February 8th, 2008 at 3:17 pm

    Yes, I had the same problem; it seems my cable operator is working on it. The problem is not solved 100% yet, and I am still getting the warning occasionally. It seems there are still a few infected PCs in our network.

  3. Anil Chandra K Says:
    February 21st, 2008 at 2:01 pm

    This problem is caused by an infected PC in your network spoofing ARP.

    This problem is explained at http://www.netoptima.in/arprotect/

    There is a freeware tool available. You can download the tool from the above link to analyze the network and pinpoint where the problem is originated.

    Anil Chandra K

  4. Eddy Says:
    February 21st, 2008 at 10:09 pm

    Hi!
    Thank you! Your explanation was the best on the net about this virus! So, now I can stop scanning without seeing results, because clearly the trouble is not in my machine.
    All the best.

  5. Nwteat Says:
    March 15th, 2008 at 9:04 am

    My college LAN is suffering from the same problem. We have isolated the computers which have the problem, but how to clean them??

  6. hk.www404.cn:53/ads.js | Web Trac Says:
    May 10th, 2008 at 8:12 pm

    [...] JS/Downloader.Agent virus is keep changing it’s [...]

  7. Dhiru Says:
    August 6th, 2008 at 2:11 am

    Well, I had the same problem with my network, but luckily my ISP provides a good antivirus as a compulsion. I had 3 infected PCs in my network. Whenever these PCs were on, I used to have this problem.

    My Solution that worked for me:
    1. Whenever you get this problem, Ping to your Gateway and check Latency
    2. Scan for all the PC’s in the network using some third party software to determine their MAC address. Once done, note down the infected IP’s MAC Address and also note down the MAC Address of your .
    2. Change your IP address
    3. Disable your LAN Adapter
    4. Reenable your LAN Adapter
    5. In the Command Prompt, type “arp -s
    EX: ARP -S 10.21.207.1 00-11-11-b9-57-66
    6.Similarly use “ARP -S
    7. Once done, type “ARP -A” to see the changes.
    8. Change back your IP address and look for the Gateway Ping Latency. You can observe relatively lower latency because all your data packets are directly reaching the Gateway instead of the Infected Computer.
    9. In this way, I do it every time I start my PC. I know the list of Infected PCs so I just assign a Static ARP Entry so that they can spoof my ARP.

    Hope this Helps!
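The static-ARP steps in the comment above depend on knowing the gateway's real MAC address. As an added example (not code from the original post or its commenters), this Python script parses Windows `arp -a` output and flags a gateway entry that does not match the known MAC, is not static, or shares its MAC with another IP, which is how ARP spoofing shows up in a victim's table. The sample table, the function names and every address except the comment's 10.21.207.1 / 00-11-11-b9-57-66 pair are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output, not captured from a real network.
# The gateway IP is the one in the comment's example; all other values are made up.
SAMPLE_ARP_A = """\
Interface: 10.21.207.45 --- 0x2
  Internet Address      Physical Address      Type
  10.21.207.1           00-1a-2b-3c-4d-5e     dynamic
  10.21.207.23          00-1a-2b-3c-4d-5e     dynamic
  10.21.207.77          00-0c-29-aa-bb-cc     dynamic
  10.21.207.255         ff-ff-ff-ff-ff-ff     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)

def parse_arp_table(text):
    """Return (ip, mac, entry_type) tuples from `arp -a` output, lower-cased."""
    return [(ip, mac.lower(), kind.lower()) for ip, mac, kind in ENTRY.findall(text)]

def check_arp_table(text, gateway_ip, known_gateway_mac):
    """Flag signs that the gateway's ARP entry has been taken over by another host."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac, kind in parse_arp_table(text):
        if int(mac[:2], 16) & 1:      # broadcast/multicast MACs are shared by design
            continue
        ips_by_mac[mac].append(ip)
        if ip == gateway_ip:
            if mac != known_gateway_mac.lower():
                findings.append(("gateway-mac-mismatch", ip, mac))
            if kind != "static":
                findings.append(("gateway-not-static", ip, mac))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:              # one adapter answering for several IPs
            findings.append(("shared-mac", mac, tuple(ips)))
    return findings

if __name__ == "__main__":
    # 00-11-11-b9-57-66 is the gateway MAC from the comment's example command.
    for finding in check_arp_table(SAMPLE_ARP_A, "10.21.207.1", "00-11-11-b9-57-66"):
        print(finding)
```

In a `shared-mac` finding that includes the gateway IP, the other IP in the tuple is the machine to investigate first.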

  8. Chris Says:
    December 15th, 2008 at 2:56 pm

    JS/Download is a JA script that is being downloaded to your computer from infected webpages. If you edit or own a webserver or host a website on your own then more than likely the website has been compromised.
    What I mean is you will find that the code below has been entered into every HTML document on your system, remote or local, and has to be removed.
    [code]Code Removed[/code]

    To remove the infection use the following tool in safe mode. Once you have run the tool you will have to clean all HTML files of the script code above.
    http://www.precisesecurity.com/tools-resources/adware-tools/smitfraudfix/
    Hope this helps
    Chris
