JS/Downloader.Agent in Windows 98SE(RESOLVED)

SMCorp · #1 (**permalink**) 14-11-2007, 09:29 AM

Hi, I have found this forum and a number of others by searching the web, and I tried to work the methods given to other people before posting the exact same question, but I have to post a new topic because none of the solutions work for me.

A brief background on the PC:

I have used Windows 98SE FAT32 for 7 years and 11 months and have much invested in it. Every time I have switched to a newer system (ME, XP, Vista), I have switched back, and I have dumped computers that can't run 98SE. I am happy with the hardware and software and wish things wouldn't keep changing, but they do. I used Norton AV as long as I could update a version from 1999 (and OEM that would mistakenly do a free live update for six years), but it expired and I bought a 2005 version, which was the last version that would work with 98SE. It was the worst piece of software I had ever used, it not only slowed the PC down up to 100%, but it damaged many applications by "fixing" problems it found (in programs that had run fine for 2-4 years). Once uninstalled, it took a month to rebuild my computer to what it was, but I was missing a lot of cache stuff. I switched to AVG free because people had been recommending it for years. It put minimal load on the PC so I didn't hate it, though I don't know how great it is. I now have the first threat I have had in at least 4 years (and that one in 2003 may have been a false alarm). I use two AMD PCs, a 1.4ghz and a 2.4ghz and swap a pullout IDE drive between them and back up to other pullout IDE drives. I will be switching over to a Intel Celeron 3.2ghz as soon as I can get this cleaned out. It accesses DSL through a Speedstream DSL modem and an Airlink router with hardware firewall. I relaxed the settings just enough to let me use an ftp program (FireFTP) to upload files to my websites.

Five days ago, AVG free alerted me to a threat in a daily scan. It showed two occurrences of JS/Downloader.Agent in two .html files in a folder in My Documents. BTW, those files had been there for at least four months without causing any alerts to sound off, and I have the daily AVG free update and scan. Now, AVG free alerts me to it daily for the past five scans, but never fixes it. AVG vcleaner.exe doesn't find it, even if renamed.

I searched for solutions to this problem and found a lot of people with the same problem, and I tried to work the methods given to other people, but none of the solutions work for me because I can't even work the steps. Much of it is that I am running 98SE, and most of the "install and run this" instructions don't work because XP or Vista is required. The rest of it is that my box (the 1.4ghz AMD w/768mb RAM) won't run the Trend Micro Housecall scan. It gives me an error saying that I don't have enough memory and to close other applications. This is nonsense because I have closed everything in the system tray except Explorer before trying to run this scan from a web browser. I have run that scan countless times in the past with both computers and a 450mhz PIII that I had, but it won't work now. I normally use Firefox 2.0.0.6 in this attempt, but it also fails in IE. I have a bad feeling that my occasional use of IE (for videos and such that won't run in FF) might be what led to this JS/Downloader.Agent infection in the first place, but that might just be a prejudiced suspicion. I don't click on any e-mail attachments I haven't requested, and I don't use Outbreak Express, I use Thunderbird 2.0.0.6.

Can you suggest a method to clean this out? I have downloaded HiJackThis but I'm not bright enough to analyze the output. Thank you.

P.S. Another (possibly related) problem sprang up exactly the same day as this, the BitTorrent client I use for missed TV episodes became almost totally nonfunctional. I use uTorrent and it suddenly stopped working. If I boot fresh and start it, it will start working, ramping up download speed to 30K or 60K, then after 2-5 minutes, it will stop doing any uploading or downloading at all. Closing it and restarting it does not help, it fails immediately. I can reboot the PC and try again, but it only gets me a few minutes of activity.

Neal · #2 (**permalink**) 14-11-2007, 08:52 PM

I need to see a hijackthis log and a link is available in my signature, just scroll down until you find it and follow instructions and post the uninstall list also. Thanks.

Also, online trojan scanner available here:

http://www.windowsecurity.com/trojanscan/

SMCorp · #3 (**permalink**) 28-11-2007, 03:16 AM

Hi Neal, thanks for the reply.

First, let me thank you for referring me to a scanning engine that actually works with 98SE. It confirmed what AVG said, plus found some benign cookie stuff.

Second, after this first post, and before your reply came in, I was searching for a Wordpad file with certain text in it, and when it searched through that folder (music/others), AVG activated and blew up on it. It told me there was a threat in two files, just as it had in all the daily scans, but this time, it asked me if I wanted to move them to the virus vault. I clicked okay. They don't appear in my daily scans anymore. I then emptied the virus vault for the first time ever.

Third, after this first post, I noticed something in the add/remove programs list called WinPcap 3.1. It is a packet sniffer application that I never heard of, so I never knowingly installed it. It may have been bundled with something else, but I never saw it before now and I look in there pretty often. I uninstalled it. It did not reappear. I cleared the Java cache from control panel>Java>temporary internet files.

Finally, please see my hijackthis log and uninstall list below. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:22 PM, on 11/27/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP\IKESERVICE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDUL2.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\ACRONIS\TRUEIMAGE\TRUEIMAGEMONITOR.EXE
C:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\PDESK\PDESK.EXE
C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\FLATBED.EXE
C:\PROGRAM FILES\NERO\DATA\XTRAS\MSSYSMGR.EXE
C:\WINDOWS\SYSTEM\PDESK\PDMMD.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP\PGPTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE
C:\WINDOWS\CDPLAYER.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WheelMouse] 4dmain.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IKEService95] C:\Program Files\Network Associates\PGP\IKEService.exe
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRAM FILES\AHEAD\NERO BACKITUP\NBJ.EXE"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\NERO\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU\..\Run: [Matrox MultiDesktop] C:\WINDOWS\SYSTEM\PDESK\PDMMD.EXE /Startup
O4 - HKUS\.DEFAULT\..\Run: [NBJ] "C:\PROGRAM FILES\AHEAD\NERO BACKITUP\NBJ.EXE" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\NERO\DATA\XTRAS\MSSYSMGR.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Matrox MultiDesktop] C:\WINDOWS\SYSTEM\PDESK\PDMMD.EXE /Startup (User 'Default user')
O4 - .DEFAULT Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPTray.exe (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM\sistray.exe (User 'Default user')
O4 - Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPTray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM\sistray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_12\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_12\BIN\SSV.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

--
End of file - 5775 bytes

---------------------------------------------------------------------

AC3Filter (remove only)
ACDSee
Ace Media Player
Acronis True Image
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 5.0
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 5.0
Adobe Reader 6.0.1
AVG 7.5
Dan Elwell's Broadband Speed Test
Dual Wheel Mouse 4D V5.5
GSpot Codec Information Appliance
HijackThis 2.0.2
HSP56 MR Drivers
Internet Explorer Q891781
J2SE Runtime Environment 5.0 Update 12
LiveUpdate 3.0 (Symantec Corporation)
Matrox Graphics Software (remove only)
Memorex External DVD (All) Win98SE USB 2.0 Drivers Setup
Microsoft .NET Framework 1.1
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
Microsoft VGX Q833989
Microsoft Windows Critical Update Notification
ML-1710 Series
Mozilla (1.7.13)
Mozilla Firefox (2.0.0.6)
Mozilla Thunderbird (2.0.0.9)
Nero PhotoShow Express
Nero Suite
oggcodecs 0.71.0946
Opera 9.02
Outlook Express Q837009
PGPfreeware 6.5.8
PowerDVD
ProSavageDDR and Utilities
Remove Unofficial Universal USB 2.0 Stack
S3Display
S3Gamma2
S3Info2
S3Overlay
SiS 900 PCI Fast Ethernet Adapter Driver
SiS Audio Driver
SiS Audio Driver
SiS VGA Utilities
SiS630_730 V2.00c.01
SiSAGP driver
TextPad 4.7
TravelDrive 2C
VIA Audio Driver Setup Program
Visioneer 3100b Scanner Driver
Visioneer PaperPort 5.3
Windows 98 KB891711 Update
Windows 98 KB896358 Update
Windows 98 KB908519 Update
Windows 98 KB918547 Update
Windows 98 Q823559 Update
Windows 98 Q888113 Update
Windows Media Player system update (9 Series)
WinZip
WM Recorder 11.2
Xvid 1.1.2 final uninstall

Neal · #4 (**permalink**) 28-11-2007, 07:49 AM

Everything looks good from here.

Your right about 98se not having available tools for it like XP or 2000 to scan and remove malware.

Vista is in the same boat but will eventually catchup.

For junk cleaning:

Please download ATF Cleaner by Atribune to desktop.
http://www.atribune.org/public-beta/ATF-Cleaner.exe

Double-click ATF-Cleaner.exe to run the program.

If you would like to keep your cookies don't check that item

* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use Firefox browser click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* If you use Opera browser click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

How is it going now?

SMCorp · #5 (**permalink**) 09-12-2007, 08:02 AM

Thanks for the reply. After AVG put the Js/Downloader.Agent in the virus vault, things started acting normal again, not slow and strange on the internet. So, I think it is fine now and I thank you for your help.

SMCorp · #6 (**permalink**) 09-12-2007, 08:30 AM

I just sent $5 by Paypal for the help. Thanks again.

Neal · #7 (**permalink**) 10-12-2007, 12:13 AM

Thanks for the donation and thanks for stopping by.

If you are no longer having any more trouble here is some preventative measures for you.

Be sure to re-hide hidden files/folders if you were asked to unhide them

Here are some preventive measures you can take to keep your computer from getting infected again. also keep all these and Ad-awareSE and SpybotS&D updated.

Read This First - IMPORTANT Instructions

Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.

Explained Here:
Windows XP: http://vil.nai.com/vil/SystemHelpDoc...ysRestore.aspx

Explained Here
Microsoft ME:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

Please download ATF Cleaner by Atribune to desktop.
http://www.atribune.org/public-beta/ATF-Cleaner.exe

Double-click ATF-Cleaner.exe to run the program, to clean junk files off your PC.

If you would like to keep your cookies don't check that item

* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use Firefox browser click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* If you use Opera browser click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

RegProtect

This small registry protection tool will save you hours of heartache by notifying you when some program good or bad is trying to access your registry.

You have the option of allowing(good) items or blocking(bad)items.

http://www.diamondcs.com.au/index.php?page=regprot

To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

http://www.microsoft.com/windows/ie/default.asp

2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching, there are a some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1

Avast: http://www.avast.com/eng/avast_4_home.html

3. In addtion to using Ad-aware consider using another free malware scanning/removal program:
Windows Defender

http://www.microsoft.com/athome/secu...e/default.mspx

4. Consider using a free firewall if you are not already using one. Some good free ones are:
Kerio

Sunbelt

Comodo Personal Firewall:

Comodo

5. Consider using an alternate free browser for general web surfing but you must use IE for windows update.
Mozilla Firefox: www.mozilla.org/products/firefox/

6. Consider increasing your browser security by using these programs:
SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking Thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:

http://www.javacoolsoftware.com/spywareblaster.html

If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/

IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm

Block access to Untrustworthy Sites

You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the: MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.

*Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's Free