Author Topic: JS:Agent-Q (svchost)  (Read 4108 times)


Offline angryjames

  • Newbie
  • *
  • Posts: 4
JS:Agent-Q (svchost)
« on: September 02, 2007, 01:45:28 PM »
Just been hit with: JS:Agent-Q [Trj], with an attempt to access http:/58.65.239.138/sobchak/index.php.

Avast (4.7 Home Ed) jumped on it and gave me the option to abort the connection.

I noticed a few days back some protection faults during the day in svchost. I ignored them at the time, but when Avast threw this up I did a bit of digging.

I used SysInternals Autoruns to locate an undesirable entry: c:\windows\system\svchost.exe in start-up. Not your regular svchost found in system32.

I then used SysInternals Process Explorer and noticed a svchost.exe child process of explorer. Normally these run under services.exe. This svchost contained no services and had three threads running. It also had (prior to the Avast connection abort) a TCP/IP connection.

Avast scan on this file showed nothing. The file was modified/created about two weeks ago.

SuperANTISpyware scan found Trojan.Downloader-Gen/SVCHost-Fake.

Sadly I'm unaware how this has managed to get onto the machine, certainly Avast cannot detect it.

All the best,
James
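The three checks James applied by hand with Autoruns and Process Explorer (image path outside System32, parent is explorer.exe rather than services.exe, no services hosted) can be expressed as a small triage script. The following is an added example, not code from the thread or from any of the tools mentioned; the process table it runs over is constructed for the example, and the field names, the `Proc` record and the `find_suspicious_svchost` function are assumptions of this illustration. On a live machine the same records would come from a process listing (Process Explorer's export, or `Get-CimInstance Win32_Process` plus `Win32_Service` for the hosted-service names).

```python
"""Flag svchost.exe instances that do not look like the genuine service host.

Rules, taken from the observations in the post above:
  1. the image must live in %SystemRoot%\\System32 (the rogue copy was in \\windows\\system)
  2. the parent should be services.exe (the rogue copy was a child of explorer.exe)
  3. a genuine service host hosts at least one service (the rogue copy hosted none)
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Proc:
    """One row of a process listing (constructed format for this example)."""
    pid: int
    ppid: int
    name: str
    path: str
    services: List[str] = field(default_factory=list)  # services hosted, if any


def find_suspicious_svchost(
    procs: List[Proc],
    expected_dir: str = r"c:\windows\system32",  # assumes SystemRoot is C:\Windows
) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every svchost.exe that breaks one of the rules."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []

        # Rule 1: image location. Compare case-insensitively; NTFS paths are not case-sensitive.
        directory, _, _ = p.path.lower().rpartition("\\")
        if directory != expected_dir.lower():
            reasons.append(f"image outside System32: {p.path}")

        # Rule 2: parent process. A parent that has already exited (PID not in the
        # table, or reused) is reported as unknown rather than silently accepted.
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<unknown>"
        if parent_name != "services.exe":
            reasons.append(f"parent is {parent_name}, not services.exe")

        # Rule 3: a service host with nothing to host is not doing its job.
        if not p.services:
            reasons.append("hosts no services")

        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed sample process table: one legitimate svchost and one that matches
# the description in the post (wrong directory, child of explorer, no services).
SAMPLE_PROCS = [
    Proc(500, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe", ["Dnscache", "wuauserv"]),
    Proc(1200, 900, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2500, 1200, "svchost.exe", r"c:\windows\system\svchost.exe"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious_svchost(SAMPLE_PROCS).items():
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Only the copy in `c:\windows\system` is reported, with all three reasons; the genuine instance under `services.exe` passes. Any single rule on its own is weak (a legitimate host can briefly show no services during start-up, and a parent can exit leaving a stale PPID), which is why the script reports every reason it finds rather than stopping at the first.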


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: JS:Agent-Q (svchost)
« Reply #1 on: September 02, 2007, 02:50:25 PM »
If you are not getting a virus warning that you believe is a new, undetected virus then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces).
Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new, undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline angryjames

  • Newbie
  • *
  • Posts: 4
Re: JS:Agent-Q (svchost)
« Reply #2 on: September 02, 2007, 03:39:18 PM »
Thanks for the info. I will do that. Just one slight snag, I'm a GMail user and that means I cannot send executables. They even search through ZIP files and I believe they check the file contents, so a simple extension rename does not work.

I have since checked with SuperANTISpyware, my Program Files directory and sub-dirs, and nothing is infected. Perhaps this was delivered in a set-up program, although I'm at a loss to know which since I rarely install anything.

The alternative is that it came over the web, seems unlikely unless it came from a trusted site (nothing runs native unless I approve it)?!?

Possible JavaScript breach?!? Also seems impossible to me.

James

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: JS:Agent-Q (svchost)
« Reply #3 on: September 02, 2007, 04:28:30 PM »
If you password protect the zip file as mentioned it can't check the files in the zip folder but it may be able to see the .exe file name but not examine the file.

So a file rename to suspectfile.old something like that might work as the password protection should stop the file being opened to identify the file type or scan the file.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: JS:Agent-Q (svchost)
« Reply #4 on: September 02, 2007, 04:37:27 PM »
angryjames: you can send executables.. but you must put them to encrypted rar and CHECK the ENCRYPT FILE NAMES option ;)..

Offline angryjames

  • Newbie
  • *
  • Posts: 4
Re: JS:Agent-Q (svchost)
« Reply #5 on: September 02, 2007, 07:23:05 PM »
Thank you both for the advice. I will send the file over asap.

James

Offline angryjames

  • Newbie
  • *
  • Posts: 4
Re: JS:Agent-Q (svchost)
« Reply #6 on: September 02, 2007, 07:33:52 PM »
The file has been sent.

Now I'm going to try to discover the delivery mechanism and report back with anything I find.

James

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: JS:Agent-Q (svchost)
« Reply #7 on: September 02, 2007, 08:14:36 PM »
Quote from: angryjames on September 02, 2007, 07:23:05 PM
Thank you both for the advice. I will send the file over asap.

James

No problem, glad we could help.

Welcome to the forums.