Sudden appearance of js/Agent.NKW Trojan

[kevinp]

I've been working on a new installation of ps 1.5.6.2 when, all of a sudden, on testing a product view I get an ESET Smart Security warning that the site has this nasty js/Agent.NKW Trojan.

 

I've been unable to find any other references in the forum, and haven't been able to locate the offending file on my site.

 

The ESET Smart Security log tells me the first 'sighting' was 3:21pm yesterday, and it's url is >> http://bornstorytellers.net/shop/index.php?id_product=5&controller=product » GZ » file.htm

 

The warning appears no matter which product is clicked on, but it is only when I click on a product that it happens.

 

I have since changed my password and the admin folder name, but that's a bit like shutting the gate after the horse has bolted.

 

I need to find and get rid of the nasty, can anyone help point me in the right direction? Much appreciated.

[vekia]

hello

tried to check your website,

it's blank:

[kevinp]

Thanks vekia,

 

That's what happens at the product page link ... on my computer it says it's because ESET terminates the connection because of the trojan. Perhaps your security does the same? I don't know.

 

You can go to http://bornstorytellers.net/shop

 

The home page will load but when you try to get a product page, it just goes blank. Thanks for looking.

 

K

[vekia]

can you check this file please: http://bornstorytellers.net/shop/themes/js/product.js

for me it's blank, weirdy, my eset doesnt inform me about wiruses etc.

[kevinp]

I replaced that file with one from the downloaded ps ... still the same problem, still get the virus warning.

 

Weird.

 

I did a filezilla search for the two items identified by ESET ... 'GZ' and 'file.htm' The only gz files were en.gzip and fr.gzip in translations and the only single name for 'file' found was a folder in modules/trustly/phpselib There didn't seem to be any file called 'file.htm'

 

Could it be in the 'controller' part of the string?

 

Thanks

Edited March 3, 2014 by kevinp (see edit history)

[kevinp]

Here's what appears in the java console >>

 

Uncaught SyntaxError: Unexpected token } index.php?id_product=1&controller=product:1

Failed to load resource: net::ERR_CONNECTION_RESET http://bornstorytellers.net/shop/index.php?id_product=1&controller=product

 

 

When I click on the link under 'network' I get the following report >>

 

1.  

1. Request URL:
   http://bornstorytellers.net/shop/index.php?id_product=4&controller=product
2. Request Method:
   GET
3. Status Code:
    
   200 OK
4. Request Headersview source
   1. Accept:
      text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
   2. Accept-Encoding:
      gzip,deflate,sdch
   3. Accept-Language:
      en-US,en;q=0.8,en-AU;q=0.6
   4. Cache-Control:
      no-cache
   5. Connection:
      keep-alive
   6. Cookie:
      25d4004548b967339225fcbbb24b371a=QyNTCvoaawTfWeV%2B3aHqzUpNwtIfvV%2B1p9h%2FShVfl0LycDWI1P5oyihKJCWX4pUnCTwKb2hu9lyLKZv36yz2KQ%3D%3D000060; c89b1bffcb08ec0c354baae160ce5565=6OqidHvXtZj2cMF%2Fe723Jh%2FJI0%2FgekK%2FzK94%2Blhsw%2BdJfJq%2BcYLTkL13EI4uipgzCu%2By84lI2jmwmgPtvPZxXanGwqjuypL6SHfBIeEl6XNrvM0tZ5Ze0p60pRCMtaQq%2FNCJAFVRLBQCcznJB1K2iVNQAs7HSzCQK1mPyvkFQ996TAuYgaFnyXDc9y%2Fu15QeX9eBFqQxyJJ3xf4yoN8T0R3HQdcsoTXFqNz67zLJNhrOku3136OKXqGpMl4g6dYjraxZ00YF12NEr3q%2BioFUHLfe9zIeCSCElkzWsi%2FaelQ%3D000213; 5a2c67b4928ffe5745bb882ad7942d17=6OqidHvXtZj2cMF%2Fe723JlnqPDDv7ITxen5SPh1PblpskMSvaYNWrLqBgaX3N3CB4Y96iWpoXaJsxaeloy1CrHKOSRBQtQVc163Qq2%2FjjS9IawgNiqggQRelCeaRbQKG8yClHTT6i0QinO%2FSFacdGlg7Z0LkjW4FX7Nameg4aObNXBUM9CP3JH%2FeKR76%2BDVt04sRqxMYqvl2skVxPyon78TZVmEMqTcEhsFppdE2b981rAYeDaeM8DYJj3GVErqiXYL7vzPEI3I60yDBIPV6nVppaB3p%2BHKrvCyKNffEg%2BM%3D000211; d2cbd34e18ed49ff98c9b105647db9e5=qrB4Kqre9IUJMqho6oDGRcJaI56hA%2F4qxw%2FYWVQ06OURPYxfYKpa2avmLq1YJLvfGG0FhtuHwCGOyxv4jWvRQU%2F3ZQuSW7Rh5yiaFjQuyAU%3D000078; __cfduid=d3e86c1b9a4e31de43e59614b31d1418b1379928638433; wp-settings-1=editor%3Dtinymce%26mfold%3Do%26align%3Dcenter%26wplink%3D1%26imgsize%3Dmedium%26libraryContent%3Dbrowse%26urlbutton%3Dpost%26hidetb%3D1%26ed_size%3D702; wp-settings-time-1=1381527392; fbm_113787358789669=base_domain=.bornstorytellers.net; wordpress_logged_in_2e29a62ce762084efd956153eca11d51=kevin%7C1394582046%7Cbedebe54d062f3ba8d43243cb5525769; wp-postpass_2e29a62ce762084efd956153eca11d51=%24P%24Boebhw1rK4kR4BQ2uccOynkg.pICHG%2F; wp-settings-5=ed_size%3D568%26libraryContent%3Dbrowse%26align%3Dcenter%26imgsize%3Dfull%26urlbutton%3Dfile%26editor%3Dtinymce%26hidetb%3D1%26wplink%3D1%26wpfb_adv_uploader%3D1; wp-settings-time-5=1393562746; __switchTo5x=9; __atuvc=3%7C10; __unam=6cb5566-14161db97ef-5d584853-201
   7. Host:
      bornstorytellers.net
   8. Pragma:
      no-cache
   9. Referer:
      http://bornstorytellers.net/shop/index.php
   10. User-Agent:
       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
5. Query String Parametersview sourceview URL encoded
   1. id_product:
      4
   2. controller:
      product
6. Response Headersview source
   1. Connection:
      keep-alive
   2. Content-Encoding:
      gzip
   3. Content-Length:
      15766
   4. Content-Type:
      text/html; charset=utf-8
   5. Date:
      Mon, 03 Mar 2014 02:34:51 GMT
   6. Keep-Alive:
      timeout=30
   7. P3P:
      CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
   8. Server:
      Apache/2
   9. Vary:
      Host,User-Agent,Accept-Encoding
   10. X-Powered-By:
       PHP/5.2.17

 

 

 

I really have no idea what;s going on here.

[vekia]

strange, now i see product page

 

my ESET says ... nothing. it's ok :/

[kevinp]

Solved. Looks like it was the Share This widget, turned on without a key triggered the page cancelled response, ESET (at least on my computer) thought it was a trojan. Thanks for your help Vekia.

[trancan]

hi!

I have some problem, my eset detect in my index page this JS/Agent.NNS troian!

Any product that you want to open the index page same message.

http://www.tattoosupply.ro/index.php?id_product=938&controller=product&id_lang=7 (infected JS/Agent.NNS troian)

http://www.tattoosupply.ro/index.php?id_product=938&controller=product&id_lang=1 (infected JS/Agent.NNS troian)

[syra crysti]

Trojan.MSIL.Injector.NEP is an unwanted trojan which should not be allowed to stay for long time in the system. If you are completely fed up with its presence then make use of Trojan.MSIL.Injector.NEP Removal Tool. It is capable to solve your PC problems.

 

Read More Information:- http://www.deletevirusspyware.com/delete-trojan-msil-injector-nep-how-to-remove-trojan-msil-injector-nep

[trancan]

 

Trojan.MSIL.Injector.NEP is an unwanted trojan which should not be allowed to stay for long time in the system. If you are completely fed up with its presence then make use of Trojan.MSIL.Injector.NEP Removal Tool. It is capable to solve your PC problems.

 

Read More Information:- http://www.deletevirusspyware.com/delete-trojan-msil-injector-nep-how-to-remove-trojan-msil-injector-nep

 

Trojan is on the server not in my pc. I download all folder on the website and i scan with eset, say no virus. I do not know what to do, please help.

Edited January 23, 2015 by trancan (see edit history)