Jump to content

JS/Agent.piv


Recommended Posts

I have been trying to access akc.org and get a message that ESET has removed a threat when trying to access the website.  I have scanned my computer but nothing was found.  I am running ESET NOD Antivirus 14.2.24.0 using Edge.  AKC has now blacklisted my IP address.  How do I fix this?

 

image.png

Link to comment
Share on other sites

  • Administrators

You can inform the owner of the domain that it was compromised and a malicious javacsript is injected in some js files.

Detecting the malware could not cause your IP address to be banned.

Link to comment
Share on other sites

  • Administrators
10 hours ago, Lee P said:

Gretchen6205, the same thing just happened to me and I did the same thing you did but nothing has helped.  Were you able to get this resolved?

What website was the threat detected on? Are you the owner or administrator of the website in question?

Link to comment
Share on other sites

On 10/28/2021 at 1:56 PM, gretchen6205 said:

I have been trying to access akc.org and get a message that ESET has removed a threat when trying to access the website. 

This web site is heavily infected. Below are the detections encounter when I accessed the web site. My concern is Eset did not block access to the web site using Firefox as it stated it did.

hxxps://www.akc.org/wp-includes/js/jquery/jquery.min.js?ver=3.6.0
hxxps://www.akc.org/wp-content/plugins/gigya-socialize-for-wordpress/gigya.js?ver=5.8.1
hxxps://www.akc.org/wp-content/plugins/gigya-socialize-for-wordpress/features/raas/gigya_raas.js?ver=5.7.3.4
hxxps://www.akc.org/wp-includes/js/wp-embed.min.js?ver=5.8.1
hxxps://www.akc.org/wp-includes/js/wp-emoji-release.min.js?ver=5.8.1

Eset_Malware.thumb.png.b9869569e90c84dd3159a62fda48f6c4.png

Edited by itman
Link to comment
Share on other sites

  • Administrators

The connection was indeed terminated; the downloaded script ends with "function(e){S(this).wrapInner(n.call", ie. it's incomplete and thus not working, ie. it could not run and do anything malicious.

Link to comment
Share on other sites

10 minutes ago, Marcos said:

The connection was indeed terminated; the downloaded script ends with "function(e){S(this).wrapInner(n.call", ie. it's incomplete and thus not working, ie. it could not run and do anything malicious.

From this reply, I infer that Eset is no longer blocking access to the entire web site when malware is found?

Link to comment
Share on other sites

On 10/31/2021 at 2:31 PM, Lee P said:

Gretchen6205, the same thing just happened to me and I did the same thing you did but nothing has helped.  Were you able to get this resolved?

No, I haven't done anything.  One solution is to get another IP address, but I'm concerned about what cascading effect this might have.  Otherwise, my plan is to just wait to see if it resolves itself.

Link to comment
Share on other sites

On 10/28/2021 at 12:00 PM, Marcos said:

You can inform the owner of the domain that it was compromised and a malicious javacsript is injected in some js files.

Detecting the malware could not cause your IP address to be banned.

I tried contacting akc.org and the customer service desk was not helpful.  I did not try to discuss the matter with the IT dept., however, I sent an email to akc and they asked for my IP address.  I have not heard anything back yet

Link to comment
Share on other sites

On 10/28/2021 at 12:00 PM, Marcos said:

You can inform the owner of the domain that it was compromised and a malicious javacsript is injected in some js files.

Detecting the malware could not cause your IP address to be banned.

I do not have the expertise to go back to akc to tell them their website has been compromised, they'll only ask for more details that I do not have.  Is it possible for ESET to advise them of the issue?  Does akc already know the website has been compromised?  Since it's such a mess, should I give up (for now) trying to log into my account at akc.org?

Link to comment
Share on other sites

  • Most Valued Members
6 hours ago, gretchen6205 said:

I do not have the expertise to go back to akc to tell them their website has been compromised, they'll only ask for more details that I do not have.  Is it possible for ESET to advise them of the issue?  Does akc already know the website has been compromised?  Since it's such a mess, should I give up (for now) trying to log into my account at akc.org?

If the website isn't yours , and still you want to help , all you need to do is send them an email with the detection message screenshot attached, that's all you can do from your side.

Link to comment
Share on other sites

  • 1 month later...
  • Administrators
3 hours ago, Malika said:

Having the same issues for https://baysuit.org
This is my website and I have scanned all my files no virus
What should I do?

Searching for "if(ndsw===undefined)" should help you locate the malicious javascript.

Link to comment
Share on other sites

On 12/24/2021 at 5:45 AM, Marcos said:

Searching for "if(ndsw===undefined)" should help you locate the malicious javascript.

Tried searching the string and I found over 700 strings having the same thing, what do you think I should do

Link to comment
Share on other sites

  • 1 month later...

Hi all,

recently I accessed a Google website and it triggered my ESET Antivirus that I have downloaded on my PC. It said that the threat has been found because of JS/Agent.PIV trojan, the access has been blocked and connection terminated. The page never opened, I deleted it from Chrome history and didn't access again. After that I saw the threat is stored in my ESET quarantine, I guess that means it can't create any damage. Is my computer fully safe and what would happen if I delete it from quarantine? Will it be deleted from my computer fully or put back? Also, do I need to manually delete the stuff from quarantine, or is ESET going to do that after some time? Thank you.

Kind Regards.

Link to comment
Share on other sites

  • Administrators
41 minutes ago, mmila said:

It said that the threat has been found because of JS/Agent.PIV trojan, the access has been blocked and connection terminated.

ESET blocked the threat, your computer is safe.

Link to comment
Share on other sites

Thanks @Marcos,

that's a relief. What about my question about quarantine. What will happen if I delete it from quarantine, will I manage to remove it fully from my computer, or is ESET going to do that after some time?

Link to comment
Share on other sites

  • Administrators

Files in quarantine are stored in an encrypted form so they don't pose any risk. Feel free to delete quarantined files unless you suspect them to be false positives which is not the case.

Link to comment
Share on other sites

  • 4 weeks later...
  • Administrators
22 minutes ago, Stefano1045 said:

the same message came to me when I tried to access my blog. I temporarily uninstalled ESET web protection and entered my blog (in wordpress), but wordpress says the site is ok. So?

Searching for "token=function()" should help you locate the malicious JavaScript.

Link to comment
Share on other sites

2 hours ago, Stefano1045 said:

Thank you, but: maybe i have to search some other way?

I scanned your domain, hxxps://librilettiscritti.it/, at Quttera. It contains 10 malicious files. The scan report: https://quttera.com/detailed_report/librilettiscritti.it , contains all the detail you need to find the malicious code references.

If you don't have the technical skills to remove this malware, you will have to hire someone; e.g. Quttera, to remove the malware for you.

In your case however, it appears this would be the webmaster responsibility since the malicious code is being injected from a remote source. That is, the web server is not properly secured and is probably infected.

Edited by itman
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...