How to remove Trojan.js.Agent.bay

by Rich on January 26, 2010

Due to a recent attack on our blogs here by a virus that seems to be affecting a lot of people, we spent a few days cleaning our machines and rewriting the data on our server. But what if you are infected too? How do you get rid of it? This is a detailed guide that should help you remove it in a few hours rather than a few days.
Obviously the quick way to do this would be to delete everything on the server and in the database and re-upload the whole website from a backup, but this doesn't work for sites that are updated daily, since anything written after the last backup would be lost. So what if you can't use this method?
A massive help to us during this attack was Kaspersky Antivirus, which found infected files that Norton Antivirus didn't. Surprised? This isn't the first time Norton has failed us around the office. So the first step is to download it onto your computer and update it, restart your PC, and repeat the update until its databases are fully up to date.
The next part for us in removing the virus was downloading all the files from our web server with Kaspersky's protection turned off (if it is on, it will remove files from your website as they arrive, and those will be hard to recover afterwards). Then make a copy of the download and store it in a different location: one copy is kept untouched as a backup, the other is the one you let the antivirus scan, so you can see exactly what the virus has touched.
Next, re-enable Kaspersky's protection, right-click the copy you set aside for scanning and choose to scan it with Kaspersky. How long this takes depends on how big your site or blog is, but patience will give you the results you may be dreading.
Infected? That's unfortunate, but here is what to do now. You should have a compiled report from Kaspersky listing the file paths of the infected files; clicking the "View detailed report" button and then "Save" in the top right corner lets you print this information off.
With the printout in hand, go through the unscanned copy of the download (the scanned copy will have had files removed) and open each file at the paths Kaspersky listed. Scroll right to the bottom of the file (we found it was mainly .js files and index files that were infected) and you will see a script tag containing a random string of numbers. All you need to do is delete the bottom few lines holding that script tag. Do not assume the tail is the only change, though: where you have a clean copy of the theme or plugin file, compare the whole file against it before you trust it.
Once you have gone through all the files, which could be 200 or more, re-scan them just to be sure, then scan your own computer to make sure the virus isn't on there either. Whatever the way in was, once your PC is clean change your FTP, WordPress and database passwords from that clean machine, otherwise the injection can simply be put back. When you are finished, re-upload the core files of WordPress: download the newest version, unzip it, and overwrite the copies already on your blog by choosing "Overwrite all" in your FTP client.
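To speed up the step above (opening each listed file and cutting the trailing script tag), here is an added example, not code from the original post, that does the same triage over a downloaded copy of the site. It assumes only the pattern the post describes: a script tag carrying a long run of digits, appended after the end of .js and index files. The file extensions, the six-digit threshold, the `.infected` naming and the sample files are my own assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# File types the post reports as carrying the injected tail: .js files and the
# index/page files. Extend the set to match your own site (assumption).
SCAN_EXT = {".js", ".html", ".htm", ".php"}

# Heuristic for "a script tag with a random string of numbers": a run of six or
# more digits somewhere inside the trailing block. Tune to what you see.
DIGIT_RUN = re.compile(r"\d{6,}")


def find_injected_tail(text):
    """Return the offset where a trailing <script> block starts, or None.

    Only script blocks that are the LAST thing in the file (nothing but
    whitespace after them) are considered, and only if they contain a long
    digit run. A legitimate script in <head> or before </body> is never
    matched because </body></html> follows it.
    """
    low = text.lower()
    end = len(low.rstrip())
    start = None
    while low[:end].rstrip().endswith("</script>"):
        open_pos = low.rfind("<script", 0, end)
        if open_pos == -1:
            break
        start = open_pos
        end = open_pos
    if start is None or not DIGIT_RUN.search(text[start:]):
        return None
    return start


def strip_injected_tail(text):
    """Return (cleaned_text, was_infected)."""
    start = find_injected_tail(text)
    if start is None:
        return text, False
    return text[:start].rstrip() + "\n", True


def clean_tree(root, dry_run=True):
    """Walk a downloaded copy of the site and return the relative paths hit.

    With dry_run=True nothing is written, so you can compare the list against
    the antivirus report first. With dry_run=False the original is kept next
    to the cleaned file as <name>.infected, so the evidence is not lost.
    """
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        # latin-1 round-trips every byte unchanged, so files are never
        # re-encoded by accident.
        text = path.read_text(encoding="latin-1")
        cleaned, hit = strip_injected_tail(text)
        if not hit:
            continue
        hits.append(path.relative_to(root).as_posix())
        if not dry_run:
            shutil.copy2(path, path.with_name(path.name + ".infected"))
            path.write_text(cleaned, encoding="latin-1")
    return sorted(hits)


# Constructed sample files (not real malware): a page and a script with the
# kind of tail the post describes, plus a clean page that must be left alone.
CLEAN_INDEX = (
    '<html><head><script src="js/jquery.js"></script></head>\n'
    "<body><p>Hello</p></body></html>\n"
)
INFECTED_INDEX = CLEAN_INDEX + '<script src="http://example.invalid/83920174.js"></script>\n'
INFECTED_JS = "function nav(){ return 1; }\n<script>/* 4471920385 */</script>\n"


def demo():
    """Build the sample site in a temp dir, clean it, and re-scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text(INFECTED_INDEX, encoding="latin-1")
        (root / "about.html").write_text(CLEAN_INDEX, encoding="latin-1")
        (root / "js" / "site.js").write_text(INFECTED_JS, encoding="latin-1")
        hits = clean_tree(root, dry_run=False)
        return {
            "hits": hits,
            "index_after": (root / "index.html").read_text(encoding="latin-1"),
            "rescan": clean_tree(root),
        }


if __name__ == "__main__":
    result = demo()
    print("cleaned:", result["hits"])
    print("left after re-scan:", result["rescan"])
```

Run it with `dry_run=True` first and compare the list against the antivirus report; anything it misses or over-flags still needs eyeballing, and keep the untouched copy of the download regardless.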
After the upload you should have access to the wp-admin area again. Go to http://www.WEBSITENAME.com/BLOG/wp-admin/ replacing "WEBSITENAME" with the name of your site and "BLOG" with the path that leads to the blog; the important bit is the /wp-admin/ on the end (WordPress has no wp-admin.php, the admin area is the wp-admin directory). You should now see the familiar login page.
We did have preventive measures and various security plugins, which did not stop this, so we found the best thing to do was to go to the "Tools" tab on the left, then "Export". This gives you an XML file containing all your posts and data; keep it on your computer for the time being.
Next is the gruelling task of wiping the files you fixed off the server and deleting the database it was using. Once that is done, create a new database, upload WordPress again and this time upload your theme. You should still have all the images used (from the backup made at the start), which will also include your style sheets, so re-upload those and you should be good to go; take them from the copy you cleaned and re-scanned, not the untouched one. For reinstalling WordPress I would suggest the installation guide written by WordPress.
Once your styles and images are right, you just need to bring back the XML file you downloaded earlier by going to "Tools" again and this time choosing "Import".
With a few other adjustments to the blog, like filling in SEO details, you are back to normal with a nice clean blog. Time to tell people they can visit you again!
Happy Blogging!