JS/Downloader.Agent is a detection for JavaScript files that may have malicious intent to download and execute additional malware onto the computer. When it enters the computer, JS/Downloader.Agent will inject itself on Internet Explorer that may lead to web browser redirection. This Trojan also reduces overall system performance of the PC when running its own processes. Other activity includes excessive pop-up advertisement and constant communication to remote IP address. JS/Downloader.Agent is similarly utilized to spread rogue security software. In these cases, the Trojan will disguise as legitimate software update.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Windows Vista

When executed, JS/Downloader.Agent will inject harmful code on certain running processes. This gives the Trojan to run on itself when the infected process starts. It works its way to communicate to a distant host to download additional threats. JS/Downloader.Agent will also attempt to update configuration files and performs malicious activities on the infected computer.

  • Steal sensitive information like computer name and password
  • Gather FTP credentials including address, user name, and password
  • Access web files through FTP accounts of the infected computer user
  • Inject malicious code into header of .PHP, .HTML, .HTM and other web file formats that may result the whole web site to be compromised.

When user visits infected web sites, the injected script will trigger certain harmful actions including the following.

  • Drop malware on visitor’s computer
  • Download and install rogue security software
  • Redirect search result to predefined web sites
  • Display pop-up alerts and advertisements
  • Disable security applications including anti-virus and firewall

This Trojan will spread through the Internet in a variety of ways. Because the Trojan has so many variants, each type has its own usual way of distribution process. Infected web sites are the main channel to propagate JS/Downloader.Agent. Others are sent as an attached file to spam email messages or link contained within a message of instant messenger programs.

59 Responses

  1. precisesecurity says:

    1. Please use SmitfraudFix to remove this threat.

  2. Sharon says:

    I used this removal tool and it worked. All the threats are gone. I do have a question for you though. AVG showed changed DLL files before it found the actual threats. It is now listing them again. Is this because they have been changed back to the originals or is there still some work that I have to do? Thanks for the great fix tool!


  3. Denver says:

    Sharon, it would be great if you would elaborate more on your questions. If your AVG is having errors it advised to reinstall it and don’t forget to always update it.

  4. Kenny says:

    It did not work for me. My company had 40 computers that get this virus. AVG showed “virus found JS/downloader.agent” and we choose “move to vault”. I had tried to scan my computer by Norton, Trend Micro, Kaspersky, McAfee,
    Bit Defender, Spybot S&D, Spyware Doctor, AVG Anti-Spyware, Ccleaner, SmitFraudFix, and many other tools but still can’t remove this virus. This virus seems to spread from the network and can’t identify the root.
    Please help!

  5. precisesecurity says:

    It is harder to remove a virus particularly if it is capable of spreading over the network. It may be difficult but I guess you have to scan each computer while disconnected from the network.

    One more special tool to use is TrendMicro’s Sysclean.

  6. Kenny says:

    Thanks for your help! As I found that while the infected computer was switched off, the threat alert was gone. So I expected the infected computer will spread the script (flash.958167.com/main.js)to those computers accessing Internet only.
    I am tried to isolate the infected computer and scan again.

  7. Sue says:

    Thanks, thanks and more thanks! SmitfraudFix was very easy to install and the instructions were very easy to follow. After rebooting and AVG Free running again: NO Viruses! I’ll now search for where I can make a small donation to help defray costs.

  8. Sue says:

    Hi — I found the link to donate, BUT, it kept putting my US dollar amount as EUR pounds. Since I didn’t want Eur amount on my credit card I cancelled. Is there a way to donate in US dollars using a credit card? Thanks

  9. precisesecurity says:

    Sue, I’m sorry I cannot answer your question. This is not my tool and I have no direct connection with the author SiRi. Kindly visit his site and contact him.

  10. BoFoSho says:

    Thanks, this program is a life saver I was on my room mates laptop and all the sudden it just popped up when I tried to download a codex. I spent 3 hours trying to fix it before finding this, 15 min later it’s gone. expect a great donation from me.

  11. Karen says:

    I used the Trend Micro SysClean to solve my problem with the JS Downloader.Agent virus and it worked great! No more virus. Thanks so much for the link for it.

  12. Heather says:

    I too have the virus, when I try to click on the link for the download it brings me to a page DNS.org… It does this whenever I try to click on any links. Could it be part of the virus. I have tried typing the link directly into the address bar, to no avail. Help! I’m ready to throw my computer out the window!

  13. Sc says:

    Hi. While I was using the Yahoo Messenger, some link pop-up and started spreading through my computer with the other person. I scanned and found out this virus but the problem is I am not able to heal the virus with the help of AVG.
    Does this virus affect the Internet connection by any chance?
    Kindly help ASAP.
    Thank you.

  14. Don says:

    I used Trend Micro’s house call to check and clean my system that had been acting funny for a good week anyway. I use AVG anti-virus and it never picked up the virus j/s download agent. I went through the procedure on Trend Micro to remove the virus but my AVG program picked it. Back up 2 days later so i don’t think Trend Micro got rid of it.

  15. David says:

    Last week AVG detected JS downloader agent but was unable to remove it. Thankfully the laptop remained working allowing me to find this helpful information. I downloaded Smitfraudfix from the link at the beginning of this thread. Then followed the procedure exactly… i.e. boot up in safe mode. And it completely eliminated the threat.

    Thank you for the help.

  16. Michael says:

    I got this virus a few weeks ago but although AVG said there had been a healing error it moved the virus to the vault which I then cleared. I also cleaned the disc of temp Internet files etc and the virus appears to have gone. Two days ago while on the net an AVG pop-up warned that the virus was present at that site I immediately shut the Internet down cleaned off temp folders again and emptied the vault where AVG had put the virus. Scans since have not detected any presence.

  17. sandeep says:

    I will use it as i am also facing same problem.

  18. kwatra says:

    I have repeatedly tried to remove JS downloader.agent virus with the help of Smitfraudfix. While, It has helped in removing and cleaning the virus from the computer, but the moment I log on to Internet, again the virus threat messages come. They are content.ie5wdafk5m3\ads(1)js, ads(2)js, w8w9csu\ads(1)js. Please advise and help in removing repetitive onslaught of virus threat.

  19. kam says:

    Try these steps:

    1) Uninstall everything (including antivirus software) from your PC only keep your client software which is used to connect to the Internet.
    2) Download and install AVG spyware doctor and get latest update installed. Don’t perform any scan now.
    3) Go to safe mode.
    4) Open administrator account.
    5) Then do a final full system scan using AVG spyware doctor in safe mode.
    6) If this Trojan is present it will be shown as Trojan downloader.small.js
    7) As recommended action set delete on reboot. Reboot your computer
    8) You have done it.

    note: in these steps we have assumed that there is only one Trojan is present on machine that is JS/downloader.agent

  20. kam says:

    If you want to try other scanner please scan after uninstalling other software form your PC otherwise it will come again. This Trojan have embedded code in it, through which it have the ability to attach itself with other software files and hide with them so in order to completely remove it, first uninstall every other software including antivirus software before scanning

  21. Nick says:

    I believe if AVG finds this virus it’s a “false positive.” It happened a few times before, I never heal it, and the virus is gone. Also, it detected a Trojan from a World of Warcraft file, and it was confirmed that it was a false positive.

  22. eddy says:

    I’m using AVG and it has a couple of viruses in its virus bank.I’m not sure if I’m supposed to leave it alone or delete the files. I’m having trouble with my computer shutting off randomly and I’m not sure if the virus can cause it or its in the virus bank.

  23. Rob says:

    I used SmitFraudFix and followed all the instructions, but when I checked my AVG program following the scan, it says that the virus is still in the vault. Do I have to remove it from the vault so that SmitFraudFix can remove it? Or is it removed, but still showing up in AVG for some reason?

  24. GigB says:

    I’m running Vista and AVG detected this virus on my machine. SmitFraudFix says it works with XP and Windows 2000, does anyone know if it works with Vista?

  25. precisesecurity says:

    Rob, You have to empty the vault first.

    GigB, SmitFraudFix does not have a version for Vista.

  26. Kevin says:

    Trying to get rid of JS/downloader on Windows 98SE. Downloaded SmitFraudFix.exe to desktop, copied instructions, restarted in SafeMode, tried to start SmitfraudFix but nothing happened. Any suggestions? Thanks!

  27. Marlee says:

    After an AVG virus scan today, it detected JS/Downloader Agent. I clicked on the link to put it in the AVG Virus Vault. AVG’s Help states: “When you moved the file to the AVG Virus Vault it was deleted from its original location, coded, and then saved as a non-executable file in a hidden folder. Your PC is no longer infected.” Othere scans using different programs have found no viruses since then. The Help instructions go on to say: “If you are not missing any data files and your applications are running, then you can delete these vaulted files from the AVG Virus Vault.”

  28. Mariano says:

    I´m from Argentina. I don’t know very well the language (English). My PC detected JS/Downloader.Agent and my AVG can’t delete it. I have Windows Vista. What can I do?

  29. dave says:

    My AVG scans every day, is this right? Its just started telling me I’ve got JS/downloader.agent. It’s been put in the virus vault. Am I supposed to do anything with it? Everything seems to be OK now. I’m using Windows Vista and sort of computer illiterate.

  30. andy says:

    I have used smitfraud fix with vista and it works fine. Just make sure you’re in safe mode. I got rid of jsdownloader agent by deleting temp Internet files.

  31. Dan Catlin says:

    I got the disks to reload my 1 year old laptop, it formatted the hard drive, after all is done, I downloaded AVG and bang within minutes there is JS downloader agent? Is this a false-positive? I am going crazy with this. Has anyone else got this virus without running AVG?

  32. cara says:

    My computer is infected with js/downloader agent. It’s affecting my Internet explorer. I am unable to open Internet explorer so unable to download and use smitfraudfix. How do I go about removing the infection? My computer runs on Windows Vista.

  33. louie says:

    AVG scans found the JS/dl virus on my CPU. AVG could not heal it so I looked at the path of the virus and deleted all my temporary Internet files and re-scanned. The virus was not detected again although I will re-scan tomorrow just to be sure.

  34. momen says:

    I joined the Internet by network (with a lot of other computers) and one of the member had that virus called JS.Downloader. When I’m surfing the net it always shows an alert message. I don’t know which computer is infected. I need to know the option in the AVG that can delete that virus automatically.Please help.

  35. Ali says:

    Dear friends,
    I have a Java script virus JS/Ddlr.Agent.ZY detected by Avira Antivir, but this Antivirus can not remove it.
    Consequently, It is impossible to open any web site with JAva script element.

    I need help.
    Thank you

  36. Scott says:

    That’s not good, what kind of virus is this? I see that its “LOW” on the meter of Viruses.
    Somebody help me get rid of this for good!

  37. Priscilla says:

    I had the js/downloader virus as well. Avg could not put it in the vault, so I went to my temporary Internet files and deleted them. Ran the scan again and it showed no virus. So does that mean that it is gone? Also, now when I run AVG, this pops up…
    file infection path hosts change C:/WINDOWS/system32/drivers.

  38. Joe says:

    Had both the js/downloader virus and an exploit virus. Don’t know if AVG have put out update that fixed the problem, but was able to move them to virus vault and delete them. Have done another scan and they seem to be gone. Fingers crossed, hopefully they are gone from my PC.

  39. candice says:

    I met this virus today. However, I moved it to vault and I don’t know how to do with it then. By the way, may I know what is the symptom when JS/Downloader.Agent working?

  40. Dan Williams says:

    I have a problem with the JS\Downloader Agent. I still use Windows 98 SE, I can’t afford to update my OS at this time. Is there any downloads out there for Windows 98SE that will get rid of this JS Downloader Agent. Thanks, Dan

  41. Buster says:

    I had JS/Downloader agent and moved it to AVG Vault. I then deleted it, deleted all temp Internet files and Java temp Internet files then did full AVG scan. Fingers crossed it seems ok now.

  42. Anne Potruff says:

    I have not been able to access my e-mail or Internet in over a week. Can the JS virus cause this to happen suddenly or am I dealing with two separate things. Without the Internet I cant get to smitfraudfix.

  43. JustAGuy1 says:


    I have this problem and suddenly another JS thing comes up in my AVG test results. But after few minutes the virus is gone.. I wonder why really. Is it hiding in my computer and I should remove it as fast as possible or should I just leave it there? Anyway I cant move any virus to the vault cause every scan is ended it says: Error healing files. Please help me as fast as possible.

  44. JustAGuy1 says:

    Suddenly I got a new virus Trojan Horse Generic10.AYOS. I moved this file to Virus Vault and removed it. I hope this is gone now. Somehow this is connected to JS/Downloader.Agent. Still I cant find any virus or the JS/Downloader.Agent. I deleted all my temporary Internet files and re-scanned and found this Trojan Horse virus. I removed it and going to check for more virus. No wonder why my computer were a little slower.. Anyway if you guys see a virus called ruco.exe remove it by using any anti-virus program.

  45. nomi says:

    I have not been able to get any fruitful results from all the above mentioned methods. I scanned my computer over and over again. I even had to format my C: drive twice. But it still don’t seem to work. Can anyone help me here please?

  46. danny says:

    I got js/downloader took a while to sort it finally deleted temporary Internet files. AVG no longer finds the virus but all my files now open the Internet with full toolbars. It seems that if this virus has left a backdoor this odd connection allows access to every file. When I close a file that may hold music the broken Internet connection produces a error message and my computer closes down and starts up almost in a flicker. This reproduces standard messages in starting my computer. how can I reset my files so as not to connect to Internet.


  47. its me says:

    Any kind of java virus can be removed by free Avira AntiVir. Because I have the same virus. I tried Avira and it was successful, its very good.

  48. Charlie Wang says:

    Hi precisesecurity,
    This virus seems difficult to remove from my PC. I tried SmitfraudFix and TrendMicro’s Sysclean, but could not clean up this problem. Very annoyed! Please give me other removal tool. Thanks a lot! Charlie

  49. Tarun sharma says:

    I want a solution for this JS/Downloader.agent as I tried all anti-virus and anti-spyware but no such solution to remove from my network. I tried to delete new link file of this virus and corrupts my system.

  50. thepearl says:

    This thing is the bloody pits! I post a lot of web pages in HTML, and it was writing long script files that I know didn’t come from my CPU. In any case, I downloaded and ran ( smitfraudfix ) in the Safe Mode, and it looks like the infection has been cleared. I’ll post again if it comes back, and thank you so much for the information.

  51. Elisha says:

    Question: After I scanned my computer AVG found 9 viruses. I think, and some warnings that I don’t understand, then it got moved from the virus vault, does that mean my computer is virus free? Was it healed automatically? Or does the viruses still remain in my computer? Thanks

  52. Debbie says:

    Hi, I was on the Internet when my computer suddenly flashed that JS/downloader Agent had been detected, I selected the option to move it into the virus vault, is this all that I have to do – or do I still need to run a removal tool? and is it okay to just leave it in the virus vault or should I do something with it?

  53. Burak says:


    I recently downloaded and installed a program called Graboid, Its meant to be for online streaming movies videos etc. After the installation my PC was affected with various amount of Trojans and this particular virus, I am wondering if it could have any connection with the Graboid program? I will try to use SmitFraudFix to see if it could help.

  54. Morgaine says:

    I am a webmaster and got some complaints from users about this js downloader agent. I started checking Google. I have Norton 360 and Sophos antivirus and did not get the message.
    Surprisingly I only found people using AVG that have this problem?
    Does this ring any bell’s? Maybe its an OK Free Virus scan but it comes with a virus.
    By the way, its a low priority virus.
    Thanks again. It should not be there.
    I think AVG is the problem and you should spend a little money on a virus scan that works ok?

  55. Larry says:

    My son’s laptop has this js/downloader agent virus. Found virus using AVG. downloaded both solutions mentioned in this thread. Cannot start in safe mode. Ran smithfraudfix any way and did get text file report as result. However virus still exists. Tried TrendMicro downloads but cannot run as desktop keeps refreshing and I cannot open zip file. will paste text file from smithfraud if anyone thinks they can help me. I am at my wits end with this. Help please!

  56. Christine says:

    Morgaine, I sincerely doubt AVG Free “comes with” or contains the JS/Downloader.Agent virus. I’ve been running it for eight years with no problems. In all that time, I’ve had only two viruses “attempting” to enter my computer, both of which AVG Free caught immediately. I then quarantined and removed.

  57. Niamh says:

    My avg has just found two viruses but i managed to send one to vault, its JS/Downloader .agent
    you talking about deleting Internet files
    what does this mean?
    I’ve been backing up all my documents and pictures just in case this virus deletes them what else should i be doing?

  58. Dawg says:

    I ran the program SmitfraudFix from here and now my clock is in military time and windows security center tells me I have no virus protection and no firewall. I’m running nortons for both…ohh and the virus is still on my comp! Now how do I fix all the new problems this program has created?

  59. Richard says:

    My computer just got hit with JS:Downloader-AJY. Any Sugeestions that have worked? Is in the vault now… am worried…

Leave a Reply

Your email address will not be published. Required fields are marked *