
Malware/trojan infection. (JS:Trojan.JS.Agent.TRY)

Ran a full scan with Bitdefender (yeah... I know. But at least I have a scanner).


During full scan, it found these:



Should I be concerned? Were my passwords and other personal data stolen? Maybe some remote-access trojan was installed? Or is it false positive?


I ran EtreCheck several days before, but no such things were detected. And I ran MalwareBytes (free version) before running Bitdefender, but did not detect anything.


Thanks in advance.

Posted on Jan 21, 2020 8:20 PM

Question marked as Top-ranking reply

Posted on Jan 28, 2020 11:30 AM

I think I found a better answer online.


There is no Mac malware called JS:Agent. That's a generic name usually used to refer to JavaScripts of a malicious nature, which are typically found on a website. These scripts may be designed to display a tech support scam pop-up, use your computer's CPU time to mine cryptocurrency, perform some kind of tracking operations for a shady advertising service, or even exploit a vulnerable Windows PC to install malware. (There are no vulnerabilities currently known to be used on Mac to deliver malware in this manner.)


In other words, a site you're visiting is indeed dumping these files on your Mac, but they only affect Windows computers. But it would still be kind of nice to find out what site keeps putting this file on your Mac.


Jan 22, 2020 9:20 AM in response to 93164

It's a JavaScript action that downloaded to your browser cache from whatever site you visited it resided on.


If you haven't already, open Safari's preferences and click on the Advanced tab. Turn on the bottom check box to show the Develop menu. Close the preferences.


Now all you need to do is press Command+Option+E. That will clear all of the current browser cache data. Close Safari and relaunch it. That should be all you need to do.


It seems to be version specific, too. That folder (WebKitCache) has been moved to the user account Containers folder.


I'm going to do a quick test to see if this folder gets emptied out with the above command.


Edit: And - it does. Went from 100MB down to 4MB. Just clearing the cache should do it. Until you visit whatever site that came from again.


Jan 28, 2020 10:11 AM in response to 93164

They likely won't show up in MalwareBytes because they're just JavaScript cache data and not considered a threat.


After finding these, did you use the Develop menu, Command+Option+E keystroke with Safari open to clear its cache files? Are these JavaScript files gone afterwards? They should be.


Assuming they're now gone, they can only be returning from one of two places.


  1. A site you're visiting has this JavaScript action as part of the page's code, so they naturally end up in your cache again.
  2. You have a third party Safari extension installed that's downloading them.

Jan 27, 2020 8:01 PM in response to 93164

Two more found...



I do not visit shady websites. The only websites I visit are Gmail, YouTube, Reddit, Amazon and other known websites. And of course, I do not download torrent or pirated stuff....


Could something else ("queen trojan") have been downloaded on my computer to multiply these minion trojans? (if that makes sense at all).



Jan 22, 2020 9:32 AM in response to Kurt Lang

Kurt Lang wrote:



It seems to be version specific, too. That folder (WebKitCache) has been moved to the user account Containers folder.

Thank you for the helpful reply.


Is it bad that it was moved to containers folder? Were my personal data and passwords stolen? Or was my computer being monitored?


Jan 22, 2020 9:42 AM in response to 93164

All kinds of apps put your data, settings and other stuff in the Containers and Group Containers folders. Do not remove them!


It's neither good, nor bad. Apple simply changed the location of the browser cache folder in Catalina. They may have done it in Mojave. I never looked.


There are some sites suggesting a malicious JavaScript action can steal your cookies, many of which the sites you visit save to "remember" your login passwords. But, as they also go on to say, that would be a massive security failure of any browser to allow such access in the first place. JavaScript is intended for display purposes only.


Jan 22, 2020 11:36 AM in response to 93164

Safari doesn't store your passwords, Keychain Access does. Those are encrypted and can only be accessed by supplying your admin password. Cookies save simpler login data, but are mostly just to "remember" you. Like when you go to amazon.com, and even without logging in, it says "Hello, (your name)" towards the top right.


There's no point, or purpose at all in changing your router's password.


Jan 28, 2020 10:44 AM in response to Kurt Lang

Yes, I cleared Safari cache, history, web data, etc., although Bitdefender deleted the files for me.


I have only one extension installed - adblocker called "Wipr." I've had it for a year now.


And I suspect the trojans could be from Reddit.


Jan 28, 2020 11:05 AM in response to 93164

Empty Safari's cache.


Open these two cache folders on the desktop and just leave them there in list view.


/Users/Q/Library/Caches/com.apple.Safari/WebKitCache/Version 12/Blobs/

/Users/Q/Library/Caches/com.apple.Safari/WebKitCache/Version 12/Records/


Now start visiting the sites you typically view and see which one adds the file Trojan.JS.Agent.TRY


It won't start with JS: since the colon is not allowed as any part of a file or folder character name. The OS uses the colon as a path separator.


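The procedure in the post above (empty the cache, then visit sites one at a time and watch the cache folders) can be scripted so that every new cache file is logged against the site just visited. This is an added example, not part of the original thread; the function names, the state directory and the labels are assumptions, and the folder path has to match wherever your Safari version keeps WebKitCache.

```shell
#!/bin/sh
# Added example, not from the thread. Records which browsing step added which
# file to a cache folder, so a later scanner hit can be traced back to a site.
# DIR is a cache folder such as the Blobs/ or Records/ paths quoted above
# (the "Version 12" part and the parent folder vary by Safari/macOS version).
# STATE is any scratch directory; LABEL is whatever you type (assumptions).

# cache_mark DIR STATE: store the current file list as the baseline.
cache_mark() {
    mkdir -p "$2" || return 1
    find "$1" -type f 2>/dev/null | LC_ALL=C sort > "$2/baseline"
}

# cache_new LABEL DIR STATE: print and log files added since the last call,
# one "LABEL<TAB>path" line each, then move the baseline forward.
cache_new() {
    [ -f "$3/baseline" ] || { echo "run cache_mark first" >&2; return 1; }
    find "$2" -type f 2>/dev/null | LC_ALL=C sort > "$3/current"
    LC_ALL=C comm -13 "$3/baseline" "$3/current" |
        while IFS= read -r path; do
            printf '%s\t%s\n' "$1" "$path"
        done | tee -a "$3/log.tsv"
    mv "$3/current" "$3/baseline"
}

# cache_lookup NAME STATE: print the label(s) whose visit added a file whose
# path contains NAME (for example the file name shown in the scanner report).
cache_lookup() {
    [ -f "$2/log.tsv" ] || return 1
    awk -F '\t' -v n="$1" 'index($2, n) { print $1 }' "$2/log.tsv" |
        LC_ALL=C sort -u
}

# Typical session, after emptying the cache with Command+Option+E:
#   cache_mark "$HOME/Library/Caches/com.apple.Safari/WebKitCache/Version 12/Records" /tmp/cachelog
#   (visit one site)  cache_new "first-site" "<same folder>" /tmp/cachelog
#   (visit the next)  cache_new "second-site" "<same folder>" /tmp/cachelog
#   cache_lookup "<file name from the scan report>" /tmp/cachelog
```

Run `cache_new` after each site and before the next full scan; when the scanner names a file, `cache_lookup` returns the label of the visit that added it.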
Jan 31, 2020 2:13 PM in response to 93164

Then I would agree. I went there when you first mentioned it, but didn't have that JavaScript action download. But it would be hit or miss. You can follow all kinds of links from within Reddit. All depends on which ones you go to, I would imagine.
