Avast msg: JS:ScriptIP-INF (TRJ)

Hello. I just loaded Avast Home 4.8 yesterday. It scanned on re-boot & gave me this message.
Said location was:
File C:\Documents&Settings\Owner\LocalSettings\tempintfiles\content.IES\2n98I7WH\default[1].htm is infected with JS:ScriptIP-INF (TRJ).

Also - since loading Avast yesterday my computer is sooooo incredibly slow. When starting this morning it will basically freeze up for a bit (blue avast ball stops spinning) as if it's thinking... then it takes off again.

I apologize in advance as I'm an old fart who's new to this arena. Thanks so much! Deb

Hi schubed1,

This is in a temp file that you can clean out with, for instance, ATF Cleaner 3.0.0.2, download here:
http://majorgeeks.com/downloadget.php?id=4949&file=15&evp=72ef5a5e927b2276e6a5bc34c89d005a

JS:ScriptIP-INF (TRJ) can be a scanner alert on a page served by a site that has been cracked; the injected code could look a bit like this:

<script language="JavaScript">
<!--
// Hit counter code for Webstat.net
var data = '&r=' + escape(document.referrer)
  + '&n=' + escape(navigator.userAgent)
  + '&p=' + escape(navigator.userAgent)
  + '&g=' + escape(document.location.href);
if (navigator.userAgent.substring(0,1)>'3')
  data = data + '&sd=' + screen.colorDepth + '&sw=' + escape(screen.width+'x'+screen.height);
document.write('<img alt="Website Counter" width="0" height="0" border="0" hspace="0" ' + 'vspace="0" src="hxxp://www.webstat.net/basic/counter.php?i=70739' + data + '">');
// -->
</script>
<a href="hxxp://www.webstat.net/" target="_blank"><img alt="Website Counter" src="70739.png" border="0" hspace="0" vspace="0"></a>
<noscript>
<a href="hxxp://www.webstat.net">Free Counter</a>
The following text will not be seen after you upload your website, please keep it in order to retain your counter functionality
<a href="hxxp://www.acsr.com" target="_blank">online casino</a>
</noscript>
-------

Almost any scanner would flag the downloaded src="70739.png" here.
So delete your IE temp files, and also attach a HijackThis (HJT) log as a txt file to your next posting, so we can have a look at what could have made your machine so slow lately.
Download HijackThis from here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

polonus
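To make the reasoning behind the alert concrete, here is an added example (not part of the thread and not an avast component) that triages a cached HTML page for the three traits the snippet above shows: a zero-sized or hidden <img>/<iframe> whose src points at a host other than the page's own, a document.write() call that emits such a tag at runtime, and <noscript> blocks carrying links to unrelated domains (the "online casino" style of hidden SEO spam). The sample page and the host name www.example-shop.invalid are constructed for the demo; defanged hxxp:// URLs are normalised before hosts are compared.

```python
"""Triage a cached HTML page for injected third-party loaders.

Added example: not code from the forum thread or from avast. Flags
zero-sized/hidden external <img>/<iframe>, document.write() payloads that
emit such tags, and external links hidden inside <noscript>.
"""
import re
from urllib.parse import urlparse

TAG = re.compile(r"<(img|iframe|script)\b([^>]*)>", re.I)
SRC = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
ZERO_OR_HIDDEN = re.compile(
    r"\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"']?"
    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SCRIPT_BLOCK = re.compile(r"(<script\b[^>]*>)(.*?)</script>", re.I | re.S)
DOC_WRITE = re.compile(r"document\.write\s*\((.*?)\)\s*;", re.I | re.S)
STR_LIT = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"", re.S)
NOSCRIPT = re.compile(r"<noscript>(.*?)</noscript>", re.I | re.S)
LINK = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']?([^\"'\s>]+)[^>]*>(.*?)</a>", re.I | re.S)


def host_of(url):
    """Hostname of a URL; hxxp/hxxps defanging is undone first."""
    url = re.sub(r"^hxxt?ps?://", "http://", url.strip(), flags=re.I)
    return (urlparse(url).hostname or "").lower()


def is_external(url, page_host):
    h = host_of(url)
    return bool(h) and h != page_host and not h.endswith("." + page_host)


def check_tags(fragment, page_host, origin):
    """Yield (origin, tag, host, reason) for suspicious loaders in a fragment."""
    for tag, attrs in TAG.findall(fragment):
        m = SRC.search(attrs)
        if not m or not is_external(m.group(1), page_host):
            continue
        tag, h = tag.lower(), host_of(m.group(1))
        if tag == "script":
            yield (origin, tag, h, "external script, review")
        elif tag == "iframe" or ZERO_OR_HIDDEN.search(attrs):
            yield (origin, tag, h, "hidden or zero-sized external loader")


def triage(page_html, page_host):
    """Return a list of findings for one cached page."""
    page_host = page_host.lower()
    findings = []
    # 1. Tags as written in the markup. Script bodies are blanked (the
    #    <script> tag itself is kept) so an <img> string inside a
    #    document.write() is not counted twice.
    static = SCRIPT_BLOCK.sub(r"\1</script>", page_html)
    findings += list(check_tags(static, page_host, "static"))
    # 2. Tags a script would write at runtime: join the string literals of
    #    each document.write() call (variables are dropped) and examine them.
    for m in SCRIPT_BLOCK.finditer(page_html):
        for call in DOC_WRITE.findall(m.group(2)):
            literal = "".join(a or b for a, b in STR_LIT.findall(call))
            findings += list(check_tags(literal, page_host, "document.write"))
    # 3. Links inside <noscript>, which visitors with JavaScript never see.
    for block in NOSCRIPT.findall(page_html):
        for href, text in LINK.findall(block):
            if is_external(href, page_host):
                text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", text)).strip()
                findings.append(("noscript", "a", host_of(href), "hidden link: %r" % text))
    return findings


# Constructed sample modelled on the counter snippet quoted in the thread.
PAGE_HOST = "www.example-shop.invalid"
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<script language="JavaScript">
<!--
var data = '&r=' + escape(document.referrer) + '&g=' + escape(document.location.href);
document.write('<img alt="Website Counter" width="0" height="0" border="0" hspace="0" '+'vspace="0" src="hxxp://www.webstat.net/basic/counter.php?i=70739' + data + '">');
// -->
</script>
<a href="hxxp://www.webstat.net/" target="_blank"><img alt="Website Counter" src="70739.png" border="0"></a>
<noscript>
<a href="hxxp://www.webstat.net">Free Counter</a>
<a href="hxxp://www.acsr.com" target="_blank">online casino</a>
</noscript>
</body></html>"""

# Constructed benign page: same-host resources and a same-host noscript link.
CLEAN_PAGE = """<html><body><img src="/logo.png" width="120" height="40">
<script src="/js/site.js"></script>
<noscript><a href="http://www.example-shop.invalid/sitemap.html">Site map</a></noscript>
</body></html>"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PAGE, PAGE_HOST):
        print(" | ".join(f))
```

Run it against the files under Temporary Internet Files with the host of the page that produced each file. A hit does not prove a payload was delivered (that depends on what the external host answered at the time), but it does show which site the browser was sent to, which is what you would feed into the next step of the investigation.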

Something on your system has infected the default[1].htm, or more likely it was already an infected file when it was downloaded into your browser cache and your other AV didn't detect it. avast is very hot (and accurate) on this type of web infection, which is becoming more prevalent.

Do (or did) you have another AV installed on this system? If so, what was it and how did you get rid of it?

I'm running XP. I fell by the wayside & never renewed my McAfee protection. Last week I purchased ParetoLogic AntiVirus Plus software from the internet. Once downloaded, my computer froze up & I could not access anything. After research I saw they had a bad rep/problems... so I went to Add/Remove Programs & removed it from my system. Then I downloaded Avast 4.8 yesterday. Question: on almost a daily basis I go to Control Panel, Internet Options, Browsing History & delete Temp Internet Files, History & Cookies. Is that what is meant by I need to delete temp files? Thanks.

Thank you polonus. QUESTION - trying to do your suggested cleaner download above, it's asking me to select files to delete: Windows Temp, Current & All User Temp, Cookies, Temp Internet Files, History, Prefetch, Java Cache, Recycle Bin or all. What do you want me to choose? Note: on almost a daily basis I go to Control Panel - Internet Options, Browsing History & then I delete Temp Internet Files, History & Cookies. Thank you.

POLONUS - I tried to paste my HIJACKTHIS log results but it said that it exceeded the max characters allowed. I saved it in Notepad as a .txt file. Please see attachment & let me know if you have a problem opening it. I may need to paste results in 2 diff replies. Thanks so much. : )

Well, first, having two resident anti-virus applications installed is a no-no. Not only will that put a serious crimp in your system performance, as both would be scanning the same files; here comes the more serious bit, they could conflict and cause anything from duplicate scanning slowing performance to a conflict that locks up your system, similar, I guess, to what you said you were experiencing.

So you have to decide what is going to be your resident anti-virus program and uninstall the others.

McAfee may also have left remnants even if uninstalled (we have seen this in the forums), so you need to ensure all of it is gone.

McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe Or http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525

Hi schubed:

Follow DavidR’s advice here.
Furthermore you can fix this one using HJT:

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

A survey of your active tasks follows. You should have only ONE resident AV solution, and also only ONE software firewall, so see what you want to keep there...
Upload this file to VirusTotal: C:\Program Files\Sygate\SEA\smc.exe

Process | Type | Description
smss.exe | System task | Session Manager Subsystem
winlogon.exe | System task | Microsoft Windows Logon Process
services.exe | System task | Windows Service Controller
lsass.exe | System task | Local Security Authority Service
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
smc.exe | Firewall | Sygate Personal Firewall
snac.exe | Background task | Symantec connect (unknown task)
aswUpdSv.exe | Virusscan | Avast Anti-Virus Component
ashServ.exe | Virusscan | Avast
spoolsv.exe | System task | Microsoft Printer Spooler Service
Explorer.EXE | System task | Microsoft Windows Explorer
AOLacsd.exe | Application | AOL Connection Driver
AppleMobileDeviceService.exe | Background task | Apple Mobile Device Service
FireSvc.exe | Virusscan | BitGuard Firewall
FrameworkService.exe | Virusscan | Network Associates EPOAgent
FireTray.exe | Firewall | McAfee Desktop Firewall Traybar Helper
shwiconem.exe | Driver | Digital Media USB Reader Assistant
igfxtray.exe | Application | Intel Graphics configuration and diagnostic application
hkcmd.exe | Application | Intel multimedia devices
PDVDServ.exe | Background task | PowerDVD Remote Control
SOUNDMAN.EXE | Background task | Realtek Avance Logic Inc
ALCWZRD.EXE | System task | RealTek High Definition audio driver related
vstskmgr.exe | Virusscan | McAfee VirusScan Task Manager
PRISMXL.SYS | System task | Prism deploy
lxcgmon.exe | Background task | Device Monitor
ezprint.exe | System task | Printer driver
svchost.exe | System task | Microsoft Service Host Process
ViewpointService.exe | Background task | View Manager Service
AOLSoftware.exe | Background task | AOL Service Libraries
wanmpsvc.exe | Application | America Online, Inc. Wan miniport (ATW) service
UdaterUI.exe | Virusscan | Common User Interface
SHSTAT.EXE | Virusscan | McAfee VirusScan Shstat
McTray.exe | Virusscan | McAfee Security Agent Taskbar Extension
qttask.exe | Application | Apple QuickTime Tray Icon
qttask.exe | Background task | qttask.exe
SmcGui.exe | Background task | Symantec Agent Firewall
ashDisp.exe | Virusscan | Avast AntiVirus
SsAAD.exe | Background task | Sonic Stage Module
ctfmon.exe | System task | Alternative User Input Services
TeaTimer.exe | Application | Spybot S&D Realtime Scanner
AOLSP Scheduler.exe | Unknown task | Unknown task
ashMaiSv.exe | Virusscan | Avast Anti-Virus Component
iexplore.exe | Application | Microsoft Internet Explorer
ashWebSv.exe | Virusscan | avast! Web Scanner
lxcgcoms.exe | Driver | Printer Communication System
ashMaiSv.exe | Virusscan | Avast Anti-Virus Component
AolTbServer.exe | Background task | AOL IE Toolbar Server
mcshield.exe | Virusscan | McAfee VirusScan
AcroRd32.exe | Application | Acrobat Reader
WISPTIS.EXE | Application | Windows Ink Services Platform Tablet Input Subsystem
rundll32.exe | System task | Microsoft Rundll32
HijackThis.exe | Application | Hijackthis 2.0.2

pol

Hello Polonus & David. Thanks for your replies. So…are you both saying that my problems are due to having 2 AV programs & more than 1 firewall on my system?

Note: after doing the hijack log, I did see MS LIVE ONE CARE was loaded from last week when I did a scan. I have removed that.

Unfortunately I’m not very tech-oriented so I’m a little confused by your directions Polonus: Furthermore you can fix this one using HJT &
update this file to virustotal: C:\Program Files\Sygate\SEA\smc.exe

1.) I do see I have McAfee Virus Scan Enterprise. Should I remove?
2.) I also see McAfee Firewall 8.5 - but I don’t see another firewall program. Can you give me further help on the firewall issue? Not really sure what to look for or remove. I really appreciate your help!

It depends on which problem you are talking about; certainly not that of the title, which is down to the other AVs having not even detected the JS:ScriptIP-INF (TRJ) malware in your temporary internet files, whereas avast did once installed.

The other problems you mentioned outside of that in the title:
“Also - since loading Avast yesterday my computer is sooooo incredibly slow. When starting this morning it will basically freeze up for bit (blue avast ball stops spinning) as if it’s thinking…then it takes off again.”

“my computer froze up & could not access anything.”

They are almost certainly a factor in the freezes, etc., as the AVs fight for control over the scanning of your system, like two dogs fighting over a bone, and you have three dogs fighting over that one bone.

  1. Yes.
  2. You also have Sygate, which is also a firewall.

Ok…I’ll remove the McAfee AV…but not sure where the Sygate Firewall came from. Should I remove that & leave the McAfee firewall?

My main concern is whether or not the TRJ msg that I posted in title is a virus-Trojan? If so, does that mean someone possibly was able to obtain my personal identity info, etc…& how to remove it. :cry:
Thanks

Undoubtedly McAfee is still updating its firewall, while Sygate has been out of development for years.
I suggest the McAfee firewall. But you need to uninstall the antivirus part to use avast.

This article provides the steps to remove SecurityCenter from your computer.
http://ts.mcafeehelp.com/faq3.asp?docid=71525
Also for direct download: http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe
and http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe (2007)

Sometimes McAfee won't be completely removed if you do not first uninstall avast, including using its "Uninstall Application" if necessary (www.avast.com/eng/faq-install-uninstall-avast.html).

Yes, you should remove Sygate (check Add/Remove Programs); it is no different from having more than one resident AV, you should only have one firewall.

Removing McAfee AV by my counting would still leave two, as you also have “Last wk I purchased ParetoLogic AntiVirus Plus software from internet.”

There is no way to tell what the payload of that may have been, because it usually contains a URL to another site that contains the payload.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

You have 2 entries in your HJT log, which appear odd.

O4 - HKUS\S-1-5-18..\RunOnce: [SSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User ‘SYSTEM’)

O4 - HKUS.DEFAULT..\RunOnce: [SSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User ‘Default user’)

If, after removing your extra AVs and firewall, you are still running slow, I would fix these entries. To me they look extremely odd.
Do they mean anything to you?

I didn't look at the log, but as Micky said they look strange, mainly because of having an item run from the Temp folder; that, and it being a batch file, means there would be a number of commands inside the file.

If you can find the sg_rd.bat, open it with notepad (don’t run it) and paste the contents, it might give a clue on what it is about.

I have a suspicion it may be related to spywareguard which is another rogue security application, as far as I can see.
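Both points raised about the two RunOnce lines above (a target living in a Temp folder, and that target being a batch file rather than a program) can be checked mechanically over a whole HijackThis log. The following is an added example, not code from the thread or from HijackThis: it parses O4 lines of the form "O4 - hive\..\key: [name] command (User 'user')" and reports entries whose command references a temporary directory or whose launched file has a script extension. The log below is constructed; the two SSAWrapper lines are the ones quoted in the thread, the remaining lines (including the hypothetical "updater" entry and svc.dll) are made up for contrast.

```python
"""Triage HijackThis O4 (autostart) entries for temp-folder and script targets.

Added example: not part of the forum thread or of HijackThis.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "hive key name command user reasons")

# O4 - HKLM\..\Run: [name] command            (hive may be HKLM, HKCU or HKUS\<sid>)
O4 = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?\s*$")
# First path-like token ending in a launchable extension; leading quote allowed.
BINARY = re.compile(r"^\"?(.+?\.(exe|com|bat|cmd|vbs|vbe|js|jse|wsf|scr|pif))\b", re.I)
# Temp locations as they appear in HJT logs, long and 8.3 short forms.
TEMP_DIR = re.compile(
    r"%temp%|\\(?:windows\\)?temp\\|\\local settings\\temp\\|\\locals~1\\temp\\", re.I)
SCRIPT_EXT = {"bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "pif", "scr"}


def parse_o4(line):
    """Return the fields of one O4 line as a dict, or None for other lines."""
    m = O4.match(line.strip())
    return m.groupdict() if m else None


def reasons_for(cmd):
    """List the traits that make an autostart command worth a second look."""
    reasons = []
    if TEMP_DIR.search(cmd):
        reasons.append("command references a temp directory")
    b = BINARY.match(cmd)
    if b and b.group(2).lower() in SCRIPT_EXT:
        reasons.append("autostart target is a %s script, not a program" % b.group(2).lower())
    return reasons


def triage_o4(log_text):
    """Return Findings for every O4 line in an HJT log that has a reason."""
    out = []
    for line in log_text.splitlines():
        e = parse_o4(line)
        if not e:
            continue
        r = reasons_for(e["cmd"])
        if r:
            out.append(Finding(e["hive"], e["key"], e["name"], e["cmd"], e["user"], r))
    return out


# Constructed log excerpt. The SSAWrapper lines are quoted from the thread;
# the others are invented, "updater"/svc.dll is hypothetical.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User 'Default user')
O4 - HKCU\..\Run: [updater] rundll32.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\svc.dll,Start
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
"""

if __name__ == "__main__":
    for f in triage_o4(HJT_SAMPLE):
        print("%s\\..\\%s [%s] %s -> %s" % (f.hive, f.key, f.name, f.command, "; ".join(f.reasons)))
```

A flagged line is a lead, not a verdict: an installer can legitimately leave a RunOnce entry for its own cleanup, which is why the advice above is to open the batch file in Notepad and read its commands before fixing the entry.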

Ok guys - I’m back.
Remove Sygate - when I go to Add/Remove Programs, Sygate is not listed. From what I can tell it was packed with the Norton AV that originally came on my Gateway... But I uninstalled Norton years ago, so there is no Norton or Sygate showing when I go into the Programs menu or Add/Remove. QUESTION: Could Sygate still be on the computer hiding in another area?

Hi David - see list per you above instructions:

1.) I went to remove Sygate, but while the Sygate firewall shows in my log, it does not show in my Programs or Add/Remove Programs options. So I copied Polonus' above file name "C:\Program Files\Sygate\SEA\smc.exe" & did Explore/Search. It found the hidden folder SMC, which houses this file. QUESTION: Should I right click on this folder/contents & select DELETE???
2.) I used Add/Remove to uninstall Avast AV, then I also uninstalled all McAfee from my system. (I had already uninstalled the ParetoLogic software).
3.) I see that under my Windows Security - Windows Security FIREWALL is active/on. QUESTION: should I leave this active or should I use a different firewall??
4.) I will be running your other suggestions for SuperAntiSpyware & MalwareBytes & post my logs.
5.) Do you believe that the msg I recvd: JS:ScriptIP-INF (TRJ) is some type of trojan virus?? Should I be concerned about my online info safety right now???

I will be back in a bit to post my log from your above suggestion. Thanks so much - I’m about to pull my hair out!

:frowning:

David - I ran the SuperAntiSpyware…Here is my log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/20/2009 at 05:59 AM

Application Version : 4.26.1000

Core Rules Database Version : 3853
Trace Rules Database Version: 1805

Scan type : Quick Scan
Total Scan Time : 00:08:32

Memory items scanned : 542
Memory threats detected : 0
Registry items scanned : 580
Registry threats detected : 0
File items scanned : 7644
File threats detected : 28

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
C:\Documents and Settings\Owner\Cookies\owner@imrworldwide[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ar.atwola[2].txt
C:\Documents and Settings\Owner\Cookies\owner@c7.zedo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@interclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@richmedia.yahoo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@at.atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@collective-media[1].txt
C:\Documents and Settings\Owner\Cookies\owner@linksynergy[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ar.atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[2].txt
C:\Documents and Settings\Owner\Cookies\owner@specificmedia[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Owner\Cookies\owner@invitemedia[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@partner2profit[2].txt
C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@revsci[2].txt

Norton can be a real pig to remove, though I would be very surprised if Sygate came with it years ago. Though having said that the snac.exe and smc.exe files relate to Symantec Network Access Control, so it could well have come packaged. I can’t remember but I believe Symantec bought out Sygate, but that wasn’t years ago, but more recently.

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT

The Windows Security Center should say which firewall is active; if you also uninstalled the McAfee firewall element, then it would be the Windows XP firewall, which doesn't have outbound protection, and that is essential.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo (care required now it is a suite, so as not to install the anti-virus element), PC Tools Firewall Plus, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes: in the Program Control configuration area the slider will only go as far as Medium protection, if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.
Many forum users are using all of the above:
PC Tools Firewall seems to have the least user headaches as it doesn’t seem to be constantly asking the user questions about this and that.
I think you can see by my comments on Zone Alarm free you have to be careful that you are not using the pro trial version.
Online Armor for the most parts fine but it has caused some users grief after avast program updates and that is something you have to watch out for.
Comodo is now a suite and you have to do a custom install so as not to install the antivirus element; of all the firewalls listed this seems to be the noisiest in asking questions, depending on settings and elements used, so it could be daunting for those not too familiar with firewalls or their systems.

The SAS log is fine, as cookies are a minor issue and not a security one; you shouldn't accept third-party cookies (from sites other than the one you are visiting at the time) in your browser's settings. I would also suggest periodically clearing both your Temporary Internet Files and Cookies.

As I said, "There is no way to tell what the payload of that may have been, because it usually contains a URL to another site that contains the payload." That is why I suggested the other two security applications, to get a second/third opinion as to your system's cleanliness.

Hi David. Per your above suggestion, I ran Bleeping Computer Malwarebytes thorough scan. Please see ATTACHED file log to view the 3 INFECTED files: 1 Rogue.WinAntivirus & 2 Adware. SHOULD I REMOVE THESE? Thanks so much.