Author Topic: Avast msg: JS:ScriptIP-INF (TRJ)  (Read 26653 times)

Offline schubed1

  • Newbie
  • *
  • Posts: 16
Avast msg: JS:ScriptIP-INF (TRJ)
« on: April 19, 2009, 02:33:15 PM »
Hello. I just loaded Avast Home 4.8 yesterday. It scanned on re-boot & gave me this message.
Said location was:
FileC:\Documents&Settings\Owner\LocalSettings\tempintfiles\content.IES\2n98I7WH\default[1].htm  is infected with JS:ScriptIP-INF (TRJ).

Also - since loading Avast yesterday my computer is sooooo incredibly slow. When starting this morning it will basically freeze up for bit (blue avast ball stops spinning) as if it's thinking....then it takes off again.

I apologize in advance as I'm an old fart who's new to this arena.  Thanks so much!  Deb

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #1 on: April 19, 2009, 04:55:25 PM »
Hi schubed1,

This is in a temp file that you can cleanse with for instance ATF Cleaner 3.0.0.2, download here:
http://majorgeeks.com/downloadget.php?id=4949&file=15&evp=72ef5a5e927b2276e6a5bc34c89d005a

JS:ScriptIP-INF (TRJ) can be a scanner alert from a site that has been cracked, and this could look a bit like this:
Code:
<script language="JavaScript">
<!--
// Hit counter code for Webstat.net
// Collects referrer, user agent and current page URL for the counter request
var data = '&r=' + escape(document.referrer)
  + '&n=' + escape(navigator.userAgent)
  + '&p=' + escape(navigator.userAgent)
  + '&g=' + escape(document.location.href);
if (navigator.userAgent.substring(0,1)>'3')
  data = data + '&sd=' + screen.colorDepth + '&sw=' +
    escape(screen.width+'x'+screen.height);
// Writes an invisible (0x0) image whose URL carries the collected data
document.write('<img alt="Website Counter" width="0" height="0" '
  + 'border="0" hspace="0" ' + 'vspace="0" '
  + 'src="hxxp://www.webstat.net/basic/counter.php?i=70739' + data + '">');
// -->
</script>
<a href="hxxp://www.webstat.net/" target="_blank"><img alt="Website Counter" src="70739.png" border="0" hspace="0" vspace="0"></a>
<noscript><br/><a href="hxxp://www.webstat.net">Free Counter</a><br>The
following text will not be seen after you upload your website, please
keep it in order to retain your counter functionality <br>
<a href="hxxtp://www.acsr.com" target="_blank">online casino</a>
</noscript>
-------
Almost any scanner would flag the downloaded src="70739.png" here.
So delete your IE temp files, and also post a hjt logfile txt as an additional txt to your following posting, so we can have a look what could have made your machine that slow lately.
Download HijackThis from here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
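The traits of the counter snippet in the reply above (an invisible 0x0 image written by script to a third-party host, plus an unrelated link tucked into the noscript block) can be checked in a cached page with a short script. This is an added example, not part of the original post and not Avast's detection logic; the function and class names are hypothetical and the sample page is constructed from the quoted snippet.

```python
import re
from html.parser import HTMLParser

# Constructed sample, modelled on the counter snippet quoted above (URLs stay defanged).
SAMPLE = """<script language="JavaScript">
var data = '&r=' + escape(document.referrer) + '&g=' + escape(document.location.href);
document.write('<img alt="Website Counter" width="0" height="0" '
  + 'src="hxxp://www.webstat.net/basic/counter.php?i=70739' + data + '">');
</script>
<a href="hxxp://www.webstat.net/" target="_blank"><img src="70739.png" border="0"></a>
<noscript><a href="hxxp://www.webstat.net">Free Counter</a>
<a href="hxxtp://www.acsr.com" target="_blank">online casino</a></noscript>"""

LEAKS = r"document\.referrer|document\.location|navigator\.userAgent"

def host(url):
    """Host part of an http(s) URL; defanged hxxp/hxxtp spellings are accepted too."""
    m = re.match(r"h(?:tt|xx|xxt)ps?://([^/\"'\s?]+)", url or "", re.I)
    return m.group(1).lower() if m else None

class CacheScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = self.in_noscript = False
        self.js, self.beacons, self.noscript_hosts = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "noscript":
            self.in_noscript = True
        elif tag == "a" and self.in_noscript:
            h = host(dict(attrs).get("href"))
            if h:
                self.noscript_hosts.append(h)

    def handle_data(self, data):
        if self.in_script:
            self.js.append(data)          # script bodies arrive as plain text

    def handle_endtag(self, tag):
        if tag == "noscript":
            self.in_noscript = False
        elif tag == "script":
            self.in_script = False
            js, self.js = "".join(self.js), []
            for call in re.findall(r"document\.write\((.*?)\);", js, re.S):
                markup = "".join(re.findall(r"'([^']*)'", call))  # glue the string literals
                src = re.search(r'<img\b[^>]*\bsrc="([^"]+)', markup, re.I)
                h = host(src.group(1)) if src else None
                if h and 'width="0"' in markup and 'height="0"' in markup:
                    self.beacons.append((h, sorted(set(re.findall(LEAKS, js)))))

def scan(html):
    p = CacheScan()
    p.feed(html)
    p.close()
    hosts = {h for h, _ in p.beacons}
    return {"beacon_hosts": sorted(hosts),
            "sent": sorted({x for _, leaked in p.beacons for x in leaked}),
            "unrelated_noscript_links": sorted(set(p.noscript_hosts) - hosts)}
```
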

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #2 on: April 19, 2009, 04:59:37 PM »
Something on your system has infected the default[1].htm or the likelihood is that it was an infected file when downloaded into your browser cache and your other AV didn't detect it. avast is very hot (and accurate) on this type of web infection which is becoming more prevalent.

Have you (or did you have) another AV installed on this system? If so, what was it and how did you get rid of it?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline schubed1

  • Newbie
  • *
  • Posts: 16
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #3 on: April 19, 2009, 05:38:56 PM »
I'm running XP. I fell by the wayside & never renewed my McAfee protection. Last wk I purchased ParetoLogic AntiVirus Plus software from internet. Once downloaded, my computer froze up & could not access anything. After research I saw they had bad rep/problems... so I went to Add/Remove Programs & removed it from my system.  Then downloaded the Avast 4.8 yesterday.  Question: on almost a daily basis I go to Control Panel,Int Options, Browsing History & delete Temp Int Files, History & Cookies.  Is that what is meant by I need to delete temp files?   Thanks. 

Offline schubed1

  • Newbie
  • *
  • Posts: 16
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #4 on: April 19, 2009, 05:45:52 PM »
Thank you polonus. QUESTION - trying to do your suggested cleanse download above, it's asking me to select files to delete: Windows Temp, Current & All User Temp, Cookies, Temp Int Files, History, Prefetch, Java Cache, Recycle or all. What do you want me to choose? Note: on almost a daily basis I go to Control Panel-Int Options, Browsing History & then I delete Temp Int Files, History & Cookies. Thank you.

Offline schubed1

  • Newbie
  • *
  • Posts: 16
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #5 on: April 19, 2009, 06:32:09 PM »
POLONUS - I tried to paste my HIJACKTHIS log results but it said that it exceeded the max characters allowed.  I saved it in Notepad as a .txt file.  Please see attachment & let me know if you have a problem opening it.  I may need to paste results in 2 diff replies.  Thanks so much.   :   )

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #6 on: April 19, 2009, 06:47:09 PM »
Well, first, having two resident anti-virus applications installed is a no-no. Not only will that put a serious crimp in your system performance, as both would be scanning the same files; here comes the more serious bit: they could conflict and cause anything from just duplicate scanning slowing performance to a conflict that could lock your system, similar I guess to what you said you were experiencing.

So you have to decide what is going to be your resident anti-virus program and uninstall the others.

McAfee may also have left remnants even if uninstalled (we have seen this in the forums), so you need to ensure all of it is gone.

McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe Or http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html
 
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
 
Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #7 on: April 19, 2009, 07:06:07 PM »
Hi schubed:

Follow DavidR's advice here.
Furthermore you can fix this one using HJT:

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)

A survey of your active tasks, you should not have only ONE resident av solution, also only ONE software firewall, so see what you want to keep there...
Update this file to virustotal: C:\Program Files\Sygate\SEA\smc.exe

smss.exe | System task | Session Manager Subsystem
winlogon.exe | System task | Microsoft Windows Logon Process
services.exe | System task | Windows Service Controller
lsass.exe | System task | Local Security Authority Service
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
smc.exe | Firewall | Sygate Personal Firewall
snac.exe Symantec connect | background task | Unknown task
aswUpdSv.exe | Virusscan | Avast Anti-Virus Component
ashServ.exe | Virusscan | Avast
spoolsv.exe | System task | Microsoft Printer Spooler Service
Explorer.EXE | System task | Microsoft Windows Explorer
AOLacsd.exe | Application | AOL Connection Driver
AppleMobileDeviceService.exe | Backgroundtask | Apple Mobile Device Service
FireSvc.exe | Virusscan | BitGuard Firewall
FrameworkService.exe | Virusscan | Network Associates EPOAgent
FireTray.exe | Firewall | McAfee Desktop Firewall Traybar Helper
shwiconem.exe | Driver | Digital Media USB Reader Assistant
igfxtray.exe | Application | Intel Graphics configuration and diagnostic application
hkcmd.exe | Application | Intel multimedia devices
PDVDServ.exe | Backgroundtask | PowerDVD Remote Control
SOUNDMAN.EXE | Backgroundtask | Realtek Avance Logic Inc
ALCWZRD.EXE | System task | RealTek High Definition audio driver related
vstskmgr.exe | Virusscan | McAfee VirusScan Task Manager
PRISMXL.SYS Prism deploy | System task | System task
lxcgmon.exe | Backgroundtask | Device Monitor
ezprint.exe | System task | Printer driver
svchost.exe | System task | Microsoft Service Host Process
ViewpointService.exe | Backgroundtask | View Manager Service
AOLSoftware.exe | Backgroundtask | AOL Service Libraries
wanmpsvc.exe | Application | America Online, Inc. Wan miniport (ATW) service
UdaterUI.exe | Virusscan | Common User Interface
SHSTAT.EXE | Virusscan | McAfee VirusScan Shstat
McTray.exe | Virusscan | McAfee Security Agent Taskbar Extension
qttask.exe | Application | Apple QuickTime Tray Icon
qttask.exe | Backgroundtask | qttask.exe
SmcGui.exe Symantec Agent Firewall | Backgroundtask | Backgroundtask
ashDisp.exe | Virusscan | Avast AntiVirus
SsAAD.exe | Backgroundtask | Sonic Stage Module
ctfmon.exe | System task | Alternative User Input Services
TeaTimer.exe | Application | Spybot S&D Realtime Scanner
AOLSP Scheduler.exe | Unknown task | Unknown task
ashMaiSv.exe | Virusscan | Avast Anti-Virus Component
iexplore.exe | Application | Microsoft Internet Explorer
ashWebSv.exe | Virusscan | avast! Web Scanner
lxcgcoms.exe | Driver | Printer Communication System
ashMaiSv.exe | Virusscan | Avast Anti-Virus Component
AolTbServer.exe | Backgroundtask | AOL IE Toolbar Server
mcshield.exe | Virusscan | McAfee VirusScan
AcroRd32.exe | Application | Acrobat Reader
WISPTIS.EXE | Application | Windows Ink Services Platform Tablet Input Subsystem
rundll32.exe | System task | Microsoft Rundll32
HijackThis.exe | Application | Hijackthis 2.0.2

pol

Offline schubed1

  • Newbie
  • *
  • Posts: 16
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #8 on: April 19, 2009, 07:35:36 PM »
Hello Polonus & David.  Thanks for your replies. So...are you both saying that my problems are due to having 2 AV programs & more than 1 firewall on my system?
 
Note: after doing the hijack log, I did see MS LIVE ONE CARE was loaded from last week when I did a scan.  I have removed that.

Unfortunately I'm not very tech-oriented so I'm a little confused by your directions Polonus:      Furthermore you can fix this one using HJT    &
update this file to virustotal: C:\Program Files\Sygate\SEA\smc.exe

1.)  I do see I have McAfee Virus Scan Enterprise. Should I remove?
2.)  I also see McAfee Firewall 8.5 - but I don't see another firewall program. Can you give me further help on the firewall issue?  Not really sure what to look for or remove.     I really appreciate your help!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #9 on: April 19, 2009, 08:17:52 PM »
It depends on which problem you are talking about, certainly not that of the title, that is down to the other AVs having not even detected the JS:ScriptIP-INF (TRJ) malware in your temp internet files, but avast did when installed.

The other problems you mentioned outside of that in the title:
"Also - since loading Avast yesterday my computer is sooooo incredibly slow. When starting this morning it will basically freeze up for bit (blue avast ball stops spinning) as if it's thinking....then it takes off again."

"my computer froze up & could not access anything."

They are almost certainly a factor, in the freezes, etc. as the AVs fight for control over the scanning of your system like two dogs fighting over a bone and you have three dogs fighting over that one bone.

1. Yes.
2. You also have Sygate, which is also a firewall.

Offline schubed1

  • Newbie
  • *
  • Posts: 16
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #10 on: April 19, 2009, 08:41:40 PM »
Ok....I'll remove the McAfee AV.....but not sure where the Sygate Firewall came from.  Should I remove that & leave the McAfee firewall?   

My main concern is whether or not the TRJ msg that I posted in title is a virus-Trojan?  If so, does that mean someone possibly was able to obtain my personal identity info, etc....& how to remove it.    :'(   
   Thanks

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #11 on: April 19, 2009, 08:53:37 PM »
Ok....I'll remove the McAfee AV.....but not sure where the Sygate Firewall came from.  Should I remove that & leave the McAfee firewall?
Undoubtedly, McAfee is updating its firewall, while Sygate has been out of development for years.
I suggest McAfee firewall. But, you need to uninstall the antivirus part to use avast.

This article provides the steps to remove SecurityCenter from your computer.
http://ts.mcafeehelp.com/faq3.asp?docid=71525
Also for direct download: http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe
and http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe (2007)

Sometimes, McAfee won't be completely removed if, before, you do not uninstall Avast, including the use of its "Uninstall Application" if necessary (www.avast.com/eng/faq-install-uninstall-avast.html).
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #12 on: April 19, 2009, 08:59:15 PM »
Yes, you should remove Sygate (check add remove programs), it is no different to having more than one resident AV, you should only have one firewall.

Removing McAfee AV by my counting would still leave two, as you also have "Last wk I purchased ParetoLogic AntiVirus Plus software from internet."

There is no way to tell what the payload of that may have been, because it usually contains a URL to another site that contains the payload.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

micky77

  • Guest
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #13 on: April 19, 2009, 09:12:22 PM »
You have 2 entries in your HJT log, which appear odd.

O4 - HKUS\S-1-5-18\..\RunOnce: [SSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [SSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User 'Default user')

If after removing your extra AVs and firewall, you are still running slow, I would fix these entries. To me they look extremely odd.
Do they mean anything to you?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Avast msg: JS:ScriptIP-INF (TRJ)
« Reply #14 on: April 19, 2009, 10:50:02 PM »
I didn't look at the log, but as Micky said they look strange, mainly because having an item run from the Temp folder, that and being a batch file there would be a number of commands inside the file.

If you can find the sg_rd.bat, open it with notepad (don't run it) and paste the contents, it might give a clue on what it is about.


I have a suspicion it may be related to spywareguard which is another rogue security application, as far as I can see.
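The two kinds of HijackThis entries singled out in this thread (an O3 toolbar with no file behind it, and O4 autoruns that launch a batch file from a Temp folder) can be picked out of a saved log mechanically. This is an added example, not part of any post above and not HijackThis's own logic; the function name, the Temp-folder and script-extension lists are assumptions, and the avast! line in the sample is constructed as a benign contrast.

```python
import re
from pathlib import PureWindowsPath

# Entries quoted in the thread, plus one constructed benign autorun (the avast! line).
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [SSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SSAWrapper] C:\WINDOWS\TEMP\sg_rd.bat (User 'Default user')
"""

O3 = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.+)$")
O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+?)"
                r"(?: \(User '(?P<user>[^']*)'\))?$")
# First drive-letter path up to a file extension; arguments after it are ignored.
PATH = re.compile(r'^"?([A-Za-z]:\\.*?\.[A-Za-z0-9]{2,4})\b')

TEMP_DIRS = {"temp", "tmp", "temporary internet files"}   # assumed folder names
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js"}              # assumed script types

def triage(log):
    """Return (section, identifier, reasons) for entries worth a closer look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := O3.match(line):
            if m["file"] == "(no file)":
                findings.append(("O3", m["clsid"], ["toolbar entry with no file on disk"]))
        elif m := O4.match(line):
            p = PATH.match(m["cmd"])
            if not p:
                continue
            path = PureWindowsPath(p.group(1))
            reasons = []
            if any(part.lower() in TEMP_DIRS for part in path.parts[:-1]):
                reasons.append("runs from a temp directory")
            if path.suffix.lower() in SCRIPT_EXT:
                reasons.append("script rather than an executable")
            if reasons:
                findings.append(("O4", f"{m['name']} ({m['user'] or 'machine'})", reasons))
    return findings
```

A hit only marks the entry for inspection, for instance opening the batch file in Notepad as suggested above.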