Windows Explorer Script Trojan Help

Status
Not open for further replies.
I recently was attacked by what my antivirus said was a script trojan. I wasn't running any AV software while browsing the net, stupid me. At any rate I followed the 8 step process and here are my logs; I want to make sure I'm completely safe to start resetting my passwords for everything. Thanks in advance for the help.

*edit: forgot to add I'm running Vista Home Basic, and the symptom was Windows Explorer would stop working and have to be restarted over and over.
 
An A/V product would not normally detect Web-based attacks (unless you opt for
something like AVG 8* with Link Scanning which most of us have abandoned).

Get a copy of
  1. hostfile to block known bad websites
  2. Spywareblaster to block known bad ActiveX components
  3. Firefox to exercise better control over what is accessed
  4. enable the Pop-up blocking feature of your browser
  5. use a router
  6. enable your firewall
  7. do NOT run daily using an admin account!
 
Hi Tammy

You have done a good job thus far

After we get you clean we need to clean up all of your old virus scanners that are not cleanly uninstalled!

Run HJT and select and remove the below entries!
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

We need second runs of MBAM and SAS as they found so much. It is likely they have exposed others that were not even seen on the first runs.

UPDATE before any run. If the log files show any removals run again until the log is clean. Attach a log for each run!

Mike
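
Added example, not part of the original post and not HijackThis code: a small Python parser that picks out the HJT entries whose target is gone, the `(no file)` / `(file missing)` lines listed above. The last two lines of the sample log and all function names are constructed for illustration.

```python
import re

# Constructed sample: the six entries quoted in the post above, plus one
# hypothetical healthy service entry and one non-entry line for contrast.
SAMPLE_LOG = r"""
(constructed non-entry line)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Example Updater (ExampleSvc) - Example Vendor - C:\Program Files\Example\updater.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<label>[^:]+): (?P<rest>.+)$")
ORPHAN_RE = re.compile(r"\s*\((?:no file|file missing)\)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SERVICE_RE = re.compile(r"\((\w+)\) - ")


def parse_line(line):
    """Parse one HJT entry line into a dict, or return None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    clsid = CLSID_RE.search(rest)
    service = SERVICE_RE.search(rest) if m.group("code") == "O23" else None
    # The last " - " field is the file the entry points at, if any.
    target = ORPHAN_RE.sub("", rest.split(" - ")[-1]) or None
    return {
        "code": m.group("code"),
        "label": m.group("label"),
        "orphaned": bool(ORPHAN_RE.search(rest)),
        "clsid": clsid.group(0) if clsid else None,
        "service": service.group(1) if service else None,
        "target": target,
    }


def orphaned_entries(log_text):
    """Return parsed entries whose referenced file no longer exists."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [e for e in parsed if e and e["orphaned"]]


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(e["code"], e["label"], e["service"] or e["clsid"] or "-")
```

The short name in parentheses on an O23 line (for example `McShield`) is the service name, which is what the Services console and `sc query` use.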
 
Thanks for the info, Mike and Jo, but I'm having a bit of trouble with

O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)

I was able to get rid of the other McAfee entry by going into safe mode and making it not start automatically in the services menu, but I do not have the option for disabling McShield and I do not know what the SharedTaskScheduler is listed as in the services menu. Both are Stopped, however.

Everything else went smoothly and I'm doing a second run of SAS and MBAM tonight. That was actually the log from the 2nd run, so this is the 3rd on both.

I normally would just reformat but my wife lost the Vista disc for this computer (her computer). So reformat is not an option; I don't have another Vista disc.

Are these entries that HJT is giving me from the registry? Can I go into regedit and delete them manually?

Thanks, I'll reply again with clean logs, and all leading to them.
 
OK Good!

Forget the McAfee for now, it is not malware!

Make sure to post all the logs as we need to know what you had even if cleaned!

Mike
 