TechSpot

Windows Explorer Script Trojan Help

By ent
Jan 25, 2009
  1. I recently was attacked by what my antivirus said was a script trojan, I wasn't running any AV software while browsing the net, stupid me. At any rate I followed the 8 step process and here are my logs, want to make sure I'm completely safe to start resetting my passwords for everything. Thanks in advance for the help.

    *edit forgot to add I'm running Vista home Basic, and the symptom was Windows explorer would stop working and have to be restarted over and over.
     
  2. jobeard

    jobeard TS Ambassador Posts: 9,311   +617

    An A/V product would not normally detect Web-based attacks (unless you opt for
    something like AVG 8* with Link Scanning which most of us have abandoned).

    Get a copy of
    1. hostfile to block known bad websites
    2. Spywareblaster to block known bad ActiveX components
    3. Firefox to exercise better control over what is accessed
    4. enable the Pop-up blocking feature of your browser
    5. use a router
    6. enable your firewall
    7. do NOT run daily using an admin account!
     
  3. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Tammy

    You have done a good job thus far

    After we get you clean we need to clean up all of your old virus scanners that are not cleanly uninstalled!

    Run HJT and select and remove the below entries!
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
    O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

    We need second runs of MBAM and SAS as they found so much. It is likely they have exposed others that were not even seen on the first runs.

    UPDATE before any run. If the log files show any removals run again until the log is clean. Attach a log for each run!

    Mike
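
An added example, not part of the thread and not HijackThis's own code: a small Python parser for HJT-style lines like the ones Mike lists, which picks out the entries whose target is reported as "(no file)" or "(file missing)" and extracts the CLSID or the service short name to look for. The sample log is constructed from the six lines in the post plus one made-up entry (ExampleSvc); the function names are hypothetical.

```python
import re

# Constructed sample: the six entries quoted in the post above, plus one
# made-up entry (ExampleSvc) whose file exists, so one line is not flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Vendor - C:\Program Files\Example\example.exe
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.+)$")
ORPHAN = re.compile(r"\((no file|file missing)\)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SERVICE = re.compile(r"\((?P<name>[^()]+)\) - ")  # short name in O23 lines

def parse_entries(log_text):
    """Turn HJT-style lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        rest = m.group("rest")
        clsid = CLSID.search(rest)
        marker = ORPHAN.search(rest)
        svc = SERVICE.search(rest) if m.group("section") == "O23" else None
        entries.append({
            "section": m.group("section"),
            "kind": m.group("kind"),
            "clsid": clsid.group(0) if clsid else None,
            "service": svc.group("name") if svc else None,
            "orphan": marker.group(1) if marker else None,
            "line": line,
        })
    return entries

def orphaned(entries):
    """Entries whose target HJT reported as '(no file)' or '(file missing)'."""
    return [e for e in entries if e["orphan"]]

if __name__ == "__main__":
    for e in orphaned(parse_entries(SAMPLE_LOG)):
        print(e["section"], e["kind"], e["service"] or e["clsid"] or "-", e["orphan"])
```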
     
  4. ent

    ent TS Rookie Topic Starter

    Thanks for the info Mike and Jo, but I'm having a bit of trouble with

    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
    O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)

    I was able to get rid of the other McAfee entry by going into safe mode and making it not start automatically in the services menu, but I do not have the option for disabling McShield and I do not know what the SharedTaskScheduler is listed as in the services menu. Both are Stopped however.

    Everything else went smoothly and I'm doing a second run of SAS and MBAM tonight. That was actually the log from the 2nd run, so this is the 3rd on both.

    I normally would just reformat but my wife lost the Vista disc for this computer (her computer). So reformat is not an option, I don't have another Vista disc.

    Are these entries that HJT is giving me from the registry? Can I go into regedit and delete it manually?

    Thanks, I'll reply again with clean logs, and all leading to them.
     
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    OK Good!

    Forget the McAfee for now, it is not malware!

    Make sure to post all the logs as we need to know what you had even if cleaned!

    Mike
     
Topic Status:
Not open for further replies.
