TechSpot

Need help with trojan

By rgw2354
Feb 17, 2008
  1. I could use a little bit of help. I know that I am infected with Win32:Neptunia-KH. I read the sticky about cleaning vs. reformatting and decided to reformat. Because I use my computer for online transactions, I did a destructive system recovery (some program that my Compaq came with), which basically restores the computer to the factory settings. My problem is that I think this trojan has infected my recovery partition, because I still have the trojan after the destructive system recovery. I do not have much knowledge of computers and I am wondering if this is something I can fix myself. I know that I am not following the directions, but I am literally pulling my hair out at this point and I was just wondering if this is something that would be relatively easy to fix or if I need to take it to a repair shop. Any help would be appreciated. Rick
     
  2. N3051M

    N3051M TS Evangelist Posts: 2,115

    if it has infected the recovery partition on your hdd, then you have a few options.. you can either do a full format and then reinstall windows on it with a proper windows cd, or attempt to clean the trojan up yourself and see how you go..

    with the reformat, you basically wipe the hdd clean (usually including the recovery partition) using one of many utilities or the windows cd itself, then proceed to install windows over it. However, it may be difficult for you if you don't have a copy of windows and especially since that key is probably an OEM key, meaning only certain cds would work with it.. (sometimes true, but you can always try your luck). Extremely risky operation since you lose your safety net (recovery partition). Although do it if you have no regrets and can find your own workaround to this..

    If you want to try and clean it up, read on: http://www.techspot.com/vb/topic58138.html
     
  3. rgw2354

    rgw2354 TS Rookie Topic Starter

    Ok, I have followed the 15 steps to the best of my abilities and my HJT log is attached. I have followed these steps twice because I don't think that I did it properly the first time. Panda did not report anything, and avg and combofix both came back negative the second time around. Since avg and combofix came back negative, I am not posting the logs at this point. Thanks in advance to whoever is kind enough to review my HJT log. If you still require the combofix and avg logs, let me know and I will post them asap.

    Rick
     


  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Can you please post the combofix log as only somebody with experience reading combofix could tell if it was negative.

    Also, your Java Runtime needs to be updated

    Update your Java Runtime Environment
    • This new release will overwrite previous installations and automatically update browsers to use this new release. The configuration files and program files folder used by Java Web Start have changed, but all your settings will remain intact after the upgrade, since Java Web Start will translate your settings to the new form.

      Java SE Runtime Environment 6 Update 4 First Customer Ship

      Simply enter your operating system and check agree to terms of service. Select ok
      Then click directly on the file to download
      This downloads the installer (hopefully to your desktop)
      Locate and double click the installer jre-6u4-windows-i586-p-iftw.exe (or whichever installer you chose)
     
  5. rgw2354

    rgw2354 TS Rookie Topic Starter

    Sorry about not posting the combofix log. Here it is.
     


  6. rgw2354

    rgw2354 TS Rookie Topic Starter

    If someone would please review my HJT and combofix logs it would be appreciated. I ran a virus scan today with avast and nothing was detected but I need to use my computer for things that require it to be secure and I am still worried that it is not due to the fact that the virus was still present after a destructive system recovery.
    Rick
     
  7. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I don't have "combofix" expertise, but these two don't look right
    C:\WINDOWS\000001_.tmp
    C:\WINDOWS\Fonts\RandFont.dll

    I'd remove them (you may want to rename them to *.old - until someone else confirms removal, but I'd remove them)
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Just to check

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Go to Start, click Search, click All files and folders, and then click More advanced options. Click the check boxes to Search system folders and Search hidden files and folders.

    In the search box for All or part of the file name please type csrsv.exe and csrsu.exe

    If found let me know, if not everything else looks clean
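
The file search described in the last post can also be scripted. The following is an added example, not part of the original thread: it assumes Python is available on the machine, the function names are hypothetical, and only the two file names come from the post. A directory walk lists hidden and system files regardless of the Explorer view settings, and the script records size, modification time and SHA-256 for each match so a find can be reported precisely.

```python
import hashlib
import os
import sys
from datetime import datetime, timezone

# File names taken from the post above; matching is case-insensitive
# because Windows file names are.
SUSPECT_NAMES = {"csrsv.exe", "csrsu.exe"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_suspects(root, names=SUSPECT_NAMES):
    """Walk root and return one record per file whose name matches.

    os.walk also lists hidden and system files, so no Explorer setting
    is involved. Unreadable directories are skipped, not fatal.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            if name.lower() not in wanted:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                record = {"path": full, "size": st.st_size,
                          "modified": mtime.isoformat(),
                          "sha256": sha256_of(full)}
            except OSError as exc:  # locked or access denied: still report it
                record = {"path": full, "error": str(exc)}
            hits.append(record)
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    results = find_suspects(root)
    for r in results:
        print(r)
    print(f"{len(results)} match(es) under {root}")
```

An empty result corresponds to the "not found" outcome in the post; any match should be reported back with its full path and hash before anything is deleted.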
     