Strange Virus / Trojan problem

  1. #1

    Join Date
    Sep 2005
    Location
    Lantau
    Posts
    1,519

    Strange Virus / Trojan problem

    Guys,

    Hope you can help. Got my first virus / trojan on my PC. I have cleared loads of these up from friends' / relatives' PCs over the years, but first time I get one on my machine, I can't seem to figure out what it is.

    My virus checker finds it, doesn't give any info as to the name except Trojan Horse Dropper.Agent.BVY and can't seem to deal with it.

    It lives in the c:\documents & settings\username\Local Settings\Temp\RarSFX0 folder and will increment the folder name (ie RarSFX1 onwards)

    The virus checker quarantines a file called tshz093.exe and there is another file csrss.exe in that folder. CSRSS.exe is running twice as two separate processes and they can't be stopped.

    Booting up to safe mode and removing those folders doesn't seem to do it.

    A search of the registry for those files hasn't helped (1 entry found and removed). Nothing in the Run or Runonce keys in the registry.

    There is also an odd process running in task manager - 927up.exe

    Checked google, symantec etc for a few of these keywords but don't get anything back.

    It also pops up some odd winrar box from time to time.

    Anyone know what this is and how to get rid?

    Thanks


  2. #2

    Join Date
    Apr 2003
    Posts
    12,383

    HKNewBi: chances are it's written over a system file (crss) so you can't delete it. I'd recommend doing an SFC scan..

    sfc /scannow

    You will need the windows CD to replace the corrupted / infected file.


  3. #3

    Join Date
    Sep 2005
    Location
    Lantau
    Posts
    1,519

    Thanks KIA

    The machine became very unstable - it would reboot if putting a new URL into Firefox for example, so I thought I would just format and reinstall.

    The installation bluescreened twice!!!

    Finally managed to get windows installed but nothing is working properly.

    Back to the drawing board


  4. #4

    Join Date
    Oct 2006
    Posts
    1

    Hi HKNewBi,
    I just have the same problem as you and found this useful info:
    http://research.sunbelt-software.com...&threatid=3678
    Hope that helps.


  5. #5

    Join Date
    Sep 2005
    Location
    Lantau
    Posts
    1,519

    Thanks Test but I have since formatted the whole system and reinstalled. Problem gone... for now!


  6. #6

    Join Date
    Oct 2006
    Posts
    4

    Quote Originally Posted by HKNewBi:
    Guys,

    Hope you can help. Got my first virus / trojan on my PC. I have cleared loads of these up from friends' / relatives' PCs over the years, but first time I get one on my machine, I can't seem to figure out what it is.

    My virus checker finds it, doesn't give any info as to the name except Trojan Horse Dropper.Agent.BVY and can't seem to deal with it.

    It lives in the c:\documents & settings\username\Local Settings\Temp\RarSFX0 folder and will increment the folder name (ie RarSFX1 onwards)

    The virus checker quarantines a file called tshz093.exe and there is another file csrss.exe in that folder. CSRSS.exe is running twice as two separate processes and they can't be stopped.

    Booting up to safe mode and removing those folders doesn't seem to do it.

    A search of the registry for those files hasn't helped (1 entry found and removed). Nothing in the Run or Runonce keys in the registry.

    There is also an odd process running in task manager - 927up.exe

    Checked google, symantec etc for a few of these keywords but don't get anything back.

    It also pops up some odd winrar box from time to time.

    Anyone know what this is and how to get rid?

    Thanks

    I have the exact same problem and it's doing my head in. Ran a couple of spyware programs but nothing comes up..

    Ran CCleaner and deleted all temp files, as this is where it's hiding. Killed the csrss (under username, not system) with HijackThis. Removed registry entries pointing towards the 927up file. Also killed and deleted the file with Killbox.

    When I restart and browse the internet it keeps popping back.

    The 927up.exe installs itself into C:\program files and the other csrss process comes up in task manager..

    Please help get rid of this file..
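
Added example, not part of any post in this thread: a Python triage check for the symptoms described in posts #1 and #6 (a csrss.exe image outside System32 or under a user account, an image running from a Temp\RarSFX<N> folder, a loose executable in the Program Files root). The process snapshot, PIDs, the protected-name list and the rules themselves are assumptions constructed for illustration.

```python
import ntpath
import re

# Names that should only ever run from System32 (short illustrative list, an assumption).
PROTECTED_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
SYSTEM_DIR = ntpath.normcase(r"C:\WINDOWS\system32")
PROGRAM_FILES = ntpath.normcase(r"C:\Program Files")
SYSTEM_USERS = {"system", "nt authority\\system"}
# Self-extractor scratch folders such as ...\Temp\RarSFX0, RarSFX1, ...
RARSFX_RE = re.compile(r"\\temp\\rarsfx\d+\\", re.IGNORECASE)

def triage(processes):
    """Return (pid, reason) pairs for processes matching the thread's symptoms."""
    findings = []
    for p in processes:
        path = ntpath.normcase(p["path"])      # case-insensitive Windows compare
        name = ntpath.basename(path)
        folder = ntpath.dirname(path)
        if name in PROTECTED_NAMES and folder != SYSTEM_DIR:
            findings.append((p["pid"], "system process name outside System32"))
        if name in PROTECTED_NAMES and p["user"].lower() not in SYSTEM_USERS:
            findings.append((p["pid"], "system process name under a user account"))
        if RARSFX_RE.search(path):
            findings.append((p["pid"], "image runs from a RarSFX temp folder"))
        if folder == PROGRAM_FILES:
            # Heuristic: installers normally use a vendor subfolder.
            findings.append((p["pid"], "loose executable in Program Files root"))
    return findings

# Constructed snapshot (PIDs and user names are made up).
SAMPLE = [
    {"pid": 612, "path": r"C:\WINDOWS\system32\csrss.exe", "user": "SYSTEM"},
    {"pid": 2140, "user": "username",
     "path": r"C:\Documents and Settings\username\Local Settings\Temp\RarSFX0\csrss.exe"},
    {"pid": 2388, "path": r"C:\Program Files\927up.exe", "user": "username"},
    {"pid": 1020, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe", "user": "username"},
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE):
        print(pid, reason)
```

The genuine csrss.exe (PID 612 in the sample) passes every rule, which is why comparing the full image path and owning account separates it from the copy in the temp folder when Task Manager shows two processes with the same name.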

  7. #7

    Join Date
    Sep 2005
    Location
    Lantau
    Posts
    1,519

    Have you tried any of that in safe mode?

    I ended up reinstalling windows which solved the problem for me.


  8. #8

    Join Date
    Oct 2006
    Posts
    4

    Yes mate, tried pretty much everything. Don't wanna go the format route, too much stuff that I need and don't wanna spend a week reinstalling everything..

    Can't believe that there is no information on the net about this..

    I use Firefox, but the culprit brings up IE and tries to connect to 123sha.com

    Last edited by Skindog; 17-10-2006 at 12:35 AM.

  9. #9

    Join Date
    Oct 2006
    Posts
    4

    Just tried deleting everything in Safe Mode again, didn't do the reg entries last time, but did it this time and all seems fine...


  10. #10

    Join Date
    Nov 2005
    Posts
    408

    You got a firewall, anti-virus, spy-remover?

