April 11, 2011
Trojan Horse BackDoor.Generic 13
Wow. I think I finally turned the corner on a nasty computer virus. I had a hard time getting on top of this one. Don't know where it came from. AVG saw it, but couldn't get rid of it. Malwarebytes Anti-Malware could always see it, but couldn't get rid of it.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\docume~1\rob\locals~1\temp\csrss.exe -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob\Local Settings\Temp\csrss.exe (Trojan.Agent) -> Delete on reboot.
The trick was that there was a file named "C:\Documents and Settings\Rob\Local Settings\Temp\csrss.exe" that I couldn't delete. This was the Trojan Horse, and it was being loaded into memory at startup by the Registry Key "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\docume~1\rob\locals~1\temp\csrss.exe".
Finally, I had to reboot in Safe Mode. Once I was in Safe Mode, I could unload the process csrss.exe using Task Killer. Once the process was unloaded, I deleted the file and rebooted. It came up saying it couldn't find the file csrss.exe, so I scanned the registry and deleted the references to this file "c:\docume~1\rob\locals~1\temp\csrss.exe". This one is kinda tricky though, because there is a valid csrss.exe in the registry, but it's located in the system32 folder. So, don't delete that one, of course. Hahaha. Wow. That was a close one.
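As an added, read-only check (my own example, not something from the original post): a PowerShell script that inspects the two things described above, the "Load" value under the HKCU Windows NT key and every running csrss.exe, and flags a Load entry pointing into a temp folder or a csrss.exe running from anywhere other than System32. The [ok]/[WARN] labels are my own convention.

```powershell
# Added example (not from the original post): a read-only check for the
# persistence trick described above. It does two things:
#   1. reads the legacy "Load" value under HKCU\...\Windows NT\CurrentVersion\Windows
#      and flags it if it is set at all (it is normally empty);
#   2. lists every running process named csrss.exe and flags any whose image
#      is not %SystemRoot%\System32\csrss.exe.
# Nothing is deleted or killed; it only reports. Run from an elevated prompt so
# process paths are readable (protected processes may still report no path).

$loadKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$legit   = Join-Path $env:SystemRoot 'System32\csrss.exe'

# 1. The "Load" value: anything listed here is launched at logon, like the
#    old win.ini load= line. A clean profile has no value or an empty one.
$load = (Get-ItemProperty -Path $loadKey -Name 'Load' -ErrorAction SilentlyContinue).Load
if ([string]::IsNullOrWhiteSpace($load)) {
    Write-Output "[ok]   $loadKey\Load is empty"
} else {
    Write-Output "[WARN] $loadKey\Load = '$load'"
    # Short 8.3 names (docume~1, locals~1) and Temp locations are the tells
    # from the post; expand the path and say where it really points.
    $expanded = [System.Environment]::ExpandEnvironmentVariables($load)
    if ($expanded -match '~\d' -or $expanded -match '\\Temp\\') {
        Write-Output "       -> points into a temp/short-name path: $expanded"
    }
}

# 2. Every csrss.exe: only the copy in System32 is the real Client/Server
#    Runtime Subsystem. Anything else with that name is impersonating it.
Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) {
        # Protected processes hide their path from user-mode queries; note it
        # rather than treat it as suspicious.
        Write-Output "[info] PID $($_.ProcessId): path not readable"
    } elseif ($path -ieq $legit) {
        Write-Output "[ok]   PID $($_.ProcessId): $path"
    } else {
        Write-Output "[WARN] PID $($_.ProcessId): csrss.exe running from $path"
    }
}
```

On a machine in the state the post describes, the script reports the Load value with its expanded temp path and a second csrss.exe outside System32, which is the pair of indicators that needed Safe Mode to clean up.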
Update: I never could get on top of this one. I ended up having to reinstall the O/S.
Posted by Rob Kiser on April 11, 2011 at 5:09 AM