locked
Trojan ?? Sticky-keys message at starup and random, F8 safe boot disbled, multiple selection. RRS feed

  • Question

  • Trojan ?? Sticky-keys message at starup and random, F8 safe boot disbled, multiple selection.
    I have this problem,  most likely related to some TROJAN (?), which I belive, got after downoading a Virtual-DJ torrent... :-(?). And after many many hours & DAYS of searching have not  been able to clean or solve yet !! :-( 
     Machine: a Lenovo (IBM) 3000 N200 NoteBook.
     Windooze: Vista starter
    Problem: right at boot, (also in safe mode !!), a Sticky-key, and / or a filter-key dialog window message appears !!  Even before selecting "user" (logging in)...
    After logging in, the desktop icons cant be selected individualy, but always a "group" is selected (from the "first" to the one clicked). Same behaviour in Windows explorer where the object selection is MULTIPLE, as if SHIFT is beeing pressed (stuck).
     And randomly problem "clears" itself, but comes back after some  minutes initially, or even after some 70m minutes or so...
     The process y relate to, seems to be "csrss.exe", where multiple instances "appear" but with different "memory eating" (I presume some 4-5 kB is legit, while the one with abot 1k Byte is bogus (trojan?)...
     The messaage/dialog box may appear 9 times at once initialy (one ove the other, you wont notice, until u click-move the window aside!). Later I have had up to 21 message boxes at once!
     "Clearing" the sticky-behaivour by going into control panel accesibility, does NOT change (solve) anything, and when in "bad behaviour mode" the "normal" Sticky or Filter on/off by holding SHIFT-right 8+ seconds, or clicking 5x times dont seem to respond at all !!
    Also trying to boot into SAFE F8 mode does NOT respond - seems as if F8 is disabled.
    Also already tried external USB keyboard, and NEW (admin) user account, which seemed to solve the problem(s), but after Win Update, that profile went "corrupt" and I am stuck with the old profile AND problem.
     
      WHAT KIND OF TROJAN MIGHT THIS BE ???
    It is NOT seen by Avira, not by SpyBoot, not by Malwarebytes and a dozen I have already tried.
    HijackThis does not show any strange "run" at startup (autorun).
    A regedit search for "csrss" gives  -I think- more results than "normal", but here my knowledge stops, tos ay which is legit and which NOT !  ??

    ANY ANY hint is welcome.  THANKS :-)

    Saturday, December 26, 2009 5:41 PM

All replies

  • This forum is for writing security related software. I suggest you visit the "where is the forum for" forum near the top of the forum homepage  to find a forum related to your issue.

    The following is signature, not part of post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful.
    Visual C++ MVP
    Sunday, December 27, 2009 12:43 AM
  • Hi - I think my information can help you:

    Hmm? This is bad, I think this can be a combination of a "worm" and a boot-sector virus.
    To be able to remove these, Symantec Corporation has provided some specific virus removal
    tools to find and clean the PC from these infections.

    Here are they:
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-081119-5051-99
    http://www.symantec.com/connect/forums/mebroot-virus-infection-bootmebroot-trojanmebroot
    http://www.pchell.com/virus/sasser.shtml

    Sheng Jiang MVP:
    We still can help him here, since, if the OP seems lost
    then we help him, and try to answer his question.

    Merry Christmas...

    I hope this helps...

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Sunday, December 27, 2009 9:16 AM
  • Hi again:

    How is the situation on your side?
    Is this thread solved?

    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik

    Coder24.com
    Saturday, January 2, 2010 3:11 PM