New virus, need help with it!

Hi, I’m experiencing a new virus, which is in my system startup. It’s called crsss.exe. When I restart my computer, internet is very slow or I just can’t connect to sites. I can also see it when I press alt+ctrl+del in the processes tab. I am currently running Win XP PRO-SP2 with avast 4.5 and it cannot find it… When I stop the process of crsss.exe I can surf on the internet again and connect to msn and other things that use the internet. Here is some info about the virus. I think this is the correct one, and please correct me if I’m wrong :slight_smile: I’m using IRC quite a lot so I think I got it from there. Can anybody help me or can avast delete it somehow? Btw, I turned it off under the startup tab of msconfig, and it doesn’t automatically start anymore. But I still want it removed hehe.

W32/Rbot-SZ is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Rbot-SZ spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

W32/Rbot-SZ copies itself to the Windows system folder

Hi,

please work through the link “VirusRemoval” below in my sig, and then:

  • post a hijackthis-Log for diagnosis
  • scan the file ONLINE, e.g. with Jotti, TREND & RAV

You’re sure that the file is CRSSS.exe and not CSRSS.exe?

Where can you find the suspicious file(s) on your PC (full path/foldername)?

In the meantime:

  • disable your IRC
  • change all passwords, PINs etc… and set more SECURE ones
  • check/deactivate or at least secure with good passwords your network shares/filesharing

:wink: :wink:

P.S.:
Work through below links/descriptions/removal instructions and see if they fit your problem:
TrendMicro

if updated avast doesn’t detect the malicious file, not even in SafeMode or via Boot-time Scan, then please prior to removing it, email the malicious file to
virus (at) avast.com

mail it in a password-protected ZIP or RAR, and include archive-password and problem description in the mailtext
See board-search for Details
:wink:

Yes, I am sure that it is the crsss.exe and not csrss.exe. The filename is as follows: CRSSS.EXE-06E1D49E.pf and it is located in c:\Windows\Prefetch. It cannot be found by Avast with my up to date version. Not even in the memory scan when the crsss.exe is running. When I scan with the online free virus scanners, the file seems to be clean… I will now start with the things you have said in your reply.

Recca, all files in the c:\Windows\Prefetch folder are there to open applications quicker (at least that is what Microsoft says ;D).

You can delete them all without harm to your system.
They will be ‘generated’ again when you open any program. :slight_smile:
(I mean, each one will be generated for each opened program).

True, but I made a mistake hehe, I’ve scanned my PC with the online scan from Trend Micro and it found the crsss.exe and it’s called: WORM_RBOT.BSZ and it found it in C:\Windows\System32\crsss.exe. However, when I go to the folder I can’t see the crsss.exe file… So I can’t send you the file… And Trend Micro can’t clean/delete the file either.

You’re using Windows XP, can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

Sometimes, access denied or ‘returning’ files cannot be repaired/cleaned/moved/handled by avast in Windows but only at boot time…

When I check my C partition with the Boot-Time scanning Avast! can not find any infected files. So I have no clue what to do now hehe. This is the report :
12/29/2004 17:54
Scan of C:\

Number of searched folders: 1561
Number of tested files: 55060
Number of infected files: 0

Post a HijackThis log here and let us have a look. It wouldn’t surprise me if we find more malware.
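
The CRSSS.exe versus CSRSS.exe question and the Prefetch entry `CRSSS.EXE-06E1D49E.pf` from the posts above can be checked mechanically. The following is an added example, not code from any poster or from avast: it extracts the executable name from Prefetch file names and flags names that are a near miss of a well-known Windows process name. The `KNOWN_SYSTEM` list, the distance threshold and every sample name except the one quoted in the thread are assumptions made for illustration.

```python
import re

# Short, non-exhaustive list of well-known Windows process names (assumption).
KNOWN_SYSTEM = {"csrss.exe", "svchost.exe", "lsass.exe", "smss.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}

# Prefetch files are named <EXECUTABLE>-<8 hex digits>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def osa_distance(a, b):
    """Edit distance that counts a swap of two adjacent letters as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def exe_from_prefetch(pf_name):
    """Return the lower-cased executable name, or None if not a .pf entry."""
    m = PF_NAME.match(pf_name)
    return m.group("exe").lower() if m else None

def lookalike_of(exe, max_dist=2):
    """Return the system name that `exe` imitates, or None if it is exact or unrelated."""
    exe = exe.lower()
    if exe in KNOWN_SYSTEM:
        return None
    best = min(KNOWN_SYSTEM, key=lambda k: (osa_distance(exe, k), k))
    return best if osa_distance(exe, best) <= max_dist else None

def review_prefetch(names):
    """List (executable, imitated system name) pairs found among Prefetch names."""
    exes = (exe_from_prefetch(n) for n in names)
    return [(e, lookalike_of(e)) for e in exes if e and lookalike_of(e)]

# First entry is the name quoted in the thread; the rest are constructed samples.
SAMPLE = ["CRSSS.EXE-06E1D49E.pf", "SVCHOST.EXE-0A1B2C3D.pf",
          "NOTEPAD.EXE-0A1B2C3D.pf", "Layout.ini"]

if __name__ == "__main__":
    for exe, real in review_prefetch(SAMPLE):
        print(f"{exe} looks like {real} but is not the same name")
```

A hit only says the name resembles a system process; the file itself still needs to be located and scanned, as the replies above ask.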