Fake XP errors (maybe not)?

**drfsupercenter** · 9 Jun 2006, 05:32 AM

http://www.auditmypc.com/process/crss.asp

Apparently I have this CRSS process. It shows up in TaskManager and won't let me end it...

any suggestions for removal?

**jm1647** · 9 Jun 2006, 06:40 AM

Go to http://security.symantec.com/sscv6/d...d=ie&venid=sym and then do the virus scan. crss is part of windows and is probablty infected by something. When you find out what you have there are removal tools and instructions at symantec.

**drfsupercenter** · 9 Jun 2006, 11:05 AM

Hmmmm, apparently these errors only happen when viewing my IRC download folder. But all I have in there is TV rips, wtf? like, if I open another window on top of it the error stops reoccuring.

There are other folders too but mainly that one.
Is it safe to say that reformatting is my only option?

**vw56german** · 9 Jun 2006, 11:09 AM

ok now is the "crss.exe" truly part of windows or is the correct .exe file "csrss.exe"?? I dont have the crss but I have the csrss. Is this crss some kind of trojan made to look like a real windows app?

**drfsupercenter** · 9 Jun 2006, 11:19 AM

csrss is the real one.

And yes that is correct. Same with a LSASS program, that one is fake too if you have it I think.

**Chewy** · 9 Jun 2006, 11:30 AM

http://www.sophos.com/virusinfo/analyses/w32rbotpx.html

Threat Encyclopedia | Trend Micro (US)

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GH&VSect=T

Latest information on malware and vulnerabilities from Trend Micro.

http://startup.networktechs.com/srch-crss.exe.html

**Chewy** · 9 Jun 2006, 11:31 AM

http://process.networktechs.com/csrss.exe.php

csrss.exe

**drfsupercenter** · 9 Jun 2006, 11:35 AM

How it spreads Network shares

OMG.

That means... the files that I got off the channels in IRC are spreading around to hundreds of people, I was just one of their pawns.

It appends data to the said file, which prevents the affected user from accessing any of the following Web sites:

Symantec Enterprise Cloud

https://www.symantec.com

To meet today's Cyber Security challenges, enterprises need an integrated cyber defense platform that integrates industry-leading solutions and solves for the most pressing C-level challenges like evolving threats, privacy & compliance, and digital transformation.

securityresponse.symantec.com
symantec.com

This hasn't happened yet, scanning with Symantec now. And AVG is still running tho it said no viruses.

And I am assuming IRC.bot means that it spreads via Internet Relay Chat which I often download files from?

**Chewy** · 9 Jun 2006, 11:41 AM

And I am assuming IRC.bot means that it spreads via Internet Relay Chat which I often download files from?

yeah per!

**drfsupercenter** · 9 Jun 2006, 11:55 AM

Dang... I really gotta inform them about that, they may not even know that they are spreading it.

So is there a cure for it or do I have to reformat. I just don't wanna have to worry about losing data and stuff, I would prefer to not reinstall if possible.

**Chewy** · 9 Jun 2006, 08:00 PM

You might kill it, but chances are there's a backdoor open(port) on your pc and as long as you are hooked to the internet it will just reinstall, someone else is probably accessing your computer. You are their BOT. I would try a lot of advanced stuff to gain control back,
this would probably be beyond the scope of this forum and online help, but here's what I would use, a good AV or two, trojan hunter, a squared, ewido,
spybot, adaware, coupled with safe mode, 3 finger salutes, services, regedit
and be disconnected from the internet. All in all it might work but a reload is much faster and much easier.

It's taken many years to get to the point where I could do this. Try to be a little more vigilant next time Danny.

**drfsupercenter** · 10 Jun 2006, 12:03 AM

Hmm, I opened ports 1-45000 on my router so that I could download stuff faster. Plus, I set my IRC client to accept only certain types of files, like AVIs, but block DLL and EXE files.

Now, say I do reformat.
I have a 60GB drive I use as a storage drive. So, I could back that drive up, then transfer some of drive C's files to that drive. However, is it possible the virus would have transferred to the storage drive? I use it mainly for DVD ISOs before burning them.

I would assume that deleting drive C's partition and installing Windows on that wouldn't affect the other drive? I don't want that getting messed up as well. I just figure, 60GB is good storage space for large files, it beats using WinRAR to split into 4.7GB.

**Chewy** · 10 Jun 2006, 12:56 AM

Just boot to the cd and when it says you already have windows installed tell
it to delete the c/system partiton. I wouldn't trust any installer you have backed up, they are too easy to be contaminated. Scans don't catch rare
off the way trojans like you get off irc or limewire.

**drfsupercenter** · 10 Jun 2006, 04:31 AM

But, am I safe moving files to my other drive instead of burning them?

**drfsupercenter** · 10 Jun 2006, 05:30 AM

When I told one of my friends on MSN about this, they were like "stop going to dodgy sites". While I don't consider the sites I go to as "dodgy", I was curious, this can't be downloaded just from popups and stuff can it? Is it just transferred through file-sharing programs? That would make me feel much better, LOL.

Fake XP errors (maybe not)?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment