Dammm
#1
I have a worm on my PC, I've identified it in the task manager.
My antivirus doesn't pick it up, so that's pretty useless.
What's my next step for action, as I cannot end the process tree for some reason?
Any suggestions?
The process is called crss.exe if that helps.
#2
Scooby Regular
Join Date: Apr 2002
Location: Birmingham
Posts: 9,196
That can actually be a normal process. The fact you can't close it sounds like you have the proper one running. If it was the Virus'd version your (up to date) AV would spot it!
#3
Scooby Regular
Join Date: Sep 2002
Location: French side of the border at Geneva, Switzerland
Posts: 5,703
Could be a normal process but then again, it might be that the W32.AGOBOT.GH worm has added it in. Do a quick search on Google and you should be able to find removal instructions... and download the latest AV signatures as well - good luck!
#4
STi-Frenchie is correct
Process File: crss or crss.exe
Process Name: W32.AGOBOT.GH Worm
Description:
crss.exe is a process which is registered as the W32.AGOBOT.GH worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process
You could try an online scanner like Trend or Panda, or edit your registry:
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Distributed Link Tracking = ascvt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Distributed Link Tracking = ascvt.exe
and delete them if they exist.
Close the registry editor.
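The registry backup made in the steps above can also be checked offline before anything is deleted. The following is an added example, not part of the original post: it parses the text of a `.reg` export and lists string values under the `Run` and `RunServices` keys whose command launches `ascvt.exe`. The function names and the sample export are constructed for illustration.

```python
import re

# Autorun keys named in the post, lower-cased for comparison.
BASE = r"hkey_local_machine\software\microsoft\windows\currentversion"
AUTORUN_KEYS = {BASE + r"\run", BASE + r"\runservices"}
SUSPECT_FILES = {"ascvt.exe"}  # file name the post ties to the worm's entries

# "name"="data" lines; backslash-escaped characters are allowed inside quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First token of a command line: a quoted path or a bare word.
EXE_RE = re.compile(r'\s*(?:"([^"]+)"|(\S+))')

def unescape(s):
    # .reg files escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def autorun_entries(reg_text):
    """Yield (key, value_name, data) for string values under the autorun keys."""
    key = ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key.lower() in AUTORUN_KEYS:
            m = VALUE_RE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))

def suspicious_entries(reg_text, suspects=SUSPECT_FILES):
    """Return autorun entries whose command launches a suspect file name."""
    hits = []
    for key, name, data in autorun_entries(reg_text):
        m = EXE_RE.match(data)
        path = (m.group(1) or m.group(2)) if m else ""
        if re.split(r"[\\/]", path)[-1].lower() in suspects:
            hits.append((key, name, data))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /min"
"Distributed Link Tracking"="ascvt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Distributed Link Tracking"="ascvt.exe"
'''

if __name__ == "__main__":
    for key, name, data in suspicious_entries(SAMPLE):
        print(f"{key}\\{name} = {data}")
```

Exports headed "Windows Registry Editor Version 5.00" are UTF-16, so read the file with `encoding="utf-16"` before passing its text in; older `REGEDIT4` exports are ANSI.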
#5
Scooby Regular
Join Date: Apr 2002
Location: Birmingham
Posts: 9,196
I must have a virus on the PC I've only just set up then.
It isn't ALWAYS a virus. The trojan uses that component. That's like saying IRC is a virus. You can close the virus one with Taskmanager. At least you could on the one my workfriend had.
Use Trend Housecall to scan the windows dir: http://uk.trendmicro-europe.com/cons...all_launch.php
That McAfee load of **** removed my copy of mIRC at work. I was most unamused. A threat my ****. I then had to spend 10 mins setting up new group policies to ignore mirc.