By skodje ·

I have encountered some type of worm on two of my main server which are running Windows NT 4.0.

After doing some online research it appears that my servers are infected with a variant of WORM_AGOBOT.ADG. This Worm uses all of the CPU resources and makes it virtually impossible for the server to perform any other tasks.

I removed the crcss.exe application from the System32 folder, removed it from HKLM/Software/Microsoft/Windows/CurrentVersion/Run, and deleted the crcss.exe process. This seems to temporarily stop the problem however; the application keeps reinstalling somehow.

No virus software, Antispyware, or other tools are picking anything up. I have checked the scheduled tasks and nothign appears to be out of the norm.

Can anyone tell where else I am likely to find some hidden application running responsible for re-installing this malware application?

Any help would be greatly appreciated....I am just weeks away from a migration to 2003..Murphy's Law I guess.


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -


by gbj1964 In reply to CRCSS.exe

1. Kill the process. You can use the kill.exe. They syntax is kill -f crcss.exe.

2. Delete the crcss.exe in c:\winnt\system32

3. Create a dummy file called crcss.exe. (Create a text file and remore .txt and replace with .exe.)

4. Remove all rights to the crcss.exe file including the Administrator. No one should have access to this file including the virus.

5. Remove all entry with CRCSS.exe in registry. Do a find on CRCSS.exe and delete.

Be carefull you don't delete the csrss.exe. this is a valid file.

Update your virus definition and your good to go until you migrate.

Related Discussions

Related Forums