lcrss.exe

I’ve just installed Comodo Firewall and I’m generally impressed so far. However, I get a notification that lcrss.exe wants to access the Internet when I first boot up. I’ve denied it and there is no information available from the popup. I’ve checked the Internet and can find nothing about this file. A full malware and antivirus scan has turned up nothing.

Any ideas what this file may be? Thanks.

Windows XP SP 2, COMODO Firewall, AVG AntiVirus, broadband cable access.

Hi slap_maxwell, welcome to the forums.

Can you please double check that executable name in CFP’s Log (Activity tab). There is a Worm-Trojan called crss.exe… trying to look like csrss.exe (Microsoft Client/Server Runtime Server Subsystem), which could be running because of a Service. I’m not sure if lcrss.exe is a variant of crss.exe.

It is, indeed, “lcrss.exe”, residing in the WINNT/System32 folder.

Just googled and found it is added by the w32/rbot-fzb worm/IRC backdoor. Hope this helps. Frank.

Well, let’s see what it is first, if anything (being optimistic). Take WINNT/System32/lcrss.exe for a spin at http://virusscan.jotti.org/. See what they make of it (collectively).

PS: If it’s currently running… terminate it with the Task Manager.

Scan taken on 27 Jun 2007 02:22:57 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Crypted
ArcaVir Found nothing
Avast Found Win32:SdBot-3700
AVG Antivirus Found nothing
BitDefender Found DeepScan:Generic.Malware.G!I!!FLWX!!Bprng.768FDE7D
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

3 possibles (and all 3 different things) & the rest nothing found. Whatever it is, it never appeared before when I used ZoneAlarm, so good on COMODO for catching it. Just wish I knew exactly what installed it…

I checked the Services in the Administrative Tools and discovered something called MSAPI32Svc is calling this file. I’ve disabled this service for now until I can get this sussed. I also uploaded the file to COMODO for analysis.

Yep, looks like CFP may have saved the day on this one. The service name doesn’t seem to be a genuine one, so good catch there. Sending it to Comodo for analysis was a good idea.

Thanks for the initial welcome aboard, BTW, Krail… rude of me to go so long without acknowledging it. Thanks for your suggestions as well; I checked with Prevx and all the other usual virus sites/orgs; they know nothing about it either. Weird…

That’s OK, not a problem.

It is weird… but it is far better to be safe and suspicious than sorry later.

Given that you had a Service called MSAPI32Svc, you don’t have a DLL called MSAPI32.DLL, do you?

Nope… no such creature, either MSAPI32.DLL or MSAPI32Svc.DLL. Just the service entry calling the exe file above. I’ve quarantined it and disabled the service just to see if anything quits working or breaks over the next few days. Could be something new that slipped in somehow, which would be a first. I’ve never once had a virus on my computers (going all the way back to the ol’ Ataris and TI-99/4As) and I’m usually careful to the point of being “obsessive” about security, which is why I switched from ZA to COMODO after reading the reviews and tests.
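The check the thread walks through by hand (a service entry whose image path is a near-miss of a genuine Windows process name, such as lcrss.exe or crss.exe imitating csrss.exe) as an added example that is not from any of the posts above. It parses Name/PathName rows in the shape of a `wmic service get Name,PathName` listing; the sample listing, the service names in it and the similarity threshold are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Genuine Windows system process names that malware commonly imitates.
KNOWN_SYSTEM_EXES = {"csrss.exe", "lsass.exe", "svchost.exe", "services.exe",
                     "winlogon.exe", "smss.exe", "explorer.exe"}


def similarity(a, b):
    """Case-insensitive similarity ratio in [0, 1] (difflib's 2*M/T)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def lookalike_of(exe_name, threshold=0.8):
    """Return the genuine name that exe_name imitates, or None.
    An exact match is the real binary, not a lookalike."""
    exe = exe_name.lower()
    if exe in KNOWN_SYSTEM_EXES:
        return None
    best = max(KNOWN_SYSTEM_EXES, key=lambda known: similarity(exe, known))
    return best if similarity(exe, best) >= threshold else None


def parse_service_listing(text):
    """Parse 'Name  PathName' rows; columns are separated by 2+ spaces."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            rows.append((parts[0], parts[1]))
    return rows


def flag_services(text):
    """Return (service, executable, imitated name) for suspicious entries."""
    flagged = []
    for name, path in parse_service_listing(text):
        # First .exe token in the image path, ignoring quotes and arguments.
        m = re.search(r'([^\\/"\s]+\.exe)', path, re.IGNORECASE)
        if not m:
            continue
        mimic = lookalike_of(m.group(1))
        if mimic:
            flagged.append((name, m.group(1), mimic))
    return flagged


# Constructed sample listing (hypothetical services; paths as on an XP box).
SAMPLE = r"""
Name        PathName
Eventlog    C:\WINNT\system32\services.exe
MSAPI32Svc  C:\WINNT\System32\lcrss.exe
Spooler     C:\WINNT\system32\spoolsv.exe
"""

if __name__ == "__main__":
    for service, exe, mimic in flag_services(SAMPLE):
        print(f"{service}: {exe} looks like {mimic}")
```

On a live XP machine the listing would come from `wmic service get Name,PathName` rather than the constructed sample, and a hit is a prompt to quarantine and submit the file, as the thread did, not a verdict on its own.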

I had the problem; the network was very chatty. Scanned with Jotti and got the following result:

Scan taken on 28 Jun 2007 20:26:34 (GMT)
A-Squared Found nothing
AntiVir Found WORM/RBot.328262
ArcaVir Found nothing
Avast Found Win32:Rbot-CSN
AVG Antivirus Found nothing
BitDefender Found Generic.Malware.G!I!!FLWX!!Bprng.2E9601EE
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Rbot
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found Worm.RBot.Gen.21
VBA32 Found Trojan-Spy.Banker.2 (probable variant)