scrsvr.exe virus problem

[WSW]

My PC repeatedly got infected by the scrsvr.exe virus. I can use McAfee anti-virus to detect and delete the virus. However, after a few days, the virus re-appear.

The virus also try to add a run command into either the system.ini or win.ini or startup. I can use msconfig to go into system.ini or win.ini or startup to delete the run scrsvr.exe command. However, after a few days a new run scrsvr.exe command will be added into the ini file again.

Anyone has experience in getting rid of this scrsvr.exe virus?

[Redo40]

Have you tried Symantecs removal tool? Removal Tool Hope this helps, from what I have read this one is pain.

[SMILEYCFC]

The only real way to get rid of a bad worm like that is to wipe the drive clean and start from scratch. I know it sounds drastic but it will be better for the system in the long run.

[WSW]

I am hoping that I don't have to re-format the harddisk from scratch.

I installed the Microsoft patch and ran the worm removal tool. The removal tool detected the worm in the .ini file. The worm is supposed to have been removed. I'll wait a few days to see if the computer get re-infected.

Thanks for all the suggestions.

[RoyKelly]

Just one quick question:

IS YOUR MACAFEE ANTIVIRUS CURRENT?

[galaxian]

And are you running it in "always on" mode?

You want to detect trojans/worms/viruses as they arrive NOT after they have been installed and done potential damage.

[WSW]

Yes, I am using McAfee anti-virus with the latest Superdat. However, when I install my PC, I did test Internet and email access before I installed McAfee anti-virus. The worm could have got through before I install McAfee.

McAfee anti-virus is always ON on my computer. I also use ZoneAlarm firewall.

The worm removal software seems to work so far. I will know for sure after a few days. Before I use the worm removal software the worm seems to hide somewhere in the computer and tends to re-appear a few days after I do a virus scan using McAfee.

[beerman]

I have the same problem plus every few minutes one of the following pops up:

marco!
alevir.exe
brasil.pif
I've removed the offending line from win.ini only to have it reappear, run Norton's removal tool, all to no avail. Antivirus is up to date. All Norton can do is quarantine them.

beerman

[TimPoet]

I hate to say this, but McAfee just ain't what it used to be (as I think you have found out)....
Next chance you get, buy Norton AV 2003 or get the free version of AVG. I'm using the latter. See this:

http://forum.pcmech.com/showthread.p...ight=antivirus

[glc]

beerman: go to housecall.antivirus.com and get a free online scan.

[jackjones]

I think you are being infected again and again. Try reading the removal intructions at : http://vil.mcafee.com/dispVirus.asp?virus_k=99729

Try instaling the mentioned patch and see if it helps.

[beerman]

Unchecking file and print sharing as suggested by MaAfee seems to have done the trick for me. Wonder why Symantec didn't think of that.

Thanks,
beerman

[WSW]

I have the same problem as beerman.

The Symatic worm removal software worked only for two days and now the worm re-appeared.

I'll try the suggestion by glc to see if it works for me.

[jackjones]

Why don’t you try removing it and patching the hole instead of just removing it. The removal software only removes the program it does not make your computer immune.

[galaxian]

"Wonder why Symantec didn't think of that. "

From the removal link above, How to Configure Windows Folders for maximum network protection

"Disable file and print sharing, if possible


1. Right-click the Network Neighborhood or the My Network Places icon on the Windows desktop.
2. Click Properties.
3. Click the Configuration tab.
4. Click Client for Microsoft Networks.
5. Click File and Print Sharing.
6. Uncheck both boxes, and then click OK."

[beerman]

galaxian

Thanks for the Symantec link.

beerman

[matt_richards]

Hello there,

I have had the exact same problem - and it is still recurring. I have tried all the removal tools - including in safe mode and without any system restore programs present. I have also removed the entires in win.ini etc. All virus definitions have been updated and maintained, but it still keeps popping up and being quarantined.

As much as anything else, I am just intrigued to know where on my hard drive it is dormantly residing and then reinfecting.

Does anyone know by whay mechanism it is reinfecting.

Matt.

[galaxian]

What OS?

And have you disabled print and file sharing?

[beerman]

Matt

The ones I had---marco, brazil and alevir all were in C:\windows and I was able to delete them in safe mode.

beerman

[matt_richards]

The infected compuer has windows 98 on it. I have not disabled file and printer sharing, but I will do - out of interest why does this help.

What I cannot understand is where the virus or trojan is hiding so that it can refer after an all clear from the fixes and after all traces have been removed from win.ini etc.

Cheers guys.

[galaxian]

I "presume" you are going back on the net after clearing off the virus?

If so, you are then being reinfected via the gaping security hole with File&Print sharing open.

[matt_richards]

I think I am misunderstanding the context of "file and printer sharing". Am I correct in thinking that it is only a problem if it is bound to the internet connection, with "file and printer sharing" over a LAN not being as much of a problem.

[galaxian]

I suggest you run a Shields Up test

https://grc.com/x/ne.dll?bh0bkyd2

And there is a little more info on the issue here also.

http://grc.com/su-explain.htm

[WSW]

I followed jackjones suggestions, went into the McAfee site and followed the removal instructions. It has been 3 days and the virus has not re-appear. The McAfee removal instructions seems to work.

Basically what I did is the following:

1. Download and install McAfee's latest superdat.

2. Went into Network Neighbourhood > Properties > TCP/IP > Properties > Bindings. Uncheck "File and Printer Sharing for Microsoft Networks"

3. Ran McAfee virus scan. It detected and deleted the virus files Brasil.pif and scrsvr.exe.

This removal process seems to work for me. I'll monitor and report back if the virus re-appear.

[WSW]

In my reply I forgot to mention that I also downloaded the Microsoft patch for Windows 98SE. The patch is supposed to prevent Windows 98SE from re-infecting by the same virus. So fare it seems to work.

[matt_richards]

Anyone know how long you have to leave file and printer sharing unchecked until you are safe?

Cheers.

[jamesrpm]

Are all the computers on your network clean?If one of them has the virus it will infect the rest as soon as you start sharing again.

[matt_richards]

At the moment the machine is not connected to the network. But I had planned to do in the near future, so I wondered what the situation was with the file and printer sharing.

[galaxian]

What are you running that needs File and Printer Sharing enabled?

[matt_richards]

nothing at the moment - so there is no problem with removing it. But I will be connecting it to an existing peer to peer network soon - I just wondered if I would get reinfected when it is re-enabled.