?
Solved

scrnrdr.exe problem / virus

Posted on 2009-04-16
10
Medium Priority
?
2,973 Views
Last Modified: 2013-11-22
My computer had a virus, I used combofix and scanned in safemode with 3 scanners and now the virus is gone. My windows XP is a little damaged afterwards. I am trying to uninstall the "Vista Transformation Pack" that gave me the virus in the first place. To uninstall it however, it says it can't find a valid scrnrdr.exe file in the WINDOWS/system32 folder. I put in my XP cd and I can't find it on there. Any suggestions in how I can replace this file?

-Jeff
0
Comment
Question by:jeffiepoo
  • 3
  • 3
  • 2
  • +2
10 Comments
 
LVL 8

Expert Comment

by:skywalker39
ID: 24164349
Hi jeffiepoo,

scrnrdr.exe is the virus. Have you tried uninstalling in Safe Mode?
0
 
LVL 6

Author Comment

by:jeffiepoo
ID: 24165304
It is not because it is not there anymore - I need to replace the file.
0
 
LVL 93

Assisted Solution

by:nobus
nobus earned 800 total points
ID: 24165442
try the revo uninstaller :  http://www.revouninstaller.com/
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
LVL 5

Accepted Solution

by:
Gregg DesElms earned 1200 total points
ID: 24172556
jeffiepoo wrote:  "It is not because it is not there anymore - I need to replace the file."

No, you don't, because, as...

skywalker39 wrote:  "scrnrdr.exe is the virus."

What you now need to do is uninstall the "Vista Transformation Pack" (VTP), which is giving you problems because the installer is telling you that it can't run until and unless   scrnrdr.exe   is present.  Were I wishing to inflict malware hidden within something else (in this case, that "something else" would be the VTP), I'd also make it so the VTP couldn't be uninstalled unless the underlying malware which I intended to convey was present; and I'd also leave said malware behind even after the VTP was uninstalled.  Once it becomes clear to you that the author of VTP was trying to harm you, why would you, from that moment forward, trust any other part of what he deposited onto your computer... including his uninstaller?

The reason Nobus told you to use the REVO uninstaller is because REVO does a kind of interesting thing when it uninstalls.  It first tries to run the software's own uninstaller; but even if that fails, REVO then goes and tries to hunt down any files, folders and registry entries left behind after the normal uninstaller runs... even if it fails.  REVO is free and safe and easy to use.  I, personally, use it exclusively to uninstall now (er... well... I also use the free -- and extraordinarily cool -- ZSoft uninstaller, but only when I need to use its snapshot capabilities).

You need to get VTP off your machine.  Use REVO to do it.

But don't stop there.  We know your machine was infected.  I know you think that now it's not, but don't make that assumption.  You used ComboFix, which is not for the faint-of-heart.  Once VTP is off your machine, since you're not afraid to use it, I'd use it again, just for grins.

But then I'd do a manual scan with the free versions of both MALWARE BYTES and SUPERANTISPYWARE.  

And then, begged is the question:  Why didn't your anti-spyware catch this thing?  Or are you not using any?  How 'bout a firewall?

You didn't ask, but I'll tell you the suite that I now use (every bit of it free):

Comodo Internet Security (CIS) as my firewall, anti-virus and host intrusion protection (HIPS).  It's firewall component is best-of-breed.  It's anti-virus component is young and is only now finally getting to the point where it's as good as (or maybe slowly becoming better than) AVG's free anti-virus product.  Its HIPS component is a pain-in-the-rear at first because it pops-up so much... until it's finally trained, that is.  Once you know how to use it, and it has finally learned your machine, you'd be amazed what it catches.  The three of them, together, create an impenetrable fortress that's amazing... especially  considering that the darned thing is free.  Yes, Comodo has its critics in such as the Wilder Security Forums... but if you look close, a lot of that is coming from the makers (and/or their supporters) of commercial products which aren't really much better than Comodo, and who realize that if Comodo ever catches on, they'll lose money hand-over-fist.

Spybot Search & Destroy (SS&D)... not because it's a good anti-spyware product anymore... it really isn't.  But it has a nice hosts file capability, and a good browser innoculation and realtime browser protectiion capability.  Its tea-timer is also a terrific albeit very cryptic HIPS, but Comodo's is better, so I just leave that turned off.  I almost never spyware scan with SS&D anymore because, like I said, there are other free products out there that are superior (which I'm about to mention).  But I sure do use the other parts of SS&D as I've described herein.  I also make sure that SS&D checks for updates every night; and I also have it auto-innoculate in the middle of the night, right after updating, twice a week.

Malware Bytes (MB) -  This thing is amazing.  There's no other way to put it.  It find almost everything, and what it doesn't fine, the one I'm about to name will find (and vice versa).  The freeware version won't do realtime scanning, so I just manually update it and scan with it weekly.  Simple as that.  I also occasionally scan individual suspicious files with it by right-single-clicking on them in Windows Explorer, and then selecting Malware Bytes to scan them.

SuperAntiSpyware (SAS) - This thing is amazing.... same as Malware Bytes.  What one misses, the other finds.  The freeware version won't do realtime scanning, so I just do weekly manual scanning, just like Malware Bytes.  I do, though, let SAS load with Windows and sit in the system tray, not because it can do realtime scanning, but because by so doing, it will auto-update periodically, and also by having it in the system tray it also shows-up on the right-click context menu so I can manually scan individual files with it.  But here's the coolest thing about having it in the system tray:  It will watch for changes to my browser's home page (the changing of which is a common malware tactic).  I used to use Spyware Guard (SG) for that, but it hasn't been updated since 2004... and as long as SAS will do that function, and is in my system tray anyway, I stopped using SG.

Spyware Blaster (SB) - This isn't really an anti-spyware or anti-virus product in the same sense as the others.  It's a browser innoculator... a lot like that particular function ins SS&D... except that compared with SS&D, it's on steroids.  It doesn't do realtime scanning... or any scanning for that matter.  It just innoculates... and better than anything else out there!  The free vrsion won't auto-update, so one has to remember to periodically update and then do a manual innoculation.  I do it maybe twice a month.

And that's pretty much it.  It's a killer combination, I tell you.  *NOTHING* gets through.  Nothing.  And it doesnn't cost me a cent (though, as earlier mentioned, there is a trick to properly using CIS... but once trained and learned, it's the best!).

I used to also use a-Squared-Free (a2Free) as a periodic manual scanner... that is, until I read a couple of articles by guys who did thorough head-to-head testing of all of these products using a fresh installation of Vista fand a CD with 50 known exploits on it for each test. To my surprise (and to the surprise of the testers, too) a2Free ended-up being only one notch above completely useless against about 90% of them.... kinda' like what has happened with the venerable SS&D of late.  So I uninstalled a2Free.  In those same tests, either MB or SAS found nearly all; and together they found 100%.  CIS also found 100%, but, like I said, it's through a combination of its three components... the HIPS part of which takes some both learning and getting used to.

So those are my recommendations... for whatever it's worth.

0
 
LVL 93

Expert Comment

by:nobus
ID: 24174247
hey DesElms i wonder if your pc still runs with all those malware programs running !
But admitted : sound advice
0
 
LVL 5

Expert Comment

by:Gregg DesElms
ID: 24176220
Well, only Comodo Internet Security (CIS) is running constantly.... er... well... SuperAntiSpyware (SAS), too, but only for purposes of notifying when something tries to change the browser home page.  Remember that everything else is either periodic or innoculation based.  

Spybot Search & Destroy (SS&D), for example, isn't running its HIPS (TeaTimer) which would, if it were running, be a "realtime" thing.  The other monitoring that SS&D does is a misnomer... not really realtime.  The "hosts" file is really a Windows thing.  SS&D just provides the entries to the hosts file.  And the realtime browser monitoring is really just based on the innoculation.  There isn't a realtime browser monitor piece of software running.

Spyware Blaster (SB)... same thing.  It's just an innoculation.  Launch it, let it update, innoculate, then close it.  Done.  Nothing running in the background.

Even SAS sitting in the system tray is only running a tiny little utility that monitors how long it's been since a spyware database update (and then notifies if it's been too long); and then watches the one and only registry entry where the browser homepage is controlled.  Nothing else.  No big realtime scanner utility running.  Same with Malware Bytes (MB).  It has a right-click context menu item, but that doesn't mean it's running.  It's just a periodic scanner, like SAS.

Even SS&D's nightly updates and twice-weekly auto-innoculations aren't as a consequence of SS&D running in the background and then launching itself on scheduler.  Rather, SS&D (to its credit) uses the Windows Task Scheduler... which is always running in the background, no matter what.  So, since I'm not running SS&D's TeaTimer, no part of it is sitting in memory, slowing things down.

I've actuallyl given all this lots of thought... making sure that there's no overlap of tasks; and trying to make as little of it as possible running all the time... for precisely the reason you suggest.  The whole reason, for example, that I stopped using Spyware Guard (SG) to notify me if the browser homepage changed was because SAS performed that same task.  Since I wanted SAS on the right-click menu (which meant it needed to be sitting in the system tray), I dumped SG and let SAS take over what SG used to do.  (And that's after being a loyal SG user for... well... since back in the 90s.  SG has been in my system tray through something like a half dozen computers (and nearly as many OS's.)

Again, CIS is really the big thing running all the time... and one of the reasons I so like it is that it's so easy on resources, no matter what it's doing.  Except when it's doing a whole system scan, I'm completely unable to detect any difference in system speed whether it's loaded and running, or loaded but disabled, or not loaded at all.  CIS is pretty darned slick... way slicker than most people realize.  When/if it finally gets really popular, it's gonna' really hurt the makers of similar fee-based products.  And the soon-to-be-released version 4.x of CIS is rumored to be the really killer version that's going to take all of the complaints of its critics off the table... most notably, that its HIPS is just too much of a pain in the rear.  The "Defense+" component of upcoming CIS version 4.x is rumored to be the most "silent" and unobtrusive of all HIPS products out there... bar none.  This, of course, remains to be seen... but Comodo has never let me down.  Ever.  It's the best-kept secret on the Internet!

(And, no, I don't work for, or am a shill for, Comodo... just in case you're wondering.) [grin]

0
 
LVL 6

Author Comment

by:jeffiepoo
ID: 24244348
Very insightful DesElms. Thanks guys, I've now added revo uninstaller and "That other uninstaller" that I forgot what it's called to my arsenal of fixing tools. Anyone find an automated Winsock tool for vista yet?

-Jeff
0
 
LVL 6

Author Closing Comment

by:jeffiepoo
ID: 31571279
Right on dudes
0
 
LVL 5

Expert Comment

by:Gregg DesElms
ID: 24255153
I know I'm slow, so at the risk of embarrassing myself because I don't know this...

...please define "automated winsock tool" as you intend it to mean.

And I'm wondering if this should be a new thread, in any case, so that others can learn from whatever comes of it.  (Just wonderin')
0
 

Expert Comment

by:meetthegem
ID: 25602644
Thanks, for the information
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup" or a blinking cursor with black screen. A loop for Auto repair will start but fix nothing.  You will be panic as there are no back…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question