Solved

How do I get rid of this virus scserver.exe

Posted on 2011-02-22
Last Modified: 2013-11-22
I recently got a virus on my computer. It's 3 months old. When the computer starts up it goes into a windows live scan mode and says there are several things wrong with my computer. Now it has a window I can close Warning Security alert to enable protection. When I go to my browser to download malware protection, it closes the browser.  

I want to clear this and add AVG free anti virus. How do I do this?
Windows 7 Toshiba Satellite L 675
Thank you
Art
Question by:artismobile
50 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 34951366
Hi Art,
Can you give us some more details on the symptoms you are seeing (a screen shot would be great).

If we can identify the exact version of malware you have, we can give you more targeted advice.

You might want to review my Articles here for more details:
http://www.experts-exchange.com/A_1958.html
http://www.experts-exchange.com/A_1940.html
0
 

Author Comment

by:artismobile
ID: 34951434
I can use this computer to communicate with you but the infected computer can't reach the internet because of the virus. It starts in a protected mode and opens Windows Optimal Tool. It asks to do a full scan. You can't click out of it so you have to scan. Hit OK. It scans and says licensing error, update error, etc. Makes you open the Windows Optimal Tool license manager. Wants purchase license but you can click away from that. Then gives another warning screen with hkcmd.exe error to deny or enable detection.
0
 
LVL 12

Expert Comment

by:mattclarified
ID: 34951453
Hi,

Reboot your PC and keep tapping F8 at startup until you get the menu for 'Safe mode'.
You will need to go to another PC and download malwarebytes from www.malwarebytes.com and copy via a USB memory stick to the infected computer.
Run this while in safe mode and it should clean everything for you.

M@
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951482
If you re-boot the infected computer into "Safe Mode with Networking", you should be able to access Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)

When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

Downloading and transferring via a USB stick will not give you the latest definition files, but MAY still work (SCServer.exe is pretty old malware).
0
 

Author Comment

by:artismobile
ID: 34951495
When I open in safe mode, the Windows Optimal tool still shows up to scan
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951496
Also, if you do the scan in "Safe Mode" (not recommended for SCServer.exe), be sure to re-boot to "Normal Mode" and do another complete scan.
0
 
LVL 7

Expert Comment

by:frajico
ID: 34951526
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951540
You may need to run "TDSSKiller" to stop some of the processes it is running:
http://support.kaspersky.com/viruses/solutions?qid=208280684

http://support.kaspersky.com/downloads/utils/tdsskiller.zip
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

(Download to your working computer, then copy to the infected one.)


0
 

Author Comment

by:artismobile
ID: 34951541
The only option I have after starting in safe mode is to run this Optimal tool. Are you saying to run this?
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951547
Please DO NOT try ComboFix yet.
It may be necessary later on in the process, but should never be your first choice for repair tools.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951564
Hold the phones!

Malwarebytes have some detailed instructions from "Optimal Tool":

http://www.bleepingcomputer.com/virus-removal/remove-windows-optimal-tool
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951593
This is a really interesting situation.
The posts from Malwarebytes/Bleepingcomputer are dated today and yesterday - really current stuff.
0
 

Author Comment

by:artismobile
ID: 34951620
I just noticed the date. Maybe I'm making history! <wink!>

O.k. I'll reboot to safe mode, let Optimal run, use the USB to transfer from the safe computer and follow these instructions. I'll report back after.
0
 
LVL 38

Accepted Solution

by:
younghv earned 500 total points
ID: 34951635
NO!
Do not let "Optimal" run.
It is fake.

On your good computer, go here and read about it:
http://www.bleepingcomputer.com/virus-removal/remove-windows-optimal-tool

(You're right about the history part, first time I've seen this one on EE.)
0
 
LVL 3

Expert Comment

by:mmarketing
ID: 34951658
Often these viruses are installed in users folder. Start up in safe mode as suggested earlier. (Holding down F8 during start up) and log in with administrator (often no password is set). See if the tool runs. If it still does, try to create a new user account on the system and log in on the new user account.

When you've managed to gain Internet access, download Hitman Pro. This anti-malware software scans your files in "the cloud" so the process is less likely to be interrupted by the malware.

http://www.surfright.nl/en/hitmanpro
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951710
@mmarketing,

I agree that HitMan Pro is a great generic tool, but I don't see it being recommended anywhere as a fix for the "Windows Optimal Tool" infection.

If you have a specific link for that, please post it so we can all learn something.
0
 

Author Comment

by:artismobile
ID: 34951729
I know Optimal is fake but it won't let me move from the screen until I do. This is a good one. When I try to install the Rkill from the thumb drive, it won't let me open the program. It recognizes it as a "Threat". Of course when I place the thumb drive in the computer, auto play doesn't work. I don't see how I can load the first step, Rkill.
0
 
LVL 13

Expert Comment

by:upalakshitha
ID: 34951741
Can you open Task Manager?
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951771
It is a 'good one' indeed.

I'm reading through the details of the instructions as we go along and just saw this:

"Therefore, when it tells you that it must perform a scan press the OK button to allow it to do so. Windows Optimal Tool will now perform a fake scan and then state you need to open the License Manager. Press the OK, Open the license manager button"
0
 

Author Comment

by:artismobile
ID: 34951799
Where is task manager?
0
 

Author Comment

by:artismobile
ID: 34951813
Yes,
I have made it to the desktop screen but I can't open the first step.
0
 
LVL 13

Expert Comment

by:upalakshitha
ID: 34951816
Press Ctrl + Alt + Del >> Task Manager
0
 

Author Comment

by:artismobile
ID: 34951829
No task manager. brings me back to the Warning!
0
 
LVL 76

Expert Comment

by:arnold
ID: 34951835
Go through the repair option and go to a point before this issue came up.
If you do not have anything customized i.e. documents, etc.
The quickest thing is to restore the system to the state when you bought it with the only issue if you created the restore disks.

Are you able to launch taskmgr (ctrl-shift-escape) with which you can kill the extraneous process/es?
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34951848
Is there an icon for it on the desktop or an entry in the programs list?
0

 
LVL 3

Expert Comment

by:mmarketing
ID: 34951853
@ younghv: hitman pro usually gets the job done in these cases.

@artismobile have you tried logging in as an administrator user in safe mode or to create a new user?
0
 

Author Comment

by:artismobile
ID: 34951854
Can't launch task mgr
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951908
Art,
I will be glad to continue working with you, but all of this extraneous advice is confusing me.

If you will respond by name, it will help eliminate some of the confusion.

The guy writing the instructions for this removal (Grinler) is just about without peer in the anti-malware business and no one posting in this question has anywhere near his experience and expertise.

I suggest that we walk through his instructions and if they don't work, I will bow out.

Thanks,
Vic
0
 

Author Comment

by:artismobile
ID: 34951917
Once I log in as safe mode, Windows starts then this Optimal thing. It doesn't give me a chance to do anything else. In the advanced boot I can log in:
Safe mode
Safe mode with networking
Safe mode with command prompt
Enable boot logging
Last known good configuration
Directory services restore mode
Debugging mode
Disable auto restart on system failure
Disable driver signature enforcement
Start normally
0
 

Author Comment

by:artismobile
ID: 34951957
Ok Vic,
Let's get it done!
Art
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951971
OK - got it.

I'm afraid that I posted that "Safe Mode" advice before finding the information at bleepingcomputer.

I just read through the instructions again and they do not say that.

Let your computer boot to Normal, let the Optimal Tool run its course, then see if you can 'click the X' to close it.

Standing by.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34951999
Just to clarify - I am following the instructions about 1/3 of the way down this link
http://www.bleepingcomputer.com/virus-removal/remove-windows-optimal-tool

The section title is:
"Automated Removal Instructions for Windows Optimal Tool using Malwarebytes' Anti-Malware:"
0
 

Author Comment

by:artismobile
ID: 34952046
Yes, and it still won't allow me to open Rkill and won't let me access Explore 8. It closes after a few seconds.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34952064
If you have Rkill on a USB stick, try copying it over to the infected computer as "xyz.exe", then try to run it.

(Sophisticated malware 'knows' the names of several anti-malware tools and can block them from starting.)
0
 

Author Comment

by:artismobile
ID: 34952128
O.k.
I just changed the name, it went to a c prompt, said it was terminating malware to be patient.
Gave me a log in notepad, says it was completed. That warning is done. Now do I do the shell.req as a download on the infected computer or USB?
0
 
LVL 38

Expert Comment

by:younghv
ID: 34952156
Great news!

Let's try it the easy way first - from the infected computer.

If that doesn't work, we can do the old IT-2 step and use the USB stick.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34952171
Also - just as a precaution...
From now on use the "Save As" function (in Internet Explorer) and use phony names for your downloads.

0
 

Author Comment

by:artismobile
ID: 34952241
Yes! On to download Malwarebytes. I'll let you know.

(You don't want to know the new save as name I used...something like...take this you..you get the idea)  <grin>
0
 
LVL 38

Expert Comment

by:younghv
ID: 34952253
LOL!

I always admit that my language in the workshop is not fit for tender ears. On occasion, I make up new swear words to fit the situation.
0
 

Author Comment

by:artismobile
ID: 34952308
To say the least!
Doing a quick scan now.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34952321
OK - note "Step 11"
If MalwareBytes' prompts you to reboot, please do not do so.

0
 
LVL 38

Expert Comment

by:younghv
ID: 34952350
(Never mind, you're past that.)

You should Abort the "Quick Scan" and do a "Full Scan".

(Step 13)
0
 

Author Comment

by:artismobile
ID: 34952379
All done! Looks cleared.  A lot of work for this one wasn't it? I'll load AVG on that computer.
Thanks for the hard work!
0
 
LVL 38

Expert Comment

by:younghv
ID: 34952458
A thought for you - before you do AVG (which I used to recommend).
Take a look at this Article and just give it some consideration - before deciding.

http://www.experts-exchange.com/A_1958.html
....

Really glad this (seems to have) worked - but re-boot and run some basic functions as a check.
0
 

Author Comment

by:artismobile
ID: 34952523
Thanks for that tip too. I've been a fan of EE for years now and I always follow the advice.
Yes, all functions are operational.
Thank you!
0
 
LVL 38

Expert Comment

by:younghv
ID: 34952541
Great to hear!
(Phew!)

See you around the Zones (but not this one too soon).
<Grin>
0
 
LVL 38

Expert Comment

by:younghv
ID: 34952707
Art,
If we're good to go here, close it out and I'll move on to help someone else.

Thanks,
Vic
0
 

Author Comment

by:artismobile
ID: 34952717
Yes! Hopefully not this one! You worked hard for the points!
0
 

Author Closing Comment

by:artismobile
ID: 34952738
Great instruction! The solution was perfect!
0
 
LVL 38

Expert Comment

by:younghv
ID: 34952779
Art,
Fair to say that we both learned a whole bunch on this one - thank you.
Vic
0
