-
mawil, I had the following on an e-mail from CA.
Win32.Opaserv.Worm
Win32.Opaserv is a worm that spreads through shared Windows drives. When run, the worm copies itself to the Windows directory. It then adds the following value to the registry so that this copy is run each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr="%Windows%\ScrSvr.exe"
It also creates this registry key value that is set to the file from which the worm was originally run:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvrOld="ScrSvr.exe"
This registry key is later deleted.
The files ScrSin.dat and ScrSout.dat are also created in the %Windows% directory.
Win32.Opaserv attempts to copy itself over the network through open share directories to WINDOWS\scrsvr.exe on a remote Windows machine.
The worm also attempts to update itself by downloading a copy off a webserver. The file that is downloaded is named scrupd.exe.
The eTrust InoculateIT signature updates listed below contain detection and system cure for Win32.Opaserv.Worm.
To cure an infected system, all files being detected as Win32.Opaserv.Worm must be deleted. This can either be done manually or by setting eTrust InoculateIT to delete infected files.
If you already saw this just disregard.
Tufenuf
-
Ran eZtrust AV with the newest updated file. It's not finding anything, but the scrsvr.exe file keeps coming back. :(
I've scanned all drives with it and run Symantec's removal tool.
Thing is, the scrsvr.exe doesn't seem to be doing anything. Just keeps coming back to my windows directory and the win.ini file.
-
W32.Opaserv.Worm
Look at it this way, it's not as bad as a Trojan like KLEZ!
-
mawil, Do you by chance have the file that's mentioned in this paragraph from the CA Removal Instructions.
The worm also attempts to update itself by downloading a copy off a webserver. The file that is downloaded is named scrupd.exe.
I don't know what else to say but there are a lot of people at different forums I frequent having problems getting rid of this virus. If I find a definite solution I'll post back to this thread.
Tufenuf
-
mawil, Response 26 at the link below may have the solution. It has worked for others at that thread. Here's the link.
http://www.computing.net/security/ww...orum/2430.html
Good Luck,
Tufenuf
-
Thanks Tufenuf. Read thru it and checked msconfig startup. Nothing there. It's getting late and I'm really bleary eyed. :) Will read thru it again tomorrow and try a few things.
Oh. I just restored an earlier version of my registry because every time I did a search of it for scrsvr or opasoft, I found something new. (Different locations. Different files.) Will give it some time and see if it affected anything.
-
Have you disabled file and print sharing in network yet (till you get rid of it) ?
-
Hi
Having had this virus since the 30th of September I am nearly at my wits end. I have looked everywhere for a solution. Although Norton, McAfee, etc have posted their solutions, nothing seems to prevent it recurring.
Everything mentioned in the previous posts I have tried and the only thing I can see that works is to remove the shares. As mentioned in post 41
After removing all the shares on my PC, the virus stopped completely.
I believe this virus is scanning any computer on the internet for open network shares. Once it finds a share on a windows root drive, it writes the scrsvr.exe file and then modifies the win.ini file.
Hey presto, the next time you boot up, the virus runs. When you connect to the internet, your machine starts scanning the internet for other machines with open ports to infect them.
So, as long as you are sharing your root drive, you are vulnerable. If you have a fixed IP, the virus probably stores your address for targeting again.
That is my conclusion, in the absence of any other ideas.
My guess is the only way to use shares is to employ a decent firewall to prevent penetration or to turn off write permissions on the shares.
-
This gets stranger and stranger. :) After restoring a previous registry, IT came back again. After a reboot, it didn't seem to be DOING anything. Not trying to access the net or lan.
So, being totally fed up, I double clicked on it. It immediately tried to pass thru ZA. I then ran symantec's fix again, with different results this time.
It deleted the executable, cleaned a registry entry AND said I was now inoculated (I think that's the word it used) against the virus. I then cleaned the call from the win.ini file, searched the registry and removed all scrsvr and opasoft entries that were left.
The bloody thing came back, but it is 0KB in size and there is nothing in win.ini or the registry.
If anything changes, I'll post back.
-
I HAVE DEFINITELY GOT RID OF IT!!!!!
Go to your internet settings, then the properties of your tcp/ip protocol and disable the 'Client for Microsoft Networks' & 'File and printer sharing for Microsoft Networks' bindings.
I am on a 2 machine network with a shared 'c' drive on one machine (the one with the problem). I can still access my shared c drive and my printer!
For 3 hours I have been scrsvr.exe free and my win.ini file is untouched.
For more info see http://grc.com/su-bondage.htm
YIPPEEEEEE!!!!!!:D
-
Was watching a movie last nite and came back to the computer. I have my AV (eTrust) set for real time protection now. Message on screen that scrsvr.exe contained the opasoft virus. Now it's back to 28KB and in the win.ini file again. Nothing in registry. Right clicked on the file and scanned with eTrust, it deleted the file. I also deleted the win.ini line AGAIN. This is all while the computer was running continuously without rebooting and with ZA running. (I have cable connection.)
This thing is really persistent.
SO. After reading the thread in Tufenuf's link, I did the following.
Went to dos and created a scrsvr.exe file, copied it to windows directory and made it read only. Been surfing all day and no more problems.
I know this is only a workaround and plan to implement Muk1wa's fix as soon as I have time.
Thanks for everyone's help. :D
-
Hi friends,
I hope my bad English can be understood.
I don't know if the scrsvr is a solved problem.
When I'm connected, every 5-10 minutes my NAV2002 detects an infected file .... c:\windows\scrsvr.exe.
My win.ini now is very light. Yes I have a new line run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe but I don't find the remainder. I have [windows]-[compatibility]-[embedding]-[desktop] only. Nothing [fonts], [intl] etc...
The printers aren't recognized, Corel Draw doesn't start, Autocad doesn't print etc..
In the HKEY_LOCAL_MACHINE I don't see anything...
HELP !!!
(sorry for my English) Here it's midnight.
Thanks
Giovanni:(
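A defender-side check for the artefacts reported in this thread, as an added example that is not part of any post: it looks for a run= (or load=) line naming scrsvr.exe in the [windows] section of win.ini, the ScrSvr/ScrSvrOld Run values, and the worm's files in the Windows directory. The function names and sample inputs are constructed for illustration; only the run= value is taken from the post above.

```python
import re

# Artefact names taken from the CA notice quoted earlier in this thread.
WORM_FILES = {"scrsvr.exe", "scrsin.dat", "scrsout.dat", "scrupd.exe"}
RUN_VALUES = {"scrsvr", "scrsvrold"}


def winini_autostart_hits(text):
    """Return (key, value) pairs in [windows] whose run=/load= value names scrsvr.exe."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # section header: remember which section we are in
            section = m.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if (sep and section == "windows" and key.strip().lower() in ("run", "load")
                and "scrsvr.exe" in value.lower()):
            hits.append((key.strip().lower(), value.strip()))
    return hits


def run_key_hits(values):
    """values: {name: data} as read from the Run key; returns the matching value names."""
    return sorted(n for n in values if n.lower() in RUN_VALUES)


def file_hits(listing):
    """listing: {filename: size_in_bytes} for the Windows directory.
    Returns (non_empty, empty); a 0-byte file cannot be a runnable copy."""
    live = sorted(f for f, s in listing.items() if f.lower() in WORM_FILES and s > 0)
    empty = sorted(f for f, s in listing.items() if f.lower() in WORM_FILES and s == 0)
    return live, empty


# Constructed sample inputs (not captured from a real machine).
SAMPLE_INI = """[windows]
run=C:\\WINDOWS\\SCRSVR.EXEc:\\windows\\scrsvr.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_RUN = {"ScrSvr": r"C:\WINDOWS\ScrSvr.exe", "SystemTray": "SysTray.Exe"}
SAMPLE_DIR = {"SCRSVR.EXE": 0, "ScrSin.dat": 512, "NOTEPAD.EXE": 53248}

if __name__ == "__main__":
    print(winini_autostart_hits(SAMPLE_INI))
    print(run_key_hits(SAMPLE_RUN))
    print(file_hits(SAMPLE_DIR))
```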
-
Hi
I had this problem for 2 days and have been pulling my hair out, but it has now gone. I am scrsvr.exe free!!!!
Please see my post above for fix...
Muk1wa
-
You must remove the shares or change access to them to read only.
I have shares all over my PC and set them all to read only.
Since that, I have never had any problems.
This virus scans your machine for writeable shares and if it finds that your windows directory is shared with write access, it writes the exe file to this folder. Then it modifies the win.ini file.
YOU MUST REMOVE THE WRITEABLE SHARES. THIS DEFINITELY WORKS.
-
Thanks Muk1wa,
How can I find the internet setting you are talking about? I work with Win98 and IE 4.0. I saw http://grc.com/su-bondage.htm but I didn't find anything.
Thanks Asp,
What are the shares in a PC?
How can I remove the writeable shares?
Thanks and sorry for my computer knowledge.
greetings from Italy