WIN.INI.FILE 2

Status
Not open for further replies.

wil115

Technical User
Apr 21, 2003
23
Hi
Loaded PC-cillin but it put up a firewall and stopped my network internet connection. I removed it but now have error message (could not load or run 'scrsvr.exe' specified in the WIN.INI.FILE. make sure the file exists on your computer or remove reference to it in WIN.INI.FILE). How do I recover or remove this? I am using win98se
Thanks Norman
 
Did you go to Add/Remove Program to remove the PC-cillin or did you just delete the folder?

Try reinstalling and uninstalling via Add/Remove Programs.
 
Go to
Start/Run
type msconfig enter
This utility will allow you to edit the Win.INI file and stop the reference to the file being started.
scrsvr.exe is a screen saver file, and possibly a virus file. PC-Cillin might have gotten rid of the file, but the virus would have put the reference in the win.ini file to load it on boot.

Good luck, and Happy Computing
 
hi I removed it through add/remove programs
norman
 
What exactly do I type in? Tried msconfig, no joy.
Norman
 
Win32.Opaserv.D is very similar in function to Win32.Opaserv.A, although it creates two extra log files in the Windows directory: "ScrLog" and "ScrLog2".

Win32.Opaserv is a worm which spreads through shared Windows drives and became surprisingly widespread in early October 2002.

When run, the worm copies itself to the Windows directory. It then adds the following value to the registry so that this copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvr="%Windows%\ScrSvr.exe"

It also creates the following registry value:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScrSvrOld="ScrSvr.exe"

This value is set to the file from which the worm was originally run. This registry key is later deleted.

The files ScrSin.dat and ScrSout.dat are also created in the %Windows% directory.

It attempts to copy itself across Windows Networking (SMB) networks by exploiting a very old vulnerability in the way Windows 95, 98, 98SE and ME machines verify network share passwords. In short, unpatched versions of these Operating Systems can be fooled into accepting just a single character password, regardless of how long a password is actually set on the share (so long as a password has been set). Microsoft shipped a patch to fix this vulnerability in October 2000. A brief description of the problem with links to the patch download locations and installation instructions is available from this Microsoft security bulletin:


All users of Windows 95, 98, 98SE and ME machines that have file and print sharing enabled should obtain and install that patch, as despite the rather weak recommendation the security bulletin gives its installation, it really should be considered a critical update. Exploit code, allowing remote password discovery against share-level passwords, has been available since around the time the vulnerability was first disclosed, but Opaserv is the first malware known to have exploited this weakness.

The share-level password vulnerability only affects the non-NT versions of Windows. Further, it only affects shares available via share-level access permissions - Windows 9x and ME machines that are part of a domain and only employ user-level (or domain) access controls are not vulnerable to this exploit. Microsoft recommends "...that user-level access permissions be granted to shares rather than share level permissions based on passwords".

Earlier reports of Opaserv's operation suggested that it spread through open shares (i.e. ones with no passwords) or shares with only very short, or one character, passwords. This is incorrect. Opaserv spreads by exploiting the share-level password vulnerability mentioned above, specifically trying to attach to the 'C' share (the default name of a share based at the root of the C: drive) of randomly selected IP addresses. If it can attach to such a share, it attempts to copy itself to \WINDOWS\scrsvr.exe on the share (this, of course, requires that not only is the C: drive shared and Windows installed in the default directory, but that 'full', rather than 'read-only' access has been granted to the share).
Note: Even though this particular vulnerability does not affect NT-based Windows operating systems, (NT, 2000, XP), Opaserv will still successfully copy itself to these systems if it finds a share that meets the above criteria.

Failure to patch this vulnerability in Windows means that disinfecting a machine is only a very temporary fix so long as it remains attached to the network(s) from which it was initially infected. If access to Microsoft Networking ports cannot be blocked or otherwise hardened with a firewall or similar means and a Windows 9x or ME machine must be left on a hostile network, the patch absolutely must be applied or the machine will likely be re-infected in short measure.

The worm also attempts to update itself by downloading the file scrupd.exe from a webserver and replacing itself with the new version. The server has been closed, so this should not pose any further threat.



Regards

Phil
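
Added example, not part of any post in this thread: a small Python audit that finds and strips a leftover scrsvr.exe reference from the load=/run= lines of WIN.INI's [windows] section, which is the stale reference behind the error message in the first post. The function name `audit_win_ini`, the sample file contents and `clock.exe` are constructed for illustration; the flagged file names are the ones listed in the posts above.

```python
import ntpath
import re

# File names named in the posts above; compared case-insensitively.
OPASERV_FILES = {"scrsvr.exe", "scrsin.dat", "scrsout.dat",
                 "scrlog", "scrlog2", "scrupd.exe"}

# Constructed sample WIN.INI (not from a real machine).
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\scrsvr.exe C:\\TOOLS\\clock.exe\n"
    "NullPort=None\n"
    "\n"
    "[Desktop]\n"
    "run=scrsvr.exe\n"
)

ENTRY = re.compile(r"^(\s*(?:load|run)\s*=\s*)(.*)$", re.IGNORECASE)


def audit_win_ini(text, names=OPASERV_FILES):
    """Return (hits, cleaned_text) for the [windows] load=/run= lines.

    hits is a list of (line_no, program); cleaned_text drops only those
    programs and preserves every other line and entry.
    """
    hits, out, section = [], [], None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        m = ENTRY.match(line)
        if m and section == "windows":
            keep = []
            # Simplification: entries are split on spaces/commas, so long
            # paths containing spaces are not handled.
            for prog in re.split(r"[,\s]+", m.group(2).strip()):
                if ntpath.basename(prog.strip('"')).lower() in names:
                    hits.append((no, prog))
                elif prog:
                    keep.append(prog)
            line = m.group(1) + " ".join(keep)
        out.append(line)
    return hits, "\n".join(out) + "\n"


if __name__ == "__main__":
    print(audit_win_ini(SAMPLE_WIN_INI))
```

Run it against a copy of WIN.INI and compare the cleaned text with the original before replacing the file; the Run registry value described in the last post is a separate startup location and is not touched by this script.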
 