
Snrndr.exe is it a virus of some sort?


  • This topic is locked
16 replies to this topic

#1 INeedHelp!

INeedHelp!

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 05 March 2009 - 07:44 PM

Well I had downloaded a Vista Transformation Pack 9, which basically transforms Windows XP so it looks like it's Vista, but it isn't. Ever since after that, whenever I start up my system, this message tells me something about not finding this program Snrndr.exe. I click OK, then it pops out another message saying Could not execute the external program C:\WINDOWS\system32\scrnrdr.exe. There is another topic exactly like this so this is double posted but it hasn't been updating for a long time. I am reposting this to see if anyone can help me solve this problem. If not I will remove the whole VTP 9. Thank You! Anyway I'm really trusting this website since they helped me remove a lot of viruses like AntiVirus Pro 2008 :thumbsup:

Edited by INeedHelp!, 05 March 2009 - 08:17 PM.




#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:46 AM

Posted 07 March 2009 - 08:50 PM

Hello.

Does sound like an infection. Take a look here: http://www.threatexpert.com/files/scrnrdr.exe.html

Run MBAM and see if it can remove/find anything.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 INeedHelp!


Posted 08 March 2009 - 12:25 PM

Ok the log is:

Malwarebytes' Anti-Malware 1.34
Database version: 1827
Windows 5.1.2600 Service Pack 3

08/03/2009 10:30:09 AM
mbam-log-2009-03-08 (10-30-09).txt

Scan type: Quick Scan
Objects scanned: 69814
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Sorry about the edit, I forgot to check for updates. I was a lot of versions down. I didn't use your download link, I had MBAM before already. The top is the real log. I still can't find this virus, is it hiding or something? Like a trojan or some sort? Oh no I forgot to tell you guys that it has the message "Windows cannot find 'C:\WINDOWS\system32\sdcrnrdr.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button then click search." Right after I click OK. "Could not execute the external program C:\Windows\system32\scrnrdr.exe." Sorry I didn't tell you.

Edited by INeedHelp!, 08 March 2009 - 12:45 PM.


#4 extremeboy


Posted 08 March 2009 - 02:30 PM

Hello.

No, I think the file is gone but the registry relating to it is not. Let's see.

Run the following script for me please.

Create and Run batch script
  • Please create and execute the following batch script.
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    @Echo off
    
    REM Dump the machine-wide Run key (programs started for every user) to C:\looking.txt
    Echo ----------------------- HKLM\RUN KEY ----------------------------------- > C:\looking.txt
    
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> C:\looking.txt
    
    REM Append the per-user Run key (programs started for the logged-on user)
    Echo ----------------------- HKCU\RUN KEY ----------------------------------- >> C:\looking.txt
    
    reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" >> C:\looking.txt
    
    REM Show the result, then delete this batch file
    notepad C:\looking.txt
    
    Del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input peek.bat.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .bat file.

Double-click on peek.bat, and a black DOS window shall appear and then Notepad shall open. This is all NORMAL, please do not panic.

Post the contents of notepad in your next reply. It can also be found at C:\Looking.txt. Thanks. :thumbsup:

With Regards,
Extremeboy

#5 INeedHelp!


Posted 08 March 2009 - 08:44 PM

Ok here's what it has:

----------------------- HKLM\RUN KEY -----------------------------------

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Recguard REG_SZ C:\WINDOWS\SMINST\RECGUARD.EXE
SunKistEM REG_SZ C:\Program Files\Digital Media Reader\shwiconem.exe
<NO NAME> REG_SZ
High Definition Audio Property Page Shortcut REG_SZ HDAudPropShortcut.exe
CHotkey REG_SZ zHotkey.exe
ShowWnd REG_SZ ShowWnd.exe
mcagent_exe REG_SZ "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
McENUI REG_SZ C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
IMJPMIG8.1 REG_SZ "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 REG_SZ C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync REG_SZ C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A REG_SZ C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
GrooveMonitor REG_SZ "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
RemoteControl REG_SZ "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
LanguageShortcut REG_SZ "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
SkyTel REG_SZ SkyTel.EXE
SoundMan REG_SZ SOUNDMAN.EXE
AlcWzrd REG_SZ ALCWZRD.EXE
Alcmtr REG_SZ ALCMTR.EXE
IgfxTray REG_SZ C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds REG_SZ C:\WINDOWS\system32\hkcmd.exe
Persistence REG_SZ C:\WINDOWS\system32\igfxpers.exe
TkBellExe REG_SZ "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RoxWatchTray REG_SZ "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
DMXLauncher REG_SZ "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
RoxioDragToDisc REG_SZ "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
Adobe Reader Speed Launcher REG_SZ "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe"
DrvIcon REG_SZ C:\Program Files\Vista Drive Icon\DrvIcon.exe
SunJavaUpdateSched REG_SZ "C:\Program Files\Java\jre6\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
----------------------- HKCU\RUN KEY -----------------------------------

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
swg REG_SZ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
ViOrb REG_SZ C:\Program Files\ViOrb\ViOrb.exe
Vista Rainbar REG_SZ C:\Program Files\Vista Rainbar\launcher.exe
ViStart REG_SZ C:\Program Files\ViStart\ViStart.exe
LClock REG_SZ C:\Program Files\LClock\LClock.exe
BitTorrent DNA REG_SZ "C:\Program Files\DNA\btdna.exe"
System REG_SZ C:\PROGRA~1\MOZILL~1\firefox.exe
SUPERAntiSpyware REG_SZ C:\New Folder\SUPERAntiSpyware.exe

#6 extremeboy


Posted 09 March 2009 - 03:06 PM

Hello.

I would like you to do a regsearch. I don't see it on startup in those keys..

Download and Run RegSearch
We need to do a registry search.

Please download RegSearch and save it to your desktop.
  • Extract the folder regsearch onto your desktop
  • Double-click on regsearch folder and then find regsearch.exe and double click it
  • A Security Window will open please select Run.
  • The Registry Search window will appear please make sure under the Search everything is checked.
  • At the top of the Regsearch where it says: "Enter Search string (case independent) and click Ok..." please input:

sdcrnrdr.exe
  • After inputting the name, please click Ok
  • It will begin searching, once it is finished notepad will open with the log.
  • Please post the contents of that log in your next reply.
  • If more than one line was listed, then copy and paste the contents of that log before searching the second line.
    If you do not do this then the second registry search log will overwrite the second.
Post back with the:
-Regsearch log

With Regards,
Extremeboy

Edited by extremeboy, 09 March 2009 - 03:07 PM.
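
What reading the pasted listing for a startup reference amounts to, as an added example that is not part of the original thread: a parser for the reg query (REG.EXE 3.0) output format shown in post #5 that reports any Run value whose program is one of the file names from the error messages. The names RunEntry, parse_reg_query and find_references, and the ScreenRdr line, are constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass

# A value line as pasted from REG.EXE 3.0: name, type, optional data. Names may
# contain spaces, so split on the REG_* type token rather than on whitespace.
VALUE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?=\s|$)\s*(?P<data>.*)$")
# Shortest prefix ending in an executable extension is taken as the program.
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)
# File names quoted in the thread's error messages.
NAMES = ("scrnrdr.exe", "sdcrnrdr.exe")


@dataclass
class RunEntry:
    key: str
    name: str
    type: str
    data: str

    @property
    def image(self) -> str:
        """Program path with quotes and command-line arguments stripped."""
        if self.data.startswith('"'):
            return self.data[1:].split('"', 1)[0]
        m = IMAGE_RE.match(self.data)
        return m.group(1) if m else self.data.split(" ", 1)[0]


def parse_reg_query(text):
    """Return every value listed under each HKEY_ line; headers are skipped."""
    entries, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.upper().startswith("HKEY_"):
            key = line
        elif key and (m := VALUE_RE.match(line)):
            entries.append(RunEntry(key, m["name"], m["type"], m["data"].strip()))
    return entries


def find_references(entries, names=NAMES):
    """Entries whose program image has one of the given file names."""
    wanted = {n.lower() for n in names}
    return [e for e in entries if ntpath.basename(e.image).lower() in wanted]


# Excerpt of the listing in post #5, whitespace as it appears on the page.
SAMPLE = r"""
----------------------- HKLM\RUN KEY -----------------------------------
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<NO NAME> REG_SZ
High Definition Audio Property Page Shortcut REG_SZ HDAudPropShortcut.exe
mcagent_exe REG_SZ "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
McENUI REG_SZ C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
----------------------- HKCU\RUN KEY -----------------------------------
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
System REG_SZ C:\PROGRA~1\MOZILL~1\firefox.exe
"""
# CONSTRUCTED line, not from the thread: what a matching entry would look like.
CONSTRUCTED_HIT = r"ScreenRdr REG_SZ C:\WINDOWS\system32\scrnrdr.exe /s"

if __name__ == "__main__":
    for text in (SAMPLE, SAMPLE + CONSTRUCTED_HIT):
        hits = find_references(parse_reg_query(text))
        print([(e.key, e.name, e.image) for e in hits] or "no reference found")
```

On the excerpt it reports no reference, which matches the observation above that the file is not started from either Run key.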


#7 INeedHelp!


Posted 09 March 2009 - 07:48 PM

Isn't it scrnrdr.exe, not sdcrnrdr.exe? 'Cause when I type sdcrnrdr the program lags then nothing happens and I have to force quit!

#8 extremeboy


Posted 09 March 2009 - 08:12 PM

Hello.

Try scrnrdr.exe then.. I copied and pasted that name, how did it turn out to be "sdcrnrdr.exe"... This is strange..

Anyways, this time paste in scrnrdr.exe and post the log back.

Thanks.

With Regards,
Extremeboy

#9 INeedHelp!


Posted 09 March 2009 - 11:30 PM

I'm sorry but something doesn't work. Whenever I open it up and type in scrnrdr.exe, press OK and the bottom does all this mumbo jumbo word things. Then it lags and stops on one and doesn't move. I open up Windows Task Manager and it says it's Not Responding. Could you please help? Thank You!

P.S. I found this program called RegSeeker. Should I try to use that program?

Edited by INeedHelp!, 09 March 2009 - 11:33 PM.


#10 extremeboy


Posted 10 March 2009 - 12:12 PM

Hello.

Try this regsearch instead then..

Find Registry Search Tool and download that

Next please extract the folder Registry Search Tool that you downloaded earlier. To Extract right-click on it and select Extract All.
A folder will be extracted. Open that folder and double click on RegSrch.vbs

In the Open Field type in: scrnrdr.exe and hit Ok.

Wait for it to search your registry, it will be done once you get a message. WordPad will open. Please Save this to your desktop by going to File>Save as... and save it as search.txt.

Post back with that log. I need to leave today and probably can not help you any further after that. Sorry :thumbsup:

With Regards,
Extremeboy

#11 INeedHelp!


Posted 10 March 2009 - 08:48 PM

Ok here's the log.
REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "scrnrdr.exe" 10/03/2009 6:47:12 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-915568536-1621196428-2532072760-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\scrnrdr.exe"="ResWriter"

Who will help me now? Will there be anyone to help me or will you guys just stop?

#12 extremeboy


Posted 19 March 2009 - 07:51 PM

Hello.

I'm sorry for the delay. If you're still there let's continue.

Back up your registry FIRST. Then please create a registry script and execute it.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have a backup, so in case anything goes wrong we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

How to Restore from the ERUNT Backup

Only restore from the backups if instructed to, or you need to do so. You need it if after doing something, your computer will only boot in Safe Mode and you are unable to contact us (or anyone else) for help by other means, or if your computer will not boot into Windows at all.

To restore if you can boot, navigate to C:\WINDOWS\erdnt, choose the folder with the most recent date, and double click ERDNT.EXE. Check all boxes in the restoration options.

To restore from the Recovery Console using the Windows CD:
  • Turn on your machine with the disk in the drive.
  • Type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • Type without quotes "cd erdnt" followed by Enter.
  • Type without quotes "dir" followed by Enter. This will list out the available folders, whose names are the date on which the backup was taken in (M)M-DD-YYYY format. Try the most recent dates first.
  • Type without quotes "cd **name of the folder**" followed by Enter.
  • Type without quotes "batch erdnt.con" followed by Enter.
  • Type without quotes "exit" followed by Enter.
  • Remove your CD from the drive and reboot your computer into the restored registry. If you still cannot boot, try again with an earlier restore date.


Create and Run Registry Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".

    REGEDIT4

    ; Delete the MUICache value for scrnrdr.exe under the key reported in the RegSrch.vbs log
    [HKEY_USERS\S-1-5-21-915568536-1621196428-2532072760-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\WINDOWS\\system32\\scrnrdr.exe"=-

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.reg.
  • Hit OK.
When done properly, the icon should look like Posted Image for the .reg file.

Double-click on fix.reg, you will get a warning saying something like: "do you wish to merge/add the following information to the registry?". Please say Yes. Next you will get a confirmation telling you if it was merged successfully.

Tell me in your next reply if the reg script got merged successfully. Reboot afterwards.

Let me know how it goes and if you have any problems still.

With Regards,
Extremeboy

#13 INeedHelp!


Posted 20 March 2009 - 12:06 AM

It did not work! I didn't want to wait so I restored my files. Once you tell me the next step I will redo everything like backing the files up again.

#14 extremeboy


Posted 20 March 2009 - 10:08 AM

Hello.

Let's start a topic in the malware removal forum now. There's probably more on your computer than is visible currently. Starting a topic there should make sure you are free from malware after the disinfection process.

1) Backup all your important data files, pictures, music, work etc... These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

1st Step: Preparation Guide Before Starting a Topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
2nd Step: Starting a Topic in the HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Good Luck! :thumbsup:

With Regards,
Extremeboy

Edited by extremeboy, 20 March 2009 - 11:02 AM.


#15 INeedHelp!


Posted 20 March 2009 - 10:37 AM

I'm sorry I don't really understand what you are saying. Are you asking me to do a whole system restore?



