Well, I THINK (knock on wood) that I have successfully eliminated the Opaserv family from our network.
I know there is A LOT of info on this already, but I have added a few things here that might be helpful - any and all advice is greatly appreciated!
First of all, I unplugged our DSL modem and disconnected each computer from our network - no more "talking" until we are done here!
I have found that put.ini and tmp.ini are both copies of the win.ini file that have the added run info for various components, including scrsvr.exe, and alevir.exe. The put.ini and tmp.ini files were both located in C:\...right on the root - I deleted these two.
Now, I went into the win.ini file (by running sysedit) and deleted any references to any of the virus files (see the list below).
Then I went into the registry (running regedit) and I went to the following address:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
I deleted any entries for alevir.exe, brazil.exe, brazil.pif or scrsvr.exe.
Also, I just did a "Find Files" and searched for any of the following:
brazil.exe
brazil.pif
alevir.exe
scrsvr.exe
marco!.scr
If I found them, I deleted them. If I couldn't delete them because they were in use by Windows (this happened to me with alevir.exe), then I ran msconfig and chose "selective startup" and unchecked everything and restarted my computer. Now, with all startup groups out of commission, I could delete my file (and of course, delete from the recycle bin). Now, I re-ran msconfig and chose "Normal startup" and restarted normally.
While I had the computer out of service, I went ahead and cleaned out the C:\Windows\temp folder and ran disk cleanup (WIN 98 machines), scandisk and defrag.
I noticed that on most of my machines, when I ran scandisk, that scandisk found lost file fragments - I allowed scandisk to delete these "file fragments". I don't know if this was anything like a hiding virus, but I just thought I should add it in here.
Now, I went ahead and password protected each computer's C: drive and installed the related patch from Microsoft. This will prevent this virus from just walking uninhibited across all our computers again!
I did this routine on all of our machines. On the "internet server" I also uninstalled and reinstalled our firewall software - I couldn't figure out how it got through in the first place!...well, that is until I started doing my maintenance and realized that I always kill all my TSRs before a defrag...and I didn't disconnect from the internet...Duh!...I took out my own firewall!...bad mistake...the only thing that makes sense is that this virus just waltzed on in while I was defragging...I'll never leave the internet up while I do that again! (Hate admitting my mistakes, but if I help someone else not to do what I did, then it's worth it).
I should also note that our firewall is Sygate Personal Firewall 4.0 Build 670. I went to
https://grc.com/x/ne.dll?bh0bkyd2
and tested my firewall - had green lights all the way - that was nice to see. This program is free for the home user also! The only thing is, you can't do much configuration with it - I have been curious about this Zone Alarm - will have to play with it when I have time!
Anyway, we have been virus free for over 24 hours now (knocking on wood again!). I should note that I have seen in my firewall's traffic log attempts from various IP addresses to connect with us through port 137. And the strange thing is, in the "Rule name" column of my traffic log I see a strange rule name for these and only these attempts:
GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP
I am going to write Sybergen and ask them about this - all the other rules say "Block_all"
If anyone knows anything about this, your response would be appreciated.
If there is anything I have overlooked, please let me know.
Good Luck! :)
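A defender-side check of the persistence points walked through above (the win.ini run= and load= lines, the HKLM Run key, and the put.ini/tmp.ini copies on the root of C:), written as an added example that is not part of this thread. It also takes the brasil.pif spelling from a later reply; the win.ini text, Run-key values and root listing are constructed samples, and on a real machine you would feed it the actual win.ini contents and the Run values read with winreg.

```python
"""Added example: check the Opaserv persistence points the thread lists
(win.ini run=/load=, the HKLM Run key, put.ini/tmp.ini on C:\\) on sample data."""
import configparser

# File names from the thread; "brasil.pif" is the spelling a later reply adds.
SUSPECT_FILES = {"brazil.exe", "brazil.pif", "brasil.pif", "alevir.exe",
                 "scrsvr.exe", "marco!.scr"}
ROOT_INI_COPIES = {"put.ini", "tmp.ini"}  # win.ini copies dropped on the C:\ root

def names_in(text):
    """Suspect file names referenced anywhere in a string (case-insensitive)."""
    low = text.lower()
    return {name for name in SUSPECT_FILES if name in low}

def check_win_ini(ini_text):
    """Return {'run': {names}, 'load': {names}} hits in the [windows] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    findings = {}
    for section in parser.sections():
        if section.lower() != "windows":
            continue
        for key in ("run", "load"):  # the two auto-start lines in win.ini
            hits = names_in(parser.get(section, key, fallback=""))
            if hits:
                findings[key] = hits
    return findings

def check_run_key(values):
    """values: {value name: command} as read from the Run key. Returns the hits."""
    return {name: names_in(cmd) for name, cmd in values.items() if names_in(cmd)}

def check_root_listing(filenames):
    """Which of the thread's win.ini copies appear in a C:\\ directory listing."""
    return {f for f in filenames if f.lower() in ROOT_INI_COPIES}

# Constructed sample data resembling an infected Win9x box (not a real capture).
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\ScrSvr.exe
NullPort=None
"""
SAMPLE_RUN_KEY = {"ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
                  "ScrSvr": r"C:\WINDOWS\ScrSvr.exe",
                  "Brazil": r"C:\brasil.pif"}
SAMPLE_ROOT = ["AUTOEXEC.BAT", "CONFIG.SYS", "put.ini", "TMP.INI", "WINDOWS"]
```

A clean result from all three checks only means these known names are gone from these three places; as the next reply points out, it does not prove the worm left nothing else behind.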

Great to hear! Before you switch to Zone Alarm from Sygate try its upgrade version of 5.0. Take care and all the best!

Angie,
I'm glad to hear you've stopped that virus. It's a real bugger. I can see you've read up on this site on how to fix it, (and I'm glad some of my tips were helpful for you). In case anyone has just wandered into this thread, here is my post that describes pretty much what Angie just said, but it also has a couple of other fixes: http://www.computing.net/security/wwwboard/forum/3023.html
Angie, like you're seeing, and like I've mentioned in my other posts, you've stopped the virus, but it's NOT gone. That should be good enough for everyone, but not me! =)
I'm not going to give up until I can fully rid this virus off my system. Here's my plan...
I'm going to figure out exactly what this worm infects. I plan on installing win98 on a fresh machine, loading on Norton Anti-virus, hook up a network card, and then install a 32-bit installation monitor. I'll take a snapshot of the computer, then hook up the network cable...wait to get infected, and then take another snapshot. That will tell me any files that have changed in size, date, or content, as well as listing every change to the ini files, as well as every registry addition. Cool huh? That should narrow down where this virus is *really* stored. I'll post the results when I get them. By the way, I think I've noticed something similar with scandisk always finding lost sectors on my computers too. I just ignored it, but maybe the worm is involved with that too? Thanks for that clue..
Brad Peterson
b_peterson@yahoo.com

Hi, Brad
Wow!...it sounds like with a plan like that, you will definitely solve this problem once and for all! I can't wait to hear your results! I was hoping that whatever scandisk had removed will have taken out the last of the virus, but I have no way of knowing this without the means to run an experiment like you are doing!
And Thank you very much for your previous posts - your advice was crucial to getting a handle on this one!
I look forward to your post!
Best of Luck to You!
~~ Angie

Hi, Capt!
I will have to check out the new version - I just have to make sure it is compatible with the internet sharing software we are using. It is also a Sybergen product and I believe they recommend only certain versions of the firewall to be used with certain versions of the Internet Sharing software - I DO need to look into this.
Thanks for the tip!!
~~ Angie :)

I'm trying to remove this from my computer at the moment and I noticed that there also is a brasil.pif file. With an s instead of a z.
Thought this might be worth mentioning.
Thanks for the info Angie
Hopefully I'll get everything removed.
Jef

Hello all.
I have been lucky enough to receive the worm myself. :) I believe that I have removed the worm successfully, however I am experiencing lag on outlook express and internet explorer now. OE takes forever to open and IE lags when navigating around inside an open browser window. Anyone else seeing this? Any help would be greatly appreciated. Peace!
Cody D. Welty

Hi, Cody
Try posting your question as a new thread - that way it will be seen by everyone in here - I personally have not had the same experience with OE and/or IE after being infected with this worm, but someone else out there may have!
Good Luck!
~~ Angie

I think I've cleared Opaserv from my laptop, but the simple network connection I had between it and my desktop no longer works. Could the virus have done something to the com ports? If so, how do I sort it without resorting to formatting the drive?

