
scrsrv.exe - a new Trojan ?


Name: kinvel
Date: September 30, 2002 at 05:53:56 Pacific
OS: win98se
CPU/Ram: cel550/128
Comment:

It looks like a file scrsvr.exe (28 kb) is spreading through our local network. It can be deleted from the DOS environment, but is restored in several minutes. Looks like a Trojan to me. No info on search of the Internet or major antivirus sites (Kaspersky, Norton, McAfee). Will be grateful for any info/suggestions.




Response Number 1
Name: capt
Date: September 30, 2002 at 07:24:42 Pacific
Reply:

If you go to http://srnmicro.com and use their search, your problem is listed and how to fix it. The official name of your problem is the "PLAGE WORM". I found this company because of another virus problem listed at this forum that no other major antivirus software could fix or identify. Another helpful forum user had recommended their trial download as the only solution that worked to clean and repair that problem virus and it worked great. So I now recommend and use SRN as another resource for fixing virus/worm problems. Take care and all the best.


0

Response Number 2
Name: DW
Date: September 30, 2002 at 15:42:30 Pacific
Reply:

I think this might be it at the Norton site but with a different name
Good luck
W32.Opaserv.Worm


0

Response Number 3
Name: Norm
Date: September 30, 2002 at 15:43:42 Pacific

Response Number 4
Name: Norm
Date: September 30, 2002 at 15:45:44 Pacific
Reply:

oops too late!


0

Response Number 5
Name: A2Z
Date: September 30, 2002 at 16:05:21 Pacific
Reply:

Hey capt, or anyone else reading this that has info on this. I had searched & come up with nothing in the virus databases I looked in & had suggested to someone that posted here @ this site (forum) that it was 'probably' a screensaver. I had looked at the site you posted & couldn't find any info... IF anyone does know where to find information on this I would appreciate it being posted here also ---> http://www.computing.net/security/wwwboard/forum/2430.html
I would hate to mislead someone into thinking it IS a safe file if it isn't! Just found it, thx Norm.
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html

A2Z


0


Response Number 6
Name: Jay Williams
Date: September 30, 2002 at 21:34:52 Pacific
Reply:

Yeah-

I got the damn thing, too. It was a bitch to get out. The only way I was able to see it was that I just installed Zone Alarm, and it alerted that the program was accessing the internet from my computer. I've apparently had it for a while, because it slows down IE5. Also, you can't remove it once your system has started up IE- this stumped me for a while because ZA automatically loads up IE on start, which started the program, which you couldn't remove, etc. I finally got it out w/McAfee Uninstaller. Insidious little bugger- God only knows what info it sent out of my system. BTW- ZA will give you the IP's of where it was trying to contact- people smarter than me can trace it- all I got was ICANN and global crossing, which leads me to think that somebody's using a series of IP's to get the thing out... Have fun!


0

Response Number 7
Name: kinvel
Date: October 1, 2002 at 00:18:47 Pacific
Reply:

Many thanks to all who responded, esp. DW and Norm for the link to the Symantec site. It seems that something became clear during the night here (I'm in Russia). The newest Kaspersky update also detected this thing as a backdoor.opasoft virus - without any removal instructions, unfortunately. My observations - the virus is replicating also through the password-protected share of C:, but complete removal of sharing seems to stop reinfection. Will try to follow Symantec instructions - God, we have 30 infected machines :-(((((


0

Response Number 8
Name: kinvel
Date: October 1, 2002 at 08:16:40 Pacific
Reply:

This procedure was adapted from Symantec's and tested on 20+ computers (win98 and 98se). Seems to work fine – no virus was detected with Symantec's FixOpsrv.exe, no annoying messages.

1. Switch off sharing of drive c: (this prevents reinfection)
2. Delete c:\tmp.ini, if present
3. Remove line run=c:\windows\ScrSvr.exe from win.ini
4. Using regedit.exe, delete: ScrSvr.exe "c:\windows\ScrSvr.exe" from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (or Run-)
5. Delete c:\windows\scrsvr.exe. If not possible (Access denied), reboot, then delete.

Good luck



0
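The four indicators in kinvel's procedure above, checked read-only over a copy of drive C: and a regedit text export (an added example, not part of the original thread or of Symantec's tool). The function names, the `ScrSvr` value name and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

WORM_EXE = "scrsvr.exe"  # file name as given in the removal steps
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
# Constructed samples: an infected win.ini and a regedit (REGEDIT4) export.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\ScrSvr.exe\n"
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScrSvr"="c:\\windows\\ScrSvr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
'''

def win_ini_hits(text):
    """Step 3: run= lines in win.ini that launch the worm."""
    return [l.strip() for l in text.splitlines()
            if re.match(r"\s*run\s*=", l, re.I) and WORM_EXE in l.lower()]

def reg_hits(export_text):
    """Step 4: values naming the worm under ...\\Run or ...\\Run-."""
    hits, key = [], ""
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # remember the current registry key
        elif key.endswith((RUN_KEY, RUN_KEY + "-")) and WORM_EXE in line.lower():
            hits.append(line)
    return hits

def find_ci(directory, name):
    """Case-insensitive file lookup (Win9x names vary in case)."""
    if not directory or not directory.is_dir():
        return None
    return next((p for p in directory.iterdir() if p.name.lower() == name.lower()), None)

def scan(root, reg_export=""):
    """Report which indicators from steps 2-5 are present under root (a copy of C:)."""
    root = Path(root)
    windows = find_ci(root, "windows")
    findings = []
    if find_ci(root, "tmp.ini"):
        findings.append("tmp.ini present in drive root")
    if find_ci(windows, WORM_EXE):
        findings.append("scrsvr.exe present in windows directory")
    win_ini = find_ci(windows, "win.ini")
    if win_ini:
        findings += ["win.ini: " + l for l in win_ini_hits(win_ini.read_text(errors="replace"))]
    return findings + ["registry: " + l for l in reg_hits(reg_export)]
```

An empty result from `scan` after cleanup corresponds to steps 2 through 5 having been completed; it says nothing about step 1, since the sharing state of drive C: is not visible in these files.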

Response Number 9
Name: April
Date: October 1, 2002 at 10:18:10 Pacific
Reply:

One of the computers on the LAN, infected with this virus, is experiencing troubles printing to network printers -- despite them being "seen" in Network Neighborhood. I've contained the virus, but this is still a problem.

I've read three different threads and all related websites I could find with info on whether or not the virus is causing this printing problem, but have found nothing. Any advice?


0

Response Number 10
Name: DRW
Date: October 1, 2002 at 10:46:31 Pacific
Reply:

I have possibly 2 viruses on our machine at work, the OPA and datom worm, as I am getting symptoms of both of these. The 3 MSVXD.exe files as well as the scrsrv.exe files. How is this thing getting in? Our incoming mail is scanned and I did a scan with NAV this morning and nothing showed up, although I saw that the machine tried to dial out, which made me suspicious. Which to clean first? I have a feeling that somehow these 2 are connected.. any ideas please...


0

Response Number 11
Name: April
Date: October 1, 2002 at 11:38:19 Pacific
Reply:

No idea how it's being spread -- I've read both p2p file sharing and e-mail as initial causes, but nothing specific. Anyone who knows, please post it here.

Also, the manual fix seems to be working, since the Symantec removal program isn't finding anything. Has anyone else done both and found the same thing?

And is deleting the files enough, or are there some repairs that should take place, too?



0

Response Number 12
Name: A2Z
Date: October 1, 2002 at 16:18:28 Pacific
Reply:

Here's the REMOVAL TOOL for an easy fix (posted at this post also) ---> http://www.computing.net/security/wwwboard/forum/2430.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

let me know if it actually works... A2Z



0

Response Number 13
Name: A2Z
Date: October 1, 2002 at 16:21:40 Pacific
Reply:

DRW the MSVXD.exe can be dealt with here (removal tool) http://www.webattack.com/get/datomremoval.shtml good luck


0

Response Number 14
Name: Denice
Date: October 1, 2002 at 23:36:07 Pacific
Reply:

Had the virus and used Symantec's fix, and also fixed it manually. It keeps coming back....I keep doing virus scans and it shows clean and then it just re-appears. Any suggestions? win.ini fixed - regedit fixed but cannot locate c:\windows\scrsvr.exe


0

Response Number 15
Name: bobaj2max
Date: October 2, 2002 at 04:20:23 Pacific
Reply:

I posted this in 2430 as well, but I have found that all the automated and manual ways of cleaning this worm off my system only work should I disable sharing of drive c. If I leave drive c sharing disabled, the problem seems to stop, however as soon as I share the directory again the bloody scrsvr.exe starts coming back. Does anyone know how to share drive c and keep this worm out?


0

Response Number 16
Name: kinvel
Date: October 2, 2002 at 07:58:23 Pacific
Reply:

To April (resp.9)

We had the same problem - after removal of the worm, 3 of our comps stopped printing on network printer (HP2200). The reason is obscure, but everything is working after I reinstalled the printer driver on these computers.


0

Response Number 17
Name: RS
Date: October 2, 2002 at 09:26:40 Pacific
Reply:

I got this thing on Sunday via my ISP.
There seemed to be another file associated with it "koajgv.exe" (from memory - the ko part is right).

I don't know if this helps

RS


0

Response Number 18
Name: DRW
Date: October 2, 2002 at 11:45:13 Pacific
Reply:

Thanks to all for the links to the Symantec removal tool and the datom tool. I removed my PC from the network and trashed all references to tmp.ini, scrs*.exe as well as the Run= references in win.ini and registry. So far my machine is ok, the removal tool doesn't find anything and the machine has gone juttery yet. The one laptop (which I think was the source of the infection) is another story, tried the same procedure and when I ran the tool it found another occurrence of the virus. I don't know if the virus has moved back onto the network again though. I will have to watch. The big question I have is what triggers this thing.. does it launch immediately upon receipt? Or is there something which lets it loose? Unfortunately the nature of our network is such that we have lots of potential entry points but we all have to be linked. How best to limit access? Shut down as many shares as possible? We cannot go the firewall route (corporate policy) and have to try something ourselves... ideas anybody??
Thanks all... and good luck


0

Response Number 19
Name: DRW
Date: October 3, 2002 at 22:31:55 Pacific
Reply:

OK.... it never worked yesterday. But I redid the win.ini using DOS Edit, msconfig just flags the line and doesn't delete it. Also created the blank version of the exe file with +R and -A attributes. So far so good. This morning my connection was slow so I don't know if it was associated with the virus or just a fluke. I am thinking of reloading Windows but will it create a new registry and trash anything that shouldn't be there. Also had the first bugbear coming through e-mail, lucky the ISP blocked that one. In total 6 hours have been wasted on this thing.. what do these virus writers get out of this??


0

Response Number 20
Name: ulrich
Date: October 7, 2002 at 05:06:08 Pacific
Reply:

Try AntiVir by hbedv.com (freeware)
I've removed scrsrv.exe with this at once. Only the entry in the win.ini I had to remove manually.

good success!

ub



0
