SCRSVR.EXE a Virus ?

Name: Helmut G. Vogel
Date: September 29, 2002 at 08:29:38 Pacific
OS: WIN 98 SE
CPU/Ram: Athlon 256K
Comment:

For the past few hours I have found a new file, SCRSVR.exe, in my Windows directory. An entry in my WIN.INI tries to run it. If I delete it and remove the line in WIN.INI, it comes back from time to time.

All comments highly welcome
Helmut G. Vogel




Response Number 1
Name: A2Z
Date: September 29, 2002 at 09:08:55 Pacific
Reply:

I believe that's just a screensaver...? Does your screensaver work when it is deleted? Maybe it comes back because you are reinstalling or re-enabling it. This is purely a guess... look at the file's properties & post more info on it. (Find Files & Folders & search for it)


0

Response Number 2
Name: Norm
Date: September 30, 2002 at 15:39:44 Pacific

Response Number 3
Name: A2Z
Date: September 30, 2002 at 16:08:54 Pacific
Reply:

Thank you Norm! I was just looking into this more after seeing another post on it, NOT in virus databases or search engines yet? (confusion with SCRSVR.exe & SCRSRV.exe between the 2 posts) I would hate to mislead anyone into believing they are safe when not! There was no info in virus databases or search engines yet. Wow, a real new one too. That's where these forums are important to read once in a while... keep up on things - issues like this. Learning every day. A2Z


0

Response Number 4
Name: David
Date: September 30, 2002 at 21:33:36 Pacific
Reply:

What is the manual step-by-step procedure for deleting scrsrv.exe from my win.ini files, if in fact that is what I should do to get rid of the error msg. at start-up??


0

Response Number 5
Name: Rick Macherat
Date: September 30, 2002 at 22:44:32 Pacific
Reply:

I got it too, on 9/28. At the same time, my modem light indicated I'm uploading steadily, about 4mb before it finally quit. Each time I deleted it and changed win.ini back, it came back as soon as I connected. Finally wrote over it with a text file with the same name and saved it read only.


0


Response Number 6
Name: dd
Date: September 30, 2002 at 22:47:54 Pacific
Reply:

What steps do I take to delete this virus from my computer..... it's annoying.... although quarantined by Norton AntiVirus... it pops up every 15 minutes.


0

Response Number 7
Name: Adison
Date: September 30, 2002 at 23:11:32 Pacific
Reply:

Hey, I'm a newcomer.
I found this place through Google..
My mate got the same virus today, and I'm searching for the solution.
But it seems there is none for now.

Here is my situation:
5 computers are in the same room with familiar network settings, that is OOO.OOO.OOO.10~15.
But only the one that shares its hard disk has been infected.
Is it reasonable if I think that the virus infected it through the shared disk?


0

Response Number 8
Name: JKLOSSNER
Date: September 30, 2002 at 23:49:54 Pacific
Reply:

1. Run regedit and delete scrsvr.exe reference in run key.

2. Edit win.ini to remove scrsvr.exe reference.

3. Delete scrsvr.exe from windows directory.


0

Response Number 9
Name: Braxat
Date: October 1, 2002 at 00:32:54 Pacific
Reply:

Greetings, from Chile :P
(My apologies for my English... I don't use it often)

Well, I have detected the scrsvr.exe file on 2 PCs on approx. 28/09/02... they appear to have been infected on the night of the 27th.
Deleting the file and changing win.ini and the register will not help. Apparently, the file is transmitted directly over the net, without need of download. :/

Well, I think that I have got rid of the infection in some way. What I have done is:

·edited register and deleted any reference to scrsvr.exe
·exit from windows, to ms-dos mode
·enter to c:\windows and deleted scrsvr.exe
·using edit, created a file called scrsvr.exe (0kb)
·changing attributes to +R -A
·edited win.ini and deleted the reference to scrsvr.exe on run=
·reboot, and the file is no longer loaded.

I have been over 32 hours without changes on my 0kb file, and no other files have tried to load... Plus, there have been several "nbsession" trying to connect my pc, and still there is no change... i think (and i hope...)

Well... and, that's all...

(again, my apologies for my English... :P)



0

Response Number 10
Name: jonathan
Date: October 1, 2002 at 01:34:06 Pacific
Reply:

this virus is altering also the system.dat file

anyone knows what to do?


0

Response Number 11
Name: cristi
Date: October 1, 2002 at 03:58:46 Pacific
Reply:

It happened to me too. And the date of the files ScrSvr.exe and win.ini is 2106; besides, it creates a tmp.ini file on the disk.


0

Response Number 12
Name: John White
Date: October 1, 2002 at 04:03:51 Pacific
Reply:

Hi. Scrsvr.exe appears to be a trojan hiding as an innocuous file.

It is transmitted apparently by opening an email message that contains it (not by downloading an attachment).

I got it yesterday. It appears to transmit information directly to its source.

It achieves this by logging onto the internet automatically.

Firstly stop it transmitting by changing your internet settings to not log on automatically.

If you have a dialup this is easy, if you are on a network this is more difficult so advise your system admin.

This Virus/Trojan disables your firewall if installed and is invisible to both mcafee and Norton.

It amends your windows installation file and system data files.

It cannot be removed in windows.

It must be removed in DOS - a big problem if you have XP.

Identify that your machine has it by running a find/search for scrsvr.exe it will be in your windows directory.

Do not attempt to delete it here.

Close down machine and use DOS to delete file scrsvr.exe from your Windows directory.

Reboot machine and you will receive two error messages ignore them.

After reboot use edit to remove the run line for scrsvr.exe from Win.ini file.

Delete all emails and empty deleted items folders.


This should cure the problem unless you are re-infected with a new email.

Ensure that your firewall is reset together with your antivirus to block scrsvr.exe

As a precaution if you use your computer for any secure transactions that involve Banks/Building Societies/Credit cards etc arrange with your bank etc to change all computer passwords with immediate effect.

Regards

John


0

Response Number 13
Name: janette
Date: October 1, 2002 at 04:18:03 Pacific
Reply:

john,

can you help? I am a user who can follow instructions but doesn't have much technical computer knowledge.

I know how to get into dos from programs but
please can you give me the commands within DOS to
firstly delete scrsvr.exe

and how to remove the run line from win.ini

thanks

janette


0

Response Number 14
Name: vasu
Date: October 1, 2002 at 04:26:14 Pacific
Reply:

Thanks a lot Braxat.
I could not find the file scrsvr.exe in the registry, nor in the Windows directory. But Norton detected it and quarantined it. There were 500 tmp files. I need to check whether these were created by "scrsvr.exe". I got this 4 times, every 3-4 minutes. Then I enabled NIS 2002, after which it did not appear.

I followed Braxat's instructions. It is really great advice. Thanks.

SO far no recurrence..

will update if any !!!


0

Response Number 15
Name: Michael Kingston
Date: October 1, 2002 at 04:27:32 Pacific
Reply:

Other files called rrddvvss.exe, rrddvvss.dll and rrddvvss.lgc also seem to be involved somehow. There is a removal tool at http://securityresponse.symantec.com/avcenter/FixOpsrv.exe but you need to manually remove some of the files; check the link previously posted.



0

Response Number 16
Name: Smigman
Date: October 1, 2002 at 04:51:48 Pacific
Reply:

My Norton Anti-Virus picked up that "SCRSVR.EXE" in a heartbeat!

There is definitely something weird about that file.


0

Response Number 17
Name: Smigman
Date: October 1, 2002 at 05:32:42 Pacific
Reply:

YES, it is a virus!!!!!!!!!!!!!!!! I scanned and found 20 infected files. Norton fixed them too.


0

Response Number 18
Name: StarGehzer
Date: October 1, 2002 at 05:43:59 Pacific
Reply:

I started a thread at this location a few days ago when I had similar problems.
http://www.thecomputermechanics.com/forums/showthread.php?s=&threadid=59541


0

Response Number 19
Name: Slobodan Aleksic
Date: October 1, 2002 at 06:27:27 Pacific
Reply:

I could not stand it any more. It is a stupid and aggressive worm (it makes me more stupid than it is itself). I would appreciate it a lot if someone could give me a proper solution for removing the error msg. at start-up !!!, but I have to say Symantec's tool has removed this pest from my system (I hope ???).

Please help me !!!

AS - MC Group LS


0

Response Number 20
Name: Daniel
Date: October 1, 2002 at 07:25:01 Pacific
Reply:

Hi !!!

I´m a portugues..
My english is very bad.
Edit win.ini to remove scrsvr.exe reference.
Delete scrsvr.exe from windows directory.
Reinstall Windows.
This problem is finished

Daniel
Brazil



0

Response Number 21
Name: jwa
Date: October 1, 2002 at 08:58:46 Pacific
Reply:

It looks like it's able to access your C drive in Windows ME, even if you have a password. I turned off file sharing and removed the file. The moment I turn sharing back on, within minutes, I see 3 computers attaching to port 139 and uploading that file again. Even though I just changed the password.


0

Response Number 22
Name: cat
Date: October 1, 2002 at 09:18:23 Pacific
Reply:

new virus " WORM_OPASOFT.A "


At this time of analysis, the download site is not accessible and is either blocked or is currently down.

This worm also scans for the computer name and domain name of machines connected to the network. It then sends this information to the download site.

NOTE: Before proceeding to remove this malware, Trend Micro recommends that infected machines be temporarily disconnected from the network.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   ScrSvr = %Windows%\ScrSVr.exe
   *where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.
4. Close Registry Editor.

Removing Autostart Entries from System Files

A malware may modify system files so that it automatically executes at every Windows startup. These startup entries must be removed before the system can be restarted safely.

1. Open System Configuration Editor. To do this, click Start>Run, type SYSEDIT, then press Enter.
2. In System Configuration Editor, select the WIN.INI window.
3. Under the [windows] section, locate the line that begins with:
   run =
4. From the same line, delete the malware path and filename:
   %Windows%\SCRSVR.EXE
   *where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.
5. Close System Configuration Editor and click Yes when prompted to save.

Terminating the Malware Program

This procedure terminates the running malware process from memory.

1. Open Windows Task Manager.
   On Windows 9x/ME systems, simply restart your machine and continue with the next procedure, Running Trend Micro Antivirus.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process:
   SCRSVR.EXE
3. Select the malware process, then press the End Process button.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.


0

Response Number 23
Name: MObigfoot
Date: October 1, 2002 at 09:28:27 Pacific
Reply:

Has anyone had any problem with dial-up connection speed with this virus?? I have not been able to get on faster than 1200 bps since the 27th. I have the virus removed now still having connection problems. Would a re-install of Windows fix??


0

Response Number 24
Name: gsus
Date: October 1, 2002 at 09:52:27 Pacific
Reply:

To Janette,
The way to delete the line from win.ini is to double-click the file and delete the line with the Del key on your keyboard (the line is at the beginning).
To delete the scrsvr.exe file in DOS, you have to go to c:\Windows by typing cd windows (if you are not there yet). When you are in c:\Windows, you type del scrsvr.exe and that's all!


0

Response Number 25
Name: Lupetto
Date: October 1, 2002 at 10:01:53 Pacific
Reply:

Try this:

http://securityresponse.symantec.com/avcenter/FixOpsrv.exe


0

Response Number 26
Name: suddhakuyt
Date: October 1, 2002 at 10:44:39 Pacific
Reply:

Hi,
I thought I would post detailed directions to what I did to remove this virus. Mostly I followed the instructions that I saw other people post in this discussion, but I decided to be very detailed so that everyone could follow it. It would be helpful to print this out first if you decide to do it.

Click on Start button, then on Run. Type in MSCONFIG and hit enter. A window will pop up, and you should click on the Startup tab. There will be a little scroll list of all the programs that startup when you turn on your computer. Look for Scrsvr and uncheck the box next to it. Click OK, and Windows will ask if you want to restart, click No. You don't want to restart, you want to shut down completely.

Close down your computer and restart with a boot disk, which will bring you to DOS. (If you don't know how to make a boot disk, search the internet for some instructions.) Then use these commands to delete scrsvr.exe from your Windows directory.
Type in: del c:\windows\scrsvr.exe
Press Enter
Type in: Edit and then Press Enter
(If you have a good boot disk this will bring up a small application that will allow you to make a fake scrsvr file and keep the virus from duplicating itself again.)
A blue screen will appear. Press Alt and F at the same time. Use your arrow keys to move down and highlight Save As in the menu that appears. Press Enter.
Type in: scrsvr.exe in the window that appears next. Then use Tab to get to the Save button and press Enter again.
Then you're back to the blue screen. Once again Press Alt and F at the same time. Use your arrow keys to move down and highlight Exit in the menu that appears. Press Enter.
You should now be back to the black and white screen.
Type in: attrib +r c:\windows\scrsvr.exe
Press enter. The fake scrsvr you created now can't be deleted or overwritten by the virus. You're done in Dos, so turn off your computer, remove the boot disk, and reload to Windows.

You will probably see a little message saying "You are using Selective startup for troubleshooting". Just click the check box on this and click ok so that you won't have to see it anymore. It is just talking about the first step you did when you changed MSCONFIG.

Open Notepad (look for it in your Start Menu, under Programs > Accessories).
Click on the File menu, then on Open. A window pops up. Next to "Files of Type" at the bottom of the screen, click on the down arrow and select "All Files". Then browse your computer to get into the Windows folder on C drive. Find a file called Win.ini and open it. On my computer there was a line near the top that was set to load scrsvr.exe when the computer started. It looked like "C:\Windows\scrsvr.exe" and I just deleted it right out of there. Then click File, and Save. Exit this program.

Click on Start button again, then on Run. Type in REGEDIT and hit enter. Click on the Edit menu in the window that comes up, and then on Find. Type in scrsvr in the box and then click on Find Next button. It will locate scrsvr in your Registry, all you have to do is right click on it and delete it. Close this window when you're done.

That's all I did, besides configuring McAfee Firewall to block scrsvr.exe from accessing the internet. Please note that I am running Windows ME and your computer might be a little different from mine.

I hope this works, I'll watch my computer for a few days and see. Good luck!


0

Response Number 27
Name: Lost
Date: October 1, 2002 at 12:41:44 Pacific
Reply:

I too have got the worm (virus); nothing I do gets rid of the virus. I have done everything I have seen here and on the securityresponse symantec com main page. I delete the scrsvr.exe, edit the registry, edit win.ini, run a full virus scan. 3 mins later, without doing anything, the scrsvr returns and the win.ini has been changed again. How is this done? I do have file and print sharing on and an HTTP server on one of my systems. I can't afford to turn it off. What I don't understand is how, after I clean it out, it finds a way onto the system and executes itself. I have read everything here.
Has anyone found anything new on the worm?


0

Response Number 28
Name: Scotto
Date: October 1, 2002 at 12:59:17 Pacific
Reply:

Hi all, I had this file scrsvr in my Windows directory. It said it was modified in June 2106. I noticed it was there because every time I booted up my machine it would try to connect to the internet. I ran Msconfig only to find the entries =run and SCRSVR in there. One was leading to the win.ini so I removed it from there. Restarted machine. Didn't try to connect. Problem solved, I thought! The following day I went on the internet. Shut down my machine. Booted it up next day and it tried to connect. Straight after that I go to delete it, and it says File being used by windows. I run Inoculate 6 on it. No viruses detected. Think nothing of it. However, when I went on the internet again I get Inoculate 6 telling me the file scrsvr is infected by WIN95/space.1445, so I cure it. No problem. Seems to have worked fine. Anyone else get that virus?


0

Response Number 29
Name: Alex
Date: October 1, 2002 at 13:21:24 Pacific
Reply:

Hey, this virus went to Romania too, if not programmed by a Romanian wise guy. I am preparing to follow the steps written in here. Hope it will work; if not, the same old format command will occur :)

Has anyone using cable as a connection had problems sending and receiving data after scrsvr.exe gets into place? My computer blocks for a few seconds until I press CTRL+ALT+DEL and close the not-responding program, which is... scrsve.exe

After that, no more transfer over the network...

Alex


0

Response Number 30
Name: Lost
Date: October 1, 2002 at 13:23:27 Pacific
Reply:

Well, I don't know what else to do to get rid of it right now, so I created a batch file to delete it upon upload to my system.

-Open note pad-
type the following:

del c:\windows\scrsvr.exe
c:\mybatchfile.bat

save as mybatchfile.bat SAVE TYPE AS "all files"

You can change the name to whatever you want, just remember to change what you type in Notepad.

Execute the batch file. It will run a continual loop deleting the file as soon as it is uploaded.

Until I can find a way to get rid of it, I use a cheap way of ridding myself of the file. I have tried everything and can't find a way.


0

Response Number 31
Name: angelface
Date: October 1, 2002 at 14:42:48 Pacific
Reply:

A big THANK YOU to everyone that helped in the solution - especially suddhakuyt. It was brilliant solution and after being stressed for 3 days I have FINALLY deleted this worm - without having to download Nortons (which really annoyed me) virus definitions again! Now I will just watch my PC for a few days and see what happens!



0

Response Number 32
Name: Ursula
Date: October 1, 2002 at 15:06:36 Pacific
Reply:

Yes its a Virus !!!
W32.Opaserv.Worm
Install McAfee and run a scan in DOS mode with their latest dat files. Should do the job.


0

Response Number 33
Name: Peter
Date: October 1, 2002 at 15:14:24 Pacific
Reply:

My mom managed to quarantine it with Norton as soon as she turned on the computer but I don't know if it's completely gone. On the startup it says "Cannot find the file 'scrsvr.exe' (or one of its components). Make sure the path and filename are correct and that all required libraries are available." and after you click OK for that, another pops up saying "Could not load or run 'scrsvr.exe' specified in the WIN.INI file. Make sure the file exists on your computer or remove the reference to it in the WIN.INI file." I don't think that it's completely gone because when I check my WIN.INI (which is a Notepad file) it says some stuff about scrsvr.exe at the top. How do I remove ALL of it? Please be clear. I don't know a lot about computers so if you tell me to do some stuff, I won't understand you at all.


0

Response Number 34
Name: A2Z
Date: October 1, 2002 at 16:12:49 Pacific
Reply:

heres the REMOVAL TOOL for an easy fix

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

let me know if it actually works... A2Z


0

Response Number 35
Name: Phoenix
Date: October 1, 2002 at 16:19:51 Pacific
Reply:

Hi,

I've had the virus since 28/29.9. I've already deleted the entry in the win.ini file and searched the registry for entries with "scrsvr". I also deleted the file, but it won't help. After I connect to the internet, scrsvr.exe comes back on my PC. I've got the newest update for NAV2002 (bkdr.opasoft) but it only finds scrsvr.exe as a virus and no other viruses. The REMOVAL TOOL doesn't find anything on my PC. So scrsvr.exe comes back again and again... :(
I've created a fake scrsvr.exe file and it has write protection; the win.ini also has write protection. So at the moment my system will not be infected by this file again. But why does the file always come back on my system if the fake doesn't exist??????????????????????????

*hopeless*

CIAO
Phoenix


0

Response Number 36
Name: Steve
Date: October 1, 2002 at 16:54:14 Pacific
Reply:

I was also infected by scrsvr.exe on 09/28/02.
At first I did not know what it was, so I used the DOS command: Type scrsvr.exe, and then I found out about opasoft.com - one of the text lines shows ... opasoft.com

Today (10/10/02) I found out it was a virus, so I removed the scrsvr.exe file and the registry entry too.
Then I also installed Norton Firewall.
After that I pinged opasoft.com at the DOS prompt, because I wanted to know who opasoft.com is.

Then I got problems. It returned IP address 127.0.0.1, which is my localhost. Then I faced another problem: when I checked View Statistics in Norton Firewall, 'localhost' had changed to 'opasoft.com'. I tested on another computer and the same thing happened. After I turned the computer off and on again, opasoft.com disappeared from VIEW STATISTICS, but as soon as I ping opasoft.com the same thing happens again.

Does anyone know what is going on?


0

Response Number 37
Name: kitten
Date: October 1, 2002 at 17:00:56 Pacific
Reply:

I have had this virus since yesterday and I have done all that notans has said to do ... but every time I get online, after a while of being on, it reappears in the win file.. even after deleting several times... it don't save its infected but when it's in the win file it messes up the start-up with errors... any advice? Have done everything I can think of.


0

Response Number 38
Name: ALY RAMJI
Date: October 1, 2002 at 17:42:45 Pacific
Reply:

W32.Opaserv.Worm is a network-aware worm that attempts to replicate across open network shares. It copies itself to the remote computer as a file named Scrsvr.exe. This worm also attempts to download updates from www.opasoft.com, although the site may have already been shut down. Indicators of infection include:

The existence of the files Scrsin.dat and Scrsout.dat in the root of drive C. This indicates a local infection (that is, the worm was executed on the local computer).
The existence of the Tmp.ini file in the root of drive C. This indicates a remote infection (that is, the computer was infected by a remote host).
The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run contains the string value ScrSvr or ScrSvrOld, which is set to c:\tmp.ini.

I GOT THIS INFORMATION OFF THE NORTON ANTIVIRUS SITE.
FOR THOSE OF YOU WHO STILL HAVE THE SCRSVR.exe GO TO http://securityresponse.symantec.com/avcenter/FixOpsrv.exe
DOWNLOAD THE PROGRAM, BUT BEFORE YOU RUN IT MAKE SURE YOU CLOSE ALL PROGRAMS. IF YOU ARE ON A NETWORK OR HAVE A FULL-TIME CONNECTION TO THE INTERNET, DISCONNECT THE COMPUTER FROM THE NETWORK AND THE INTERNET. ONCE YOU HAVE DONE THAT, RUN THE PROGRAM AND IT WILL TAKE ABOUT 5 TO 10 MINUTES TO SCAN ALL THE FILES. JUST IN CASE YOU WANTED TO KNOW WHAT THE PROGRAM DOES, HERE ARE THE 4 THINGS:
1. Terminates all the viral W32.Opaserv.Worm processes
2. Deletes any W32.Opaserv.Worm executable files
3. Removes the viral registry entries
4. Restores the Win.ini file

I HOPE THIS WILL HELP YOU TO GET RID OF THE VIRUS.



0
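An added example, not part of any post above and not Symantec's or Trend Micro's code: a Python triage script that checks an offline copy of drive C for the indicators listed in Response 38 and produces the WIN.INI cleanup described in Response 22. It assumes the registry was exported as REGEDIT4 text and that run=/load= entries are separated by spaces or commas; the function names and the sample data are constructed for illustration.

```python
import ntpath
import re
import tempfile
from pathlib import Path

WORM_EXE = "scrsvr.exe"                        # file name reported in the thread
LOCAL_MARKERS = ("scrsin.dat", "scrsout.dat")  # worm was executed on this machine
REMOTE_MARKER = "tmp.ini"                      # machine was written to over a share
RUN_VALUES = {"scrsvr", "scrsvrold"}           # value names in the HKLM Run key
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Constructed sample data (not taken from a real machine).
SAMPLE_WIN_INI = r'''[windows]
load=
run=C:\WINDOWS\SCRSVR.EXE C:\TOOLS\CLOCK.EXE
NullPort=None
'''
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScrSvr"="C:\\WINDOWS\\ScrSvr.exe"
"SystemTray"="SysTray.Exe"
'''


def find_ci(directory, name):
    """Case-insensitive lookup, because FAT file names ignore case."""
    if directory is None or not directory.is_dir():
        return None
    return next((p for p in directory.iterdir() if p.name.lower() == name.lower()), None)


def clean_win_ini(text):
    """Return (cleaned_text, removed): scrsvr.exe is dropped from run=/load=
    in the [windows] section; lines without the worm entry are not rewritten."""
    out, removed, section = [], [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        m = re.match(r"\s*(run|load)\s*=(.*)$", line, re.IGNORECASE)
        if section == "windows" and m:
            # Assumption: entries are separated by spaces or commas (8.3 paths).
            entries = [e for e in re.split(r"[,\s]+", m.group(2)) if e]
            bad = [e for e in entries if ntpath.basename(e).lower() == WORM_EXE]
            if bad:
                removed += bad
                keep = [e for e in entries if e not in bad]
                line = f"{m.group(1)}={' '.join(keep)}"
        out.append(line)
    return "\r\n".join(out) + "\r\n", removed


def run_key_hits(reg_text):
    """Scan a REGEDIT4 export for ScrSvr / ScrSvrOld values in the HKLM Run key."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m and m.group(1).lower() in RUN_VALUES:
            hits.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits


def triage(root, reg_text=""):
    """Check an offline copy of drive C for the indicators named in the thread."""
    root = Path(root)
    windows = find_ci(root, "windows")
    exe = find_ci(windows, WORM_EXE)
    win_ini = find_ci(windows, "win.ini")
    ini_text = win_ini.read_text(encoding="cp1252", errors="replace") if win_ini else ""
    if exe is None:
        state = "absent"
    else:
        # A 0-byte file is the read-only decoy several posters created.
        state = "decoy" if exe.stat().st_size == 0 else "present"
    return {
        "worm_file": state,
        "local_infection": any(find_ci(root, n) for n in LOCAL_MARKERS),
        "remote_infection": find_ci(root, REMOTE_MARKER) is not None,
        "win_ini_entries": clean_win_ini(ini_text)[1],
        "run_key_values": run_key_hits(reg_text),
    }


def demo():
    """Build a constructed directory tree that mimics a remotely infected disk."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WINDOWS").mkdir()
        (root / "WINDOWS" / "SCRSVR.EXE").write_bytes(b"constructed placeholder")
        (root / "WINDOWS" / "WIN.INI").write_text(SAMPLE_WIN_INI, encoding="ascii")
        (root / "TMP.INI").write_bytes(b"")
        return triage(root, SAMPLE_REG)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
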

Response Number 39
Name: kitten
Date: October 1, 2002 at 18:36:53 Pacific
Reply:

I have done the fix and yet somehow the line in the win file still shows up.... how do I fix that.... 'cause when I restart the puter it comes up with a couple of errors... any help would be appreciated.... thank you


0

Response Number 40
Name: Pete
Date: October 1, 2002 at 18:46:44 Pacific
Reply:

How does this worm get onto the machine
in the first place ?

Thanks,



0

Response Number 41
Name: Frust187
Date: October 1, 2002 at 18:47:48 Pacific
Reply:

I had deleted scrsvr.exe too and it came back. Then I noticed my C drive was shared. I think that may be how it keeps coming back. Have removed it and disabled the share and seem to be ok. I am going to go to Norton and check their site too.


0

Response Number 42
Name: JCJ
Date: October 1, 2002 at 18:53:19 Pacific
Reply:

Did not Restores the Win.ini file

Please what Now????

-Everything other than that worked


0

Response Number 43
Name: dd
Date: October 1, 2002 at 21:17:16 Pacific
Reply:

Norton AntiVirus helped me to quarantine the file, but the virus continued to find a way into my computer every 15 minutes.... then I checked my ZoneAlarm firewall and noted that it was turned off, so I turned it back on to "hi"..... that stopped the virus from re-entering my computer and I thought that that was the end of it... the minute I turned off my firewall again so that I could use a web conference program that does not work if the firewall is turned up high, the virus re-entered the computer every 15 minutes.

Is there a way to stop it from re-entering the computer and infecting files when the firewall is turned off?


0

Response Number 44
Name: Ema
Date: October 2, 2002 at 00:14:31 Pacific
Reply:

What a bugger this has all been! Got it first on the 28th and when Norton sent a response back saying the file wasn't malicious that was the first of many headaches.

Searched high and low to try and find out what this scrsvr file was and if I really needed it on my comp. The only place I found it was on a search for the program itself and finding a site in German of the fella who made the DOS? file. I have learned a lot about this evil machine since then..lol

Just yesterday in a matter of 2.5 hours, I had the file put into Norton's quarantine a total of 9 times! The odd thing is when Norton did finally recognize it as a virus and posted their removal instructions I did not have any of the values they had described.. only the scrsvr.exe file being put back continuously in my C:\Windows file and the run in my winini file... no matter how many times I would delete it.

Checked registry and nothing, checked sysedit and nothing but that one line. Was in a state of 'what in the Sam Hill am I going to do about this!' especially since some said to get into DOS with the boot disk... not this gal!, until I decided to just download all virus definition updates & the fixit tool from Norton, run it, delete all the quarantined scrsvr.exe programs and make sure that the run line was deleted in my winini file, and delete all my personal e-mail from the 27th.

Fingers crossed.. so far so good.

And I still believe Computers Are Evil! lol But so habit forming too. Hopefully now I can go back to my old 'Computer Illiterate' self and just enjoy the computer, I don't like having to know all this stuff! :-) Especially now that I'm being called a 'Computer Geek' by my family & friends! No offence to the 'real' Comp Geeks! I'm sure glad you all are around for me to ask much needed help!

Cheers!


0

Response Number 45
Name: yourmom
Date: October 2, 2002 at 00:20:53 Pacific
Reply:

found this file on my harddrive, after cleaning scrsvr.exe from my system:

c:\windows\applog\scrsvr.lgc

{
o c166adb0 7000 "C:\WINDOWS\SCRSVR.exe"
R c166adb0 5600 800
o c16182b0 12000 "C:\WINDOWS\SYSTEM\WS2_32.DLL"
R c16182b0 f000 a00
o c1614850 47035 "C:\WINDOWS\SYSTEM\MSVCRT.DLL"
R c1614850 3a000 1000
R c1614850 3a000 1000
R c1614850 34000 1000
R c1614850 34000 1000
R c1614850 3b000 600
R c16182b0 f000 1000
R c1614850 36000 1000
R c1614850 38000 1000
R c1614850 37000 1000
R c1614850 39000 1000
R c166adb0 5600 800
o c16bfb10 256c "C:\WINDOWS\WIN.INI"
R c16bfb10 0 256c
C c16bfb10
R c1614850 3c000 1000
R c1614850 35000 1000
R c166adb0 0 400
R c1614850 3e000 1000
R c1614850 3f000 1000
R c1614850 40000 1000
R c1614850 3d000 1000
R c16182b0 d000 1000
R c16182b0 e000 600
o c1619e60 74510 "C:\WINDOWS\SYSTEM\WININET.DLL"
R c1619e60 62400 1000
o c1613fb0 49510 "C:\WINDOWS\SYSTEM\SHLWAPI.DLL"
R c1613fb0 42400 1000
R c1613fb0 42400 1000
R c1613fb0 400 1000
R c1613fb0 400 1000
R c1613fb0 43400 1000
R c1613fb0 44400 e00
o c1619fb0 1e000 "C:\WINDOWS\SYSTEM\TAPI32.DLL"
R c1619fb0 1a000 1000
o c1615610 4e710 "C:\WINDOWS\SYSTEM\RPCRT4.DLL"
R c1615610 4a600 c00
R c1615610 4a600 c00
R c1619fb0 1a000 1000
R c1619e60 62400 1000
R c1619e60 400 1000
R c1619e60 400 1000
R c1613fb0 3f400 1000
R c1613fb0 40400 1000
R c1613fb0 41400 1000
R c1619e60 63400 600
R c1613fb0 10400 1000
R c1613fb0 45200 800
R c1613fb0 d400 1000
R c1613fb0 22400 1000
R c1615610 49e00 800
R c1619fb0 19000 e00
R c1619fb0 18000 1000
R c1619e60 63a00 1000
R c1619e60 14400 1000
R c1619e60 64a00 e00
R c1619e60 2400 1000
R c1619e60 a400 1000
R c1619e60 1400 1000
R c1619e60 1b400 1000
R c1619e60 60400 1000
R c1619e60 61400 1000
R c166adb0 4400 1000
R c1619e60 b400 1000
R c1613fb0 8400 1000
}


(some of the lines may have wrapped)

I have idea what that means, but should the files listed (esp the .dlls) be replaced with ones from the windows install cd? i think im going to replace them myself

this is a nasty virus.. on my dsl i must have u/l a gigabyte in a couple minutes


0

Response Number 46
Name: bobaj2max
Date: October 2, 2002 at 03:00:27 Pacific
Reply:

I have just done all that's been said on this board to remove the trojan.
Whether it be using the automated Symantec cleaner, booting in DOS to edit win.ini and delete scrsvr.exe, or using regedit, I have tried it.
These things ALL remove the trojan; however, so long as my drive C is shared, it keeps coming back. If I don't share drive C, however, it doesn't return.
Could anyone PLEASE enlighten me on how to share drive C and prevent the worm returning?


0

Response Number 47
Name: david payne
Date: October 2, 2002 at 08:02:23 Pacific
Reply:

If you have Windows 98 and have done all of the above, reboot and go to a command prompt and use scanreg /restore and restore the second-to-last backup. It will work.


0

Response Number 48
Name: Elizabeth
Date: October 2, 2002 at 08:57:04 Pacific
Reply:

I am trying to delete this virus from a friend's computer. I followed everybody's steps that are listed here, but the virus is still there. I deleted the run command from win.ini and I deleted scrsvr.exe from the registry. I have run two different Symantec tools and neither one of them find the w32.opaserv.worm but when I try to receive more of their emails Norton finds the worm and quarantines it. Is it still in the PC somewhere or do the emails that are being received also contain the worm?

Thanks for any help,
Elizabeth


0

Response Number 49
Name: Michael
Date: October 2, 2002 at 11:45:17 Pacific
Reply:

Hi everybody, I have kept fighting the worm since the 30th. I have 20 Win Me computers in one net. And every time I clean them it comes back and back and back.
But in my opinion the way to find it seems to be too easy! What I mean is, the fact that it comes back instantly after deleting the files, clearing the registry etc. seems to indicate that there is much more than just these few things, so I guess the scrsvr.exe and all that stuff is just camouflage to confuse us, while the actual active part of this virus is hidden somewhere else, in my opinion. What do you think?
Michael from Germany


0

Response Number 50
Name: Neil
Date: October 2, 2002 at 15:29:47 Pacific
Reply:

Hi
Having had this virus since the 30th of September I am nearly at my wits end. I have looked everywhere for a solution. Although Norton, McAfee, etc have posted their solutions, nothing seems to prevent it recurring.

Everything mentioned in the previous posts I have tried, and the only thing I can see that works is to remove the shares, as mentioned in post 41.
After removing all the shares on my PC, the virus stopped completely.

I believe this virus is scanning any computer on the internet for open network shares. Once it finds a share on a windows root drive, it writes the scrsvr.exe file and then modifies the win.ini file.

Hey presto, the next time you boot up, the virus runs. When you connect to the internet, your machine starts scanning the internet for other machines with open ports to infect them.

So, as long as you are sharing your root drive, you are vulnerable. If you have a fixed IP, then the virus probably stores your address for targeting again.

That is my conclusion, in the absence of any other ideas.
My guess is the only way to use shares is to employ a decent firewall to prevent penetration.


0

Response Number 51
Name: Phoenix
Date: October 2, 2002 at 17:26:06 Pacific
Reply:

Hi,

I've had the same problems like you, but I SOLVED IT. The file scrsvr.exe comes through the Netbeui Port (Port 139). You must manually close this port.

Look on this page
http://grc.com/su-bondage.htm

Sorry but I can't explain it in "good English"

MfG
Phoenix


0

Response Number 52
Name: Phoenix
Date: October 2, 2002 at 17:29:43 Pacific
Reply:

Hi,

I've got the same problem but I solved it. The reason why the file is coming back is the open Netbeui port (port 139). You must manually close it. Go to the TCP/IP protocol and let it show you the properties; in the section connections you must disable all entries (Microsoft Family Login or any other).
But only TCP/IP over your connection, not the LAN.

http://grc.com/su-bondage.htm


MfG
Phoenix


0

Response Number 53
Name: bobaj2max
Date: October 3, 2002 at 03:01:22 Pacific
Reply:

I also believe I have found a way to permanently solve the issue.
It is actually already mentioned on this board in post 5.
What I did was:
1) Temporarily unshare drive c (or any other shared hard drives)
2) Remove the scrsvr.exe file, remove its command line from win.ini and remove its entry in the registry (details on this in above posts)
3) Create a new text document in c:\windows, and name it scrsvr.exe, hence making it an exe file. Make sure you make this file read only
4) Share any drives unshared previously
5) That's it, nice and simple. 24 hours now and the worm hasn't returned.


0

Response Number 54
Name: DRW
Date: October 3, 2002 at 11:43:12 Pacific
Reply:

After doing all the stuff recommended the day before yesterday I found that the machines were re-infected again. Today I booted to DOS and manually removed the run commands in win.ini (was using msconfig prev), they were flagged before and not removed. Also created the blank scr file and will see tomorrow... hold thumbs...


0

Response Number 55
Name: Scotto
Date: October 3, 2002 at 11:45:27 Pacific
Reply:

It's gone for me now, thank god. It turned out that Inoculate 6 was only finding the virus win95/space.1445. So I updated my virus checker and it finds 7 viruses! 5 of them were this opaserv virus which u speak of, another was backdoor/opaserv and another win95/space.1445. It cured 'em all and I was left to doing the registry and win.ini. I suggest you all buy copies of Inoculate 6 but its price does put it out of reach of home users. It starts at £400 I think.
Thanks


0

Response Number 56
Name: chuck
Date: October 3, 2002 at 19:56:07 Pacific
Reply:

It seems strange but I think it is associated with Yahoo Messenger. It seems that logging in and reading mail or logging into YMessenger, PC-cillin catches it trying to come in through and blocks it, but I have to continually delete it from the quarantine folder. It was on my machine and I removed it manually just as others stated here. It slows download speed as it is transferring data as soon as you log in to your ISP. Please post feedback if we all have Yahoo Messenger or mail, this might be the cause ????


0

Response Number 57
Name: Pete
Date: October 3, 2002 at 20:58:52 Pacific
Reply:

A solution to the Scrsvr.exe worm:

Do all the usual stuff that you'd do for a trojan (registry [local..soft..micro..win..curr..run], win.ini, sys.ini)

Also delete scrsin.dat

Also delete scrsout.dat

delete scrs... from the run= in tmp.ini

most importantly, disable system restore:

right click on My Computer, then
f---

nevermind, NAV just detected it again on my computer. Let me know if you find a solution: buddypedro@hotmail.com

man, this one's a bitch!!



0
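The cleanup checks described in posts 53 and 57 (the win.ini startup line, the scrsvr.exe file, and the scrsin.dat / scrsout.dat files) can be scripted. This is an added example, not code from any poster or vendor; the sample win.ini text and directory listing are constructed, and it assumes the dummy file from post 53 is empty and read-only.

```python
import re

# File names reported in posts 53 and 57 of this thread.
WORM_EXE = "scrsvr.exe"
WORM_FILES = {WORM_EXE, "scrsin.dat", "scrsout.dat"}
AUTORUN_KEYS = {"run", "load"}  # [windows] keys that Windows 9x/Me runs at startup

def basename(path):
    """Lower-cased file name from a DOS-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def audit_win_ini(text):
    """Return (line_no, key, program) for each [windows] run=/load= entry naming the worm."""
    hits, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and section == "windows" and key in AUTORUN_KEYS:
            # One run= line can list several programs, separated by spaces or commas.
            for prog in re.split(r"[ ,]+", value.strip()):
                if basename(prog) == WORM_EXE:
                    hits.append((no, key, prog))
    return hits

def audit_files(listing):
    """Classify (name, size, read_only) entries from the Windows directory."""
    report = {}
    for name, size, read_only in listing:
        if basename(name) not in WORM_FILES:
            continue
        # Assumption: the placeholder from post 53 is an empty, read-only file.
        placeholder = basename(name) == WORM_EXE and size == 0 and read_only
        report[basename(name)] = "placeholder" if placeholder else "suspect"
    return report

# Constructed sample input, not taken from any real machine.
SAMPLE_INI = "[windows]\nload=\nrun=c:\\tools\\clock.exe C:\\WINDOWS\\SCRSVR.EXE\n[Desktop]\nrun=scrsvr.exe\n"
SAMPLE_DIR = [("SCRSVR.EXE", 28672, False), ("scrsin.dat", 12, False), ("notepad.exe", 53248, False)]

if __name__ == "__main__":
    print(audit_win_ini(SAMPLE_INI))   # startup entries that still launch scrsvr.exe
    print(audit_files(SAMPLE_DIR))     # worm-named files and whether they look like the dummy
```

Only the `[windows]` section is checked, so a `run=` line elsewhere in the file is not reported.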

Response Number 58
Name: yourmom
Date: October 4, 2002 at 00:07:21 Pacific
Reply:

Using Zone Alarm's firewall prevented reinfection.. then after a day with it off, the virus was back. I suspect closing the port is the clean way to prevent it (this almost may prevent future strains) while the dummy text file is the dirty way (a new strain could use a new file name and beat it). I'm going to use both for now for the times when I can't use my firewall


it seems i've been getting a lot of incoming traffic on port 137. they come in pairs from many random IPs.. perhaps scrsvr.exe on other peoples computers.

maybe this worm is constantly portscanning and spreading itself..


0

Response Number 59
Name: Phoenix
Date: October 4, 2002 at 02:00:19 Pacific
Reply:

Hi,

the worm is coming through the Netbeui Port, that's Port 139. YOU MUST MANUALLY CLOSE IT. Then the worm can't come back on your harddisk. Someone said "Don't share your harddisk with the whole world" ;)


0

Response Number 60
Name: MICE
Date: October 4, 2002 at 21:39:32 Pacific
Reply:

DOES ANY ONE KNOW THE SOLUTION?
PLEASE POST PROCEDURE STEP BY STEP
THANK YOU


0

Response Number 61
Name: phyl
Date: October 5, 2002 at 03:51:30 Pacific
Reply:

this virus keeps coming back although nortons quarantines it and I delete it. Is there a tool to remove it?


0

Response Number 62
Name: Pete
Date: October 7, 2002 at 01:02:19 Pacific
Reply:

HERE'S THE SOLUTION....

This assumes that you already cleaned the virus
and now you want to make sure you are not
re-infected.

Ok, everyone, I found a cure for being constantly
re-infected with the Opaserv/Opasoft virus. After doing
some research (see references below) I found that
disabling the "File & Printer sharing" in Windows did
the trick to keep me from being re-infected after cleaning
the virus. That solved the problem of being re-infected.

Below is the info that tells how the Opaserv/Opasoft virus
finds its victims. All you need to do is be connected
to your ISP and it can get you!!! ---pete---

Full article on Opaserv Virus....
https://www.europe.f-secure.com/v-descs/opasoft.shtml

===============================================================
Excerpt from full article above...

To locate victim computers the worm scans networks by using port 137 (NETBIOS Name Service). The following subnets are scanned:

- current (infected) computer subnet (aa.bb.cc.??)

- two neighbor subnets (aa.bb.cc+1.?? , aa.bb.cc-1.??)

- random selected subnets (except several ones that are "disabled" for scanning)


In case there is reply from an IP address (i.e. there is real computer at this address), the worm also scans two subnets that are neighbor to that address.

When "reply data" is received the worm checks the special field in it. In case this field contains information that victim computer has "File and Print Sharing" service activated, the worm starts infection routine.

The infection routine sends specific SMB packets to the found IP address by using port 139 (NETBIOS Session Service). These packets cause the following actions:

1. The worm established connection with \\hostname\C resource on a victim machine (where "hostname" is a victim machine's name, that the worm gets this name from "reply" data).

2. In case the resource is protected by a password the worm tries to open it with all one-symbol passwords (brute-force attack).

3. In case of successful connection the worm sends its EXE file to a victim machine. The packet also contains the destination file name on the target computer: WINDOWS\scrsvr.exe

---end of excerpt---

=================================================================


0
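The excerpt in post 62 describes a port 137 name query followed by a port 139 session, and post 58 reports repeated port 137 hits from random addresses. The added example below (not from any poster or from F-Secure) correlates the two in firewall logs; the log format, the five-minute window and the sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed gap allowed between probe and session

# Constructed log lines in a hypothetical "date time proto src dst:port action" format.
SAMPLE_LOG = """\
2002-10-04 00:01:10 UDP 198.51.100.7 192.0.2.10:137 ALLOW
2002-10-04 00:01:11 UDP 198.51.100.7 192.0.2.10:137 ALLOW
2002-10-04 00:01:13 TCP 198.51.100.7 192.0.2.10:139 ALLOW
2002-10-04 00:02:40 UDP 203.0.113.50 192.0.2.10:137 BLOCK
2002-10-04 00:02:41 UDP 203.0.113.50 192.0.2.10:137 BLOCK
2002-10-04 00:09:00 TCP 192.0.2.20 192.0.2.10:139 ALLOW
garbage line
"""

def parse(line):
    """Return (time, proto, src, dst_host, dst_port, action), or None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, clock, proto, src, dst, action = parts
    host, _, port = dst.rpartition(":")
    try:
        ts = datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S")
        return ts, proto.upper(), src, host, int(port), action.upper()
    except ValueError:
        return None

def correlate(log_text, window=WINDOW):
    """Map (src, dst) to 'probe' (137 only) or 'session-after-probe' (137, then allowed 139)."""
    last_probe, verdict = {}, {}
    events = sorted(e for e in map(parse, log_text.splitlines()) if e)
    for ts, proto, src, dst, port, action in events:
        pair = (src, dst)
        if proto == "UDP" and port == 137:
            last_probe[pair] = ts
            verdict.setdefault(pair, "probe")
        elif proto == "TCP" and port == 139 and action == "ALLOW":
            # A session with no preceding name query (e.g. a LAN client) is ignored.
            if pair in last_probe and ts - last_probe[pair] <= window:
                verdict[pair] = "session-after-probe"
    return verdict

if __name__ == "__main__":
    for pair, state in correlate(SAMPLE_LOG).items():
        print(pair, state)
```

A host that shows `session-after-probe` for an outside address had its file sharing reached from the internet and is worth checking for scrsvr.exe.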

Response Number 63
Name: yourmom
Date: October 7, 2002 at 01:12:45 Pacific
Reply:

I have successfully avoided this virus for a few days now, without using the dummy text file.


Basically what you need to do is this:

remove the scrsvr.exe file from your system as described above

Get to the control panel, and open Network

For each TCP/IP -> XXX

click properties, then bindings, then unbind Client for microsoft networks, File & Printer Sharing, and Microsoft Family log on.

When it asks if you'd like to bind a protocol, click no.


Repeat for each TCP/IP protocol. Then close Network by clicking OK, and reboot when asked..


Your harddrive is now closed to the outside world.


0

Response Number 64
Name: yourmom
Date: October 7, 2002 at 01:15:15 Pacific
Reply:

BTW The above process still allows you to use file & printer sharing on local networks.


0







Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

