My brother was hit with this virus recently. For two days I've been trying to troubleshoot over the phone with no success. I've gotten the instructions for removal from Symantec, so I know how to fix it. The problem is that he cannot get into Safe Mode. I had him boot off of a Windows startup disk to try to either run Symantec's removal tool or to edit the win.ini file. When he types a directory listing of C:\ he says he sees a handful of DOS commands, no directories, nothing. It appears that Windows is no longer on his PC. This would explain why he can't get into Safe Mode. Is anyone else running into this as well? Any other ideas?
+1
Contact b_peterson@yahoo.ca; he has done more research on this virus. If there is anyone that can help you out of this jam, it will be BRAD! Take care and all the best!
+1
I have done some work with the Opaserv. I have not seen any versions that delete or remove directories from the PC.
Does the PC boot to Windows at all?
If not, you may have had more than one virus, possibly the Sircam, which is known to start deleting directories and files on the hard drive.
+1
Hey,
Your computer is doomed. You were hit by the evil Opaserv.K virus (according to Symantec... everyone has different names for them now). This is a much more evil Opaserv variant. The first ones were fine, didn't cause any damage other than being annoying. This one is bad.
Have a full read for yourself, on Symantec's Opaserv K description.
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.k.worm.html
Here's some of the key highlights:
If the current date is from December 24 to December 31 of any year, or the current year is greater than 2002, the worm checks whether at least two days have passed since it last ran. If so, it then checks for the presence of a local file named C:\Win.ini. (A legitimate Windows file of the same name normally resides in the C:\Windows folder.) The presence of this file indicates an infection that happened across a network. If the worm finds this file, the worm triggers the following payload:
1. First it creates the following files:
* C:\Msdos.sys (19 bytes)
* C:\Autoexec.bat (15 bytes)
* C:\Mslicenf.com (1,706 bytes). When this file runs, it overwrites the boot section of the hard drive, deletes the CMOS, destroys all data on the hard drive, and displays a message.
* C:\Boot.ini (88 bytes)
* C:\Bootsect.dos (512 bytes)
* C:\Boot.exe (4096 bytes). When it runs, this file shuts down the system and restarts it. The system is restarted by forcing processes to end (any opened documents are closed without saving their contents). This file is not malicious.
2. The worm then runs C:\Boot.exe to reboot the system, at which time the payload runs. It overwrites the boot section of the hard drive, deletes the CMOS, and destroys all data on the hard drive. It then displays this message:
NOTE: These removal instructions will be useful only if the payload has not run. If the payload has run and you saw the "Illegal Microsoft Windows license detected" message as described in the previous section, it is very likely that your computer is no longer functional. In this situation, we suggest that you contact the computer's manufacturer for assistance in restoring CMOS settings and the operating system. You will also have to restore data from a clean backup.
Sorry to break the bad news to you, but I'm pretty sure your data is toast. You will need to:
1) Reset your CMOS settings (usually through a jumper on your motherboard, next to the circular battery on it).
2) Repartition your hard drive.
3) Reformat your hard drive.
4) Reinstall Windows.
5) Reinstall all of your drivers.
6) Reinstall all of your programs.
7) *REALLY IMPORTANT* Protect yourself from future infections by reading up on the virus. I wrote a long article here:
http://www.computing.net/security/wwwboard/forum/3289.html
If you need help with that, I can walk you through it all. But most likely, if any of that confused you, it's best to take your computer to a shop, and also print off this post and hand it to them. My instructions should clue them in on what exactly to do.
Feel free to email me for help.
Brad Peterson
b_peterson@yahoo.com
+1
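The trigger conditions and dropped-file list quoted from Symantec above can be turned into a small triage check for a drive that has been mounted read-only from clean media. This is an added example, not code from the post or from Symantec; the directory it scans and the sample files in `demo()` are constructed stand-ins for C:\.

```python
"""Triage check for the W32.Opaserv.K payload described above (added example,
not code from the post or from Symantec). Evaluates the quoted trigger date
logic and scans one directory for the dropped files by name and byte size."""
import os
import tempfile
from datetime import date
from typing import Dict

# Dropped filenames and byte sizes quoted from the Symantec description.
DROPPED_FILES = {
    "Msdos.sys": 19, "Autoexec.bat": 15, "Mslicenf.com": 1706,
    "Boot.ini": 88, "Bootsect.dos": 512, "Boot.exe": 4096,
}


def in_trigger_window(today: date, last_run: date) -> bool:
    """Quoted date gate: Dec 24-31 of any year, or any year after 2002,
    and at least two days since the worm last ran."""
    date_gate = today.year > 2002 or (today.month == 12 and today.day >= 24)
    return date_gate and (today - last_run).days >= 2


def find_indicators(root: str) -> Dict[str, str]:
    """Status of each indicator file found directly under root (names are
    matched case-insensitively, as on a FAT/NTFS volume)."""
    present = {name.lower(): name for name in os.listdir(root)}
    findings: Dict[str, str] = {}
    if "win.ini" in present:  # Win.ini in the root marks a network infection
        findings["Win.ini"] = "present (network-infection marker)"
    for name, expected in DROPPED_FILES.items():
        actual = present.get(name.lower())
        if actual is None:
            continue
        size = os.path.getsize(os.path.join(root, actual))
        findings[name] = "size matches" if size == expected else f"size {size} != {expected}"
    return findings


def demo() -> Dict[str, str]:
    """Constructed sample: a temp directory standing in for C:\\ holding the
    marker file, one correctly sized drop and one wrongly sized drop."""
    root = tempfile.mkdtemp()
    for name, payload in (("WIN.INI", b"[windows]"), ("Msdos.sys", b"x" * 19),
                          ("boot.exe", b"MZ" + b"\0" * 8)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(payload)
    return find_indicators(root)
```

Note that the `today.year > 2002` clause means the date gate is always open from 2003 onward, so after that point only the two-day interval and the C:\Win.ini marker stand between an infected machine and the payload.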
I also have this new variant, W32.Opaserv.K. I have reset CMOS through the jumpers, reformatted, reinstalled Windows, downloaded the patch, and it's still there in the master boot. Is it invincible? Please help.
Great Xmas present. On December 27th 2002 I turned on my computer to get this message before Windows boot-up saying that my Windows license is illegal, referring me to the Business Software Alliance and locking me out of my system. I went on to the website www.bsa.org to learn that in fact this problem had nothing to do with my license but was a result of the Opaserv worm, which drops a trojan called 'winkill'; it does what it says on the packet. By the time my PC displayed this message the worm had managed to delete the entire contents of my hard drive. In my case I have two hard drives; the virus deleted the entire contents of my C drive and has rendered my D drive unreadable. Many sleepless nights later, I had to completely format both drives, losing all data, and reinstall Windows...
Since formatting both drives I have run a Norton check on my system. THE VIRUS IS STILL THERE!!! It's in the master boot file and my Norton software can detect it but cannot remove it via Windows or via the DOS boot disk.
PLEASE SOMEONE HELP BECAUSE I AM GOING INSANE.
Thanks
Lindsey
PS Wishing you all a very happy and virus free new year
+1
Hmm... did you repartition your hard drive? Formatting it will not be enough... it only formats certain parts of the hard drive (whatever is inside of the partition). Repartitioning the hard drive takes care of the whole hard drive!
To repartition, you'll want to boot up into DOS, either through a boot disk with FDISK.exe on it, or just to your C drive.
Then, run FDISK. Here, you should be able to delete old partitions and create new ones.
If that still doesn't quite do it, try this statement from DOS:
FDISK /mbr
That often fixes your master boot record.
Hope that helps.
Brad Peterson
b_peterson@yahoo.com
+1
I have XP NTFS format and it is in my boot record. The payload has not run yet. I have used the Symantec removal tool and it says there is nothing infected on my PC. If I run NAV Corp 7.6 the only infection it finds is the boot record. How can I get it out of my boot sector?
+1
Hi Brad,
Is there any way or utility to fix the MBR and retrieve the data on the hard disk after the virus payload has been run, or do we just have to forget our data?
We are using Windows ME.
+1
It's infected my ThinkPad 600! I'm stumped!
I've reset the CMOS settings by removing and replacing the CMOS battery.
However, I can't get the machine to boot.
It has a removable "Travelstar" hard drive.
The Windows startup floppy won't work without the hard disk installed, and when the hard disk is installed the virus activates, screws up the CMOS settings, and also messes up the startup floppy unless it's write-protected.
Starting with the F1 key held down doesn't help.
The Windows CD won't run from the CD either.
Any suggestions?
Is there a way to erase the "Travelstar" hard drive out of the computer, perhaps with a magnet?
+1
Can someone help me?
I have this nasty virus in my hard drive and I cannot get rid of it. First I cleared the CMOS using the jumper settings. Then I tried to repartition, but it says that there are no partitions set active, so I select [1] to create a primary partition but nothing happens after that. I don't get any more options to select from. I think the partitions have been deleted or something. I can't format the hard disk because there are no partitions active.
Can someone please help me?