
W32.Opaserv.Worm virus (scrsvr.exe)

Original Message
Name: Kevin Y
Date: October 21, 2002 at 12:17:18 Pacific
Subject: W32.Opaserv.Worm virus (scrsvr.exe)
OS: Win 98
CPU/Ram: 300 Celeron/128
Comment:

Norton 2002 anti-virus has caught this thing over 2 dozen times. I have downloaded the Microsoft patch and ran the cleanup tool. My machine does not have the virus. However, every time I sign on the internet, the virus tries to load into my computer, alters my win.ini file, and is caught by Norton Anti-Virus 2002. How do I stop it from coming in to my machine from the internet???



Response Number 1
Name: capt
Date: October 21, 2002 at 12:32:28 Pacific
Something is wrong with the description you are describing. You either have the virus, or you are opening or visiting websites that allow the virus into your system. I would use the trial version of Solo(best thing to rid this virus) from www.srnmicro.com to make sure the system is clean. What firewall are you using? Do you use Outlook Express? Have you set the security rules correctly; disable preview pane, set the security to prevent attachments that might have a virus and programs from accessing and all the other associated things? Please post back!


Response Number 2
Name: Kevin Y
Date: October 21, 2002 at 15:16:26 Pacific
I disabled the preview pane in Out.Exp. I didn't install the Solo trial, because of concern that it might conflict with NAV 2002. I did look in my temp files and found four IE HTML D files. I don't understand them but two read as follows: r;kw=scrsvr%2Exe;pos=;tn= 3;ta=left;tva= middle;tsw=0;to=vjtw=500;th= 66;sz=500x22;tile=5;ord=1028306[1] and r;kw=scrsvr%2Eexe;;pos=1;sz=468x60;tile=1;ratio=1_5;ord=1028306[1] They came in @ 12:17 & 12:24pm while I was signed on the web. I was not at a particular site at the time. I have disabled my firewall (Zone Alarm) because of some conflicts it was causing. I plan on getting the McAfee Anti-Virus/firewall software soon. I am thinking some website has my isp address and sends it automatically when I sign on, but I'm not too sure. NAV has caught it every time (so far)


Response Number 3
Name: capt
Date: October 21, 2002 at 15:55:48 Pacific
You might want to check out the following websites concerning firewalls/antivirus before you pay for McAfee, they are PC Flank and the Virus Bulletin. From the files you found you are still infected. If you have the Norton CD, there is really no risk in using the trial of Solo. Just disable Norton and use Solo, just do not actively use them at the same time. If you are looking for a new antivirus program try Solo and you will be very satisfied with it. If you have updated and configured Zone Alarm correctly there should be no conflicts, or they should be easy to correct.


Response Number 4
Name: Donna
Date: October 22, 2002 at 01:14:10 Pacific
To help prevent viruses, it is also important to make sure you have all the security updates that are available free from windowsupdates.microsoft.com
Select Products, wait, and it will tell you what you need. Make sure you get all critical updates and security fixes and service packs. Then go to the start page and get the Office updates and new versions as well. Then if you use Internet Explorer and Outlook or Outlook Express, check your security settings and such to make sure you are protected as well as you want to be. One thing I do in Outlook Express 6.0 is set my attachments to not be opened at all. Then I can delete anything suspicious and when there are attachments I want to view, then I deselect it, view them, then reselect it.


Response Number 5
Name: Donna
Date: October 22, 2002 at 01:16:45 Pacific
A couple more things I should mention...

There are online virus scanners that you can use, such as:

www.pandasoftware.com
www.bitdefender.com

These ones also look at your email. It could be that you are reinfecting yourself when you access your email again.


Response Number 6
Name: DikdronK
Date: October 22, 2002 at 01:38:03 Pacific
I had the exact same problem at various clients of mine. Here is what you do.
Firstly, after you run the MS patch, put a password on the share that has access to the internet (very important). Find the opaclean.exe file on the net (can't remember where I got it) and run it. When the scan is completed it prompts you to ask whether you want to immunize your system, say yes. Restart, and voila!! All gone.

Found a link.

link to opaclean.exe file --> http://www.nod32.com.hr/DOWNLOAD/opaclean.zip

Hope your problems are solved!!


Response Number 7
Name: julia
Date: October 22, 2002 at 05:04:00 Pacific
kevin - look for a program called brasil.exe and a file called brasil.pif on your system - there is a new variation of the opaserv worm which gives you these as well as the scrsvr.exe - the remove tool (free on symantec website) will get rid of scrsvr.exe, but brasil you have to get rid of manually. (i would give you advice, but you'd be better off reading the brasil.pif thread on this board, if you do indeed have the brasil problem as well as the scrsvr...) good luck.


Response Number 8
Name: Brian
Date: October 22, 2002 at 11:45:10 Pacific
I also got this scrsvr.exe and brasil.exe. This is happening when I am connected to the internet (24hrs cable internet). When the viruses are off my system, somehow they are back in while I am browsing/surfing the internet, I do not know how. I cannot find this total protection yet.

Today I got this new one Alevir.exe

This is driving me crazy.

Can somebody help.


Response Number 9
Name: murve
Date: October 22, 2002 at 12:05:26 Pacific
hi kevin y,
try doing this, it may help.
delete the entry brasil.pif from win.ini
run and load should equal nothing. then save and reboot. check your windows directory for the brasil.pif, opaserve and scrsvr.exe files and right click on them and make them read only files then delete them, go into your registry and do a search for those files, and wherever found delete the values, check your run services also in your hkey current user, hkey user, and hkey local machine, if found delete the keys.
scan your computer with an anti-trojan, and an anti-virus software, with the latest definitions. if this does not work then go into dos and use fprot for dos and scan your machine. you may also want to check your files in dos for any brasil.pif and opaserve and scrsvr.exe, if found delete from dos.
for more info on trojans, and firewalls go to www.thepublicworks.com security section and link to simovits consulting, trojan ports, wilders.org, pcflank, trojan removal, firewalls and security, firewall security.
hope this helps, take care,
murve


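As an added illustration of the manual win.ini check murve describes above (delete the worm entry, make sure run= and load= are empty), here is a small Python audit of the [windows] section. This is not code from any poster; the sample win.ini is constructed, and the filename list is taken from the names mentioned in this thread.

```python
import re

# Filenames the posts in this thread associate with W32.Opaserv and its variants
OPASERV_NAMES = {"scrsvr.exe", "brasil.pif", "brasil.exe", "alevir.exe", "marco!.exe"}

# Constructed sample win.ini, modelled on the run= modification the posts describe
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\brasil.pif\n"
    "NullPort=None\n"
    "\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)


def _split_programs(value):
    # win.ini run= and load= may list several programs separated by spaces or commas
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def _basename(path):
    # Compare on the bare filename, case-insensitively, regardless of the directory used
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_win_ini(text):
    """Return (key, program) pairs under [windows] run=/load= that name a known worm file."""
    hits = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        if section != "windows" or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)
        if key.strip().lower() in ("run", "load"):
            for prog in _split_programs(value):
                if _basename(prog) in OPASERV_NAMES:
                    hits.append((key.strip().lower(), prog))
    return hits


def clean_win_ini(text):
    """Return a copy of the file with flagged programs removed from run=/load= (other entries kept)."""
    out = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "windows" and "=" in stripped:
            key, value = stripped.split("=", 1)
            if key.strip().lower() in ("run", "load"):
                keep = [p for p in _split_programs(value) if _basename(p) not in OPASERV_NAMES]
                line = f"{key.strip()}={' '.join(keep)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, prog in audit_win_ini(SAMPLE_WIN_INI):
        print(f"suspicious startup entry: {key}={prog}")
    print(clean_win_ini(SAMPLE_WIN_INI))
```

On a real machine the text would be read from C:\WINDOWS\win.ini and the cleaned copy written back; the registry Run keys the post also mentions need a separate check.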
Response Number 10
Name: ed
Date: October 22, 2002 at 12:15:35 Pacific
Dear All,

I have to say that this virus is a pain in the neck.
I ran an updated version of NAV and it removed it - but it came back. Then I downloaded the dedicated removal tool from Symantec and ran it. It removed the virus - but again it came back. I then ran the Microsoft patch. Still re-infected. So the latest solution was to take off file and print sharing from my dial up adapter. So far so good, and NAV has not flashed up detecting the virus.

Has anyone here done the same as me and been re-infected? thanks


Response Number 11
Name: julia
Date: October 22, 2002 at 13:04:29 Pacific
re: reinfections

how long is it taking you to get reinfected?

i *seem* to have gotten rid of it w/o it coming back again... i ran the symantec opaserv tool, and then manually deleted the brasil.exe and brasil.pif (the .pif you must delete in dos) and deleted relevant registry keys also. so far, so good. (this is on win98se) i found good information on the symantec and kaspersky sites, and in the brasil.pif thread on this site. i have not done this yet, but in that thread they were saying you could inoculate yourself against re-infection by making blank notepad files with the names of the deleted virus files, and making the blank file attribute (in properties) be "read only". read that thread, lots of good advice there.

good luck.../julia


Response Number 12
Name: Kevin Y
Date: October 23, 2002 at 11:45:13 Pacific
Thanks to everyone who has responded to this thread. I reinstalled the Zone Alarm firewall yesterday, and have not had a recurrence of the scrsvr.exe virus. At the same time, I also went into my Outlook Express and disabled the preview pane, enabled the security to prevent attachments that might contain a virus. I also went into the registry and ran a "find" search with the name "brasil". Keys for opaserv, brasil, alevir, and scrsvr came up, which I deleted. I haven't rebooted my computer yet so I am praying that all will be well. The JBTIL key also appeared when I did the registry search for brasil. I did not delete it, although NAV 2002 quarantined it about 2 weeks ago. Should I also delete JBTIL from the registry? I'm going to reboot now. Thanks again. ky


Response Number 13
Name: Brad Peterson
Date: October 23, 2002 at 23:29:10 Pacific
To everyone who's having recurring opaserv problems, I'm having them too! I know exactly what you're talking about, you've taken every precaution, downloaded the patch from Microsoft, you've downloaded every fix from Norton, ran them in safe mode, rebooted, and still Norton catches scrsvr.exe (and possibly alevir.exe) about every 15 minutes. I've also noticed the trend that it happens when I'm online. We've had quite a long discussion about this over on the brasil.pif topic on this website. (It's just a few days older than this topic)...it's good reading...check it out to get a better understanding. Apparently, a few of us have reached a conclusion that somehow, when you log on, a request is made over the internet, and this somehow triggers the virus to come back, or change its name to brasil.pif, or something. So because of that, somebody has mentioned that we *must* turn off ports 137-139. From what I've researched, I don't know how to turn off ports 137 and 138, or even if it's necessary. But it is possible to turn off port 139. To do this, go to this website:

https://grc.com/x/ne.dll?bh0bkyd2

The first page contains a couple of tests, a shield scan and a port scan...very nicely done..run those for kicks.

If you scroll down to section 5 "Network Bondage", it will explain how to turn off port 139. It's explained very well, with lots of handy screenshots. (It's kind of a roundabout solution. You do not simply uncheck some box labeled "Port 139?")

I hope this helps. Since turning off the port, I haven't had any recurring problems. (I turned it off an hour ago, but I was getting virus warnings every 15 minutes).

If this doesn't work...darn...I'll have no clue what to do


Response Number 14
Name: julia
Date: October 24, 2002 at 09:14:09 Pacific
good news!

symantec has released a free tool to remove opaserve.e - aka brasil.exe/.pif - if people are still having problems, you can find that here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.e.worm.html

hopefully that'll do the trick...


Response Number 15
Name: Margo
Date: October 25, 2002 at 07:47:20 Pacific
Glad to find this so I know I'm not the only one with this problem! Now, I know all the patches/fixes/workarounds here...but what I don't understand is WHERE this thing comes from!?!? My machine is infected upon boot, without ever accessing a browser or email. (Win98se, Cable Modem) It gets past ZoneAlarm, Norton catches it, but it still gets into Win.ini & startup. Yes, I can make it stop by changing settings. But my issue is, could this be coming directly in from my cable modem provider?


Response Number 16
Name: ihg
Date: October 26, 2002 at 17:24:01 Pacific
I also know exactly what you are all talking about. I have tried everything - Norton, McAfee, Protector Plus etc. Nothing helps... It keeps on popping up all the time...

Well, I installed Win98 on another newly formatted HD and started surfing the internet. Nothing happened and I was connected for hours. My conclusion must be: it is something in your system, on your HD and no bloody antivirus programs are able to remove it. I think this is a shame. They should work much harder on this and take the matter much more seriously.


Response Number 17
Name: John Parry
Date: October 26, 2002 at 20:09:37 Pacific
Hi all - great comments. I have been battling this nasty virus for three weeks. I have killed it repeatedly but I haven't found the program which is reloading it every few minutes when I am up on the net yet, but I will work through all of your comments. I have tried all of the standard fixes and nothing to date has dealt with it properly. I did notice that the virus was originally just scrsvr.exe, then after two weeks it changed and started to bring in Brasil and alevir as well, so the problem is ongoing with the source of the virus mutating.


Response Number 18
Name: Brad Peterson
Date: October 26, 2002 at 21:53:27 Pacific
Just to repeat what I said in comment #13 (Hey, I think it's important! I'm virus free now! I want the rest of you to be also =)

Closing off ports 137-139, or in other words, turning off NetBios, did the trick for me. It appears that stopping short of formatting your hard drive, there is no way to fully remove the virus from your computer. Also, you can remove the virus from your computer, but the moment your computer has an internet connection *bam*, the virus is back, and sometimes in a new form (brasil.pif or alevir.exe). From what I can tell, the virus uses a security flaw in Windows, allowing the virus to have too much access to your computer through ports 137-139. By blocking the virus's access to these ports, you can keep the virus from coming back.

The page that describes this flaw of ports 137-139 and how to turn them off is found at
https://grc.com/x/ne.dll?bh0bkyd2
What this fix does is redistribute your computer's network communication in such a way that your computer is much more secure.

First, go to this website and click on "Probe my ports". This should show you that your computer is open at port 139, the port that this virus uses. (Actually, I think the virus uses 137, but the fix he describes later turns off ports 137-139...which are all the ports involved in this security flaw)

Next, go to section 5, labeled "Network Bondage". This will tell you how to fix this flaw by turning off the ports. It has handy screenshots and step by step instructions.

This should do it. I've spent many hours trying all sorts of fixes on many computers on our network. TURNING OFF THE PORTS IS THE ONLY THING THAT WORKED! I would have loved to reformat our hard drives, but with our network traffic, the virus would have been back in no time (since my ports were open).

If anyone has any problems, feel free to email me. I understand just how annoying this virus has been. I spent 3 weeks trying to remove it, until I finally succeeded.

Brad Peterson

(As a side note, I'm suspecting that the virus is on my computers, just not active. I bet if I reopened my ports, and then reconnected to the internet, the virus would be back. But as long as NAV doesn't catch the virus loading up in my memory, and the virus can't communicate over the internet to receive updates, the virus should remain inactive for the rest of my computer's life.)


Response Number 19
Name: Shan Patterson
Date: October 27, 2002 at 01:40:46 Pacific
Am I going insane!!!! When will my virus software remove ALL traits of this VERY annoying virus.... Sick to death of it!

Shan


Response Number 20
Name: carla
Date: October 27, 2002 at 03:28:48 Pacific
Yes!! It is gone. First I used the virus tool at www.pandasotware.com, then I deleted all my cookies and temporary internet files and I got a network password. Then I never saw the annoying thing again


Response Number 21
Name: carla
Date: October 27, 2002 at 03:54:58 Pacific
P.S. while I did all this I disconnected from the internet


Response Number 22
Name: Glenn
Date: October 28, 2002 at 10:57:19 Pacific
The problem is not removing the virus from the computer. The procedures above do that and updated virus software prevents reinfection. The problem is that the virus is attempting to reinfect your system from the Internet while you are browsing (it doesn't come via email and has nothing to do with the preview pane). This leads to the nuisance of constant alarms from the antivirus programs during reinfection and reboot when the virus can't find its files. Your computer is not infected, but the Win.ini and registry have been modified to run the virus files on startup. The virus scanners don't prevent these modifications but are alerting you when the virus files are being transferred to your system. This is the problem people are experiencing.

The real problem is your network security. Check the Bindings of your TCP/IP Protocol, which is the one used by the Internet. Go to Start/Settings/Control Panel/Network. Select the TCP/IP protocol for the adapter you use to connect to the Internet. Click on Properties and check the Bindings tab. Make sure that File and Printer Sharing and Client for Microsoft Networks are NOT checked. Answer No when the system asks you if you want to select any drivers to bind with. Then select the NetBIOS tab and make sure that it is disabled. From a security standpoint, you shouldn't have any bindings or NetBIOS on any of your TCP/IP protocols. Use another protocol (like IPX/SPX) for your internal networks and file and printer sharing services. All of this has the same effect as a firewall or turning off ports as far as this and similar viruses are concerned. This is the most important thing you can do to keep hackers out of your computer and personal information. Run the removal tool one more time or clean out the Win.ini and registry manually (see other responses) and reboot.

The virus should also only attack computers that share their c: drive with a share name of "C" (the default name). It's a good idea to change the share name to something else. In Explorer, right click on the c: drive and select Sharing. Then type in a new Share Name for the drive.


Response Number 23
Name: Ingo
Date: October 28, 2002 at 13:42:26 Pacific
Hi everybody.
Thanks Symantec and removal tool.
Go to: http://www.symantec.com/region/de/techsupp/consumer_thin2.html


Response Number 24
Name: ihg
Date: October 29, 2002 at 01:40:51 Pacific
The Symantec fix does not work. Neither Version 1.01 nor 1.02. They must come up with something far better than that. The only thing that helps is to close the ports 137 - 139. Use this link: http://grc.com/su-bondage.htm

That stops the thing from popping up - but still there is some malicious code on your HD and no fix has been able to remove it yet. And as some other post stated: if you open up the ports again the damned thing will return immediately.


Response Number 25
Name: Pete
Date: October 30, 2002 at 10:18:06 Pacific
Trying for weeks to get rid of this problem, but don't worry 'cause after scrsvr.exe comes brasil.pif and then brasil.exe and then alevir.exe and then marco!.exe.
When will it end?

some one help please


Response Number 26
Name: Brad Peterson
Date: October 31, 2002 at 13:11:03 Pacific
Check out this link:

http://www.computing.net/security/wwwboard/forum/2985.html

I've posted a long discussion and two ways to get rid of this worm. Hope it helps.

Response Number 27
Name: Reginald
Date: November 1, 2002 at 07:06:22 Pacific
I kept getting reinfected (Marco alevir scrsvr brasil). I think it is due to router solicitation where your IP is sent out to 224.0.0.2 and onwards. I think you need to disable DHCP in your registry. I used Tweak Up from http://tweakup.homestead.com and am now waiting to see if it is cured.


Response Number 28
Name: Brad Peterson
Date: November 19, 2002 at 18:18:01 Pacific
A bunch of us figured out a full fix to the Opaserv worm. This post contains the full fix, and it explains in detail how Opaserv works, and 3 methods you can use to stop it.

http://www.computing.net/security/wwwboard/forum/3289.html

Brad Peterson
b_peterson@yahoo.com

Feel free to email me if you need any help removing this virus.
