I can't get this virus off of my PC. I have Norton Professional 2000. I have gone to their website and downloaded their repair tool. It will not get rid of it! I went through and manually took it per their instructions. It is still there... Please help!!!

1) If you are on a network with other PCs, disconnect from the network and clean each PC before re-attaching back to the network. The virus spreads through network shares with other PCs.
2) Follow the instructions in the following link at the end of this post as I have performed this w/o any problems.
3) Make sure you hand check the win.ini and registry for the following:
* Run regedit and check for:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"ScrSvr" = %WinDir%\ScrSvr.exe
* Check the win.ini for the following and remove:
Run= 'C:\WINDOWS\SCRSVR.EXE'
4) Make sure the scrsvr.exe file has been removed from your system.
Check out the following link for virus info and be sure to apply the Microsoft patch for your Windows system:
http://vil.nai.com/vil/content/Print99729.htm
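
The hand check described in the post above can be run over a copy of win.ini and a regedit export of the Run key. This is an added example, not part of the original thread: the sample file contents are constructed, and the name list goes beyond that post by including brasil.pif and alevir.exe, which other posters in this thread report.

```python
import ntpath
import re

# File names reported in this thread; the list is an assumption, extend as needed.
SUSPECT_NAMES = {"scrsvr.exe", "brasil.pif", "alevir.exe"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Constructed sample inputs, not taken from a real machine.
SAMPLE_WIN_INI = r"""[windows]
Run= 'C:\WINDOWS\SCRSVR.EXE'
"""
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScrSvr"="C:\\WINDOWS\\ScrSvr.exe"
"""

def _is_suspect(command):
    """True if any program named in an autostart command is a suspect file."""
    tokens = re.split(r"[,\s]+", command)
    return any(ntpath.basename(t.strip("'\"")).lower() in SUSPECT_NAMES for t in tokens)

def scan_win_ini(text):
    """Return (line number, line) for suspect run=/load= lines in [windows]."""
    hits, section = [], ""
    for no, line in enumerate(map(str.strip, text.splitlines()), 1):
        key, _, value = line.partition("=")
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and key.strip().lower() in ("run", "load") and _is_suspect(value):
            hits.append((no, line))
    return hits

def scan_reg_export(text):
    """Return (value name, data) for suspect values under the HKLM Run key."""
    hits, in_run = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
        elif in_run and (m := re.match(r'"(.*?)"="(.*)"$', line)):
            data = m.group(2).replace("\\\\", "\\")  # .reg exports double backslashes
            if _is_suspect(data):
                hits.append((m.group(1), data))
    return hits

if __name__ == "__main__":
    print("win.ini:", scan_win_ini(SAMPLE_WIN_INI))
    print("Run key:", scan_reg_export(SAMPLE_REG))
```
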

I have done all of this and it just keeps showing up. It is like they haven't found it all, because as soon as you hook to the internet with nothing open the lights light up and then I get a detection from my anti-virus program. I have fought this continually today and it just doesn't go away. I checked all of the other computers in my office and find no sign of the virus except this PC. Any other suggestions??

Look, rather than going digging around your PC looking for a virus, like 1/2 the people in here tell you... get a cleaner, they make those for a purpose, and change the Norton crap, it's obviously not doing its job if you still have the virus.
Get a free Opaserv cleaner here.
Read this:
http://www.nod32.com.au/nod32/msgs/opaserv.htm
then download this:
http://www.nod32.it/tools/OPACLEAN.ZIP
Clean, then see if there is still payload left and clean it up.

If you want to read up on it...check out these links.
http://miataru.computing.net/security/wwwboard/forum/2954.html
http://miataru.computing.net/security/wwwboard/forum/2921.html
http://miataru.computing.net/security/wwwboard/forum/2897.html

I've posted this article numerous times on all of the Opaserv topics in this forum. Here it is again, with a few additions:
I was one of the lucky ones who got the full blown effect of the Opaserv worm. I had scrsvr.exe, brasil.pif, and then alevir.exe. Norton Anti-Virus would always detect it trying to run, but it could never keep my system clean from it. I followed all of their directions, downloaded all of their tools, downloaded the patch from Microsoft, cleaned out my registry, kept my win.ini file clean, made dummy scrsvr.exe and brasil.pif files with the +r read attribute flag, etc. And the stupid things kept coming back!!! I wrote Norton email after email, telling them that their anti-virus software isn't stopping the virus from getting on my computer. I sent them brasil.pif on October 21, and then finally, on October 25, they listed it as a threat, claiming it was discovered on October 25. Stupid liars. And all the while, the virus kept coming back. Because of all of this, I feel that I have to resort to caps to make the following point =)
IF YOU SIMPLY USE NORTON ANTIVIRUS AND DELETE CERTAIN FILES AND REGISTRY ENTRIES THE VIRUS CREATES, THE WORM WILL COME BACK! THE VIRUS USES PORTS 137-139 ON YOUR COMPUTER TO WORK. YOU MUST CLOSE THOSE PORTS!
So, I resorted to closing my ports 137-139 (Turning off NetBIOS), and my computer has not reported a virus for 6 days now. (It used to report it every 15 minutes.) Before, from what I could tell, I could clean the viruses off my system using simple techniques such as removing the lines out of win.ini and my registry. I'd stay virus free until I'd connect to the internet, and then *bang* the viruses were back, sometimes in a new morphed form (brasil.pif or alevir.exe). It appears the virus uses a security flaw in Windows (I'm running win 98), by communicating to your computer through these ports, and by turning off ports 137-139, you fix it.
I found a nice site that describes how to turn off these ports in detail, and it has simple to follow steps with handy screenshots. The site is here.
https://grc.com/x/ne.dll?bh0bkyd2
Run the "Probe my Ports" test first for kicks, it should show you that your computer is vulnerable in the ports that this virus uses. Next, go to section 5 "Network bondage". That will describe how to turn off these ports. By the way, this shouldn't affect your computer's network connections at all. It just redistributes network communication in the proper way, and you simply just close off ports 137-139 to those that shouldn't have access to it. Once you do this, the virus should be blocked from coming back every time you connect to the internet.
By the way, make sure you also follow all of the tips listed on Symantec about the Opaserv worm. You must clean out your registry, win.ini file, and download the patch from Microsoft.
If all of this was too technical for you, then another great solution is to download the free version of ZoneAlarm here:
http://download.com.com/3000-2092-10153456.html?tag=lst-0-8
And as for one last side note, it appears that you can't fully remove the virus, you can only suppress it. For example, my ports 137-139 were closed, and I hadn't had a virus report in 7 days as a result. I scanned for the opaserv virus using both of Norton's tools (NAV and FixOpsv.com), and it reported I was virus free. Then I decided to open the ports and connect to the internet to see what happened. *BAM* The virus was back in 5 minutes! And I was on a dialup dynamic IP address! That means the virus waits on the computer, just waiting for open ports and an internet connection. So I closed the ports, and immediately all virus activity stopped again. To sum up, by closing the ports off, you'll just suppress the virus for the rest of your computer's life.
Good luck!
(email me if you have problems, I'd be happy to help)

And now for the technical followup. You should only read this if you are running on a network:
The site I mentioned in the above post advocates using NetBEUI for your internal network. Unfortunately, that can be a pain if you're running a TCP/IP internal network, and you can't switch over to NetBEUI protocol. So I looked for a way to allow me to run a TCP/IP network on a Windows 98 machine while blocking ports 137-139. But, according to grc.com, "the only way to close port 139 is for every single service to be unbounded from every single instance of TCP/IP."
What this means is, there is no way to use TCP/IP for an internal network while having port 139 closed!
So if you're in this sticky situation, you must put up a firewall. Either ZoneAlarm for your personal computer, or configure your network's firewall. We configured our linux firewall to not allow any outbound communication over ports 137-139, and that did the trick for our office. (As for me, since I take my computer home from our office network to connect to the internet via Dial-Up adapter, I'll have to get Zone Alarm).

I hate to throw this in here, but we're using Zone Alarm, and this thing gets right past it.
Are we having fun yet?

I kept getting reinfected (Marco alevir scrsvr brasil). I think it is due to router solicitation where your IP is sent out to 224.0.0.2 and onwards. I think you need to disable DHCP in your registry. I used Tweek up from http://tweakup.homestead.com and am now waiting to see if it is cured. It might need investigating by someone with more knowledge.

We use Zone Alarm and it has stopped every attempt. Which Zone Alarm are you using, and how high are your protection levels in it Margo?

Maybe this will help. I had this virus, and I used the Norton removal tool. It got rid of everything, but for some reason, it failed to remove "PUT.INI" from the root directory. So I removed this manually, and I emptied the recycle bin just to be sure. That virus is now gone, and hasn't come back. (The Norton Symantec info on this virus is where I learned about the PUT.INI, but for whatever reason their tool failed to delete it.) Check for this file in your root directory.

We are using Sygate Personal Firewall (www.sygate.com free download) which in the traffic logs reports kernel32 trying to connect to 224.0.0.2. If this succeeds we then get incoming data followed by Norton picking up the virus file. We have disabled the firewall after disabling irdp/dhcp (www.homstead.com/tweakup/tweakup.html download) and are waiting to see if the virus returns.

We're running ZoneAlarm Pro, on Win98se, and just now upgraded to Norton 2003 (from 2002). In ZoneAlarm we just found a reference to "Brasil", and blocked it totally. (It wasn't there before) We have security set to ask on everything before allowing it, and so far this thing has snuck past. Maybe now this will help? (we did have a child get on this computer. He may have allowed something he shouldn't have) Now we wait.....
Fingers crossed!!!
;-)

Hello,
You should install the security patch first. This will be a permanent solution. Also password protect your C drive share or set the C drive share to read only access. Then install an antivirus. I am using SOLO Antivirus ( www.srnmicro.com ), it removed the virus from my system.
Solo antivirus site contains instructions to protect your computer from re-infection. For more details visit www.srnmicro.com/virusinfo/opaserv.htm
Have a nice day

ok now I can't play any multiplayer game, and I don't understand anything of what u'r all saying
would a format work?

This is my experience with the opaserv.d (and e, a) worm. I got all three types of the worm, alevir.exe brasil.exe and scrvcr.exe. You get these by being lazy and stupid (like me) and having a Peer to Peer file sharing program (Kazaa, BearShare etc) and a LAN setup with the hard drives being shared but no password protection. I also didn't bother with having the virus checker on as it only slows the games down. Anyway I have learnt my lesson (for the moment).
I'm using the PC- Cillin virus checker (came free with the computer) and have looked at their website as well as the others. They all give pretty much the same advice but can't tell you what is telling the computer to download the virus when you go online. You can prevent this by not sharing the c:\ hard drive or having at least a 4 letter password.
I don't know what files were affected but I suspect msimgsiz.dat as there are several versions in the windows folder and one is dated fairly close to the day of the attack. I also have tmp001.tmp and _delis43.ini.
This worm doesn't seem to do much damage on its own, but left unchecked it will try to download much worse viruses to your computer.

This worm is a proper b-------
I downloaded the Systemac or similar named virus removal tool, then the Windows patch, disconnected from the net and put them on both my home computers. I then disconnected my network cable. I ran the virus removal tool on both computers, both computers were infected, but cleared of the worm. I rebooted, ran virus removal tool again. Both computers clear. I installed the Microsoft patch, and downloaded the ZoneAlarm firewall from CD. I should be right! But to be sure I removed files called "alevir", "Brasil", "marco!" and "gay" from computer, and emptied them from recycle bin.
Then I ran virus removal tool 2 more times, and checked that the files listed above hadn't reappeared, rebooting each time.
I should be safe, so I reconnected the network and connected to the net.
Guess what! I got infected again! (only the computer connected to net)
This worm is somewhere lurking in my computer. And it's bringing up a "dial up connection" box every time I reboot. I'll just have to put up with it! F--- IT! It beat me!

First, brasil came, then it was alevir, today, I'm almost sure, it's instit's turn, I'd like to know where it came from.

Infection seems to come from the internet. Go to response #5. Procedure was a pain in the butt, however it worked.
