Comment:
At boot on W98 it says it can't find scrsvr.exe. Is it gone or is this a glitch? Can I get a new file to download? Where?
+1 | ![]() |
rick, Mesich hit the nail on the head as this virus has hit a lot of people within the last couple of days. Symantec (Norton) just put out updated virus definitions yesterday (9/30/02) which cover this virus. Trend Micro (PC-cillin) also did. Update your virus definitions and run a full scan. If you don't have an Anti-virus Program go to the link below and run the Free Housecall On-line virus scan.
http://housecall.antivirus.com/
Good Luck,
Tufenuf
+1 | ![]() |
I used that fixit tool. It cleaned up the computer, but Norton Antivirus keeps alerting that it just fixed "scrsvr.exe". It is now safe to use the computer. Next time I boot up, there is the reference to scrsvr in the win.ini file again. Could it be they put out that tool a little too quick? Or is it that the worm is being sent to me over the internet a couple of times each hour?? What to do now?
+1 | ![]() |
Hi Mike,
Go to Start and Run.
Type in msconfig and click OK.
Select the Win.ini Tab.
Double click on Windows to expand it.
You will see a line run=
Click on run, to highlight and select edit.
Remove the c:\tmp.ini after the =
Good Day!
Mesich
+1 | ![]() |
Where do I find a clean new scrsvr.exe file?
I had Norton quarantine it and delete it. Do I need this file at all, and if so where can I find it?
Same with an older worm/MSVXD.exe file?
Thxs!
+1 | ![]() |
I have the same problem. I have downloaded the fix file from Norton and run it. After a full scan using NAV and the new virus definitions, it tells me that I'm clean. Then, upon boot, I still have the error messages. I can't quarantine, or delete or anything. I have even started the computer up in DOS and manually deleted all files (including scrsvr.exe), but still on Boot, NAV goes nuts and gives me repeated messages about every 3-4 minutes. Is this virus hiding somewhere in my computer? If I disable my autoprotect in Norton, I don't get any messages. Any ideas?
+1 | ![]() |
I've noticed the same thing, after removing all the registry entries and win.ini entries relating to the file "scrsvr.exe". But still, I've noticed that when the machine is connected to the internet, I seem to be getting this file from somewhere and recreating it in the C:\Windows directory. It is the same file that Norton's and all the other fix tools remove. It seems to have some thread running in the background. I'm also amazed at how quickly this virus is getting around. Fortunately it doesn't seem to do much damage. Well......hopefully
+1 | ![]() |
Have experienced same symptoms. Does anyone know what site is propagating this worm?
I have just finished a complete 40Gig virus scan (Norton updated this morning). Apart from Google (which directed me to this site) this is the first site that I have visited. During the time that it has taken me to compose this, the virus has arrived three times (Norton has quarantined OK). Another unusual occurrence is that since receiving this worm my modem is transmitting data at a rate of knots, even although I am not actively surfing or otherwise actively transferring data.
+1 | ![]() |
All messages posted are true on my network here in Spain. I run the Symantec tool and, I don't know how, the virus starts again after some time. Does anybody know the exact steps to get this virus out, or some site where it is explained? THANKS
+1 | ![]() |
Thanks for the help in response 6!
I'll see if Norton gives me another warning while I'm connected via this server. It didn't seem to during a solo IM connection and doesn't seem to here. My guess is that the worm still resides somewhere on this computer but without any help from the win.ini file it just lies there. Yes?
+1 | ![]() |
Something else I found on using the fix.
It does not remove the following files and you should manually remove them.
%system%\Iccyoa.dll
%system%\Lgguqaa.dll
%system%\Roomuaa.dll
%windir%\Okkqsa.dat
%windir%\Ussiwa.dat
Where the %system% variable is C:\Windows\System and the %windir% variable is C:\Windows for Win95, 98 and ME.
You should also check the registry at the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
You may find
It may also copy itself as C:\Windows\Start Menu\Programs\Startup\Cuu.exe when it runs on a Windows 95/98/Me-based system.
HTH
Post back.
Good Day!
Mesich
+1 | ![]() |
Part of the previous did not get posted as it was in ><.
Here it is again.
You should also check the registry at the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
You may find:
[random letters] [the worm's file name]
Mesich
+1 | ![]() |
Disregard my responses #15 and #16 as I confused the W32.Opaserv.Worm with W32.Bugbear@mm.
Appears that removing the entry in the win.ini in response #6 does correct the problem.
Take Care,
Mesich
+1 | ![]() |
In the win.ini file, after run= I had the following: QTXEOMC.EXE,,,,c:\windows\scrsvr.exe
I deleted the c:\windows\scrsvr.exe many times, but it keeps coming back.
The tmp.ini file was on my hard drive C and I deleted it.
The alert keeps coming back, what's my problem???
+1 | ![]() |
Go to the following locations in your registry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
Remove any entries related to scrsvr.
Mesich
+1 | ![]() |
Please run through the remedy for scrsvr.exe, explaining it step by step....I'm confused with all the responses above and petrified that I'll screw up! Please help!
+1 | ![]() |
Opaserv (Scrsvr.exe)
Here's the thing:
I have 6 computers on a LAN. One of them (the server) is sharing internet, files and printer.
The server has the scrsvr.exe virus; my Norton shows me a warning about it every 5 minutes... so I always delete it. I tried all the indications above (tools, and editing with regedit) but the warning is still there.
The other 5 computers have the same antivirus but never show any virus warning. I did the same things on them that I did with the server, for security.
I disconnected the server from the LAN, formatted the hard disk, and reinstalled Windows and all the programs. I thought that with that process I could get rid of the virus, but NO !!!!
When I connect the server to the LAN, Norton shows me the warning!!! I tried everything!!! and the scrsvr.exe is still there!!! I'm so desperate!! I need help!!!
I can't disable the sharing cuz we need to share files and printers, so that's not the solution, and by the way I have Norton updated on all the computers..
PLEASE HELP!!!
Carlos
+1 | ![]() |
Please, I need help too...I have done all the previous steps, but nothing works...Norton gives me a virus alarm every 5 minutes...I hit delete...but nothing works...I checked regedit and I can't find anything relating to scrsvr.exe...I even copied scanregw.exe over again, since I read somewhere that it also gets infected by the virus..but nothing works...
help me please...I haven't been able to work all day...
thanks
+1 | ![]() |
My virus file disappeared after the Norton update and removing the win.ini files, I'm glad!!
But does anyone know what that worm is trying to send through my modem?
+1 | ![]() |
Like most of you reading this thread, I have noticed that all of the above posts have something in common: Norton.
I do not use Norton, nor do I have the virus, but I would approach it as follows:
1. If you are on a Network disconnect from any Network temporarily. (If not proceed to step #2)
a. Right-click the Network Neighborhood icon on the Windows desktop.
b. Click Properties.
c. Click the Configuration tab.
d. Click Client for Microsoft Networks.
e. Click File and Print Sharing.
f. Uncheck both boxes, and then click OK.
g. Restart the computer for the changes to take effect.
2. Run the fix in the link that was provided by Norm in response #3.
3. Edit the Win.ini file using the procedure in response #6.
4. Check the registry entries in response #19 and delete any with
"ScrSvr %windir%\ScrSvr.exe" or
"ScrSvrOld [original worm name]".
To enter the registry click on Start and Run.
Type regedit and click on OK.
**It is always a good idea to back up your registry before making any changes and to know how to restore a previous registry if you have problems. See the notes below.
5. Delete the file C:\Windows\Scrsvr.exe
6. Restart the computer.
Notes:
Back up your current registry settings:
Go to Start and Run. Type scanregw and click on OK. It will ask if you want to back up again today. Say yes.
How to restore a backed up registry:
Boot up using a Win98 bootdisk.
At the A:\> prompt type scanreg /restore [Enter]
You will see a screen with some dates.
Choose the registry you made earlier today and let it boot up. This will install the previous registry back.
HTH
Good Day!
Mesich
+1 | ![]() |
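The checks from responses #6, #19 and #25 can be run read-only against a copy of win.ini and a REGEDIT4 export of the registry before anything is deleted. The following is an added example, not code from any poster or from a vendor tool; the sample file contents are constructed, and the function names are hypothetical.

```python
import re

# Indicators named in this thread: the worm's file name, the c:\tmp.ini entry
# on the win.ini run= line, and the ScrSvr / ScrSvrOld registry value names.
SUSPECT_FILES = {"scrsvr.exe", "tmp.ini"}
SUSPECT_VALUE_NAMES = {"scrsvr", "scrsvrold"}
# Startup keys listed in response #19, relative to ...\CurrentVersion\
STARTUP_SUBKEYS = {"run", "run-", "runonce", "runonce-",
                   "runservices", "runservices-"}
KEY_PREFIX = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_win_ini(text):
    """List every program on the [windows] run=/load= lines as
    (setting, entry, suspicious) so unknown entries are visible too."""
    results, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        setting, _, value = line.partition("=")
        setting = setting.strip().lower()
        if setting not in ("run", "load"):
            continue
        # Entries on these lines are separated by commas or spaces.
        for entry in re.split(r"[,\s]+", value):
            if entry:
                results.append((setting, entry, _basename(entry) in SUSPECT_FILES))
    return results


def audit_reg_export(text):
    """Return (subkey, value_name, data) for values under the startup keys
    of a REGEDIT4 export that match the thread's indicators."""
    findings, subkey = [], None
    value_re = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            rel = key[len(KEY_PREFIX):] if key.lower().startswith(KEY_PREFIX) else ""
            subkey = rel if rel.lower() in STARTUP_SUBKEYS else None
            continue
        m = value_re.match(line)
        if subkey is None or not m:
            continue
        # Export files escape backslashes and quotes with a backslash.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if name.lower() in SUSPECT_VALUE_NAMES or "scrsvr.exe" in data.lower():
            findings.append((subkey, name, data))
    return findings


# Constructed sample inputs (not taken from a real machine).
SAMPLE_WIN_INI = r"""
[windows]
load=
run=QTXEOMC.EXE,,,,c:\windows\scrsvr.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"ScrSvr"="C:\\WINDOWS\\ScrSvr.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-]
"ScrSvrOld"="C:\\WINDOWS\\QTXEOMC.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ScrSvr"="unrelated key, not a startup location"
"""

if __name__ == "__main__":
    for row in audit_win_ini(SAMPLE_WIN_INI):
        print("win.ini ", row)
    for row in audit_reg_export(SAMPLE_REG):
        print("registry", row)
```

Entries that are listed but not flagged, such as the random-looking name ahead of scrsvr.exe on the run= line, still need a manual look.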
We found a bymer.scanner in the registry and an illegal Dnetc program registered to bymer@ukrpost.net
Further, we found a non-removable Wnad.exe in the Windows dir, which was our virus. We removed it in DOS mode but Norton still comes up with problems.
That's what we have found so far; still hassling with it.
+1 | ![]() |
Mesich
what problem u think i have??
I formated the Hard disk!!!
r u sure if i quit sharing files, then running the tool, i can get rid of the virus???
and if that is the case, i can back and share files, printer and Internet????
+1 | ![]() |
Hi Carlos,
Try and do as stated in response #25.
Leave it disconnected from the network and see if you still get the error.
If you do not, then there are some files that Norton isn't seeing on the remote computers.
If you still receive the message..WOW!..Post Back.
Actually post back either way.
Mesich
+1 | ![]() |
Mesich
Actually yes
I disconnected my computer from the others.. and the warning is still there.
The problem is that the computer is the server; all the other computers have internet cuz of the server, and every time the warning appears, the other computers stop surfing.
I repeat... I formatted the HD, then I connected the comp to the others and the warning came back.. how?? I don't know!!! And the other comps don't have any warning at all.
I checked them one by one and none of them has problems in regedit, and the tool says that none is infected...Help me!
+1 | ![]() |
We followed #25 and surprisingly we SAW the sscrsvr.exe in the Windows dir. After removal of all lines in the ini's etc. we shut down and removed the scr-file at DOS prompt level to make sure it was gone !!
Here's the surprise, it's still there !!!
After a reboot it looked like it was gone, but after a little while there came the Norton message again.
Somehow I think it is remotely infected,
because after we connected back to the net it appeared again. Somehow it looks like it was reporting itself back to the infector.
I'm not saying it is, but where does it get it from otherwise? It's so weird that you almost can't get rid of it !!
That's our update and thoughts so far. Anyone else any new ideas?
+1 | ![]() |
Problem,
I completely agree with you that it is somehow remotely connected. It is a rather new virus and I am currently at a loss.
This post however is old enough that other regulars at Computing.net will not see it.
I am going to create a new post referring everyone to here so all the information given so far can be provided.
Hang tight as more help will be on the way!
P.S.
I have not given up on this myself either. :)
Mesich
+1 | ![]() |
Carlos,
Hang out, Computing.net works best when everyone acts like a TEAM.
None of us have all the answers, especially with something as a known new virus!
I wanted to ask some others to participate as their knowledge in certain areas by far supersedes mine. :)
Mesich
+1 | ![]() |
I have started a NEW POST HERE
I requested all responses to go here to better review all of your previous responses.
Please continue to resolve your issues from here and not the newer post linking to here.
Take Care All,
Mesich
+1 | ![]() |
Hi Mesich, hi everyone,
You are again doing a wonderful job Mesich!
I just read very quickly all of the posts above...
This is truly a vicious virus!
If the virus keeps coming, that means we eradicated only the consequences and not the cause of that malware!
Below is the address of a page that lists 8 clues to get rid of a program launched at startup (first clues are rather mild). As Mesich wrote it, check your Registry! (be careful)
Automatic Launch of Programs at Startup
I remind you the page is written in American on left hand!
Hope This Helps,
Gérard from Paris, France
+1 | ![]() |
Hi everyone,
I could see Mesich's thread for help.
I asked members of a French forum to come and try to help here... it's 1:59a here in Paris!
Good luck,
Gérard from Paris, France
+1 | ![]() |
There's a long thread going in the Security & Virus forum about this worm. It looks like the solution hasn't yet been found, but a couple of things that have been tried seem to put this virus into "remission".
After going thru the recommended procedures & deleting scrsvr.exe, several people have created (using notepad) a junk file named scrsvr.txt, renamed it scrsvr.exe, & inserted it into the C:\Windows folder.
Some have also reported (limited) success by renaming the shared drive C to something else. That is, renaming the share, not the actual drive.
Here's a link to the post in the other forum:
HTH
Dave
+1 | ![]() |
Hi all,
The French message board of CCM reported a virus alert some days ago (from the www.SecUser.com web site)!
Here is a thread on the subject: Virus alert on CCM (French)
Here are some links to a French specialist against virus fight:
Opaserv Alert on SecUser
Online Antivirus
Disinfection on SecUser
It seems this virus is like Nimda, able to very easily spread through the network... disconnect your computer till total disinfection.
HTH
Good luck,
Gérard from Paris, France
+1 | ![]() |
Bonjour to all,
We have been made aware in France of two "new" very bad viruses, and "Frenchie" (Gerard Melone) just gave us the link to this post.
Apparently these viruses will spread in Europe with the classic delay and because a lot of people and companies use Norton AV.
If it can be of some help (excuse me, no time to (badly) translate), find below some warnings and practical ways to prevent contamination which we try to spread among all users in France:
--------------------------
2 virus alerts to know about
Added by ofournier.cbd 2002-10-02 08:43:56 (GMT+1)
Hello everyone. Secusers warns of 2 recent viruses:
~~~~~~~~~~~~~~~
Opaserv is a virus that spreads via shared folders. It copies itself
into the Windows directory under the name SCRSVR.exe, then modifies the
registry so that it is executed at every system startup. Opaserv tries
to spread to the other computers on the network by copying itself into
folders left openly shared. Finally, it tries to access a remote URL
to update itself, but the site appears to have been shut down.
http://www.secuser.com/alertes/2002/opaserv.htm
~~~~~~~~~~~~~~~
2. SYSTEM(S) CONCERNED
~~~~~~~~~~~~~~~
Windows 95
Windows 98
Windows Me
~~~~~~~~~~~~~
3. PREVENTION
Affected users should update their antivirus. It is also
advisable to stop sharing folders unnecessarily and to
password-protect the others in order to prevent any spread.
4. DISINFECTION
~~~~~~~~~~~~~
If a local network is contaminated, the infected computers must
be disconnected from the network to stop the worm from spreading, and
reconnected only once all contaminated computers have been disinfected.
AUTOMATIC DISINFECTION
Users who do not have an antivirus can use the online antivirus free of
charge to find and remove the virus.
http://www.secuser.com/outils/antivirus.htm
MANUAL DISINFECTION
See the full advisory
http://www.secuser.com/alertes/2002/opaserv.htm#Desinfection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bugbear is a virus that spreads by email and via shared folders.
It arrives as a message with no body and a random
subject. If the attached file is executed, the virus copies itself into the
Windows directory under a random name and installs a "keylogger"-type
trojan that spies on keystrokes. Finally, Bugbear is able
to disable the most popular antivirus programs and personal firewalls.
http://www.secuser.com/alertes/2002/bugbear.htm
~~~~~~~~~~~~~~~
2. SYSTEM(S) AFFECTED
Windows 95
Windows 98
Windows Me
Windows NT
Windows 2000
Windows XP
~~~~~~~~~~~~~
3. PREVENTION
Affected users should update their antivirus. If in
doubt, Internet Explorer users should also update
their browser via the Microsoft site or the WindowsUpdate service to
fix the flaw exploited by the virus to run automatically
(MS01-020).
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
http://www.secuser.com/outils/index.htm#windowsupdate
~~~~~~~~~~~~~
4. DISINFECTION
Users who do not have an antivirus can use the online antivirus free of
charge to find and remove the virus.
http://www.secuser.com/outils/antivirus.htm
So be careful ...
Olivier Fournier
+1 | ![]() |
I, like everyone else, have been pained by this latest virus. I did all of the above, removing the run= line from the win.ini file. I also changed my C drive to "not shared" and, believe it or not, I have "not" had the warning come back, and this has now been over 10 hours. I am using Windows 98 SE. I went to Norton, downloaded the removal tool, then deleted the run line from the registry, then changed the C drive to not sharing and, touch wood, it has worked so far. I am open to any other suggestions. Good Luck. Rob
+1 | ![]() |
Are Norton aware that their tool does not fix the problem, in that the virus seems to comeback after their "removal" tool has been used? It's difficult to get any info from their website. Surely they must know by now and should post a message saying that they are looking into it etc.
Am
+1 | ![]() |
If it helps, I found in
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Doc Find SPEC MRU" parts of all the names in #15. I deleted them and still wait to see what happens
+1 | ![]() |
My Win98 PC is not attached to a network, but it does have dial-up modem access to an ISP.
I have manually deleted the virus from C:\Windows and Win.ini Run= and my system is fine. BUT then when I connect to the internet the modem lights start flashing on their own and the bytes received goes up, and after a few minutes Norton reports that ScrSvr.exe has reappeared in C:\Windows!
Since reading the posts on this web (last 10 mins) it has been deleted by norton and reinstalled 3 times!
I have also run the mini Norton fix it program after I manually deleted the virus and it reports that the virus is not found on my PC. But then it always reappears when I connect to the net.
So I think A) There is some other, as yet unidentified, process running which constantly downloads the virus when you are connected to the internet or worse B) A web-site somewhere has my IP address and downloads it to me whenever it detects I am online!!! Freeserve is my ISP.
Note that my C: Drive is shared because I am a developer and I am working on a Client/Server program that I can test on a single PC. This is obviously how the virus gets in. I have no doubt that if I unshare the drive or put a password on it the virus will not be able to install, but this is NOT a solution for me as the drive must be fully shared.
One post I read that seemed a good idea said that you could try to make a text file called scrsvr.txt and rename it to .exe so that the virus can't install itself. I haven't tried this yet, but if I had made the virus I would make it say "oh, there is another file here which is not me, so kill it and reinstall myself." or it could simply overwrite the file as a matter of course even if it was read only.
Hope someone solves this virus problem as it is a real pain!
Jake
+1 | ![]() |
I made a text file containing junk and renamed it scrsrv.exe (in C:\windows) and then made it read only.
I have been connected to the internet for 30 mins and the file has not been replaced by the 28k virus yet and Norton hasn't bleated yet either.
Could this be a workaround? I know it is not ideal but at least it seems to stop it from installing. I'll post again if the virus appears again and this workaround is in fact invalid.
In response to post 45 re: removing all cookies from IE. Is this likely to have any detrimental effect on various web-sites that I visit or will I simply have to reenter logon info and address info again etc? By the way, how can a cookie download a virus from the internet if you are not on the relevant site? Or can IE assign a default cookie or script or something?
wish me luck
Jake
+1 | ![]() |
In regard to #45 it came back!!
Ive done the format and all good so far! I haven't connected the computer back on the LAN yet.
I also haven't put on Norton yet as I am sceptical. It appears that only ppl with Norton seem to have the problem. Let me know if I'm wrong.
Well, I'll put Norton back on when this has been sorted out
+1 | ![]() |
I hate to break the news, but it is not isolated to people running Norton. I have McAfee on my machine and picked up the virus several days ago. I, too, have been having the same problems as everyone else and can't get rid of it.
I have my machine acting as a server for internet connection only and also have my files shared. Perhaps this is targeted at servers?
Just a thought.
Steve
+1 | ![]() |
Sorry I don't have any answers to this issue, but it has been causing me the same problems since 30 SEP 02.
Some people have pointed out the following WRT this virus/worm and Norton:
Systems w/ Norton seem to be particularly troubled with this recurring problem, even (or particularly) after running the Norton Removal Tool. And Norton posts no indication on their site that they are aware of the recurrence problem. And it is nearly impossible to communicate w/ Norton except in the context of a paid support call.
If you look at the info on the Norton site regarding the BugBear worm, part of what that does is detect numerous AV and firewall programs (including Norton's) and disable them. Could there also be something written into the opaserv.worm that is targeting Norton? We perceive the problem as the virus recurring because the internet connection is alive, or because the C drive is shared, etc., but another common thread seems to be having Norton AV running....
This line of thought is NOT a suggestion to dismantle your virus protection. However, it would be good to take a head-count to see if there is anyone who has the opaserv.worm who DOES NOT have Norton installed but DOES have some other anti-virus program running.
+1 | ![]() |
Bonsoir, just a look to this post for fresh news.
If it could be useful, I have not seen the names of the two viruses "opaserv" and "bugbear" on the lists of signatures of "F-PROT for DOS" (Icelandic) and "ANTIVIR/9X personal" (German) updated these last days.
But sorry, I have not tried to check if the two viruses are really recognized or not by these excellent AV ! I suspect they are not yet included.
So we shall see in the next updates around october 8-10 ...
+1 | ![]() |
We have about 20 computers in our network.
Somehow two of them got the Opaserv (Scrsvr.exe).
The thing is that these two computers have the "Zone Alarm" firewall, updated Norton Antivirus 2002, which is always ON, and a read/write share with a 1 character password.
My guess is that Opaserv has an internal algorithm to break the share password.
That's how it got from the first computer to the second one, but I have no idea how the worm sneaked into our system in the first place,
cuz Zone Alarm should not give outside access to the computer even if I have an open share.
The only reasonable explanation I see is if the first computer got the infection before 30 September (before Norton had made an update for it) through email. But again, it is said that it spreads itself only through sharing. So I am confused.
Another possibility is that when Windows boots, Zone Alarm has several seconds' delay before it is UP; that is the time when the computer is not protected from the outside world, but again it had 1 character password protection?
It's time for me to get rid of the worm now.
First I am going to disable read/write sharing on all Windows machines and leave only READ share (with password) on all these Windows computers in our network. We are using a Novell Server,
so the Windows sharing is not important for us; it was just convenient, that's it.
The computers which are OFF right now, I am going to unplug (physically) from the network, boot, then disable read/write share.
When share for READ/WRITE is DISABLED on all computers (except the Novell Server) the WORM will not have a chance to move inside our network from one Windows computer to another.
Then I will run the Norton Antivirus Fix on each of the Windows computers.
Then I will search for scrsvr.exe on the C: drive, in win.ini and in the registry.
Then after boot I will run a Norton Antivirus Scan,
to make sure it is gone on each computer.
Actually I think Response 25 of this board should work more reliably than my method, so I suggest everybody stick with it. Wish me luck!
+1 | ![]() |
Re. #49. I don't have Norton - I use AVG and Zone Alarm. AVG picked up MSVXD but not SCRSVR. However as soon as it popped up on my computer at boot up I was suspicious, and spoke to several people 'in the know' who assured me it wasn't a problem! I have just updated AVG (I do so regularily) and it's now picked it up. So it is obviously becoming known. Just hope I get rid of it though.
+1 | ![]() |
You know what. I've changed my mind. (Message 51)
I have decided to turn off the Network Sharing, as suggested in Response 25, rather than making the computers just read-only sharing. I have 20 computers and I just do not want to do it twice. :-)
I am doing that because if the virus is active then it should not be a problem for it to enable the read/write share again after I have disabled it. If I uninstall the sharing capabilities, then it should be much harder for the virus to reinstall them.
+1 | ![]() |
Hi all,
I have read every response to date. All seem to have the same problem...as do I. It keeps reappearing. I noticed that it only comes back after connecting to the internet. As I was reading these responses, it came back. Let me add my 2 cents worth. I think the virus may also be on our ISP's. Once we contract the virus (from some web site), we spread it to our own ISP's if it isn't already there. Only a thought. In the meantime, I will keep deleting the scrnsvr.exe file and the references to it within my win.ini file and deleting the registry items referring to it. I also check the system.ini file to see if it ever lodges in there.
I believe this virus has become vicious enough for the anti-virus people to give it a higher priority in their research. Somehow this has got to be cured.
All advice above is greatly appreciated. I'll keep checking back here to see if the cure is found.
PS. I did have Norton A/V and uninstalled it a couple of months ago. I now use AVG by Grisoft. But I still got the virus. I don't think it is just Norton A/V related.
PPS. Good luck Phil (#51)
+1 | ![]() |
I think I found the root of the infection. We had one computer which worked as the Fax Server, and we completely forgot about it, so no "Zone Alarm" firewall was installed there, no "Norton Antivirus" there - nothing. And it was shared for read/write with a 1 character password. And it has its own public IP.
+1 | ![]() |
I'm sure that compared to many of you all, I know very little about these matters. However, has anyone noticed a link with the W32Kriz virus? I ask this because I was away from my computer for at least a week and, when I returned, I went on the Web. Very soon I received a notification that my Nort needed updating (since I had been away). I simply OK'd it with the intention of updating later. Within minutes I began having problems, and, as I have learned, checked the System Utility (Startup) and found scrsrv there on two lines. I suspected it was a "virus" and began looking elsewhere. I quickly discovered--I must have scanned the computer with my un-updated Nort--W32Kliz. Here is where I found it: C:\WINDOWS\scrsrv.exe. This put me on to the scrsrv problem. I believe I'm on top of it, but I'm not certain. I hope this is a helpful contribution to the discussion and resolution.
+1 | ![]() |
OK, I'm relieved to hear it's not just a Norton problem ... that would have been very troubling.
In the meantime, since reading this thread, I have done as suggested in #37 and #46: I have created a junk file, named it scrsvr.exe and made it read-only. I also unshared the C drive of this system (I have a 3 system LAN w/ only 2 units presently hooked up, and the share was a one-way deal: Unit 2 could read/write to this one, but not the reverse.) Anytime I am online, I will turn off the share properties for this unit.
I went back online as soon as I did these two things ... that's been about 3 hours ago, and have yet to have an alert from Norton ... usually, I would have a new alert within 10 mins of going online. I will continue this experiment for the rest of the weekend, or until it fails (e.g., I get a new alert....) For now, it seems like a good work-around until a better fix is being offered by the AV companies -- big thanks to those who made the suggestions.
+1 | ![]() |
OK, here's our update:
we did all in #25; it looked fine until we hooked up to the net. It is broadcast from several IPs.
we installed Xnetstat pro 4.0 and found that it's infecting your machine through port 139
so we blocked incoming TCP port 139 (we used winroute because of availability) and voila, it didn't come back again !!
so far so good, but when I repeat #25 and, after all systems have been loaded again, I try to open port 139 again (you may never guess again)
so some kind of firewall to keep port 139 closed from the outside world will keep you safe for a while. Now trying to find the source of this mess; probably the IP numbers are harvested somehow and the virus is broadcast towards port 139 on those IP numbers continuously
the remote IPs and ports are changing all the time so no blocking is possible on IPs
if our machine doesn't seem to have any virus according to our AV software, how does it keep coming in then ????
must say that AV-software suppliers underestimate this one !!!!
+1 | ![]() |
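The port 139 observation in the post above can be checked on any machine from saved `netstat -an` output. This is an added example, not code from the thread or from any tool named in it; the sample output is constructed with documentation addresses, and treating only private ranges as "inside" is an assumption about the LAN.

```python
import ipaddress

NETBIOS_SESSION_PORT = 139  # the port the post above found the file arriving on

# Assumption: the LAN uses private addressing; everything else is "outside".
INSIDE_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _split_endpoint(endpoint):
    """Split 'a.b.c.d:port' into (host, port); port is None if not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def _is_inside(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INSIDE_NETS)


def audit_netstat(text):
    """Report file-sharing exposure visible in `netstat -an` output.

    exposed_listeners: port 139 listening on 0.0.0.0 or a non-LAN address,
                       which includes a dial-up or public interface.
    outside_peers:     (remote_host, state) for sessions to local port 139
                       whose remote end is not on the LAN.
    """
    report = {"exposed_listeners": [], "outside_peers": []}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue  # headers, blank lines and UDP rows
        _, local, foreign, state = fields
        local_host, local_port = _split_endpoint(local)
        remote_host, _ = _split_endpoint(foreign)
        if local_port != NETBIOS_SESSION_PORT:
            continue
        if state == "LISTENING":
            if not _is_inside(local_host):
                report["exposed_listeners"].append(local)
        elif not _is_inside(remote_host):
            report["outside_peers"].append((remote_host, state))
    return report


# Constructed sample; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        192.168.0.5:1045       ESTABLISHED
  TCP    198.51.100.20:139      203.0.113.77:3312      ESTABLISHED
  TCP    198.51.100.20:1032     203.0.113.9:80         ESTABLISHED
  UDP    192.168.0.1:137        *:*
"""

if __name__ == "__main__":
    result = audit_netstat(SAMPLE_NETSTAT)
    print("Listening beyond the LAN:", result["exposed_listeners"])
    print("Outside hosts connected to port 139:", result["outside_peers"])
```

Any entry under outside_peers means a host beyond the LAN has a session open to the machine's file sharing, which is the case the firewall rule in the post closes off.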
Well, it looks like I might have found a work-around for my system...been working well for several hours now anyway.
To begin with, mine is a two computer network with internet sharing. Furthermore, both computers were setup with completely open sharing. My unit acts as the server and is the only one showing the repeated virus alarm.
First, I went through and physically disconnected the LAN between the two machines.
Second, I then removed all traces of the virus from both machines using SYSEDIT to get the reference in the Win.ini file, REGEDIT to kill any instance of run=, and finally Windows Explorer to remove the tmp.ini file from my root directory.
Third, I modified the sharing of the C: drives in both PCs for free read-only access but a four-letter password protection for full access.
I then reconnected the LAN and rebooted both PCs. I have not had a recurrence of the virus being found since.
I sure hope a cure is found soon, but I will give regular updates on how well or not this works.
Steve
+1 | ![]() |
Further to #37 and my #46 where a read-only text file called scrsvr.exe has been placed in C:\Windows to prevent the virus writing itself there ... this is still working perfectly for me!
My drive is still completely shared with no password but the virus can no longer install itself because of the read-only file. Making your system not shared is a bad solution if the machine needs to be shared, yet so many people seem to be doing this! Just make the read-only file then you can keep all your sharing with no problems.
Reading the posts, this is obviously NOT a Norton only problem. I definitely think now that the virus is being broadcasted to my PC over the internet which is a very sneaky way of installing itself. Maybe the FBI or similar can shut down the sites doing this unless there are way too many. If the sites or infected PCs can't be cleansed then I will have to put up with constantly being sent a virus that luckily I am blocking with a read-only file. This is not really satisfactory.
Just to clarify some other posts I have seen - the virus was reappearing on my PC before I ran the Norton mini fix and it kept reappearing on my PC after running the mini fix. Plus I manually cleaned it out (via DOS boot) of c:\windows, win.ini, registry and root drive (tmp.ini etc) and it kept reappearing!
The only 2 valid fixes seem to be a) make fake read-only scrsvr.exe file in C:\windows or b) unshare or password protect your shared drive. Killing it with virus killers does NOT work as it WILL reappear next time you connect to the internet or a network containing a PC with an internet connection.
Let's hope a real permanent fix can be generated as this is very annoying!
All the best
Jake
+1 | ![]() |
Ok Finale,
the workaround with the read-only scrsvr.exe works fine so far.
we removed the port 139 block again and the thing didn't come back ...
I think I'm completely clean now although I can't figure out why it keeps coming in when I remove the fake scrsvr.exe file
you would think that something in your PC would trigger the download somehow
only the thing is I can't find anything on the system which is actually active doing so
somewhere in this world there are systems polling around the net if the scrsvr file is present and if not they place it in your system.
these systems should be detected right??
so far it cost us two days work and we'll try to live with it for now and wait for a definite fix for this ...
+1 | ![]() |
This is my first post, but I am battling the same issues. I'm no guru so someone else will have to let me know if I found something, but it looks VERY SUSPECT as the potential to the root of this problem. I was going through my registry and noted the following entry:
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run
There is a "StartIE" item with a data value of "C:\Windows\Notepad.exe qazwsx.hsq"
The Solo AntiVirus deleted my Notepad.exe because it said it was infected with a virus. I don't know what qazwsx.hsq is and I couldn't find it on my system, but it fits the profile of running when IE is started (at least it appears that way to my untrained eyes). It is odd though because my Notepad.exe is deleted and I couldn't find the file qazwsx.hsq on my system, yet I still ended up with that blasted ScrSvr.exe back on my system after going out on the net.
Let me know if I'm onto something here or way off base.
+1 | ![]() |
Well, a quick google on the qazwsx.hsq file showed me the light. It was the "QAZ" virus, another one I was apparently attacked by at some point. So back to the drawing board! I'll try the Read Only ScrSvr.exe "fake file" workaround for now.
+1 | ![]() |
I don't know if this is of any importance, but I did just as in post #25, then connected myself to the internet, waited a while and checked if scrsvr.exe came back, but it wasn't there. I ran Norton AV and it said that C:\recycled\dc6.exe was infected by Opaserv. I don't remember deleting a file with that name...
+1 | ![]() |
Hello, be careful!
After reading above, I have tried to search dc6 exe and dc* exe (note: I don't write the .), by Google. In both cases the result is a try to directly download something (?) without any Google page or advertisement.
Also, I have found that there are DC* exe, included DC6 exe, in DesignCAD program.
And I found a CD6 exe to upload on this site (U.K.):
http://downloads.earlsoft.co.uk/browse.php?folder=Graphics
Sorry no time to go further ...
+1 | ![]() |
I am wondering if AOL has something to do with this. I have just found AOL files installed on my system and references to it in the tmp.ini.
I have NEVER used AOL.
+1 | ![]() |
This site: http://www.f-secure.com/v-descs/opasoft.shtml has the best description of Opaserv I've found so far. It also has a tool for disinfection at ftp://ftp.f-secure.com/anti-virus/tools/f-opasrv.zip, but I've not yet tried it (and haven't had problems since creating the read-only file scrsvr.exe on my own)
+1 | ![]() |
I got success with killing the sharing and with the junk scrsvr.exe file as reported in previous responses. I contacted Vet, my anti-virus provider, and they now have new information on how this virus works on their website.
http://www.vet.com.au/html/zoo/local/zoo_descriptions/opaserva.htm
Hope this helps.
+1 | ![]() |
Never mind what I said in post #64, my Norton was weird and that "DC6.exe" was in fact the scrsvr.exe I had deleted. I don't know why Norton gave it another name, but it did it again just now and instead of deleting it, I went to check and it was scrsvr.exe and not DC6.exe like Norton was saying... ¬_¬
+1 | ![]() |
You can get the REMOVAL TOOL at this link.
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html
Tufenuf