I just scanned my PC and found the w32.opaserv.worm virus in my scrsvr.exe file. Norton anti-virus could not repair the file and I had to delete it. Where can I get an uninfected file to replace it with?

Scrsvr.exe is the Virus application of w32.opaserv.worm. You don't need it in your PC!
Although Norton seems to have disinfected the virus, I have seen it still in C:\Win.ini and in C:\Windows\ as ScrSVR.exe and had to manually remove it from the above places and from
You can open Win.ini in Notepad and then look under the [Windows] section.
You will see Run=C:\Windows\Scrsvr.exe
Unless you highlight and delete the whole line following the "Run=" in the Win.ini, at each startup the DOS window will open and ask you for this file. This is what the virus wants you to do. Run it at startup!!!
You can also see the same SCRSVR.exe in the Registry in the Run key (left panel) of the HKLM\Software\.... if you click Run and look inside the right panel:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
When you click the Run key (don't expand it by clicking its +) and check the right panel under Name/Default and Data, you will see under Name: ScrSVR and under Data: "C:\Windows\ScrSVR.exe"
You may use the Norton Wormtool and, in my experience, I still had to do a manual delete!
Read this from the Symantec site about this 2 days old EVIL from the twisted brain of some sociopath.
http://www.symantec.com/avcenter/venc/data/w32.opaserv.worm.html
M

I have spent several days now deleting SCRSVR from the system, the Registry files and the Win.ini, and then a day or two later it is back again. Any ideas what file I need to look for to get rid of this thing permanently?

Go here:-
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp
Go to the Patch availability section.
Click on the Windows 98/98 Second Edition version.
This will allow you to download a patch.
When downloaded, run it.
Re-start your computer as instructed.
Edit your c:\windows\win.ini and remove the line that contains:-
run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe,c:\windows\Brasil.pif
If you know how to, edit your registry using regedit.exe. Use 'find' to locate 'brasil' and remove it.
Do not remove 'brasilia'; this is part of the system.
Re-start your computer.
You should now be OK.
Cheers
Tony

Hello,
You should install the security patch first. Also password protect your C drive share or set the C drive share to read-only access. Then install an antivirus. I am using SOLO Antivirus (www.srnmicro.com); it removed the virus from my system. Also they have provided detailed instructions to protect your computer from re-infection. For more details visit www.srnmicro.com/virusinfo/opaserv.htm
Have a nice day

Check out all the other posts on computing.net about this virus. In the security and virus section, we've been discussing this virus for quite some time. To sum up, no Anti-Virus program will stop this virus from coming back. You have to close down your computer's ports. Details of this can be found on my posts (and other posts) at this article
http://www.computing.net/security/wwwboard/forum/2985.html
Hope this helps. Feel free to email me if you have problems.
Brad Peterson
b_peterson@yahoo.com

I have this virus on a PC at work and can't get rid of it. Worse, I think it has told my version of Norton that it does not need any more updates, and every time I try to download any it tells me they are up to date, yet the same Norton at home tells me there are updates!
Any thoughts?

The reason you get the virus again is that
it is in your swap file.
You can start your PC in DOS with the F8 key,
then go to c:\windows ( cd windows ),
then delete these files:
alevir.exe
brasil.pif
marco!.scr
scrsvr.exe
*.swp
-----------
and now reboot the PC and check your win.ini
for this run=

I've seen that the virus is "listening" on port 139. After launching EXPLORER it begins to work. But I've also seen that if I use NETSCAPE it doesn't work (port 139 is always listening).

First, sorry for my English, I'm French.
Secondly, I'll speak about the version of Opaserv I have seen in my neighbourhood. Many variants exist.
Opaserv uses a bug in Win9X/ME to pass through the Internet and get to any shares it can find on any Windows 9X or Millennium Edition to infect them.
If you have a shared directory it's probably because you access a LAN, so Opaserv will use those shares on any other Win9X/ME on your LAN to infect them from your first infected computer.
HOW To DISINFECT OPASERV By Hand
Step 0)
-------
Go and get the Microsoft patch and install it unless you want Opaserv getting back.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp

Step 1)
-------
Opaserv installs 2 programs to infect your computer, which are brasil.pif and scrsvr.exe.
Each one may reinstall the other if the other is not there at boot time.
They are installed in the windir directory, which is usually the c:\windows directory.
In my case
scrsvr.exe has a size of 28Kb.
brasil.pif has a size of 24Kb.
If you want to kill them without an antivirus then you must have a utility to kill them running in memory.
You have to do that because the task manager (ctrl-alt-del) doesn't show them and you can't simply destroy those files because they are locked by Windows, as are any files used by a running process.
A marvelous utility to do that (and also if you want to see those processes running in the back) is Process Explorer written by Mark Russinovich (a Windows guru) at www.sysinternals.com. Process Explorer not only gives you the ability to view the process tree but also to kill those naughty processes.
After that you can delete those files from your system directory (usually c:\windows) (wahoooo).
You can also, of course, boot from a DOS diskette, go into the c:\windows directory
with the command CD c:\Windows
and delete those files with the commands
DEL brasil.pif
DEL scrsvr.exe

Step 2)
-------
After having destroyed those files
you have to edit Win.ini;
for that, find it and use a text editor like Notepad.
Under the section [Windows]
Opaserv should have written
run=c:\windows\scrsvr.exe,c:\windows\brasil.pif
You have to transform this line into run=

Step 3)
-------
Next, execute regedit
(you know, the program you shouldn't use because it's too dangerous for the average user).
In the registry under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
you will find the key
Brasil with the value "C:\WINDOWS\Brasil.Pif"
and the key
ScrSvr with the value "C:\WINDOWS\ScrSvr.exe"
You have to suppress those keys
and be careful, you are using regedit ;-)
Reboot and observe if it is back. In my case it wasn't.

What Opaserv is doing
---------------------
It will try to access the Internet to infect any other computer it can find.
Opaserv uses a big share of your network resources.
If you want to see it working, take NeoMonitor; it will show Opaserv doing NetBIOS connections to anywhere in the world. http://www.nycsoftware.com/neomonitor/
If you haven't NeoMonitor, use NetStat, which is a standard command-line tool:
Start menu / Execute and
command /K netstat|more and you should see something like this
(Sorry but my computer is in French)
C:\Windows\Bureau>netstat |more
Connexions actives
Proto Adresse locale Adresse distante État
TCP Zoulou98:2145 SpeedTouch.Amerique:80 SYN_SENT
TCP Zoulou98:2082 MASSAIXP:nbsession TIME_WAIT
TCP Zoulou98:1840 218-160-109-229.HINET-IP.hinet.net:nbsession TIME_WAIT
TCP Zoulou98:1886 218-160-108-204.HINET-IP.hinet.net:nbsession TIME_WAIT
TCP Zoulou98:1891 218-160-108-223.HINET-IP.hinet.net:nbsession TIME_WAIT
TCP Zoulou98:1892 218-160-108-224.HINET-IP.hinet.net:nbsession TIME_WAIT
TCP Zoulou98:1894 218-160-108-226.HINET-IP.hinet.net:nbsession TIME_WAIT
TCP Zoulou98:1896 218-160-108-230.HINET-IP.hinet.net:nbsession TIME_WAIT
TCP Zoulou98:1901 218-160-108-248.HINET-IP.hinet.net:nbsession TIME_WAIT
TCP Zoulou98:1903 218-160-108-251.HINET-IP.hinet.net:nbsession TIME_WAIT
TCP Zoulou98:1924 extra.global-ip.net:nbsession TIME_WAIT
C:\Windows\Bureau>
Sorry for the line wrapping, but as you can see Opaserv makes a lot of nbsession connections (Windows networking sessions) to infect non-protected computers anywhere in the world.
What is important to notice is
1) that the password you provide IS NOT a protection until you have run the Microsoft patch
2) Your computer is right now infecting other computers on the Internet
3) In my case Windows Update showed my computer as updated, so CAN WE BE CONFIDENT in Windows Update anymore !!!
Conclusions
-----------
1) Install a good antivirus like Norton, Panda ...
2) Install a good firewall like ZoneAlarm..
3) Get a net monitor tool just to see what's happening behind your back and know what the legal processes on your machine are
4) Subscribe to the Microsoft mailing list about security and don't be too confident in Windows Update
TheCric
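
The win.ini clean-up described in Tony's post and in Step 2 above can be checked mechanically. The following is an added example, not code from any poster in this thread: it scans the [windows] section of a win.ini body for run=/load= entries whose file name is one of those named in the thread and removes only those entries. The function name and the sample content are assumptions made for the illustration.

```python
import ntpath

# File names the posters in this thread report finding in C:\Windows.
WORM_FILES = {"scrsvr.exe", "brasil.pif", "alevir.exe", "marco!.scr"}
AUTORUN_KEYS = {"run", "load"}  # [windows] keys that Windows 9x starts at boot

def clean_win_ini(text):
    """Return (cleaned_text, removed_entries) for the contents of a win.ini."""
    section, out, removed = "", [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        key, sep, value = stripped.partition("=")
        if sep and section == "windows" and key.strip().lower() in AUTORUN_KEYS:
            keep, dropped = [], []
            for entry in (e.strip() for e in value.split(",")):
                if not entry:
                    continue
                # Match the exact base name, so "brasilia" never matches "brasil".
                name = ntpath.basename(entry.strip('"')).lower()
                (dropped if name in WORM_FILES else keep).append(entry)
            if dropped:  # rewrite only lines that change; others stay as they were
                removed += dropped
                line = key.strip() + "=" + ",".join(keep)
        out.append(line)
    return "\n".join(out) + "\n", removed

# Constructed sample, not taken from a real machine.
SAMPLE = "\n".join([
    "[windows]",
    "load=",
    r"run=c:\windows\scrsvr.exe,C:\TOOLS\BRASILIA.EXE,c:\windows\Brasil.pif",
    "NullPort=None",
    "[Desktop]",
    "Wallpaper=(None)",
]) + "\n"

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE)
    print("removed:", removed)
    print(cleaned, end="")
```

Entries outside the [windows] section are left alone, and the matching is case-insensitive because the thread shows the same paths in both upper and lower case.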

follow up of my last post...
Of course what is said above about Windows caching is also valid.
So it would be better to delete the swapfile (maybe..)
In my case It wasn't needed but the Microsoft patch is MANDATORY
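
The netstat listing in TheCric's post shows the pattern to look for: many outbound connections from ephemeral local ports to the nbsession port on unrelated remote hosts. The following is an added example, not part of any poster's message, that counts distinct outbound NetBIOS session peers in netstat text; the function name, the threshold and the sample rows (documentation addresses) are assumptions.

```python
import re
from collections import Counter

NETBIOS = {"nbsession", "139"}  # netstat shows the service name or the number
ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$", re.I)

def netbios_fanout(netstat_text, threshold=5):
    """Summarise outbound NetBIOS session attempts seen in netstat output.

    threshold is an assumed cut-off for "too many distinct peers".
    """
    peers, states = set(), Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column headers in any language, prompt
        _lhost, lport, rhost, rport, state = m.groups()
        # Outbound: the remote end is the NetBIOS session port and the
        # local end is an ephemeral port (inbound file sharing is the reverse).
        if rport.lower() in NETBIOS and lport.lower() not in NETBIOS:
            peers.add(rhost.lower())
            states[state.upper()] += 1
    return {"peers": sorted(peers), "states": dict(states),
            "suspicious": len(peers) >= threshold}

# Constructed sample in the layout of the listing in the thread.
SAMPLE = """\
Active Connections
  Proto  Local Address   Foreign Address          State
  TCP    PC98:2145       www.example.com:80       SYN_SENT
  TCP    PC98:nbsession  LANPC2:1044              ESTABLISHED
  TCP    PC98:2082       FILESRV:nbsession        TIME_WAIT
  TCP    PC98:1840       192.0.2.17:nbsession     TIME_WAIT
  TCP    PC98:1886       192.0.2.18:139           SYN_SENT
  TCP    PC98:1891       198.51.100.4:nbsession   TIME_WAIT
  TCP    PC98:1892       198.51.100.5:nbsession   TIME_WAIT
  TCP    PC98:1894       203.0.113.9:nbsession    TIME_WAIT
"""

if __name__ == "__main__":
    print(netbios_fanout(SAMPLE))
```

Because only the TCP rows are parsed, the French column headers in the original listing do not affect the result.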

This post contains the full fix for the Opaserv worm. It explains in detail how it works, and 3 methods you can use to stop it.
http://www.computing.net/security/wwwboard/forum/3289.html
Brad Peterson
b_peterson@yahoo.com
Feel free to email me if you need any help removing this virus.
