W32 Opaserv.worm a/k/a Opasoft.A Worm 

Gil,

I think you're in the right direction.

First, I would try booting into safe mode and then modifying your win.ini
file. I suspect that the virus is in memory and protecting itself. Hopefully
in safe mode, this won't happen.

Second, I would do a search of your whole registry for scrsvr (also in safe
mode). It might be hiding in a different key.

Let us know how that goes....

--
--
Matthew Braverman, Microsoft

Please do not send email directly to this alias.  This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.


Quote:



> > 1) did you empty your trash?
> > 2) delete all temp internet files (including offline content)
> > 3) delete all files in c:\windows\temp (include any folders)
> > 4) start run MSCONFIG  go to startup tab and see if there is any reference to
> > scrsvr.exe, if so uncheck it
> > 5) do a file find for *.dat files on your c:\  root directory

>     Thanks for the reply.
>     Yes to 1, 2 and 3.
>     Regarding 4, I've unchecked scrsvr.exe a dozen times and deleted it from
> my win.ini folder as well. Keeps coming back though.
>     Regarding 5, I've searched for scrsin.dat and scrout.dat repeatedly as
> per Norton's instructions, but I've never found either and 'show all files'
> is checked. I don't know what else to look for.

> Gil Theissen



Tue, 22 Mar 2005 06:18:43 GMT  
 W32 Opaserv.worm a/k/a Opasoft.A Worm
Matthew,
I have had the same problem on our machines, which are
networked using W98SE.  It's a network virus, looks for
accessible shared files.  The thing that finally slowed
this worm down was password protecting shared files, which
was suggested by one of the McAfee techs after I tried
everything else that they had suggested (the Safe Mode
things you had listed).  I don't believe that this has
totally rid the machines of the virus, but it has kept it
from putting the ScrSvr file and its associated win.ini
and Registry entries back for now.  I hope that the
antivirus people figure out the root cause for this soon
so that it can be eradicated.

Quote:
>-----Original Message-----
>Gil,

>I think you're in the right direction.

>First, I would try booting into safe mode and then modifying your win.ini
>file. I suspect that the virus is in memory and protecting itself. Hopefully
>in safe mode, this won't happen.

>Second, I would do a search of your whole registry for scrsvr (also in safe
>mode). It might be hiding in a different key.

>Let us know how that goes....

>--
>--
>Matthew Braverman, Microsoft

>Please do not send email directly to this alias.  This is my online account
>name for newsgroup participation only.

>This posting is provided "AS IS" with no warranties, and confers no rights.

>> > 1) did you empty your trash?
>> > 2) delete all temp internet files (including offline content)
>> > 3) delete all files in c:\windows\temp (include any folders)
>> > 4) start run MSCONFIG  go to startup tab and see if there is any reference to
>> > scrsvr.exe, if so uncheck it
>> > 5) do a file find for *.dat files on your c:\  root directory

>>     Thanks for the reply.
>>     Yes to 1, 2 and 3.
>>     Regarding 4, I've unchecked scrsvr.exe a dozen times and deleted it from
>> my win.ini folder as well. Keeps coming back though.
>>     Regarding 5, I've searched for scrsin.dat and scrout.dat repeatedly as
>> per Norton's instructions, but I've never found either and 'show all files'
>> is checked. I don't know what else to look for.

>> Gil Theissen

>.



Wed, 23 Mar 2005 23:52:21 GMT  
 W32 Opaserv.worm a/k/a Opasoft.A Worm
I too, ended up slapping a password on all my shared pc's. I also edited
scrsvr.exe into a zero length file and made it read only. That was two days
ago and so far I haven't had any more alerts and no more mysterious entries
in my win.ini or my registry. I don't know if I killed it or I'm just
fooling it but whatever it is, it works for me.

Gil Theissen


Thu, 24 Mar 2005 06:40:20 GMT  
 W32 Opaserv.worm a/k/a Opasoft.A Worm


Fri, 19 Jun 1992 00:00:00 GMT  
 W32 Opaserv.worm a/k/a Opasoft.A Worm
Rose,

Technically restarting into DOS and safe-mode are two very different
features. However, they should achieve the same purpose: scanning your
system before the virus is activated.
--
--
Matthew Braverman, Microsoft

Please do not send email directly to this alias.  This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Quote:


> First, I would try booting into safe mode and then modifying your win.ini
> file. I suspect that the virus is in memory and protecting itself

> My suspicions were in the same theme. The http://www.gristoft.com (AVG anti
> virus) actually recommends going into safe mode and using the DOS version of
> their virus checker and remover.
> It's not SO easy to catch the exact moment to push F8 and get into the safe
> mode menu choice just at boot up. One has to be 'on the mark'
> I used 'restart in Dos mode in Win98' and the AVG checked all files in the
> DOS format and deleted the one scrsvr.exe file.
> BUT in my WinXP  the shut down button does not have that menu on my machine
> although the help files indicate it should be a choice.
> I installed the Zone Alarm firewall before the WinXP ever connected to the
> Internet which has been successful but the other two Win98 machines have
> been plagued with this scrsvr.exe thing since 9/28/02 and of course I had
> just set up a home network. If they are connected to the internet it
> reappears. The firewalled WinXP appears to be safe.
> I wondered if restart in DOS or at command prompt is the same as going to
> safe mode at boot up?
> Rose



Tue, 29 Mar 2005 05:17:49 GMT  
 W32 Opaserv.worm a/k/a Opasoft.A Worm


Fri, 19 Jun 1992 00:00:00 GMT  
 W32 Opaserv.worm a/k/a Opasoft.A Worm

Quote:

> I too, ended up slapping a password on all my shared pc's. I also edited
> scrsvr.exe into a zero length file and made it read only. That was two days
> ago and so far I haven't had any more alerts and no more mysterious entries
> in my win.ini or my registry. I don't know if I killed it or I'm just
> fooling it but whatever it is, it works for me.
>
> Gil Theissen

Yes, this seems to work. Also for me. Not killed but fooled.
Pet


Tue, 29 Mar 2005 05:34:26 GMT  
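
Added example (not part of the original thread and not any poster's code): a small check for the win.ini entries the posters keep finding, useful for confirming whether the entry has come back after cleanup. It assumes the entry sits in the run= or load= key of the [windows] section (the auto-start keys on Windows 9x) and that programs on those lines are separated by spaces or commas; the function name and the sample file are constructed for illustration.

```python
import re

AUTOSTART_KEYS = {"run", "load"}  # [windows] keys that Windows 9x executes at startup


def audit_win_ini(text, needle="scrsvr"):
    """Return (findings, cleaned_text) for auto-start entries naming `needle`."""
    findings, out, section = [], [], ""
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        header = re.fullmatch(r"\[(.+)\]", stripped)
        if header:
            section = header.group(1).lower()
        key, sep, value = stripped.partition("=")
        if (section == "windows" and sep and not stripped.startswith(";")
                and key.strip().lower() in AUTOSTART_KEYS):
            # Assumption: entries are 8.3-style paths, so spaces/commas separate programs.
            programs = [p for p in re.split(r"[ ,]+", value.strip()) if p]
            bad = [p for p in programs if needle.lower() in p.lower()]
            if bad:
                findings.extend((lineno, key.strip().lower(), p) for p in bad)
                # Drop only the suspect program; keep legitimate ones on the same line.
                keep = [p for p in programs if p not in bad]
                line = f"{key.strip()}={' '.join(keep)}"
        out.append(line)
    return findings, "\r\n".join(out) + "\r\n"


# Constructed sample, not taken from an infected machine.
SAMPLE = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\TOOLS\\TRAY.EXE c:\\windows\\scrsvr.exe\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "run=scrsvr.exe\r\n"  # ignored: run= is only an auto-start key inside [windows]
)

if __name__ == "__main__":
    hits, cleaned = audit_win_ini(SAMPLE)
    for lineno, key, program in hits:
        print(f"line {lineno}: {key}= starts {program}")
    print(cleaned, end="")
```

Running the check again after a reboot with the network connected shows whether the entry is being rewritten, which is the behaviour the posters describe until the shares were password protected.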
 