alevir.exe, brasil.pif, scrsvr.exe 
 alevir.exe, brasil.pif, scrsvr.exe

Periodically a message appears on my screen saying that
Norton (2002) has detected a virus (w32.opaserv.worm on at
least one case) infecting one of these files.  I respond
either with "delete" or "quarantine," the computer
responds that the action has occurred, but then a little
later the same messages concerning the same files appear.  
Any ideas?

Also, when I am connected to the Internet, the system is
continually uploading and downloading with no message as
to what it is doing.  Today both upload and download
registered more than 2 mb of information.  I have
automatic update turned on and in the past it has
successfully downloaded updates for Norton,ME, IE.  ????



Thu, 14 Apr 2005 04:00:14 GMT  
 alevir.exe, brasil.pif, scrsvr.exe
You will probably have more success using the removal tools from different
vendors by running them in "safe Mode"..most of these tools cannot remove
files that are in use by the OS......Using say F-PROT for DOS and running it
from pure DOS or from a floppy is also helpful
RVC

Quote:
> I had the same problem. Norton kept catching and deleting them over and over
> again. Norton's removal tool didn't work, PandaSoft's removal tool didn't
> work. Norton's instructions for manual removal didn't work. I finally had to
> wait for these files to re-emerge, tell Norton to ignore them and then edit
> them to zero length and make them 'read only'. This is definitely a
> workaround rather than a solution, so try it only as a last resort.
>     The internet activity is the Opaserv worm trying to phone home. I've
> read though that the website is gone, so I'd expect a little activity, but I
> have no idea what it could be doing by downloading 2MB.
>     ZoneAlarm would alert you to unauthorized attempts to phone in or out so
> you might want to consider that if all other attempts to stop the suspicious
> activity fail.

> Good luck -- Gil Theissen



Thu, 14 Apr 2005 07:16:35 GMT  
 alevir.exe, brasil.pif, scrsvr.exe

Quote:

>Periodically a message appears on my screen saying that
>Norton (2002) has detected a virus (w32.opaserv.worm on at
>least one case) infecting one of these files.  I respond
>either with "delete" or "quarantine," the computer
>responds that the action has occurred, but then a little
>later the same messages concerning the same files appear.  
>Any ideas?

>Also, when I am connected to the Internet, the system is
>continually uploading and downloading with no message as
>to what it is doing.  Today both upload and download
>registered more than 2 mb of information.  I have
>automatic update turned on and in the past it has
>successfully downloaded updates for Norton,ME, IE.  ????

The files are in use and unable to be deleted.  You'll have to start
in DOS to delete them.  They should be in your \windows directory.


Thu, 14 Apr 2005 04:25:50 GMT  
 alevir.exe, brasil.pif, scrsvr.exe
I had the same problem. Norton kept catching and deleting them over and over
again. Norton's removal tool didn't work, PandaSoft's removal tool didn't
work. Norton's instructions for manual removal didn't work. I finally had to
wait for these files to re-emerge, tell Norton to ignore them and then edit
them to zero length and make them 'read only'. This is definitely a
workaround rather than a solution, so try it only as a last resort.
    The internet activity is the Opaserv worm trying to phone home. I've
read though that the website is gone, so I'd expect a little activity, but I
have no idea what it could be doing by downloading 2MB.
    ZoneAlarm would alert you to unauthorized attempts to phone in or out so
you might want to consider that if all other attempts to stop the suspicious
activity fail.

Good luck -- Gil Theissen



Thu, 14 Apr 2005 06:32:38 GMT  
 alevir.exe, brasil.pif, scrsvr.exe
I am getting the same messages on two of my machines both
have Norton 2002 installed.
Previously I diagnosed them for the w32.opaserv.worm. I  
downloaded the fix from the Symantec web site. I think
this problem is another development on the same virus.
The fix does not permanently get rid of the problem. I
have some 7 or more machines that are continually looking
for a non existing file in win.ini. Our school is wired
and we use Verizon DSL.
I am trying to find out if the vulnerability in Windows 98
which allows this to happen is also an issue in Windows
2000. Any information would be appreciated.
Thank You.
Quote:
>-----Original Message-----
>Periodically a message appears on my screen saying that
>Norton (2002) has detected a virus (w32.opaserv.worm on at
>least one case) infecting one of these files.  I respond
>either with "delete" or "quarantine," the computer
>responds that the action has occurred, but then a little
>later the same messages concerning the same files appear.
>Any ideas?

>Also, when I am connected to the Internet, the system is
>continually uploading and downloading with no message as
>to what it is doing.  Today both upload and download
>registered more than 2 mb of information.  I have
>automatic update turned on and in the past it has
>successfully downloaded updates for Norton,ME, IE.  ????
>.



Sat, 16 Apr 2005 03:43:47 GMT  
 alevir.exe, brasil.pif, scrsvr.exe
I have many of the same problems reported here and elsewhere. The
virus indicators (brasil.exe, scrsrv.exe, alevir.exe, run=
<win.ini><reg>, tmp.ini, put.ini) are all gone. But I continue to get
probes into my machine from around the world (China, Korea, Brazil,
Spain, Sweden). I installed an IP monitor and the results are cut and
pasted below (one of many samples)

10      10:27:34 PM     System  D99E7950        TDI_EVENT_RECEIVE       TCP:12.77.136.209:139   62.83.228.102:2381      SUCCESS Length:66
Flags: ENTIRE_MESSAGE LOOKAHEAD
12      10:27:34 PM     KERNEL32        3C000065        TDI_SEND        TCP:12.77.136.209:139   62.83.228.102:2381      SUCCESS-14      Length:39

They are all associated with KERNEL32 activity.

I have ZoneAlarm running and there have been no further
infestations, but I receive an "attack" every 5 minutes or so.

It appears that there is still a
   WORM WITHIN MY SYSTEM
but not deleted by Symantec, McAfee or Kaspersky downloads.

Help would be appreciated, before I reformat everything.

Quote:

> You will probably have more success using the removal tools from different
> vendors by running them in "safe Mode"..most of these tools cannot remove
> files that are in use by the OS......Using say F-PROT for DOS and running it
> from pure DOS or from a floppy is also helpful
> RVC


> > I had the same problem. Norton kept catching and deleting them over and over
> > again. Norton's removal tool didn't work, PandaSoft's removal tool didn't
> > work. Norton's instructions for manual removal didn't work. I finally had to
> > wait for these files to re-emerge, tell Norton to ignore them and then edit
> > them to zero length and make them 'read only'. This is definitely a
> > workaround rather than a solution, so try it only as a last resort.
> >     The internet activity is the Opaserv worm trying to phone home. I've
> > read though that the website is gone, so I'd expect a little activity, but I
> > have no idea what it could be doing by downloading 2MB.
> >     ZoneAlarm would alert you to unauthorized attempts to phone in or out so
> > you might want to consider that if all other attempts to stop the suspicious
> > activity fail.

> > Good luck -- Gil Theissen



Sat, 16 Apr 2005 06:10:32 GMT  
 alevir.exe, brasil.pif, scrsvr.exe

The main problem with these types of viruses is that they
are self re-installing.

Check the c:\windows\win.ini file for the "run="
and "load=" lines. There are very few reasons to have any
entries here. This is the first change to make...
---------------
[windows]
load=
run=
---------------
Modify to match the above.

I also look at the registry entries [Run, RunServices] for
similar entries. The registry looks like a folder
structure.

Start->Run->regedit [ENTER]

EXPORT any "Keys" you might MODIFY FIRST!!!
[Alt-R, E, then type in the Key Name] here is one example.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"POINTER"="C:\\PROGRA~1\\MICROS~2\\point32.exe"
"vptray"="C:\\Program Files\\Norton AntiVirus\\vptray.exe"
"Brasil"="C:\\WINDOWS\\Brasil.pif"

The virus here is the last line, and needs to be deleted.

Here is more info on this specific virus...
http://www.sophos.com/virusinfo/analyses/w32opaserva.html

You may also need to modify your network settings, "File
and Printer Sharing" as  well. Once a workgroup is
infected, it keeps re-infecting all "Shared" resources,
until ALL machines are Virus Free!

HTH



Sat, 16 Apr 2005 06:46:10 GMT  
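
Added example, not part of any post in this thread: the check described in the post above (non-empty run=/load= lines in the [windows] section of win.ini, plus values under the Run and RunServices registry keys), written as a Python script that reads win.ini text and a regedit export. The sample inputs are constructed, modelled on the entries quoted in that post, and the function names are this example's own.

```python
import re

# File names reported in this thread (lower-cased, spellings as posted).
THREAD_NAMES = {"alevir.exe", "brasil.pif", "brasil.exe", "scrsvr.exe", "scrsrv.exe"}
PROGRAM = re.compile(r'[^\\/\s"]+\.(?:exe|pif|com|scr|bat)\b')
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def flagged(command):
    """True if the command line references a file name from the thread."""
    return any(p in THREAD_NAMES for p in PROGRAM.findall(command.lower()))

def win_ini_autostart(text):
    """Return (source, command, flagged) for non-empty run=/load= in [windows]."""
    found, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                found.append(("win.ini " + key.lower() + "=", value, flagged(value)))
    return found

def reg_autostart(text):
    """Return (source, command, flagged) for values under Run/RunServices keys."""
    found, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key.lower().endswith(("\\run", "\\runservices")):
            m = REG_VALUE.match(line)
            if m:  # unescape \\ and \" as written by a regedit export
                name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                found.append((key.rsplit("\\", 1)[-1] + "\\" + name, value, flagged(value)))
    return found

# Constructed samples, modelled on the entries quoted in the post above.
SAMPLE_INI = "[windows]\nload=\nrun=c:\\windows\\scrsvr.exe\n\n[Desktop]\nrun=ignored\n"
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"vptray"="C:\\Program Files\\Norton AntiVirus\\vptray.exe"
"Brasil"="C:\\WINDOWS\\Brasil.pif"
'''

if __name__ == "__main__":
    for source, command, bad in win_ini_autostart(SAMPLE_INI) + reg_autostart(SAMPLE_REG):
        print(("FLAG  " if bad else "ok    ") + source + " -> " + command)
```

Name matching only catches the file names listed in this thread, so every autostart entry the script prints still needs a manual look.
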
 alevir.exe, brasil.pif, scrsvr.exe

Quote:
> The files are in use and unable to be deleted.  You'll have to start
> in DOS to delete them.  They should be in your \windows directory.

No -- Dwight is talking about active re-infection attempts.

Nothing to do with DOS or Safe Mode or already open files.

Everything to do with shoddy network and system admin though.

Read my reply to "Rick Bates" under the same Subject: line as this.

--
Nick FitzGerald



Sat, 16 Apr 2005 19:02:53 GMT  
 alevir.exe, brasil.pif, scrsvr.exe

Quote:

> Periodically a message appears on my screen saying that
> Norton (2002) has detected a virus (w32.opaserv.worm on at
> least one case) infecting one of these files.  I respond
> either with "delete" or "quarantine," the computer
> responds that the action has occurred, but then a little
> later the same messages concerning the same files appear.
> Any ideas?

So, you are being continually re-infected -- well, NAV prevents
the actual re-infection, but you are being targeted for
re-infection by another infected machine on the network.

Read my very recent reply to "Rick Bates" under the same
Subject: line as this...

--
Nick FitzGerald



Sat, 16 Apr 2005 19:01:16 GMT  
 alevir.exe, brasil.pif, scrsvr.exe

Quote:

> You will probably have more success using the removal tools from different
> vendors by running them in "safe Mode"..most of these tools cannot remove
> files that are in use by the OS......Using say F-PROT for DOS and running it
> from pure DOS or from a floppy is also helpful

Bzzzzzzt -- wrong.

Read my other posts -- the "problem" here has nothing to do with
trouble removing Opaserv.  The problem here, as Dwight quite clearly
explained, is with Opaserv continually trying to re-infect.

That it gets to the point of writing itself to his hard drive and
then is intercepted by NAV means he has not installed MS00-072 and/or
not suitably reviewed his network protocol and service binding and/or
not replaced all "open" shares on the root of his C: drives.

Read my other posts for more details.

--
Nick FitzGerald



Sat, 16 Apr 2005 19:14:31 GMT  
 alevir.exe, brasil.pif, scrsvr.exe
The problem is that Windows 9x has some security hole.
The solution is simple:
Patch it!

Microsoft Windows 95
http://download.microsoft.com/download/win95/Update/11958/W95/EN-US/273991USA5.EXE

Microsoft Windows 98 and 98 Second Edition
http://download.microsoft.com/download/win98SE/Update/11958/W98/EN-US...

Microsoft Windows Me
http://download.microsoft.com/download/winme/Update/11958/WinMe/EN-US/273991USAM.EXE

Good luck



Sat, 16 Apr 2005 20:58:36 GMT  
 alevir.exe, brasil.pif, scrsvr.exe

Quote:

> I had the same problem. Norton kept catching and deleting them over and over
> again. Norton's removal tool didn't work, PandaSoft's removal tool didn't
> work. Norton's instructions for manual removal didn't work.  ...

They would have if you applied _all_ the instructions.  The first step
is to obtain and apply the MS00-072 critical security patch -- at more
than two-years of age, the fact that it is missing from these machines
in the first place suggests your system admin practices are, at best,
seriously deficient.  Also, that you became infected in the first place
almost certainly means that you have clueless (i.e. default) network
protocol and service binding and are sharing your LAN with the whole
Internet.  You may also be using inadequate passwords, but note the
lack of the MS00-072 patch makes all Win9x and ME share-level passwords
"inadequate" which is why it is so important to obtain and install it!

Quote:
> ...  I finally had to
> wait for these files to re-emerge, tell Norton to ignore them and then edit
> them to zero length and make them 'read only'. This is definitely a
> workaround rather than a solution, so try it only as a last resort.

Don't do this.

The next Opaserv variant, or the next worm to exploit the vulnerability
the MS00-072 patch fixes, will likely use different filenames and you
will be equally open to infection from them.  Read my reply to "Rick
Bates" under the same Subject: line as this for full details.

Quote:
>     The internet activity is the Opaserv worm trying to phone home. I've

Nah.

Most of the Internet activity is Opaserv scanning randomly selected IP
addresses for more suckers like you who are sharing their LANs on the
Internet and who don't bother with even the most cursory of system
security administration.

--
Nick FitzGerald



Sat, 16 Apr 2005 19:11:10 GMT  
 alevir.exe, brasil.pif, scrsvr.exe

Quote:
> > I had the same problem. Norton kept catching and deleting them over and over
> > again. Norton's removal tool didn't work, PandaSoft's removal tool didn't
> > work. Norton's instructions for manual removal didn't work.  ...
>> They would have if you applied _all_ the instructions.  The first step
>> is to obtain and apply the MS00-072 critical security patch

Actually Nick, I did apply the patch. Also slapped passwords on all open
shares and finally, even pulled the network plug on the infected PC. Still
kept popping back up.

Quote:
> -- at more
> than two-years of age, the fact that it is missing from these machines
> in the first place suggests your system admin practices are, at best,
> seriously deficient.

I guess I should fire myself.

Quote:
> Also, that you became infected in the first place
> almost certainly means that you have clueless (i.e. default) network
> protocol and service binding and are sharing your LAN with the whole
> Internet.

You're certainly right. I have no business owning any computer let alone
three. Somebody stop me, please!

Quote:
> You may also be using inadequate passwords, but note the
> lack of the MS00-072 patch makes all Win9x and ME share-level passwords
> "inadequate" which is why it is so important to obtain and install it!

I've installed the patch, my shares are now protected with a six digit
password (Yes, it's true Nick. Although I'm ashamed to admit it, I hadn't
placed any passwords on my home network until I came across this {*filter*}) and
even though I'm just using dialup, a firewall as well. Is that enough?

Quote:
>> Most of the Internet activity is Opaserv scanning randomly selected IP
>> addresses for more sucker like you who are sharing their LANs on the
>> Internet and who don't bother with even the most cursory of system
>> security administration.

Hey Nick. What are you like when you're having a BAD day?

Gil Theissen



Sun, 17 Apr 2005 03:31:43 GMT  
 alevir.exe, brasil.pif, scrsvr.exe


Quote:

> > You will probably have more success using the removal tools from different
> > vendors by running them in "safe Mode"..most of these tools cannot remove
> > files that are in use by the OS......Using say F-PROT for DOS and running it
> > from pure DOS or from a floppy is also helpful

> Bzzzzzzt -- wrong.

> Read my other posts -- the "problem" here has nothing to do with
> trouble removing Opaserv.  The problem here, as Dwight quite clearly
> explained, is with Opaserv continually trying to re-infect.

> That it gets to the point of writing itself to his hard drive and
> then is intercepted by NAV means he has not installed MS00-072 and/or
> not suitably reviewed his network protocol and service binding and/or
> not replaced all "open" shares on the root of his C: drives.

> Read my other posts for more details.

> --
> Nick FitzGerald

Nick
 That's why we "allow" you to be in This NG.......so you can keep us all on
our toes......;-)


Sun, 17 Apr 2005 07:51:39 GMT  
 alevir.exe, brasil.pif, scrsvr.exe
start run sysedit
on the win.ini file
remove line that says run= any thing with brasil in the
name and scrsvr.exe or scrsvr in it.
read stuff on symantec site
best fix i have so far =  is to remove/disable file and
print sharing.
symantec tells you to download ms fix for windows 98 or
windows me at
http://download.microsoft.com/download/win98se/update/11958/w98/en-us...
for me last part is 273991usam.exe
this i have done, but direction on how to install it  is a
problem.  i could not figure out how/where to find the
direction on how to do it.  i have a question to this forum
on where the directions are on how to do it.  waiting for an
answer.
site to get this info is
www.microsoft.com/technet/security/bulletin/ms00-072.asp?f
for microsoft security bulletin ms00-072
if you figure out how to apply the patch please respond
lily

Quote:
>-----Original Message-----
>Periodically a message appears on my screen saying that
>Norton (2002) has detected a virus (w32.opaserv.worm on at
>least one case) infecting one of these files.  I respond
>either with "delete" or "quarantine," the computer
>responds that the action has occurred, but then a little
>later the same messages concerning the same files appear.  
>Any ideas?

>Also, when I am connected to the Internet, the system is
>continually uploading and downloading with no message as
>to what it is doing.  Today both upload and download
>registered more than 2 mb of information.  I have
>automatic update turned on and in the past it has
>successfully downloaded updates for Norton,ME, IE.  ????
>.



Sun, 17 Apr 2005 06:14:51 GMT  
 