
Opaserv reinfects URGENT 1

Patched the systems with the Microsoft patch noted by SMAH's post earlier in this thread.
Disconnected from everything.
Ran the Symantec opaserv fix tool.
Finally I was able to get this out.....
I have manually had to remove the put.ini, instit.bat and gay.ini files from the hard disk, and edit win.ini to remove the references to the virus files. If you don't, you get the boot errors that Windows can't find the files. You get the scrsvr.exe, marco!.scr, brazil.pif errors.

This machine was also infected BY this worm with a spaces and a datom worm. Was a real mess.
The client was running the opaserv fix tool from Symantec, after unsuccessfully telling Norton to deal with it. Kept getting it back again.

Each time the user went back online with dial up, the system warned that the files had reappeared and were infected. The other two machines on the network were not infected. Interesting huh?

I finally manually deleted everything, scanned the entire network, checked the registry on all three machines, virus scanned with Norton 2002 rescue disks updated with the newest sig files, and then installed AVG free edition until they could get a newer anti virus program. They were using NAV2K.

Everything was ok for three days and now the original reinfected system is coming up with infected warnings on boot.

ANY idea where these might come from?
The network was clean when I left.....
I am so frustrated I can't think straight! Kimber

The more I learn, I realize how much more there is to know!
 
A few possibilities to prevent further infections:

Unbind F&P Sharing from TCP/IP -> dial up adapter
Add passwords to the network shares
Make sure it's not on any removable media that's used (zip, floppy, cdr)
If any users are using ME or XP, make sure it's not in a Restore Point.

You could also try a different removal tool like
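Two of the steps in this thread lend themselves to a small script: Kimber's post above says the worm re-adds itself to win.ini and leaves its files on disk, and SMAH's list says to check removable media. The Python below is an added example, not code from the thread or from the Symantec fix tool. It cleans worm references out of the `run=`/`load=` lines of a win.ini (assumed to be the [windows] section keys Windows 9x uses to start programs at logon) and walks a directory tree (a floppy or zip drive would be passed as the root) for the file names the thread mentions. The sample win.ini and the temporary directory layout are constructed for this example; the file names come from the thread itself.

```python
"""Added example: win.ini cleanup and worm-file scan for the Opaserv symptoms
described in the thread. Not the thread's or Symantec's code; the worm file
names are those mentioned in the thread, everything else is an assumption."""
import os
import re
import tempfile
from pathlib import Path, PureWindowsPath

# File names the thread says the worm drops or references (taken from the thread).
WORM_FILES = {"scrsvr.exe", "marco!.scr", "brazil.pif", "put.ini", "instit.bat", "gay.ini"}

# [windows] section keys that Windows 9x uses to autostart programs (assumption).
AUTOSTART_KEYS = {"run", "load"}

# Constructed sample win.ini: one worm reference next to a legitimate one.
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\scrsvr.exe c:\windows\notepad.exe
device=,,,
[Desktop]
Wallpaper=(None)
"""


def clean_win_ini(text: str) -> tuple[str, list[str]]:
    """Return the win.ini text with worm references stripped from run=/load=
    in the [windows] section, plus the list of entries that were removed.
    Other sections and keys are passed through untouched."""
    removed: list[str] = []
    out_lines: list[str] = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        header = re.match(r"^\[(.+)\]$", stripped)
        if header:
            section = header.group(1).lower()
            out_lines.append(line)
            continue
        if section == "windows" and "=" in line and not stripped.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() in AUTOSTART_KEYS:
                keep = []
                # run=/load= take several programs separated by spaces or commas.
                for entry in re.split(r"[ ,]+", value.strip()):
                    if not entry:
                        continue
                    # PureWindowsPath so backslash paths split correctly on any host.
                    name = PureWindowsPath(entry.strip('"')).name.lower()
                    if name in WORM_FILES:
                        removed.append(entry)
                    else:
                        keep.append(entry)
                line = f"{key}={' '.join(keep)}"
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", removed


def find_worm_files(root) -> list[Path]:
    """Walk root (a drive, floppy or zip disk mount) and return every file
    whose name matches one of the worm file names, case-insensitively."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in WORM_FILES:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def demo_scan() -> list[str]:
    """Build a constructed directory tree in a temp dir (stand-in for a
    removable disk) and return the names of the worm files found there."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_text("harmless")
        (root / "BRAZIL.PIF").write_text("constructed sample")
        (root / "sub").mkdir()
        (root / "sub" / "instit.bat").write_text("constructed sample")
        return sorted(p.name.lower() for p in find_worm_files(root))


if __name__ == "__main__":
    cleaned, gone = clean_win_ini(SAMPLE_WIN_INI)
    print("removed from win.ini:", gone)
    print(cleaned)
    print("worm files on constructed disk:", demo_scan())
```

Run it against a real win.ini by reading the file, passing the text to `clean_win_ini`, and writing the result back only after reviewing the `removed` list; the scan function is meant to be pointed at each removable disk's mount point in turn.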
 
Can get it OUT...just can't keep it out.

Installing a firewall I guess...

thanks all Kimber

The more I learn, I realize how much more there is to know!
 
Yes thank you Grenage, this is a trojan, and AVG was installed after the clean.
I have put ZoneAlarm in place for when the user is online, but it's a pain because it is too complicated for her to use with her LAN setup.
SO... she has to turn it on and off each time she accesses the net.
SMAH, your post was a big help, the shares are patched and passworded, and I unbound the stuff from dial up. I didn't know it even bound there... everything binds to everything.

So far so good......waiting and holding my breath to see if this is all resolved now.

Kimber

The more I learn, I realize how much more there is to know!
 
That should do it. With F&P Sharing bound to the dial-up adapter, the shares on that machine were accessible from the internet when connected by dial up.
 
Just a thought, have you unshared your C: drive? Sophos suggests that the C: drive be unshared, subdirectories are OK to be shared.
James P. Cottingham

When a man sits with a pretty girl for an hour, it seems like a minute. But let him sit on a hot stove for a minute and it's longer than any hour. That's relativity.
Albert Einstein explaining his Theory of Relativity to a group of journalists.
 
Thanks again smah....

2ffat, in this configuration the C:\ drive has to be shared.
I have networked programs etc that run from DOS and there is no workaround.
I installed ZoneAlarm and set it to isolate the PC from the network while it is on the internet, thus protecting the data server and other workstations.
It will have to be my workaround until I can get them behind a router.

Thank you for the suggestion though, for someone else it might be useful.
I try to not share C:\ and if I do, I share it as something else... I inherited this network after it was already set up.
Kimber

The more I learn, I realize how much more there is to know!
 
Kimber provided excellent information for me to get rid of the Opaserv virus!! It was continually reinfecting my PC, Norton wouldn't find it, the DOS boot Norton wouldn't find it ... but the system is now clean, secure and running well!

Thanks Kimber!!!

Designware
 
Thank you so much for your kind feedback.
It is heartwarming to know I have helped someone today.

I am in the process of writing a detailed document outlining the steps to clean this virus properly and some things necessary to keep from reinfection.

If anyone needs help sooner, please post here. When the document is finished I will post here the link to it in the FAQ section.

Have a great day! Kimber

The more I learn, I realize how much more there is to know!
 