Worms and stuff! Win 98 SE

[Fowlinho]

After reformatting my hard disk for the 2nd time and installing AVG v 6.00 anti virus software - I keep getting the same entries to my Win ini file:

run=c:\windows\alevir.exe,c:\windows\marco!.scr,c:\windows\puta!!.com,c:\windows\speedy.pif

The program is detecting variants of the I-Opas worm which it moves to another file (or Vault) but the worm keeps on coming back. Any ideas on how to zap these worms once and for all?

Cheers

Steve

 

[jrbarnett]

Hi,

If it keeps coming back, there is obviously a loader somewhere that reinstalls it, so run MSCOnfig and post back here what is set to load under:

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

Windows startup group

We can then find out what is not dodgy, or check it out for yourself at:

http://www.pacs-portal.co.uk/startups

whether it is harmful, harmless or useless.

John

 

[tb525]

Download and run the removal tool here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

Install this patch: (95/98/ME)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp

Install a firewall:

http://www.zonelabs.com

 

[Fowlinho]

John

Have run and what I get are tabs. What am I supposed to do next? In the Startup tab there is a reference to ~2.exe which seems a bit strange. Is there an actualog to run? What do I need to do to provide the necessary info?

Tks

Steve

 

[jrbarnett]

Hi,
I would disable that file ~2.exe - it could be the loader.
Then, reboot and if AVG doesn't report an error, you have found the loader. If this is the case, delete the file and then delete from the recycle bin and you can then run a full scan over your machine to ensure that there is nothing else on there.

John

 

[Fowlinho]

John

Deleted from recycle bin but that trashed the screen display a couple of times so had to power back down and up again. Disabled the loader in msconfig and re ran the virus checker - nothing reported this time. Let's hope that this has done the trick!

Thanks for your help!

Cheers

Steve

 

[Fowlinho]

The viruses are back! So what's the best way to to kill 'em?

Steve

 

[smah]

Opaserve is network aware and exploits windows shares. If you use the Keyword search in forum760, you will find a lot of good info.

 

[smah]

I just did some searching, and it's not as easy to find as I thought. Here's one thread760-467230. I know there was another very thorough cleaning instructions that I can't seem to find right now.

 

[Fowlinho]

Found something from your earlier message and pasted view of my startup log. Hope I haven't trashedthe forum!!

Steve

 

[diogenes10]

How many harddrives do you have in your machine?
Saw suggestion somewhere that in case of multiple harddrives it may be necessary to disconnect all but one and disinfect them one at time.

"The best optimizer is between your ears."
M. Abrash

 

[Fowlinho]

One hard drive

 

[kernowboy]

hope this might help. opas worm is difficult to get rid of. just deleting the EXE file will not get rid of it. you must also delete the registry entry in the WIN.INI file the following link might help and point you in the right direction.

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html