But very grateful for your help - thanks. ;)
Not just put.ini.
Damn thing kept coming back!!
You also will need to delete Win.sys.
Madrid, October 27, 2002 - According to data gathered by Panda ActiveScan,
this week's virus activity has centered on variants "E", "F" and "G" of
Opaserv.
This week, 16.79 percent of total virus infections detected by Panda
Software's free, online scanner have been caused by either Opaserv,
Opaserv.E or Opaserv.F, as compared to 12.68 percent of infections caused by
Klez.I. According to Luis Corrons, director of Panda Software's Virus
Research Laboratory, "This is very significant, as Klez.I has been the most
frequently detected virus by Panda ActiveScan since April. Now, however, its
place at the top of the ranking seems to be in jeopardy".
Opaserv and its variants enter computers via the Internet, using
communication ports 137 and 139, which are normally open by default. If the
infected computer shares files or resources with other computers, this
malicious code will spread to these by exploiting a vulnerability in Windows
9x and Me known as "Share Level Password". This enables any variant of
Opaserv to spread quickly to all computers in a network.
On the subject of Opaserv and its variants, Luis Corrons adds, "These worms
are favoring the reappearance of other, older, malicious codes such as
W95/CIH or W32/Funlove." "This is due", he explains, "to the fact that
Opaserv copies itself to computers it affects. If these computers are
infected with a virus, Opaserv will also become infected and spread
infection wherever it goes." For this reason it is advisable that users
install an efficient antivirus that can eliminate every known malicious
code. Antiviruses must also be periodically updated in order to protect
computers against any new virus threats.
Just what we need... a virus infected with a virus :mad: :mad: :mad:
Yep. It did contract W32.Funlove.4099 as well!
The customer whose PC it was only had the PC new from us on Wednesday. It had Norton 2003 on it as standard, with the latest virus defs of 16 Oct. He got the first warning from Norton just 5 minutes after first boot up whilst checking his hotmail! That didn't stop the virus dropping its files though, despite it identifying it as Opaserv. We've since checked his old PC out (for free and out of curiosity) and it's riddled. It's got over 2500 infections across 12 viruses.
I would have expected the "...I've only had it 5 mins and it's gone wrong - and I thought you said Norton was good....." etc speech, but nope. He was very pragmatic about it. We showed him all the links to sites so that he could see how new his virus was, and he was fascinated. Poor bugger though....... after just 5 mins!
I've always been a Norton fan, and found their write-ups to be very current, and quick to update. But they haven't got this one all there yet. A search for alevir gets no results.
BTW I referred to win.sys. I meant delete win.syd.
Every antivirus seems to have a problem with one or another virus. Even though I use Symantec enterprise on this network, I subscribe to the warnings from Panda. Being located in Spain, they seem to have a day or so head start on some of the stuff migrating from Eastern Europe and Asia. You can subscribe to the warnings (and so can your customer if he's interested) at their home page. We've used Panda for disinfecting machines from DOS for about three years now, and have been quite happy about it, but the DOS disinfection only works on FAT and FAT32 partitions, not on NTFS.
cheers geoscomp :D :cool:
I have been dealing with this one for a week at one of our smaller client sites. Same thing, scrsvr, brasil, and alevir, this guy had them all. I installed Norton 2003, latest definitions, and cleaned all computers manually. Next day, all entries were back. Cleaned again (four PC peer-to-peer setup, disconnected from network cables while cleaning), ran full scans, back again the next day. Went back, recleaned, logged onto the internet (he uses MSN) and watched Norton quarantine five files in 15 minutes. Every time he got online, the virus would return. I figured switch ISPs, new account, new IPs, everything. 15 minutes later, it's back! I spent $69.95 calling Symantec's "Premier Support" (getting the number and getting a human is another horror story in itself!), and was told to "get a firewall". This guy had spent enough and I already ate over 5 hours on this job, so I got the free version of ZA (I know...), set it up and... no more infections!?! Don't know why or how it was coming back in after the ISP change, but it seems to have been stopped for now (keeping my fingers crossed on this one). Good luck, this one was a pain even though it is "Non-Destructive".
I've been dealing with this since last Wednesday. If you have file and print sharing enabled it will keep coming back. I've had to go back to the same machines numerous times because the teacher(s) keep enabling sharing. "It's inconvenient to print from one machine" :rolleyes:
My head hurts.
Unfortunately, file and print sharing had to stay as this is a small business network running shared apps and files. It's pretty sad when the answer to a virus is "disable your network". It seems that cleaning this off with all machines unplugged and not plugged back in until completion should have solved the problems if the virus was coming from a machine on the LAN. The only thing I could come up with was coming in from the internet and the firewall did prevent any more infections, so... who knows?
I deal with viruses daily, and this has to be the worst to extract.
I've managed it successfully on stand-alone PCs, but where there's a network - it's a nightmare. I can't tell them to disable file and print sharing. They can't run the business without it. Unless I do so though we are screwed. I really want to be able to nail this one down, but the big virus services don't seem to have the answer yet. It also screws with Sage as well, changing the date. Even when the virus has gone, the invoice dates revert to 2 years before. Reinstalling Sage did no good, and Sage themselves have now got involved.
I think you might be on to something, Beshman. The internet IS a network after all. It could be coming from an infected server bank on an ISP jump or somewhere similar. I wonder if this is related to the recent DDoS attack on the DNS servers? Seems like the type of virus that would be needed to accomplish it. It also seems to be mutating very quickly to new variants, wonder if that was part of the original code? Now there is an Opaserv.H listed on Panda Software's site, with a new file to look for.
I have had to deal with this virus on some SMALL networks, and what I have found is to unshare the root drive and share the folders that they need access to on the network. It stops the virus in its path because when it checks for a shared folder it looks for the Windows folder, then copies itself to that location. So if you don't have the root share but other folders shared, the virus is not copied to that location.
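The share check described in the post above, as an added example that is not part of the original thread: it flags shares that are a drive root or that contain the Windows folder. The "name = path" inventory format, the sample shares and the `C:\WINDOWS` location are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed sample inventory ("share name = local path"); not real tool output.
SAMPLE_SHARES = r"""
C = C:\
ACCOUNTS = C:\Sage\Data
PRINTDOCS = D:\Public\Print
APPS = c:\windows
BACKUP = D:\
"""

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path.strip()))

def is_drive_root(path):
    drive, tail = ntpath.splitdrive(_norm(path))
    return bool(drive) and tail in ("", "\\")

def exposes(share_path, target_dir):
    """True if target_dir is the shared folder itself or lies beneath it."""
    share, target = _norm(share_path), _norm(target_dir)
    try:
        return ntpath.commonpath([share, target]) == share
    except ValueError:  # paths on different drives
        return False

def audit_shares(inventory, windows_dir=r"C:\WINDOWS"):  # assumed Windows folder
    """Return (name, path, reasons) for shares matching the risky pattern."""
    findings = []
    for line in inventory.splitlines():
        if "=" not in line:
            continue
        name, path = (part.strip() for part in line.split("=", 1))
        reasons = []
        if is_drive_root(path):
            reasons.append("drive root shared")
        if exposes(path, windows_dir):
            reasons.append("exposes Windows folder")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in audit_shares(SAMPLE_SHARES):
        print(f"{name:10} {path:18} {', '.join(reasons)}")
```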
We too have been battling this virus. No solution yet. Like all of you, we think we get it taken care of and then it reinfects, or at least it shows up for Norton to stop it. I had our customer kind of keep a log of when he seems to be seeing it. It was happening even just browsing the Net. The strange thing is, he has a 3 computer network and so far only his WinMe computer seems to be getting hit. I scanned the other two and even did a manual search and couldn't find anything. And it does seem to be mutating; he's had version a, b, d, e, g! It also occasionally shows up with spaces virus.
Now here's a related question... What do you do if you "remove" a virus for somebody but it keeps coming back? Do you charge them each time even if you are unsure if you have gotten rid of it? As seems to be the case with this virus?
I had the same problem with a network. What I did was go to the properties of the network, removed the file and sharing on all the protocols except dial-up networking, and removed NetBIOS over TCP/IP. Here's what Sophos has to say about it; Symantec has nothing like this:
http://www.sophos.com/virusinfo/anal...2opaservc.html
Hope this helps, because it had me going for a while. Now everything is back to normal.
These viruses are what keep us working...
Cheers for that. What amazes me is Symantec not covering this. I normally swear by them, but they've really made me think again now.