I've had those files sitting on my hard drive for several days now. Looks like they would have infected me before now.
probably - it's got the sherlock in me going - but with nothing to chew on :)
Just looked and it was back in win.ini but not the registry or the applog folder. Did you get the file?
I did have an error about a file mismatch on one of the files I was downloading. Just can't remember if it was Friday nite or not.
Makes you go Hmmmmm.
Got the exe - thx. It'll be a while before I know anything (assuming I can figure out anything at all). A quick glance shows quite a bit of network awareness (WSAStartup etc.) as well a mutex. It may (guessing heuristically) have been written in Delphi - but I've very little at the moment.
Are you on a home network - where one computer can reinfect the other? If you want to try and scr*w it up on the reboot perhaps try the tmp.ini file and see if it hiccups? Again - is there anything in wininit.ini at the moment?
Did a search and don't find wininit.ini.
I just fired up WinMx again and gave it server rights. Boom. The scrsvr.exe was back again.
Think I'll create a tmp.ini and have a go at it. ZA won't let it access the other computer on the lan. It's shut down anyway.
Very interesting. Created a tmp.ini file in root directory. scrsvr.exe is in windows. Rebooted computer and no alerts. Nothing in win.ini, registry or applog folder and tmp.ini is still 0 KB.
If you're in the mood to look around - you might look at your proxy settings in IE as well.
Here are some strings of interest if you're interested in searching your registry and harddrive.
These 2 files are mentioned as local infects by Symantec
ScrSout.dat
ScrSout.dat
The registry key
Software\Microsoft\Windows\CurrentVersion\Internet Settings
is referenced but I haven't looked to figure out if it's HKCU or HKLM (or both)
There is also
opasoft
in a variety of url strings
as well as
CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
which is a mangled wildcard name of
*\0\0\0........
which makes it look like it comes from the network.vbs family?
I may get back to it later tonite.
I don't use IE. Just started using Mozilla. Switched from netscape.
Didn't find the dat files, and in the registry when checking for opasoft got urls for msn.com and trendmicro. (I did use IE to go to housecall. Wouldn't work otherwise.)
Strange that this post happened to show up as I was looking thru the forums tonight. I logged on to my computer tonight and Norton AV showed a virus on file windows/system/scrsvr.exe. It could not quarantine it and it could not delete it. I was going to go to DOS and delete it there, but I misread the name of the file and could not find it (scrnsvr.exe). Rebooted to Windows and then Norton AV was able to quarantine it.
However, Windows said it could not find scrsvr.exe and it needed it to start some programs. I did not write down the exact wording, and when I opened IE, everything seems to be working fine.
Norton AV shows that it is W32.Opaserv.Worm.
I have never dug very deep into the computer, so if Windows needs this file to do anything, how do I get an uninfected file?
Hi goldbrick44 - have a look in your win.ini file and see if the below line is there. If it is put a ; in front of it and see if windows still asks for the file.
run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe
Have a look here
Tnx, AnnMarie
I did as you suggested and the computer booted up without a hiccup and no reference to the quarantined files. I now have 2 copies of this file in my quarantine folder. It showed up again after I was able to quarantine it the first time.
Thanks, again.
You also need to do a search of your registry for scrsvr and delete the key you find. Check windows\applog folder for a scrsvr file and you will also find a tmp.ini file in the root directory of c: that should be deleted.
I recreated a blank tmp.ini file in C: after deleting that one and it seems to keep the worm from executing on rebooting the computer.
Are you running WinMx by any chance?
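The win.ini step suggested above (find the run= line that loads scrsvr.exe and put a ; in front of it), written out as an added example for this thread; it is not code from any poster here or from Symantec. The sample win.ini text is constructed, and the run= line in it is the one quoted in the thread. The marker name and function names are this example's own choices.

```python
"""Inspect a Windows 9x-era win.ini for a run=/load= entry that loads a named
executable, and produce a copy with that entry commented out (leading ';'),
which is the neutralisation step suggested in the thread.

Added example for this thread; not code from any poster or from Symantec.
"""
import re

# Constructed sample win.ini. The run= line is reproduced as quoted in the
# thread (the two paths run together with no separator between them).
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SCRSVR.EXEc:\\windows\\scrsvr.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")


def ini_entries(text):
    """Yield (section, raw_line) for every non-blank, non-header line,
    tracking the current [section] name (lower-cased; '' before any header)."""
    section = ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        header = _SECTION_RE.match(stripped)
        if header:
            section = header.group(1).strip().lower()
            continue
        yield section, line


def find_suspect_run_entries(text, marker="scrsvr.exe"):
    """Return the stripped run=/load= lines in [windows] whose value mentions
    marker (case-insensitive). Lines already commented with ';' are skipped,
    because win.ini ignores them."""
    hits = []
    for section, line in ini_entries(text):
        stripped = line.strip()
        if section != "windows" or stripped.startswith(";"):
            continue
        key, sep, value = stripped.partition("=")
        if sep and key.strip().lower() in ("run", "load") and marker.lower() in value.lower():
            hits.append(stripped)
    return hits


def comment_out_run_entries(text, marker="scrsvr.exe"):
    """Return (new_text, count): a copy of the INI text with every matching
    run=/load= line in [windows] prefixed by ';', plus the number of lines
    changed. All other lines are passed through unchanged, so a second pass
    over the result changes nothing."""
    suspect = set(find_suspect_run_entries(text, marker))
    out, count, section = [], 0, ""
    for line in text.splitlines():
        stripped = line.strip()
        header = _SECTION_RE.match(stripped)
        if header:
            section = header.group(1).strip().lower()
        elif section == "windows" and stripped in suspect:
            line = ";" + line
            count += 1
        out.append(line)
    return "\n".join(out) + "\n", count


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; on a real machine you would
    # read C:\WINDOWS\WIN.INI instead and write the result back after review.
    for hit in find_suspect_run_entries(SAMPLE_WIN_INI):
        print("suspect entry:", hit)
    fixed, changed = comment_out_run_entries(SAMPLE_WIN_INI)
    print(f"{changed} line(s) commented out")
    print(fixed)
```

Commenting the line out rather than deleting it keeps the evidence in place, which is why the thread's advice to "put a ; in front of it" is the right first move: if Windows keeps booting cleanly the line can be removed later, and if something else was genuinely depending on it the original text is still there.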
mawil and others with the "W32.Opaserv.Worm ",
Symantec (Norton) just came out with a W32.Opaserv.Worm Removal Tool. You can read the directions and download it at the link below.
http://securityresponse.symantec.com...oval.tool.html
HTH
Tufenuf
Symantec was pretty quick. Wasn't long after the first link
http://securityresponse.symantec.com...serv.worm.html
was posted that they added some registry info to it and removed the recommendation about tmp.ini
Almost not worth reversing it now that I have some time :(
OK This is getting old. Got home from work and checked windows directory. No scrsvr.exe. Read the new info at symantec site and checked the registry and the files they mentioned were not there. Nothing in win.ini either.
Just to be safe I ran symantec's removal tool. It said it deleted scrsvr.exe in windows directory and nothing from registry.
Then I found an opasoft key and a scrsvr key in another location in the registry and deleted them. (Sorry. Didn't think to check the exact location.)
A bit later, I checked windows directory again and scrsvr.exe was back. Also the reference in win.ini - run=C:\WINDOWS\SCRSVR.EXEc:\windows\scrsvr.exe.
(NOT the one mentioned at Symantec's website.)
Have rebooted and nothing new is added to registry and nothing is trying to get past ZA.
How do I get rid of this *&*&^%$# thing?
Oh. I also went to Computer Associates and downloaded their newest signature file that is supposed to detect the opasoft infection. It found nothing and I even scanned the scrsvr.exe by right clicking on it.
EDIT: Also upon rebooting computer, I get messages that the call in win.ini cannot find scrsvr.exe. So apparently the thing is not actually running. It's just THERE. :(