# I-Worm/Opas.A help!



## lisa simpson (Nov 7, 2002)

I know you've tried to help somebody else out with this before, but I can't seem to get rid of this worm... These are the files and versions of the worm I'm currently living with!

I-Worm/Opas.A (modified)
found in files
alevir.exe
scrsvr.exe

I-Worm/Opas.E
I-Worm/Opas.F
Found in files
brasil.pif

I-Worm.Opas.G
found in file
marco!.scr

I've tried running Norton & AVG.
AVG, booting in DOS, seems to find and get rid of them, but the minute I connect with a telephone modem they are back. I also use a cable modem which has a firewall (now).

But that's how I think I got it in the first place.

No one seems to know how to get rid of this one???

Can anyone help?


----------



## TonyKlein (Aug 26, 2001)

Go to http://www.spywareinfo.com/downloads.html , and download 'Startuplist' (in the "Startup Program Management" section).

Unzip, double-click it, and it will generate a text file that will list all running processes, _all_ applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and please post the contents here.


----------



## Rollin' Rog (Dec 9, 2000)

Welcome to TSG, Lisa. Please continue to reply to this, your very own thread


----------



## lisa simpson (Nov 7, 2002)

Whoops. I think my last, unfinished reply might have been sent.

Anyway, I downloaded 'Startup List', unzipped and double-clicked, and got this error message:

'A required .DLL, MSVBVM60.DLL, could not be found'


----------



## TonyKlein (Aug 26, 2001)

Don't worry, it's no big deal.

Download the MS Visual Basic 6.0 runtime files.

Just double-click after downloading, and let it install.

You'll then be able to run the List.


----------



## hijinx22 (Nov 7, 2002)

I did what you said. Have a look at this report; this is on the comp that was not working with IE6 but networked to the infected one, which was!

StartupList report, 9/11/2002, 3:07:09 p.m.
StartupList version: 1.34.0
Started from : C:\unzipped\startuplist\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\startuplist\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"
AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
CloneCDElbyCDFL = "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
XupiterStartup = C:\Program Files\Xupiter\XupiterStartup.exe
XupiterCfgLoader = C:\Program Files\Xupiter\XTCfgLoader.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Xupiter\Updates\XTUpdate.dll - {2662BDD7-05D6-408F-B241-FF98FACE6054}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/219e8ab7673daa27f203/netzip/RdxIE2.cab

[{56C9629A-C33F-11D3-BBFB-00105A1FAD68}]
CODEBASE = http://www.eyetide.com/download//223/Eyetide Installer.cab

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[{82202BE7-C56A-487E-9E55-D84BDC1A5776}]
CODEBASE = http://install.anark.com/client/version1/windows-ie/en/AMClient.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37417.8136458333

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75}]
CODEBASE = http://download.redswoosh.com/Installer/rsinstaller.cab

--------------------------------------------------
End of report, 6,466 bytes
Report generated in 0.381 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## TonyKlein (Aug 26, 2001)

Lisa,

There's no sign there of your virus.

If it was still starting up as Windows loads, it would be visible in the list.

You do have the Xupiter foistware: http://allentech.net/parasite/Xupiter.html

Let's do this first:

Download Spybot - Search & Destroy

It looks for spyware, but also targets dialers, keyloggers, and other nasties, and it's freeware.

After installing, go to the Online tab, and search for and install all updates.

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .

These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, hit 'Check All', and have SpyBot remove all it finds.

Next, go to Internet Options > Temp. Internet Files > Settings > Show Objects, and examine all ActiveX objects you see there.

Right-click each one in turn, choose 'Properties', and check the Version tab.

If the company is _anyone else but_ Macromedia, Apple, or Microsoft, right-click the file, and choose 'Remove'.

When you're done, run an online scan at  , and please post back with your results.


----------



## lisa simpson (Nov 7, 2002)

Hi Tony,
The startup list that was posted wasn't mine but someone else's with a similar problem. After downloading the additional software you suggested, here's my startup list.
Let me know what you think
Lisa

StartupList report, 13/11/02, 12:18:53
StartupList version: 1.35.0
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\INSTIT.BAT
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\OINQS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CG16EH.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PALM\HOTSYNC.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
HotSync Manager.lnk = C:\Palm\hotsync.exe

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
S3TRAY = S3tray.exe
IrMon = IrMon.exe
TWBbtn = 
TCDPbtn = 
NAV DefAlert = C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.EXE
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
Norton CrashGuard Monitor = "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
Norton eMail Protect = C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
QD FastAndSafe = C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /startup
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
InCD = C:\Program Files\ahead\InCD\InCD.exe
TPP Auto Loader = C:\WINDOWS\TPPALDR.EXE
LexStart = Lexstart.exe
LexmarkPrinTray = PrinTray.exe
Microsoft Diagnostic = C:\WINDOWS\SYSTEM\oinqs.exe
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
cronos = C:\WINDOWS\marco!.scr
instit = C:\WINDOWS\instit.bat

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = C:\WINDOWS\SYSTEM\mstask.exe
TSPower = 
TDockNUndock = 
TWarmBay = 
TWBrowse = 
TCDPlay = 
CSINJECT.EXE = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\ALEVIR.EXEc:\windows\alevir.exe,c:\windows\scrsvr.exe,c:\windows\Brasil.pif,c:\windows\Brasil.exe,c:\windows\marco!.scr,c:\windows\instit.bat

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DPIPE~1.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 27/10/2002, 23:22:38)

[Rename]
C:\WINDOWS\system.bak=C:\WINDOWS\system.dat
C:\WINDOWS\user.bak=C:\WINDOWS\user.dat
C:\WINDOWS\system.dat=C:\WINDOWS\system.pak
C:\WINDOWS\user.dat=C:\WINDOWS\user.pak

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb uk,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------

C:\CONFIG.SYS listing:

REM - by PC Card (PCMCIA) wizard - DEVICE=C:\WINDOWS\setver.exe
device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
Country=044,850,C:\WINDOWS\COMMAND\country.sys
DEVICE=C:\WINDOWS\Panning.SYS

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Scan for Viruses.job
Live Update.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1116/V31Controls/x86/w98/en/actsetup.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002110401/housecall.antivirus.com/housecall/xscan53.cab

--------------------------------------------------
End of report, 9,152 bytes
Report generated in 1.871 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## TonyKlein (Aug 26, 2001)

Lisa,

You have far too much in Startup, and this must be slowing you down enormously.

Let's get rid of the virus, other malware, and further unneeded items:

Go to Start > Run, type *win.ini*

Your Win.ini will open in Notepad.

You'll see the following line there:

*run=C:\WINDOWS\ALEVIR.EXEc:\windows\alevir.exe,c:\windows\scrsvr.exe,c:\windows\Brasil.pif,c:\windows\Brasil.exe,c:\windows\marco!.scr,c:\windows\instit.bat *

These are all Opasoft.

Edit that line, so that only *run=* remains, save in "File", and close Win.ini.

Now go to Start > Run, type Msconfig.

On the Startup tab, uncheck ALL of the following:

Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe 
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE 
Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE 
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE 
Norton CrashGuard Monitor = "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE" 
Microsoft Diagnostic = C:\WINDOWS\SYSTEM\oinqs.exe (this is actually a backdoor trojan): http://www3.ca.com/virusinfo/Virus.asp?ID=11532
cronos = C:\WINDOWS\marco!.scr (= Opasoft)
instit = C:\WINDOWS\instit.bat (Opasoft as well)

Click OK, close Msconfig and reboot (important!)

Now do a search for, and delete the following files (you may not have absolutely all of them):

c:\windows\alevir.exe
c:\windows\scrsvr.exe
c:\windows\Brasil.pif
c:\windows\Brasil.exe
c:\windows\marco!.scr
c:\windows\instit.bat
C:\WINDOWS\SYSTEM\oinqs.exe

Good luck,

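As an added example (not code from this thread or from the StartupList tool), here is a small Python parser for the report layout Lisa posted above. It walks the registry Run sections and the win.ini `run=` line and flags entries naming the files Tony lists as Opasoft or the oinqs.exe backdoor; the report excerpt is constructed from the one above, and the glued first `run=` token (`C:\WINDOWS\ALEVIR.EXEc:\windows\alevir.exe`) is split into its two paths rather than treated as one.

```python
import ntpath
import re

# Filenames the thread identifies as Opasoft or related (taken from the posts above).
SUSPECT_FILES = {
    "alevir.exe", "scrsvr.exe", "brasil.pif", "brasil.exe",
    "marco!.scr", "instit.bat", "oinqs.exe",
}

# Constructed excerpt in the StartupList 1.35 layout shown in the thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Microsoft Diagnostic = C:\WINDOWS\SYSTEM\oinqs.exe
cronos = C:\WINDOWS\marco!.scr
instit = C:\WINDOWS\instit.bat

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\WINDOWS\ALEVIR.EXEc:\windows\alevir.exe,c:\windows\scrsvr.exe,c:\windows\Brasil.pif

--------------------------------------------------
"""

# A drive-letter path; stops where another drive letter starts, so a glued
# token such as C:\X\A.EXEc:\y\b.exe yields two paths instead of one.
PATH_RE = re.compile(r"[A-Za-z]:\\(?:(?![A-Za-z]:\\)[^\s,\"])+")
# Quoted paths may contain spaces ("C:\PROGRAM FILES\...\X.EXE").
QUOTED_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')


def split_sections(report):
    """Split the report on its dashed separators, dropping blank lines."""
    sections, current = [], []
    for line in report.splitlines():
        if line.startswith("-----"):
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append(line.rstrip())
    if current:
        sections.append(current)
    return sections


def autorun_entries(section):
    """'name = command' pairs from a registry Run/RunServices section."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in (re.match(r"^(.+?) = (.*)$", ln) for ln in section) if m]


def win_ini_run_entries(section):
    """Comma-separated tokens of the win.ini run= value (empty if none)."""
    for line in section:
        if line.lower().startswith("run="):
            return [tok for tok in line[4:].split(",") if tok]
    return []


def basenames(command):
    """Lower-cased base names of every path-like token in a command string."""
    tokens = QUOTED_RE.findall(command) or PATH_RE.findall(command)
    if not tokens and command.strip():
        tokens = [command.split()[0]]      # bare names such as SysTray.Exe
    return {ntpath.basename(tok).lower() for tok in tokens}


def find_suspects(report):
    """Return (section, entry, suspect_filename) triples for flagged entries."""
    hits = []
    for section in split_sections(report):
        head = section[0]
        if head.startswith("Autorun entries"):
            key = section[1]                # the registry key on the next line
            for name, cmd in autorun_entries(section):
                hits += [(key, name, fn) for fn in sorted(basenames(cmd) & SUSPECT_FILES)]
        elif head.startswith("Load/Run keys"):
            for tok in win_ini_run_entries(section):
                hits += [("win.ini run=", tok, fn) for fn in sorted(basenames(tok) & SUSPECT_FILES)]
    return hits


if __name__ == "__main__":
    for section, entry, filename in find_suspects(SAMPLE_REPORT):
        print(f"{section}: '{entry}' references {filename}")
```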

----------



## lisa simpson (Nov 7, 2002)

I've done all that and removed the files. The worms are now appearing in different files:

C:\recycled\DC6.exe (I-Worm/Opas.A)
C:\recycled\DC7.exe (I-Worm/Opas.A modified)
C:\recycled\DC8.pif (I-Worm/Opas.E)
C:\recycled\DC9.exe (I-Worm/Opas.F)

The AVG shield found these...

Help !!!


----------



## TonyKlein (Aug 26, 2001)

C:\Recycled is your recycle bin.

Can you empty it?


----------



## lisa simpson (Nov 7, 2002)

Yep. I've emptied it !
Is there any way of testing that I've got rid of it ?


----------



## jm100dm (May 26, 1999)

You could run AVG, Norton and spybot again to see if they come up empty now. Just a thought.
Tony is very good at this and you should be okay now. I would be more careful in the future as to what e-mails I open and keep the updates up to date with your anti-virus program(s).

Jeff


----------



## []i9 (Nov 14, 2002)

Hey all,

I've been fighting this worm myself for some time now. I've done a lot of reading here and on other sites. I put a bunch of info together and this is what I did. It seems to have been successful.

First I manually deleted all the associated files. Apparently, from what I've read, the worm deletes the original file once it's been activated, so it's all a matter of getting all of its pieces deleted.

The files I deleted were
brasil.exe
brasil.pif
scrsvr.exr
alevir.exe
gay.ini
shortcut to gay.ini
macros.scr
Then went in and manually deleted all references to those files in Win.ini

Next I ran the prog Regcleaner. I just ran the auto clean in the "tools" heading. It found registry entries something like Win32Osgrv. It was something similar to that anyway. Reg Cleaner can be dloaded here: RegCleaner

Next I shut down all of my shared files and drives before going on to the next 2 steps. This was recommended by Symantec as well as other sites.

I then installed this Windows security patch for Network passwords. It's here: patch

Lastly, I ran this utility from Symantec that is designed to kill this worm. It could be that the Windows patch and this utility are all you need. It's here: utility

Since the worm deletes its original file I can't reinfect to see what steps were actually needed. But that's what I did. I have rebooted numerous times and actively tried to find remnants of the worm and have found nothing. Hope this helps someone.

Here's some links for info on the worm, if anyone cares: http://www.viruslist.com/eng/viruslist.html?id=52256

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASERV.B


----------



## lisa simpson (Nov 7, 2002)

It's gone. Yipeeee!
Thanks so much for your help.

What a brilliant forum. I will be recommending it to everyone!

Lisa


----------



## alleycat (Nov 14, 2002)

Can someone please help me through this opas stuff. I have been having the same problems as Lisa. I tried following the suggested steps... No luck. It's still on my computer in all its glory. Can anyone help?


----------



## jm100dm (May 26, 1999)

alleycat,

Please post more information. What have you done so far? What are you finding? What operating system do you have? Let everyone know so they can help.

Jeff


----------



## []i9 (Nov 14, 2002)

alleycat,
list what all you've done. Also what antivirus software you are using.


----------



## alleycat (Nov 14, 2002)

I am using Windows 98, AVG free edition, and have installed the file-sharing patch from Microsoft. I have run AVG in safe mode and in DOS. I have manually deleted all infected files, and removed the references from the win.ini. They still keep coming back every startup. 

Does this help?

Alleycat


----------



## Bokchoi Cowb (Nov 6, 2002)

Is your C drive shared? Have you unbound "file and printer sharing" in the TCP/IP settings? Have you disconnected yourself from any network AND the Internet? Have you downloaded and run the Symantec and/or the Panda Opas removal tool?


----------



## []i9 (Nov 14, 2002)

This worm resides in your registry. Simply deleting the Win.ini entries and the infected files won't get rid of the worm. You have to clean the registry. Use the Symantec utility that I linked to in my previous post. McAfee also has one and so does Trend Micro. They are free utilities and don't require you to have the entire antivirus software. Just the small utility.

As long as it's still in your registry it will continue to reinstall the files and .ini settings.


----------



## takuma683 (May 16, 2003)

Another detail. I got this worm in the computer at my work place, and all drives in that computer were shared. I did the described removal procedure in this thread and the worm went away but came back. I got rid of it later. To whoever gets the same problem: Those "Xupiter" things leave ActiveX components in the "Downloaded Program Files" folder and they will download the virus automatically again from a number of URLs. If you do what is in this thread and it comes back again, check all the ActiveX components in the "Downloaded Program Files" folder and remove everything that you think looks "suspicious" (having any reference to Xupiter and other bad things), then delete all the virus files (also look for IPINSIGT.DLL, created by the virus to broadcast your IP and other machine info over the net), delete all the virus' registry entries, and the worm is gone.


----------



## IMM (Feb 1, 2002)

An often overlooked recommendation regarding opaserv (opasoft) is to patch the system. You should do this right away or you will likely get it again.
The patch for ME, 98SE, 98G and 95 can be found through
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-072.asp


----------



## Sirgets (May 21, 2003)

What I have found out in the past about this virus is that it is using an open port on your machine to infect the machine over and over again. What I have done to correct this problem on clients' machines was to install ZoneAlarm on the machine to firewall it from outside attack; this has solved the virus problem 9 times out of 10. Not sure if anyone is still battling this virus, just thought I would offer this suggestion.


----------



## eband00 (Jun 24, 2003)

Hey, I have the i-worm/opas.g virus but I do not have any symptoms, like gay.ini or marco!.snr. The virus is located in _Restore/temp/#########.cpy but it always jumps to another cpy? Often it goes to a nearby cpy folder, like I deleted a0115405.cpy in DOS and it jumped to a0115418.cpy.


----------

