W32 OPASERV.WORM

  JoJoh 14:01 09 Sep 03
Locked

MY COMPUTERS ARE INFECTED WITH THE W32.OPASERV.WORM. I HAVE USED THE SYMANTEC TOOL TO DELETE IT (AND ALSO LOADED THE WINDOWS PATCH). HOWEVER, I HAVE A VARIANT (THE "INI" VARIANT) THAT HAS AFFECTED MY SYSBCKUP FILES IN WINDOWS. I HAVE FOUND THAT 2 CAB FILES "RB003" AND "RB005" ARE COMPRESSED AND THAT THE WIN.INI FILES WITHIN THESE ARE INFECTED. WHEN I EXTRACT THE FILES, MY ANTI-VIRUS SOFTWARE WORKS AND DELETES THE VIRUS. THE PROBLEM IS THAT I AM UNABLE TO DELETE THE INI FILES WITHIN THESE FOLDERS AS THERE IS NO OPTION TO DO SO, ONLY TO EXTRACT THEM. IS IT POSSIBLE TO REPLACE THE INI FILES WITHIN THESE CAB FOLDERS WITH ONES WHERE THE VIRUS HAS BEEN REMOVED? I CANNOT FIND A WAY OF DOING THIS.

I AM NO EXPERT AND DO NOT KNOW WHAT IS A CAB FOLDER.

FINALLY, I AM RUNNING WIN 98 AND THE SAME HAS HAPPENED ON 3 OF OUR MACHINES. IS IT POSSIBLE TO RELOAD WIN98 (98 SECOND EDITION) WITHOUT LOSING ANY FILES?

  Jester2K II 16:56 09 Sep 03

Delete the CAB files with the infection. Windows will make new copies later (each time you boot).

These are a rolling backup of your system files.

As long as you have RB001, RB002 etc. just delete the ones that carry infection. They are no good anyway without ALL the files.

  Jester2K II 17:17 09 Sep 03

Thanks for this. I have deleted a file called RB003 and Windows has not replaced it when I rebooted. How vital is it for the Windows operations?

Naughty Jester - bad explanation.

Don't panic.

Here's what happens. Every now and then Windows makes a backup copy of your System Files and packs them in a file called a CAB file (Cabinet File - bit like a Zip file - in fact WinZip can open CAB files)

Windows keeps 5 sets of these, called RB001 - RB005. RB001 will be the oldest one.

When Windows does the next backup (every few days / boots) it simply deletes the oldest one (RB001) and then RB002 becomes RB001, RB003 becomes RB002 etc. and then the latest backup is called RB005.

It won't replace them and having two missing just means you have 3 backups instead of 5 at the moment. The other two were no good anyway as they had a virus in them.

In a week or so you'll have 5 backups RB001 - RB005...

Hope this clears it up...

  JoJoh 17:29 09 Sep 03

Final question - Is there a facility in Win98 SE to repair an installation? Because of the virus, I have had to delete the scrv.exe file and also "marco" and Brasil. When Windows boots, it is saying that these files are missing.

  Jester2K II 17:36 09 Sep 03

scrv.exe - do you mean ScrSvr.exe?

If so that was the worm itself not a system file.

In the registry locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Svr32 = C:\Windows\svr32.exe and delete it.

to stop Windows calling it on boot up.

Macro and Brazil are almost certainly other copies of the worm. Look for their entry in the registry as above and delete it too.


  JoJoh 17:58 09 Sep 03

Hi - Thanks again. This is the warning that I am receiving. How do I get to the registry to delete this?

  Jester2K II 18:05 09 Sep 03

Easier way. Start Menu, Run, Type "MSCONFIG" (no quotes) and hit enter

Go to the StartUp Tab and uncheck anything that points to these files.

  JoJoh 19:11 09 Sep 03

Hi again. I have done as suggested and have the following problems:

When windows starts I get the following messages:

1. Couldn't find instit.bat
2. Couldn't find instit.bat in the win.ini file
3. Couldn't find alevir.exe
4. Couldn't find alevir.exe in the win.ini file
5. Couldn't find marco scr
6. Couldn't find marco in the win.ini file

I have found a ref to these in the win.ini in the msconfig. I have unticked these and am about to re-start now. Will let you know.

  Jester2K II 19:23 09 Sep 03

Doh.
Sorry forgot to mention the win.ini file

  JoJoh 19:36 09 Sep 03

Hi again - I found that the problem was in "Windows" folder in the win.ini tab in msconfig.

This was where the item was hiding. I have unticked it. Is there a way of removing it altogether? I did look in the registry by running regedit but it is not where you suggested.

Thanks again

Finally - for some strange reason, the date will not show correctly in our Sage Accounts programme. It continuously reverts to a wrong year. The programme runs correctly on another computer using the shared data, however on one of the Win 98 computers which has had the virus there is a problem. Any ideas? I have checked and the date is correct and works perfectly in Windows, i.e. Word.

  Jester2K II 19:40 09 Sep 03

Look into the Windows directory for the file win.ini and open it in Notepad. You can delete the line there.

I would start a new thread for the Sage problem.

This thread is now locked and can not be replied to.
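As an added example (not part of the original thread): a small Python sketch of the manual win.ini cleanup described above, which lists the programs started from the load= and run= lines of the [windows] section and drops the ones named in the error messages. The sample win.ini content and its paths are constructed for illustration; the thread gives only the names instit.bat, alevir.exe and marco.

```python
import re

AUTOSTART_KEYS = {"load", "run"}  # [windows] keys that Win9x starts at logon
BAD_NAMES = {"instit.bat", "alevir.exe", "marco"}  # names from the thread

def parse_autostart(text):
    """Yield (line_no, key, [programs]) for load=/run= lines in [windows]."""
    section = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in AUTOSTART_KEYS:
                # Entries are separated by spaces or commas (assumes 8.3 paths).
                programs = [p for p in re.split(r"[ ,]+", value.strip()) if p]
                yield no, key.strip(), programs

def is_bad(path, bad):
    """Match on the file name, with or without its extension."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name in bad or name.rsplit(".", 1)[0] in bad

def clean_win_ini(text, bad_names):
    """Return (cleaned_text, removed) with listed programs dropped."""
    bad = {n.lower() for n in bad_names}
    lines = text.splitlines()
    removed = []
    for no, key, programs in parse_autostart(text):
        hits = [p for p in programs if is_bad(p, bad)]
        if hits:
            keep = [p for p in programs if p not in hits]
            lines[no - 1] = f"{key}={' '.join(keep)}"
            removed += [(no, key, p) for p in hits]
    return "\n".join(lines) + "\n", removed

# Constructed sample, not taken from an infected machine.
SAMPLE = r"""[windows]
load=
run=C:\WINDOWS\instit.bat C:\WINDOWS\alevir.exe C:\WINDOWS\marco.scr C:\TOOLS\clock.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    cleaned, removed = clean_win_ini(SAMPLE, BAD_NAMES)
    for no, key, prog in removed:
        print(f"line {no}: removed {prog} from {key}=")
    print(cleaned)
```

Keep a copy of the original win.ini before writing the cleaned text back, and review the removed list first so a legitimate startup program is not dropped by a name collision.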
