Thread ID: 54134 2005-02-04 21:18:00 Win32.Opaserv.AE GrahamB (750) Press F1
Post ID Timestamp Content User
321665 2005-02-04 21:18:00 One of my computers (not networked) has attracted Win32.Opaserv.AE

The virus was picked up by ZoneAlarm Antivirus, which has determined that it cannot treat, delete or rename it.

I copied some info on the Virus from ZoneLabs Virus Information Centre, and working from those notes I can make the following observations:

There was no reference in registry to either:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \Spees1="C:\Windows\Speedy.scr"

or

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \SpeedBost="<Location of the source file>"

There was no reference in win.ini to:
Run=c:\windows\speedy.scr

I cannot find any files called either:
c:\Windows\banda! or
C:\Windows\podre!!

They did not show up on a file search either.

The only reference in the ZoneAlarm Virus Scan screen was to a file at:

c:\_restore\temp\A027336.cpy (I think that was the correct name - I only wrote down the 'A0273376.cpy' part at the time.)

I did find a folder called c:\Windows\Speedy with one file in it called 'speedy'. I rather bravely (or foolishly) deleted the file and folder without checking the file extension.

A renewed virus Scan still shows the computer as having a Virus that could potentially be live.

So the question is, how do I locate the source file and destroy or render it inoperative?

In the meantime I have limited all outgoing emails to my laptop, which has checked out clean.

TFYH

Regards
Graham Bockett
GrahamB (750)
321666 2005-02-04 22:35:00 Hi Graham

If the virus file path had the words _restore in it, this just means your WinXP or WinME machine has a copy of a previous virus in a System Restore point. You must have had this virus at one stage and your AV cleaned it from the system then. It is not an active infection now unless you use System Restore and roll the machine back to that date, which will then re-release the virus. To get rid of this Restore point you need to disable System Restore, reboot the machine and then re-enable it, which will purge all stored Restore points.
Jen (38)
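The distinction Jen describes above, as an added example that is not part of the original thread: a Python sketch that separates a scanner hit sitting in a System Restore store from one backed by the autostart indicators quoted in the first post. The function names and the sample Run-key and win.ini inputs are constructed for illustration.

```python
import ntpath
import re

# Autostart indicators exactly as quoted in the first post, lower-cased.
RUN_VALUE_NAMES = {"spees1", "speedbost"}
WININI_TARGET = r"c:\windows\speedy.scr"
# System Restore stores: C:\_RESTORE (Windows ME) and
# <drive>:\System Volume Information\_restore{GUID} (Windows XP).
RESTORE_RE = re.compile(
    r"^[a-z]:\\(?:_restore|system volume information\\_restore\{[^}]+\})\\",
    re.IGNORECASE)

def in_restore_store(path):
    """True when a scanner hit lies inside a System Restore store."""
    return bool(RESTORE_RE.match(ntpath.normpath(path)))

def winini_autostart(text):
    """Programs named on run=/load= lines in win.ini's [windows] section."""
    section, found = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and not line.startswith(";"):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in ("run", "load"):
                found += value.lower().replace(",", " ").split()
    return found

def triage(detection_path, run_values, winini_text):
    """Return (verdict, matched autostart indicators) for one scanner hit."""
    hits = sorted(n for n in run_values if n.lower() in RUN_VALUE_NAMES)
    hits += [p for p in winini_autostart(winini_text) if p == WININI_TARGET]
    if hits:
        return "autostart present", hits
    if in_restore_store(detection_path):
        return "restore-point copy", []
    return "unexplained", []

if __name__ == "__main__":
    # Constructed inputs: Run-key value names and win.ini text for a machine
    # matching the first post (no indicators); the path is the one it reports.
    run_values = {"ExampleFirewall": r"C:\Program Files\Example\fw.exe"}
    winini = "[windows]\nload=\nrun=\n"
    print(triage(r"c:\_restore\temp\A027336.cpy", run_values, winini))
```

A "restore-point copy" verdict matches the case in this thread: no autostart entry is present and the only detection is an archived file that purging the restore points removes.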
321667 2005-02-04 22:45:00 I agree with Jen and add that even though virus checkers can often scan the area system_restore, most cannot heal, clean or delete files from there. Also, as far as I know, Zone Alarm is not a virus checker but more of a firewall, and yes, it can scan and log viruses if they came in; it can't do any more than that. It used to change the attached file's icon to that of its own and change the file extension (so it could not be executed).
beama (111)
321668 2005-02-05 00:21:00 Also it wouldn't do any harm to download and run an Opaserv worm removal tool:

securityresponse.symantec.com
Terry Porritt (14)
321669 2005-02-05 21:15:00 Thank you Jen, Beama and Terry for your inputs. It is very helpful and I will take the collective advice and actions recommended.

For your info Beama, ZoneAlarm have bought the rights to the Computer Associates virus scanner and now market a Firewall with Virus Scanner.

Good value for money in my opinion, the more so after the comment about all virus checkers having a problem with _restore file cleanups.


TFYH

Graham Bockett
GrahamB (750)