I-Worm/Opas.g

Discussion in 'Malware Help (A Specialist Will Reply)' started by tigerray00, Feb 23, 2005.

  1. tigerray00

    tigerray00 Specialist

    I've done the Read Me and gone through all the steps for spyware/virus removal.

    I somehow contracted this worm, and while my AVG nullifies it when it starts to run, I can't seem to find the source that installs it. It may be that I'm contracting it on the net from the same source, or a file that I can't find on my PC. It seems that no matter what I do it keeps coming back. I've removed the registry entry for it, the win.ini file and the scrsrv.exe file; can anyone tell me if there are other files to look for, in case the install file is on my PC?

    I believe I contracted this initially from MSN Game Zone through the ZoneFriends messenger, but I'm not sure. It has not spread through my network, thankfully, so I know it isn't bouncing back and forth. Either there is a site that is infected or someone with Zone messenger, or I still have the install file and can't find it. I've killed this version, Opas.g, seven times now and also 3 other variants once each. As the other variants haven't come back, I'm led to believe I'm getting this online somewhere.

    I'm running Win98 with AVGFree 7.0. HiJack This 1.99 removed the associated .ini file and the reg key, and now comes back clean. Any help on this would be appreciated.

    Unless I keep contracting this in MSN Game Zone, I'm pretty sure this is a simple fix.
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    My first guess would be to run AVG from safe mode. Did you do everything from safe mode, including Hijack This? You sound knowledgeable to get this far, but not doing it from safe mode can be wasted time. MSN is safe; it is unlikely.
     
  3. tigerray00

    tigerray00 Specialist

    :eek: Duh! Forgot to try safe mode. Will give it a try and get back.
     
  4. tigerray00

    tigerray00 Specialist

    Ok, I have done everything I can think of. I know I'm protected from these viruses, but I can't seem to locate the installation source. I've searched and searched for downloaded files, deleted all the temp stuff, run disk cleanup, ran all kinds of scans, but even as I'm typing this post these viruses (all versions of the Opaserv worm) keep getting installed. I can't remember how to remove the backup files to get rid of it and am not sure how to detect the source, as AVG doesn't seem to be able to detect the install source, only the actual virus. I have to be getting it from somewhere online, but I wouldn't know how to find out where it's coming from or how to block it.
     
  5. tigerray00

    tigerray00 Specialist

    Since my last post, I've run Trendmicro's online scan, AVG scan, Stinger scan, downloaded an Opaserv worm remover, and all have come up clean. I know I don't have the virus right now, but I have a funny feeling that sometime tomorrow I will suddenly have it again and have to remove the WIN.INI file again (this will be the third time) as well as the files AVG removes and any RegKeys I can find (by the way, I haven't found any new keys since the last one I deleted).
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are still having problems, follow the steps below.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  7. tigerray00

    tigerray00 Specialist

    Here's my HJT file. I've gone through it several times and can't seem to find anything wrong. This is why I believe, as I stated earlier, that I seem to be getting it from someone connected to the MSN network somewhere. I don't think it's coming directly out of their net, but possibly from a contact in one of my buddy lists.
     

  8. tigerray00

    tigerray00 Specialist

    Thanks Chaslang for helping me with this. If I thought this was going to be a one time thing, I wouldn't bother you with it, but it keeps coming back over and over.
    Also I figure an Opaserv Worm would be a change of pace from all the About:Blanks.

    Thank you also Major. I've been here a little while and try to do my homework before I bother you guys with this stuff, but I can't figure out why I keep getting this one.
     
  9. tigerray00

    tigerray00 Specialist

    There may be one more bit of info that might help. I only seem to contract this worm when I log into my .NET Passport IDs through IE. I have never gotten this when using my Mozilla Firefox. I have to use IE whenever I want to play at Zone.MSN.com (Game Zone) and it seems I only get it when I play there. This is what led me to believe it was coming in through the Zone Friends messenger.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please update to Hijack This 1.99.1

    After you download the new version, post a new log! Chas will be in when time permits.
     
  11. tigerray00

    tigerray00 Specialist

    I didn't realize there was an updated version out yet. Here is my new log.

    When I reconnected my ISP to come back here and upload the new log, my AVG caught and killed 2 more worms: Opas.g again and another one. This occurred after I came back online, so it may not show in the log.
     

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never ran the Symantec online scan! Is there a reason for skipping it?
    Did you skip anything else?

    Also why are you running without a firewall? That is a very, very, very, very (get the point) bad idea.

    Also, your virus scanner does not appear to be loading at startup. Are you sure you installed AVG properly? Consider uninstalling and reinstalling (possibly an updated version too).

    Are you running the Windows Welcome Tutorial at startup? Or is the below some sort of malware?
    O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R

    Your log shows no real signs of problems. If I were you, I would first install a firewall (see: How to Protect yourself from malware!). Then I would run the Symantec online scan in normal boot mode since you have Win98. Then I would run the following (from the Alternative Scans section of the READ ME):

    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    a-squared (a²) Free edition: free but requires an email address to register
    avast! Virus Cleaner Tool
     
    Last edited: Feb 25, 2005
  13. tigerray00

    tigerray00 Specialist

    Ok, I do have AVG run at startup, but I temporarily had it stop for some things I was doing a while back with my home network, and forgot to reset it. Not a problem, it's been corrected. I have done the online scans, but you probably don't see it in my log, because I removed all of those lines with HJT earlier before I came here for help.

    As to the firewall....well, I'll admit it, I've just been too lazy to download it. This will be remedied right now, however. The Windows tutorial was accidental. I started it once the day I loaded my log and it reset itself to run at startup, and I didn't realize it. That's fixed.

    Chaslang, I'm not having a problem removing viruses; I'm trying to find out where I'm getting them from so I can block them. (Obviously a firewall will help, but I would feel better knowing.)
     
  14. tigerray00

    tigerray00 Specialist

    Ok, Zone Alarm installed, configured and updated. Now I've been online about 2 hours and (knock on wood) I've gotten no viruses. However, I've had about 15 alerts of someone trying to get access from the same IP address. Ports seem to be random, but seem to be in a range I don't use (so far). Is it safe to assume this is where I'm getting attacked from, or is there an easy way to research this IP to find out where it is? Who would I notify about the possibility of malicious attacks? Jeez, this is persistent, just got 5 more attempts.
    What do I do if this thing finds one of the ports I have Zone Alarm configured to allow to be open for my IE, Firefox and network?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would think if you set up ZoneAlarm for stealth mode you should be ok. You may want to turn off any popup notifications of incoming blocking so you don't keep getting disturbed. Just periodically check ZoneAlarm's report so you know what's going on.

    Not sure who you would notify of attacks! First you have to be sure that it is not something valid. You need to verify who the IP address belongs to. Possibly you should notify your ISP first; then, if you have proof of some kind of theft of private information or damage, you could notify local police and see what they recommend. If it were easy to locate and track these jerks down, there would not be so many problems like this. It is probably rather costly to do so too.
     
  16. tigerray00

    tigerray00 Specialist

    Thank you Chaslang, everything seems to be ok now.

    I was doing some research on these viruses and it's entirely possible and very likely probable that whoever is sending these doesn't know it. Also very likely they use the same ISP as I do, as these are NetBEUI-based spreaders and seek close IPs. I'll let my ISP know what's going on and maybe they can get ahold of the person at the address it's coming from and let them know.:)
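The pattern described in the last two posts from tigerray00 (one source repeatedly hitting the machine, and a worm family that spreads over Windows file sharing to nearby addresses) can be checked against a firewall's blocked-connection log rather than by eyeballing popups. The following is an added example, not code from this thread or from ZoneAlarm; it assumes a simplified one-line alert format (constructed here) and a made-up local address. It tallies blocked attempts per source, flags sources that repeatedly hit the Windows file-sharing ports (137-139 and 445), and notes whether each source sits in the same /24 as the local address, which is the sort of summary worth handing to an ISP's abuse desk.

```python
import ipaddress
import re
from collections import defaultdict

# Ports used by Windows file and printer sharing (NetBIOS over TCP/IP and SMB).
# Share-propagating worms such as the Opaserv family hammer these, so repeated
# hits on them from one nearby address are the pattern worth flagging.
SHARE_PORTS = {137, 138, 139, 445}

# Assumed alert layout for this example; real firewall logs differ in format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK "
    r"src=(?P<src>\S+) dport=(?P<dport>\d+) proto=(?P<proto>TCP|UDP)$"
)

# Constructed sample log. 10.20.30.55 is a "neighbour" on the same /24 as the
# local address used below; 203.0.113.9 is a distant address; one line is
# deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2005-02-25 20:01:12 BLOCK src=10.20.30.55 dport=137 proto=UDP
2005-02-25 20:01:13 BLOCK src=10.20.30.55 dport=139 proto=TCP
2005-02-25 20:01:20 BLOCK src=10.20.30.55 dport=137 proto=UDP
2005-02-25 20:01:21 BLOCK src=10.20.30.55 dport=445 proto=TCP
2005-02-25 20:01:30 BLOCK src=10.20.30.55 dport=139 proto=TCP
2005-02-25 20:01:31 BLOCK src=10.20.30.55 dport=1025 proto=TCP
2005-02-25 20:02:05 BLOCK src=203.0.113.9 dport=80 proto=TCP
2005-02-25 20:02:06 BLOCK src=203.0.113.9 dport=1433 proto=TCP
2005-02-25 20:05:00 BLOCK src=bad dport=x proto=TCP
2005-02-25 20:06:40 BLOCK src=10.20.31.8 dport=139 proto=TCP
"""


def parse_line(line):
    """Return a dict for one well-formed alert line, or None if it is unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None
    return {
        "ts": m.group("ts"),
        "src": str(src),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
    }


def summarize(log_text, local_ip, prefix_len=24):
    """Aggregate blocked attempts per source address.

    local_ip / prefix_len define the "same subnet" test; a source inside that
    network is the kind of close neighbour a share-spreading worm would reach.
    """
    local_net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    per_src = defaultdict(
        lambda: {"attempts": 0, "share_port_hits": 0, "ports": set(), "same_subnet": False}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines instead of crashing
        entry = per_src[rec["src"]]
        entry["attempts"] += 1
        entry["ports"].add(rec["dport"])
        if rec["dport"] in SHARE_PORTS:
            entry["share_port_hits"] += 1
        entry["same_subnet"] = ipaddress.ip_address(rec["src"]) in local_net
    # Freeze the port sets into sorted lists so the report is stable.
    return {src: {**e, "ports": sorted(e["ports"])} for src, e in per_src.items()}


def probable_share_scanners(summary, min_share_hits=3):
    """Sources that hit the file-sharing ports at least min_share_hits times."""
    return sorted(src for src, e in summary.items() if e["share_port_hits"] >= min_share_hits)


def format_report(summary):
    """Plain-text lines suitable for pasting into a report to an ISP."""
    lines = []
    for src in sorted(summary, key=lambda s: -summary[s]["attempts"]):
        e = summary[src]
        where = "same /24 as local host" if e["same_subnet"] else "outside local /24"
        lines.append(
            f"{src}: {e['attempts']} blocked, {e['share_port_hits']} on file-sharing ports, "
            f"ports {e['ports']} ({where})"
        )
    return lines


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "10.20.30.40")
    print("\n".join(format_report(report)))
    print("probable share scanners:", probable_share_scanners(report))
```

The threshold in `probable_share_scanners` is deliberately conservative: a single stray hit on port 139 from a distant address (as with 10.20.31.8 in the sample) is not enough to name someone to an ISP, whereas a neighbour that keeps retrying 137/139/445 is.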
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Happy I could help!
     