OpaServ - Grrrrrrrrrrr

Discussion in 'NOD32 version 1 Forum' started by Blackspear, Dec 16, 2002.

Thread Status:
Not open for further replies.
  1. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    Of course!

    I'm forgetting non-NT more and more. :p

    Regards,
    Anders
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    If this is the case, and I know for sure that the system was set up correctly (I did it myself :D ), and OpaServ was fully removed, how was the registry altered again? Why did Amon allow this?

    We are now more than 24hrs later and the system is still clean.

    Thank you all for your help. Opaserv is a persistent mongrel :mad: ; at least now I know how to strangle it :D

    Cheers.
     
  3. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hey Blackspear,
    I'm glad it's OK now. :D
    We recommend using our cleaners without manual intervention.

    Anyway, it's over now - good to have the machine clean :)

    Best wishes,

    jan
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    More than 2 days clean now, client is very happy, and so am I :D

    Thanks for your help everybody :D

    Cheers.
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I still have one nagging and gnawing question that nobody has yet answered:

    The system in question - Win98SE - is the only machine with internet access (the other 2 machines are CLEAN installs with XP Pro and NOD32 - all set up by me - deep heuristics, scan all files, scan extensionless files, clean and if uncleanable delete etc. etc., and BOTH these PCs are CLEAN of viruses and have NEVER been infected). The C drive on the 98 PC is shared - yes, I know about this.

    The clients only ever use the internet to get web-mail, and mail ONLY ever comes from 1, yes 1, business - a massive video chain. Their emails and PCs are clean, or more than 400 stores across Australia would also be infected (and I'd love that job of cleaning off viruses) :D

    The client did not open or click on anything; they don't know how to execute a file, and weren't game enough to try anything after the 1st infection - too scared to touch :D

    How did the registry change after a FRESH install of Windows? There was reinfection from Opaserv (all the usual files - brasil etc.), which were found in the registry after reconnection to the internet.

    As I understand it, Amon checks the background. If Amon is checking the background, how did the 2nd and 3rd reinfections get past Amon into the registry?

    This just bugs me, clean install, Nod and Amon setup properly, reinfection - How?

    Cheers.
     
  6. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hey Blackspear,

    the discussion is getting pretty long here ;)
    The disk shouldn't be shared for writing (the user should disable it) - especially the system directory (that's a BIG security hole). If there is a need for write sharing, select a specific directory that is not dangerous.

    One of the possibilities is that maybe that user was checking a web page and there was a quick alert from Amon that a dangerous file had been created on the disk and he just clicked OK - it happens sometimes when too many windows are open.

    There are many possibilities - if we should write it more exactly we'd need to see that process on site.

    rgds, :)

    jan
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks Jan. Sure, this is getting pretty long, but nobody addressed my why (how) question... and now you have, and it has given me an understanding of how it could happen. With these guys there is a very GREAT chance that they clicked OK; in fact that is most likely :D

    I'm now going to have to tell all my clients to read very carefully what Amon is alerting them to, and at all times delete. When I 1st purchased NOD32 and started selling it, I thought that having set NOD up to automatically clean and, if uncleanable, delete, this would have been the case. It is not. This would be a great feature for the general public - especially my dumb and dumber :D - as it gives them no option to screw up :D; it just deals with viruses according to the preset settings and advises them of such upon removal :D

    Thanks for your answer...

    Cheers.
     
  8. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    OK, we'll think about it

    All the best :)

    jan
     
  9. cotopaxi

    cotopaxi Guest

    Well, this is my first time posting to this board. We had the same problem, but this little trick may help, used in addition to all the tools and removal programs. Do a search not by file name but with "containing text", using brasil, marco, and all the other names. You will be surprised how many files you find...

    Hermann
     
  10. hsavage

    hsavage Guest

    http://www.pandasoftware.com/com/us/

    I've tried 5 or 6 different virus programs and several virus removal tools and they all allowed reinfection after indicating opaserv had been cleaned.

    I don't think any virus program out there will find and remove the code that kicks off opaserv.

    I suggest you go to the above link and in the Virus Encyclopedia click on one of the variants of opaserv.

    Eventually you'll get to a page where you can download a file named PQRemove.com.

    It's a virus removal tool that does something a little differently than all the others.

    It will, initially, clean the registry and the win.ini file and delete any of the standard opaserv files. It then creates folders of the same names, e.g. C:\windows\scrsvr.exe, so the folder path looks exactly the same as the executable opaserv files.

    Wherever the virus code resides, it can't write the executable to disk because there will be a folder with the same name, and an executable can't overwrite a folder with the same name.
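The "folder with the same name" trick in the post above is a general inoculation technique: a directory occupying the path blocks any later attempt to create or overwrite a file there. The model below is an added example, not PQRemove's code or anything from the original thread. It runs in a temporary directory standing in for C:\windows; scrsvr.exe is the name given in the post, and the other two names (brasil.pif, marco!.scr) are assumed for illustration based on the "brasil" and "marco" strings mentioned elsewhere in the thread.

```python
import os
import tempfile

# File names the worm drops into the Windows directory. scrsvr.exe comes from
# the post above; the other two are assumed names for this example only.
DROP_NAMES = ["scrsvr.exe", "brasil.pif", "marco!.scr"]


def inoculate(windows_dir, names=DROP_NAMES):
    """Remove any dropped copy, then put a directory at each path the worm
    would write its executable to. Returns the list of directories created."""
    created = []
    for name in names:
        path = os.path.join(windows_dir, name)
        if os.path.isfile(path):
            os.remove(path)          # a leftover worm body must go first
        os.makedirs(path, exist_ok=True)
        created.append(path)
    return created


def is_inoculated(windows_dir, names=DROP_NAMES):
    """True when every protected name is occupied by a directory."""
    return all(os.path.isdir(os.path.join(windows_dir, n)) for n in names)


def try_drop(path, payload=b"MZ-constructed-sample-body"):
    """Simulate the worm writing its body to `path`. Returns True on success.
    open() fails with IsADirectoryError on POSIX and PermissionError on
    Windows when a directory already sits at that path."""
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
        return True
    except OSError:
        return False


def demo():
    """Drop before and after inoculation; returns (before_ok, after_ok)."""
    with tempfile.TemporaryDirectory() as windows_dir:
        target = os.path.join(windows_dir, "scrsvr.exe")
        before = try_drop(target)
        inoculate(windows_dir)
        after = try_drop(target)
        assert is_inoculated(windows_dir)
        return before, after


if __name__ == "__main__":
    print(demo())
```

The protection is only as good as the name list: a variant that drops under a different file name is unaffected, and the placeholder directories must stay in place. It also does nothing about the way the worm arrived (the writable share), which the rest of the thread covers.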
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I'm NOT happy, I'm getting to the point that I do NOT believe Nod32 can actually protect against Opaserv.

    I have had 2 more clients today that did NOT and have NEVER had Opaserv infect their systems, on my recommendation they purchased Nod32 for NEW computers.

    One of these customers was going ape-sh*t in my shop this afternoon about his systems being infected... I kept putting it back to him NOT having a firewall and this is how he became infected, what else could I say... It's a mongrel worm that nobody seems to have any answers for...

    It makes it hard to sell Nod at this point, when this same client is used to hearing only the big 2 AV's, and he is wondering why he purchased a little AV that he and his friends etc have never heard of, and now he is infected...

    I personally set up Nod on their computers, both did not have firewalls, one (by sheer bad luck – or stupidity – if I can say that with hindsight) did not put his firewall back on to protect his computer on a ADSL connection, the other is on dialup and did not see the point.

    BOTH are now infected with Opaserv.

    Amon did NOT protect their computers.

    This is getting to be ridiculous, Amon is NOT doing its job! I can't see how anyone can say it is...

    I see in my ZoneAlarm logs that port 137 is being targeted; when I ask other firewall-protected users the same question, I get the same response: massive hits on port 137, approximately 80%.

    Do I now need to sell a firewall when I sell NOD to stop any potential infections of Opaserv? o_O

    If this is the case it is going to be a massive pain in the backside to teach the average user what a firewall is and how to use it… No it’s not stopping your internet connection, you just haven’t given it permission to access the internet. No it’s not stopping your Emails, you just haven’t given it permission to access the internet… But I gave it permission, but you didn’t tell it to remember this answer… This firewall is too much hassle, No, it really isn’t, you just need to read what it is trying to tell you and let it protect your system…

    I am at a loss as to what to do for the average home user and for the average small business. I am trying to defend this product (NOD32) but am losing the battle very quickly...

    I am becoming VERY disillusioned…

    Can someone from Eset please tell me:
    WHY, if Amon is supposedly protecting EVERY file by continuous scanning in the background, does it allow alteration of system files? o_O

    Why can't you guys at Eset, as the world's leader and very best anti-virus manufacturer, write something into an update that stops this mongrel in its tracks, FULL STOP! You guys know how this mongrel operates; surely you have the ability to circumvent this pig and stop it from giving us as end users absolute heartache.

    At the moment you are offering a patchup job AFTER an infection, I need to offer a solution PRIOR to infection to my customers, as far as I'm concerned with my experiences in the field, at the moment they are NOT protected with Nod32...

    You guys are way superior beings to the mongrel who wrote this :D The sun shines from your office in Esetland; I'm sure that's where it starts its rise across the planet. I love your work... I'm just one frustrated, angry, p*ssed off reseller... I'm getting heat from end-users that are getting infected... and I can NOT offer a solution prior to infection (it used to be "Install NOD"; this is no longer an appropriate course of action - it is NOT a complete solution).

    I not only need answers, I need urgent solutions BEFORE this becomes a major headache for me...

    Cheers.
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Am I correct in my train of thought and understanding:

    1) Opaserv is targeting port 137.

    2) It is coming in from the web through port 137 if a firewall is not present.

    3) Amon is NOT protecting a system with infection from the Web (otherwise system files would NOT be altered).

    4) Due to how it comes in, EVERY user should now have a firewall BEFORE they become infected (being on dialup connection is no longer an excuse for NOT having a firewall).

    5) The ONLY way for a NEW system that has NEVER been on the internet to be protected from Opaserv is to have a firewall and Nod32, BEFORE they connect for the 1st time to the internet.

    If this is the case, I'll send out a mass email to my clients and advise them to immediately install a firewall, even if they are on dialup, as they are prone to infection...

    Cheers.
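The two posts above rest on a firewall-log observation: most blocked inbound hits land on port 137 (NetBIOS name service), which is how the worm finds hosts before it tries their shares on TCP/139. The script below is an added example, not from the original thread or from ZoneAlarm, that shows how to pull that statistic out of a blocked-inbound log. The log lines and their layout (timestamp, action, protocol, source, destination) are constructed for this example and are not ZoneAlarm's real format; the parser would need a different regex for a real log.

```python
import re
from collections import Counter

# Constructed sample of a personal-firewall "blocked inbound" log. The layout
# is invented for this example; it is not ZoneAlarm's real log format.
SAMPLE_LOG = """\
2002-12-18 09:01:12 BLOCK UDP 203.0.113.7:1032 -> 198.51.100.5:137
2002-12-18 09:01:13 BLOCK UDP 203.0.113.7:1032 -> 198.51.100.5:137
2002-12-18 09:01:30 BLOCK TCP 203.0.113.9:4121 -> 198.51.100.5:139
2002-12-18 09:02:02 BLOCK UDP 192.0.2.44:137   -> 198.51.100.5:137
2002-12-18 09:02:41 BLOCK TCP 192.0.2.44:3004  -> 198.51.100.5:80
2002-12-18 09:03:15 BLOCK UDP 203.0.113.7:1032 -> 198.51.100.5:137
2002-12-18 09:03:50 BLOCK TCP 198.18.0.3:2020  -> 198.51.100.5:1433
2002-12-18 09:04:10 BLOCK UDP 192.0.2.44:137   -> 198.51.100.5:137
2002-12-18 09:04:55 BLOCK TCP 203.0.113.9:4130 -> 198.51.100.5:445
2002-12-18 09:05:20 BLOCK UDP 192.0.2.44:137   -> 198.51.100.5:137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) BLOCK (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports used by Windows file and printer sharing: NetBIOS name/datagram/session
# services and direct-hosted SMB. Inbound hits from the internet on any of these
# are share probes.
SHARE_PORTS = {137, 138, 139, 445}


def parse(log_text):
    """Turn matching log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def summarize(events):
    """Per-port hit counts, the share of hits on file-sharing ports, and the
    sources doing repeated UDP/137 name queries (Opaserv-style scanning)."""
    by_port = Counter(ev["dport"] for ev in events)
    share_hits = sum(n for port, n in by_port.items() if port in SHARE_PORTS)
    share_fraction = share_hits / len(events) if events else 0.0
    udp137_sources = Counter(
        ev["src"] for ev in events if ev["proto"] == "UDP" and ev["dport"] == 137
    )
    return {
        "by_port": by_port,
        "share_fraction": share_fraction,
        "udp137_sources": udp137_sources,
    }


if __name__ == "__main__":
    report = summarize(parse(SAMPLE_LOG))
    print(f"share-port hits: {report['share_fraction']:.0%}")
    for src, n in report["udp137_sources"].most_common():
        print(f"  {src} sent {n} NetBIOS name queries")
```

The number that matters for the thread is `share_fraction`: in the constructed sample 8 of 10 blocked hits are on 137/139/445, matching the "approximately 80%" figure reported above. The point for a firewall rule is that the name query on UDP/137 only locates the host; the share is actually reached over TCP/139, so inbound 137 to 139 (and 445) must all be blocked on the internet-facing interface.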
     
  13. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi Blackspear,

    I'm also not happy that the customer got infected. One of the possibilities is - as I already wrote in this thread - that the C disk was shared:

    >The disk shouldn't be shared for writing (the user should disable it) - especially the system directory (that's a BIG security hole). If there is a need for write sharing, select a specific directory that is not dangerous, use a longer letter/number password for sharing, and update the system with the latest patches.

    We need to educate the users about this. We'll also do it.

    rgds,

    jan
     
  14. mccracky

    mccracky Registered Member

    Joined:
    Dec 17, 2002
    Posts:
    33
    Location:
    Quito, Ecuador
    I reiterate what Jan said about the latest patches. If a user on Win9x/ME doesn't have the Share Level Password patch ( http://support.microsoft.com/default.aspx?scid=kb;en-us;273991 ), it doesn't matter how good the password is. But if they don't need it, I would completely disable file sharing from within Network Neighborhood.

    - Fixed MS link
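Why the patch matters more than the password: the flaw KB273991 fixes (Microsoft bulletin MS00-072, "Share Level Password") is that the Win9x file-sharing server compared the client-supplied password against the stored share password only for as many bytes as the client sent, so a one-character guess that matches the first character of the password is accepted. The model below is an added example, not Microsoft's code or anything from this thread; the comparison functions are simplified stand-ins for the pre-patch and post-patch behaviour, and the character set, the sample password and the guess cap are assumptions made for the demonstration.

```python
import hmac
import itertools
import string

# Character set the attacker walks through. Assumed for this example; Opaserv
# itself only needed a handful of one-character guesses against the bug.
ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def vulnerable_check(stored, supplied):
    """Simplified model of the pre-patch share-level check: only len(supplied)
    bytes are compared, so any prefix of the real password is accepted."""
    if not supplied or len(supplied) > len(stored):
        return False
    return stored[:len(supplied)] == supplied


def patched_check(stored, supplied):
    """Post-patch behaviour: the whole password must match. compare_digest
    avoids leaking the length of the matching prefix through timing."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def guesses_until_access(check, alphabet=ALPHABET, max_len=2):
    """Online brute force the way a worm would do it: every 1-character
    password, then every 2-character one, up to max_len. Returns
    (guess_count, accepted_password) or (guess_count, None)."""
    count = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            count += 1
            guess = "".join(chars)
            if check(guess):
                return count, guess
    return count, None


def recover_full_password(check, alphabet=ALPHABET, max_len=32):
    """Byte-at-a-time recovery against a prefix-comparing oracle: extend the
    known prefix one accepted character at a time until no extension works."""
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            if check(found + ch):
                found += ch
                break
        else:
            break            # nothing accepted: the prefix is the whole password
    return found


def demo(stored="Zq7Pass9"):
    """Compare both checks against the same 8-character share password."""
    vuln = lambda guess: vulnerable_check(stored, guess)
    good = lambda guess: patched_check(stored, guess)
    return {
        "vulnerable_access": guesses_until_access(vuln),      # a few dozen tries
        "vulnerable_recovered": recover_full_password(vuln),  # the whole password
        "patched_access": guesses_until_access(good),         # nothing up to 2 chars
        "patched_space": len(ALPHABET) ** len(stored),        # full search space
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the unpatched check the first accepted guess arrives within one pass over the alphabet regardless of how long the real password is, and the whole password falls out in at most 62 guesses per character; against the patched check the attacker is back to searching all 62^8 combinations. That is the sense in which "it doesn't matter how good a password is" on an unpatched machine.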
     