comphil

Persistent Virus

Can anyone help prevent me from going crazy?

Three times now I have had Norton AntiVirus pop up a warning about a file in the windows folder which contains a virus.  As the NV report says:

The file
C:\WINDOWS\alevir.exe
was infected with the W95.Spaces.1445 virus.
The file was deleted.

Although the previous two times it was in a file called brasil.exe.  It always comes with some other files.  All together, the ones I have had are:

brasil.exe
brasil.pif
alevir.exe
marco!.scr
scrsvr.exe

These are always in the Windows folder.  The first time the two brasils, alevir and marco! were in the windows folder and McAfee Firewall picked up alevir communicating to something over the internet - it has since been "banned" from doing this.

This time it was alevir carrying the virus, accompanied by brasil.exe and scrsvr.exe.  

Win.ini is edited to load them on startup, these, win.ini and another invisible and as of yet unfound file called cronos appear in the Selective Startup section of msconfig.  A file called gay.ini is used to duplicate and modify win.ini and is left in the C: directory.

I have found information on these files on the internet - i.e. how to get rid of them, but not where they are coming from or, more importantly, how to get them to stop appearing - by times NAV picks up the one with the virus it is too late!

Incidentally, the virus itself only clogs up the internet connec...AND YET AGAIN ALEVIR.EXE HAS JUST BEEN PICKED UP BY NORTON ANTIVIRUS AS CARRYING A VIRUS!!!!  HELPPPPP!!!!!

Damn it!  Yeah, it just clogs up the internet connection a bit unless it's the 1st of June, when it wipes the MBR.

Can someone please help??!!

Phil
damole1

Symantec (Norton) Virus Encyclopedia listing for W95.Spaces.1445: http://securityresponse.symantec.com/avcenter/venc/data/w95.spaces.html
The end of the page contains removal instructions.
If you have no access to a clean computer with Norton Antivirus including the latest definitions, post back here and I will upload a disk image for you.
comphil

ASKER

I know how to remove it - I need to know how to stop these files from re-appearing!

Thanks

Phil
ASKER CERTIFIED SOLUTION
damole1

If the files are still appearing, your computer is still infected. You must remove the virus and the files will no longer appear.
comphil

ASKER

Thanks, will give it a try - 16Mb is going to take a while  though...I'll let you know if it works.

One thing before I do use it - this isn't going to damage anything, is it?  I have a lot of stuff on this machine (albeit backed up) and I don't want to have to re-install everything!

One thought, actually - would system restore (I have windows ME) clear it up?
Sorry about those postings, I reloaded the page, and that's what happens. System restore may or may not remove the virus, but on most occasions it won't. The floppy disk package is only 3.x megabytes so maybe you are better off using that one. Or get a cable modem.
And no, it won't damage anything. They are disks provided by the major antivirus corporations to facilitate the removal of viruses. They wouldn't be of much use if they killed your system while killing the virus. We could just use fdisk for that.
comphil

ASKER

Down in deepest Devon a cable modem is not a viable option...I'd dearly love broadband or ADSL but there you go..!

Thanks for your help.  By times I read this it has nearly finished downloading so never mind!  I will try system restore as well...since I have a recent restore point it should help a bit.

Thanks again

Phil
My pleasure. If you need any more help, post back. And about the cable modem... move!
comphil

ASKER

Hmmm...annoying but harmless virus >> destroy  >> takes too long >> move house...great idea!  I'm sure my parents will appreciate travelling 300 miles to move into a hectic metropolis (London is the only place that gets cable apparently).

Think I'll wait for broadband to come down a bit in price....thanks!
Not harmless: "W95.Spaces is a dangerous Windows 9x virus. On June 1 of every year, the virus manipulates the Master Boot Record (MBR) of an AT hard disk by using port commands. The virus modifies the MBR data area so that the first partition will point to itself. This prevents the system from booting, if running certain MS-DOS versions that contain a bug and are unable to boot the system correctly."
If you can't get rid of it, every May 31 you are forced to change your PC clock to June 2 or face a dead system.
comphil

ASKER

Not dangerous in that it does not destroy data or damage the hard drive in any way.  The little programs were more annoying...
I would say Norton's is giving you a red herring. The virus is more likely to be W32.Opaserv.worm. W95.Spaces is an old virus and it does not infect .scr or .pif files.

All of the files you mentioned are created by various strains of the Opaserv worm (A, B, C, ...):-

http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.html

(Or search google with the names of the files)

This virus spreads by (amongst other things) network shares. If you have file sharing enabled and connect to the Internet (or are on a LAN with another infected computer) you will be continually reinfected.

If you connect to the Internet you should disable all the various Netbios bindings on your computer, otherwise you will be at the mercy of malicious traffic.
comphil

ASKER

I'm only sorry this thread is closed and I can't give you any points!  Thank you very much - you were exactly right!

Norton's website had a downloadable tool for removing the opaserv worm and it found it infecting win.ini.

As it happens I did have file sharing enabled on some folders as I was experimenting with home networking.  I guessed this might be 1/2 the problem and disabled it, as well as changing my IP address just in case.

Thank you for averting disaster.  If there is any way for me to get you points, let me know.
This worm is a major hassle. My network has repeatedly been infected by it. It is my opinion that this trojan is gaining access through the File and Printer Sharing for Microsoft Networks service while surfing the Internet. I have 4 PCs on a Windows ME home network for gaming and I have successfully removed it from all my machines and it has not reappeared. This is how I removed it and keep my network free from it.

First off, remove the File and Printer Sharing for Microsoft Networks service from the Network Control Panel and restart your machine. (Removing this service will disable file and printer sharing on your network. It is a hassle, but you will need to add this service again when you want to share files; remember to remove it again when you are done, and don't log onto the Internet until you remove the service again. I don't know of any other solution besides a personal firewall.)

If you are running Norton AntiVirus, turn off the Autostart temporarily, otherwise it will detect these infected files and attempt to remove or repair them. After turning off Norton, go into the Windows directory in Windows Explorer (C:\Windows). Look for alevir.exe and delete it. Then look for brasil.exe, brasil.pif, macro!.exe and scrsvr.exe and delete them all. You may get an error message stating that the file is being used by Windows and it cannot be deleted. If this happens you must remove them by booting into DOS, which I will explain later.

Next look in the main directory (C:\) for a file named "Put.ini". Delete Put.ini if it is there. If you open it you will see references to alevir.exe, brasil.exe, macro!.exe and scrsvr.exe.

After successfully removing the files, you will need to open the win.ini file in the Windows directory (C:\Windows\win.ini). Look for any references to the previously deleted files next to a "Run=" command line. Edit the command line removing references to the files, or if there are no other references other than the affected files, delete the whole line and save win.ini.

Warning: The next step should only be attempted if you are experienced with Registry Editing. Make sure you know what you are doing and don't say I didn't warn you. Open the Registry Editor and remove any references to alevir.exe, brasil.exe, macro!.exe and scrsvr.exe. You should be able to find the references in HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENT_VERSION\RUN. When you find the corresponding registry key, right click on the key in the right window and choose delete. Be careful and make sure you only delete the keys referring to alevir.exe, brasil.exe, macro!.exe and scrsvr.exe. You can also use the "Find" option to search for other references in the registry, but this should be the only place where they will appear. When you are finished, close the Registry Editor and restart the machine.

If you were unable to remove brasil.exe, brasil.pif, macro!.exe and scrsvr.exe as previously described, you must do it in DOS. Start the machine and press the F8 key right before Windows starts. From the menu choose Command Prompt. At the Command Prompt type cd windows and press the enter key. Next type erase alevir.* and press the enter key, then type erase brasil.* and press the enter key, then type erase macro!.* and press the enter key, and lastly type erase scrsvr.* and press the enter key. If the files have already been deleted or you mistype these commands you will get a message saying "file not found". If so, you can use the dir command to see if the files are there. Type dir alevir, dir brasil, dir macro! and dir scrsvr to check. Restart the machine and turn on Norton Autostart again. If you have any questions before attempting this, please email jzavag@netzero.net and I will try to help. Good Luck.
I just had this problem. I think the latest version of this virus consists of two programs, alevir.exe and instit.bat. They are in the c:\windows directory. These programs work by jumping on to your computer through File and Print Sharing. It happened to me. You need to edit your win.ini so that they don't get loaded. Also use regedit and search for alevir and instit. You will likely find something at local machine\software\microsoft\windows\current version\run
(I could be wrong about the above, so just search for it)
When you find the Registry values, delete them.

Now restart your computer and go to C:\windows. Now you should be able to delete these programs alevir.exe and instit.bat. Your computer is now completely free of the virus. But if you leave it like it is, it will just come back. Remember this virus does not have to be downloaded; it will come in on its own. To stop this get a FireWall. I use a free program called ZoneAlarm. I got it on a CD from my ISP but I'm sure you can download it. www.zonealarm.com probably. It works really well and it will pop up an alert when someone or something is trying to access your computer. And you can leave your File and Print Sharing wide open. That's my 2 cents.
comphil

ASKER

Useful stuff to know.   I've managed to eradicate the thing now anyway but this is clearly not an isolated problem!

It seems to be a fairly clumsy thing - easy to find and eradicate if you know where to look.  

Thanks for all your help
If you are using Windows 95/98/Me, you must download and install the Microsoft patch from

http://www.microsoft.com/technet/security/bulletin/MS00-072.asp

The removal procedure for this virus is as follows:

Open the Windows Registry Editor.
Navigate to the following path:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
From the right hand side pane, remove the following values if found:
     instit        C:\Windows\insistit.bat
     GustavVED     <Path\original worm name>
In systems running on Windows 95/98/ME alone, open the file Win.ini.
In this file, remove the line
     run=c:\Windows\Brasil.exe,c:\Windows\Brasil.pif,c:\Windows\marco!.scr,c:\windows\scrsvr.exe,c:\windows\instit.bat
or
     run=c:\institu
Restart the system.
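The win.ini step of the procedure above, done mechanically, as an added example that is not code from any poster in this thread: the script parses a constructed win.ini modelled on the quoted run= line, drops only the entries whose file name is one of the worm files named in this thread, and deletes the run= line when nothing legitimate is left. The WORM_FILES list and the sample win.ini are assumptions built from the posts above.

```python
"""Strip the worm's run= entries from a Windows 9x/ME win.ini (added example)."""
import re

# File names reported in this thread (assumption: list built from the posts above).
WORM_FILES = {
    "alevir.exe", "brasil.exe", "brasil.pif", "marco!.scr",
    "scrsvr.exe", "instit.bat", "institu",
}
RUN_LINE = re.compile(r"^(\s*run\s*=)(.*)$", re.IGNORECASE)


def _basename(path):
    """Last component of a DOS path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def clean_win_ini(text):
    """Return (cleaned_text, removed_entries).

    Only run= lines inside the [windows] section are touched.  Worm entries are
    dropped from the comma-separated list; if no legitimate entry remains the
    whole run= line is deleted, as the removal procedure describes.
    """
    out, removed, in_windows = [], [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped.lower() == "[windows]"
        m = RUN_LINE.match(line) if in_windows else None
        if not m:
            out.append(line)
            continue
        kept = []
        for entry in m.group(2).split(","):
            if entry.strip():
                (removed if _basename(entry) in WORM_FILES else kept).append(entry.strip())
        if kept:  # legitimate programs stay; only the worm entries go
            out.append(m.group(1) + ",".join(kept))
        # a run= line holding nothing but worm entries is dropped entirely
    return "\n".join(out) + "\n", removed


# Constructed sample mirroring the run= line quoted in this thread.
SAMPLE_WIN_INI = (
    "[windows]\nload=\n"
    "run=c:\\Windows\\Brasil.exe,c:\\Windows\\Brasil.pif,c:\\Windows\\marco!.scr,"
    "c:\\windows\\scrsvr.exe,c:\\windows\\instit.bat\n"
    "NullPort=None\n[Desktop]\nWallpaper=(None)\n"
)
```

Run clean_win_ini against a copy of the real file and review the removed list before writing anything back; the registry Run values in the step above still have to be checked separately.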
If you use dialup networking, unbind file and printer sharing from the dial-up adapter and that will solve your issue, and you can keep your internal network running.

I watched the opaserv virus infect a PC watching the network through netwatcher. Once I removed the binding to the dial-up adapter, no more issues. Yet, I still haven't had the pleasure to kill it on a network.