[Resolved] W98 opaserv virus and scandisc/defrag freezing up PC - please help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Korky

Thread Starter
Joined
Oct 8, 2003
Messages
6
I have had a good look around the topics previously posted. There are related discussions, but despite trying out a number of ideas posted, I just can't seem to fix this one. I am reasonably proficient with the PC (Dell 650 PII, W98) and have hijackthis and spybot installed and ready to go. I guess I may need to calm down a little and do things in an orderly sequence, but these problems are really driving me mad. I will be eternally grateful if anyone can help me sort out the problems below. I'm sure I need to install a decent firewall and some viral protection software and would welcome any recommendations.

First symptoms were different bits of software failing (HP printer software, Wordpad, etc.). The PC was also getting slow.

I tried scandisk and the W98 defrag, but these no longer work. They hang up on me (even in safe mode or using MSCONFIG to load without other tasks running). Not the usual problems when the PC is busy. Both applications just stop and completely hang the PC. I guessed it may be a corrupted FAT or boot record and looked for a virus.

I found what I think is opaserv (Brasil, alevir, etc) and cleaned out the EXEs. I installed the MS patch. (I have been on this for several days). It has all been to no end. The virus keeps coming back to me.

I seem to have things stable enough to use the PC, but am being very careful (using system mechanic) to check/stop anything suspicious from running. I really need some guidance with a process to remove the virus properly.

I am very worried about scandisc and defrag freezing up, and wonder what damage has been done. All my files/apps seem OK(ish), but I have lost my confidence.

Please can you help me?
 

Korky

Thread Starter
Joined
Oct 8, 2003
Messages
6
Rollin' Rog,

Thanks for replying to me. The log is appended and attached as a TXT file (Created this morning). The PC seemed to start up OK this morning (although I have had a few false dawns with this). Yesterday I cleaned off the suspect EXEs and anything that looked odd in Win INI. I am sure it will come back.

Thanks again for offering to help me.

Korky

------------------------------------------------------------------------------------

Logfile of HijackThis v1.97.2
Scan saved at 08:03:37, on 09/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.snapy.net/index2.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.snapy.net/index2.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/index_new_002.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.snapy.net/index2.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ALiUSBfix] c:\windows\SYSTEM\GREENMK.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: USB Manager.lnk = C:\PROGRA~1\BELKIN\BELKIN~1\WLANMO~1.EXE
O4 - User Startup: USB Manager.lnk = C:\PROGRA~1\BELKIN\BELKIN~1\WLANMO~1.EXE
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37608.4219560185
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: ChatSpace Java Client 2.1.0.95 - http://69.33.12.11:8000/Java/cs4ms095.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
 


Joined
Dec 9, 2000
Messages
45,855
I don't see any software causes of those problems there. They sound like they may be hardware issues, possibly overheating.

Is the fan working? You may need to take the cover off and keep a small table fan blowing to see if it helps. When problems tend to occur after the system has been on a while, that tends to point to heat.

I would also check the ram.

You can run a software tester such as this one. It should pass all tests without any errors.

http://www.memtest86.com/
 

Korky

Thread Starter
Joined
Oct 8, 2003
Messages
6
Rollin' Rog,

It wasn't the memory, but you got me thinking about what could be causing the problem. I think it is all fixed now.

This is what I did for each problem. I hope it may be useful to others.

Thanks for trying to help me. I did scan the memory, but all was OK. Read on though.

Best wishes

Korky

The worm OPASRV - and the SPACES virus
-----------------------------------------------------
OPASRV was still there, even though it was not showing up on the hijackthis log. Probably because I had just completed a half-baked attempt to remove it just before doing the log. In the end, it was really hard to get rid of.

I used the VCOM Systems Suite to get rid of most of the virus, but it is not 100% (running in W98). Things were further complicated by discovery of the 'SPACES' virus (1663 flavour), which had infected about 500 files. I lost a few of these, but most came through OK. I thought I would be OK to clean the disc in safe mode, but that was not good enough. In the end I got hold of an evaluation copy of 'SOLO' virus. This will reboot the W98 system and clean down the files before W98 comes up. (Some infected files were locked by W98SE). SOLO did the trick - in the end. VCOM is very useful to use as a dynamic virus scanner. I will run it now and put up with the slower speed. I also have a firewall in place and am scanning e-mails. I have learned my lesson this time!

Freezing up SCANDISC and DEFRAG
---------------------------------------------
Another big pain. The W98 SCANDISK & DEFRAGGER would not run. Worse still, the VCOM versions were just as bad. In the end it turned out to be a corrupted FAT. Not too bad, but enough to do this. Again VCOM repaired the damage, and it is OK now. I did have a few corrupted files, but was lucky. I did a W98SE reload, and it is fine now. MORPHEUS got badly corrupted. Good I say. I think that is where the problem may have originated. I have canned it for good. Not worth the aggro.

I hope nobody else has these problems - very stressful!
 
Joined
Dec 9, 2000
Messages
45,855
Thanks for the follow up Korky.

Spaces is a particularly nasty one too if not fully cleaned. I assume it was or you will be having problems running newly downloaded setup files which will be reported corrupted.

It is spread mainly through infected floppy disks I believe, so you might want to be careful about what you have been using on the infected system.
 

Korky

Thread Starter
Joined
Oct 8, 2003
Messages
6
Thanks for trying to help. It all seems swell now. I have moved on to trying to sort out my USB 2.0 drive now. It only seems to work on the USB 1.x ports (backwards comp). The USB 2.0 ports seem to be OK though. I suspect I may be pushing this old box too hard!

I have set up a separate thread with some details under W98.

If you hear of any others getting problems with the viruses SPACES, etc., and they are getting frustrated, put them on to me whilst it is all fresh in my mind.

Thanks again for your support.

Korky
 