Qpaserv Server? - TechRepublic
November 20, 2002 at 07:08 AM
cridley

Qpaserv Server?

by cridley

Have found the following on 7 W98 PCs at two different small companies.

Clients were infected with what Norton AV id’d as Opaserv.G. The viruses were quarantined, but when rebooted, they were reinfected. This happens on or off the small private networks, other PCs on the networks were clean according to NAV and DOS scanners. Networks have only dialup access. The users tried Norton’s removal tool, but it reported no infections. I scanned with trojan detectors – nothing.

Subsequent scans of the clients off the networks in DOS with NAV, F-prot DOS, NOD32 DOS show no infections or suspicious files, with the exception of wininit.exe flagged as a possibly corrupt file on one machine (F-prot).

Then I manually cleaned WIN.INI, registry, other system files, checked network settings.

After reboot, machines are clean. Double checked with on-line scanners Panda & Trend via dial up. Also did a port scan on the client (NetView), and tried online scanner from Anti-Trojan.net – nothing unusual.

A day later – off the network – but on dial up, Norton catches the same bug again. It occurs when closing IE or disconnecting the dialup connection. Norton deletes files. Back on inet via dialup, same happens. An interesting item is that although Norton deletes the files, the telltale entries to WIN.INI are already made and cause an error on reboot that Windows cannot find the specified file. I noticed something in netstat, after NAV detected the virus, the client had an nbsession to ip 66.130.9.147:1302, a cable modem via Videotron, in Montreal CA.

There is no reason these PCs should have such a session open. Scanned clients for spyware – clean. File sharing with passwords is enabled on the PCs.

I can accept that the ip address could be a server for Opaserv, but I am at a loss as to what is initiating these client sessions with the remote ip.

Thoughts? More details on request.

