
W32/Dupator virus

Discussion in 'Virus & Other Malware Removal' started by khiam, Jan 23, 2003.

Thread Status:
Not open for further replies.
  1. khiam

    khiam Thread Starter

    Joined:
    Oct 15, 2000
    Messages:
    36
    Seems that after I clean/quarantine these viruses using McAfee VirusScan, the viruses are still there, especially this particular one (Dupator), which I seem to have a hard time eradicating because after over 7000 files scanned I have over 120 infected files.
    Any tips/hints anyone can give me to help me out?

    TIA. :(
     
  2. Dark Star

    Dark Star

    Joined:
    Jun 8, 2001
    Messages:
    3,054
  3. khiam

    khiam Thread Starter

    Joined:
    Oct 15, 2000
    Messages:
    36
    This is what I get after I copy/paste my StartupList:

    StartupList report, 1/24/2003, 9:14:24 PM
    StartupList version: 1.50
    Started from : C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v5.50 (5.50.4134.0600)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\WINDOWS\INSTIT.BAT
    C:\WINDOWS\SRV32.EXE
    C:\WINDOWS\BRASIL.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDASH.EXE
    C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCMNHDLR.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    LoadQM = loadqm.exe
    EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    MMTray = C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
    MCAgentExe = C:\Program Files\McAfee.com\Agent\mcagent.exe
    MCUpdateExe = C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    VirusScan Online = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    RFX_auto_upgrade =
    instit = C:\WINDOWS\instit.bat
    Srv32 = C:\WINDOWS\Srv32.exe
    Brasil = C:\WINDOWS\Brasil.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
    SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
    McAfeeWebScanX = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4395}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [>PerUser_MSN_Clean] *
    StubPath = C:\WINDOWS\msnmgsr1.exe

    [PerUser_LinkBar_URLs] *
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

    [dsnjjsbd] *
    StubPath = C:\WINDOWS\SYSTEM\dsnjjsbd.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 23/1/2003, 19:0:18)

    [rename]
    NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
    NUL=C:\WINDOWS\SYSTEM\MACROMED\SHOCKW~2\UNWISE.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP
    SET BLASTER=A220 I5 D1 H5 P330 T6
    SET CTSYN=C:\WINDOWS
    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
    SET CLASSPATH=C:\PROGRA~1\CANONC~1\PDELUXE\ADOBEC~1
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\NETWOR~1\MCAFEE~1;C:\PROGRA~1\NETWOR~1\MCAFEE~1

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    @C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Maintenance-ScanDisk.job
    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Maintenance-Defragment programs.job
    Maintenance-Disk cleanup.job
    McAfee.com Update Check 00242003175904.job
    McAfee.com Scan for Viruses - My Computer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [McAfee.com Operating System Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\MCINSCTL.DLL
    CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab

    [BrowseFolderPopup Class]
    InProcServer32 = C:\WINDOWS\MCBIN\SHARED\MGBRWFLD.DLL
    CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

    --------------------------------------------------
    End of report, 8,377 bytes
    Report generated in 0.934 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    I see some stuff that shouldn't be in there. How do I go about deleting them?
     
  4. Dark Star

    Dark Star

    Joined:
    Jun 8, 2001
    Messages:
    3,054
    Yes, I see a few things in there that don't look to be good in your Enumerating Browser Helper Objects...

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    I'm not too sure about, and...

    NZDD.DLL {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}

    Is a part of the RealDownload product, formerly called "NetZip Download Demon" (hence the NZDD name). Does not appear to be "adware" or "spyware", but rather a legitimate BHO, that seems to integrate into your browser to support unzipping of downloads.
    According to Real, "NZDD.dll is a system file which is used by RealDownload in downloading files from browser directly by clicking on the link."

    Be that as it may I'd suggest that you run an online virus scan from Trend Micro at... http://housecall.trendmicro.com/

    let us know what it turns up..

    DS
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    All of these files are related to the Opasrv worm, a very tough critter to get rid of:

    instit = C:\WINDOWS\instit.bat
    Srv32 = C:\WINDOWS\Srv32.exe
    Brasil = C:\WINDOWS\Brasil.exe

    See these past threads for resolution help:

    http://forums.techguy.org/showthread.php?s=&threadid=102879

    For dupator see...

    http://vil.nai.com/vil/content/v_99800.htm

    Do a File search for kernel32.dll

    Dupator copies it from c:\windows\system to c:\windows and infects the one in Windows, which will run in precedence to the default version in c:\windows\system.

    Compare the file sizes of the two; the infected one in Windows should be about 2k larger.

    Do NOT delete the one in c:\windows\system and make sure that one is in fact present.

    If there is one in c:\windows and you cannot delete it from within Windows, you will need to boot with your WinME boot disk and at the a:> prompt enter:

    del c:\windows\kernel32.dll

    Remove the boot disk and Ctrl-Alt-Del to reboot.

    If the remaining infected files are in the WinME Restore archive, you will need to disable System Restore, reboot and then re-enable it again to purge the archive.
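As an added example (not code from the thread, from StartupList or from McAfee), the script below automates the two checks discussed in this post and the StartupList output above: it parses the Run/RunServices sections of a StartupList report and flags values that are empty or launch a non-baseline file straight out of the Windows root (where Opasrv's instit.bat, Srv32.exe and Brasil.exe sit), and it compares a kernel32.dll found in C:\WINDOWS against the real one in C:\WINDOWS\SYSTEM, refusing to report anything if the SYSTEM copy is missing. The sample report is trimmed from the one posted above; the file sizes and the WINDOWS_ROOT_BASELINE set are constructed assumptions, not values from the page.

```python
"""Triage helpers for the Dupator / Opasrv clean-up described in the thread.

Added example: this is not code from the thread, from StartupList or from
McAfee. SAMPLE_REPORT is a trimmed copy of the Run/RunServices sections
posted in the thread; SAMPLE_FILES and WINDOWS_ROOT_BASELINE are
constructed assumptions for illustration.
"""
import re

# Constructed from the posted StartupList report (only the autorun sections).
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadQM = loadqm.exe
MCAgentExe = C:\Program Files\McAfee.com\Agent\mcagent.exe
RFX_auto_upgrade =
instit = C:\WINDOWS\instit.bat
Srv32 = C:\WINDOWS\Srv32.exe
Brasil = C:\WINDOWS\Brasil.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
"""

# Assumption: stock Windows ME programs that legitimately autorun from the
# Windows root (taken from the report; extend this for your own baseline).
WINDOWS_ROOT_BASELINE = {"scanregw.exe", "taskmon.exe"}

# Matches a command whose target sits directly in C:\WINDOWS (no subdirectory).
_WINDIR_TARGET = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\([^\\"\s]+)(?:\s|"|$)', re.I)


def parse_autoruns(report):
    """Return {registry_key: [(name, command), ...]} for each autorun section."""
    sections = {}
    key = None
    expecting_key = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Autorun entries from Registry"):
            expecting_key = True          # the next non-empty line names the hive key
        elif expecting_key and line:
            key = line
            sections[key] = []
            expecting_key = False
        elif line.startswith("-----"):
            key = None                    # section separator
        elif key and "=" in line:
            name, _, cmd = line.partition("=")
            sections[key].append((name.strip(), cmd.strip()))
    return sections


def flag_autoruns(sections):
    """Flag autorun values that are empty, or that launch a non-baseline file
    straight out of the Windows root. Returns [(key, name, command, reason), ...]."""
    findings = []
    for key, entries in sections.items():
        for name, cmd in entries:
            if not cmd:
                findings.append((key, name, cmd, "empty value"))
                continue
            m = _WINDIR_TARGET.match(cmd)
            if m and m.group(1).lower() not in WINDOWS_ROOT_BASELINE:
                kind = "batch file" if m.group(1).lower().endswith(".bat") else "executable"
                findings.append((key, name, cmd, f"non-baseline {kind} in Windows root"))
    return findings


def kernel32_shadow_check(file_sizes, windir=r"C:\WINDOWS"):
    """Detect the Dupator trick: a kernel32.dll planted in the Windows root,
    which Win9x finds before the real one in Windows\\System.

    file_sizes maps full path -> size in bytes (e.g. from a file search).
    Returns (shadowed, size_delta). Raises if the real copy is missing, so
    nothing gets deleted when only one kernel32.dll exists."""
    sizes = {p.lower(): s for p, s in file_sizes.items()}
    real = sizes.get(f"{windir}\\system\\kernel32.dll".lower())
    shadow = sizes.get(f"{windir}\\kernel32.dll".lower())
    if real is None:
        raise ValueError("no kernel32.dll in Windows\\System; do not delete anything")
    if shadow is None:
        return False, 0
    return True, shadow - real


# Constructed sizes: the planted copy is about 2 KB larger, as the thread describes.
SAMPLE_FILES = {
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL": 471040,
    r"C:\WINDOWS\KERNEL32.DLL": 473088,
}

if __name__ == "__main__":
    for key, name, cmd, reason in flag_autoruns(parse_autoruns(SAMPLE_REPORT)):
        print(f"{reason}: {key}\\{name} = {cmd!r}")
    shadowed, delta = kernel32_shadow_check(SAMPLE_FILES)
    if shadowed:
        print(f"kernel32.dll shadow copy present, {delta:+d} bytes vs Windows\\System")
```

Run it against a full StartupList report by passing the file contents to parse_autoruns; the baseline set is the part you must tune, since a stock Windows ME box also autoruns scanregw.exe and taskmon.exe from the Windows root, and a missing SYSTEM copy of kernel32.dll is a reason to stop, not to delete.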
     

Short URL to this thread: https://techguy.org/115003
