W32/Dupator virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

khiam

Thread Starter
Joined
Oct 15, 2000
Messages
36
It seems that after I clean/quarantine these viruses using McAfee VirusScan, the viruses are still there, especially this particular one (Dupator), which I seem to have a hard time eradicating because after over 7000 files scanned I have over 120 infected files.
Any tips/hints anyone can give me to help me out?

TIA.:(
 

khiam

Thread Starter
Joined
Oct 15, 2000
Messages
36
This is what I get after I copy/paste my StartupList:

StartupList report, 1/24/2003, 9:14:24 PM
StartupList version: 1.50
Started from : C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0600)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\INSTIT.BAT
C:\WINDOWS\SRV32.EXE
C:\WINDOWS\BRASIL.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDASH.EXE
C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCMNHDLR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\STARTUPLIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
LoadQM = loadqm.exe
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
MMTray = C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
MCAgentExe = C:\Program Files\McAfee.com\Agent\mcagent.exe
MCUpdateExe = C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
VirusScan Online = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
RFX_auto_upgrade =
instit = C:\WINDOWS\instit.bat
Srv32 = C:\WINDOWS\Srv32.exe
Brasil = C:\WINDOWS\Brasil.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
McAfeeWebScanX = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\Program Files\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

[dsnjjsbd] *
StubPath = C:\WINDOWS\SYSTEM\dsnjjsbd.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 23/1/2003, 19:0:18)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE
NUL=C:\WINDOWS\SYSTEM\MACROMED\SHOCKW~2\UNWISE.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET BLASTER=A220 I5 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
SET CLASSPATH=C:\PROGRA~1\CANONC~1\PDELUXE\ADOBEC~1
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\NETWOR~1\MCAFEE~1;C:\PROGRA~1\NETWOR~1\MCAFEE~1

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

@C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Maintenance-ScanDisk.job
Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Maintenance-Defragment programs.job
Maintenance-Disk cleanup.job
McAfee.com Update Check 00242003175904.job
McAfee.com Scan for Viruses - My Computer.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[McAfee.com Operating System Class]
InProcServer32 = C:\WINDOWS\SYSTEM\MCINSCTL.DLL
CODEBASE = http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab

[BrowseFolderPopup Class]
InProcServer32 = C:\WINDOWS\MCBIN\SHARED\MGBRWFLD.DLL
CODEBASE = http://download.mcafee.com/molbin/Shared/MGBrwFld.cab

--------------------------------------------------
End of report, 8,377 bytes
Report generated in 0.934 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I see some stuff that shouldn't be in there. How do I go about deleting them?
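Triaging a report like the one above by eye is error-prone, so here is an added example (editor's code, not from the thread or from StartupList) that parses the "Autorun entries from Registry" and "Active Setup stub paths" sections and flags entries in odd places. The rules are the editor's assumptions, not signatures for any particular worm: a batch file launched from a Run key, an executable sitting directly in the Windows root that is not on a small allowlist of stock Windows ME items (WINDIR and KNOWN_WINDIR_ROOT are assumed values), and an Active Setup component whose key is neither a GUID nor a readable name. The sample report is a cut-down copy of the one posted.

```python
"""Triage a pasted StartupList report for autorun entries in odd places.

Added example for this thread, not code from the posts or from StartupList.
Heuristics, WINDIR and KNOWN_WINDIR_ROOT are the editor's assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

WINDIR = r"C:\WINDOWS"
# Stock Windows 9x/ME items that legitimately start from the Windows root
# (assumed allowlist; extend it for your own build).
KNOWN_WINDIR_ROOT = {"scanregw.exe", "taskmon.exe"}

# Constructed sample: a cut-down copy of the report posted in the thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
VirusScan Online = "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
RFX_auto_upgrade =
instit = C:\WINDOWS\instit.bat
Srv32 = C:\WINDOWS\Srv32.exe
Brasil = C:\WINDOWS\Brasil.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

[dsnjjsbd] *
StubPath = C:\WINDOWS\SYSTEM\dsnjjsbd.exe
"""


@dataclass
class Entry:
    section: str   # registry key, or "ActiveSetup"
    name: str      # value name or component key
    command: str   # raw command line as reported
    exe: str       # executable path pulled out of the command


def exe_from_command(cmd: str) -> str:
    """First token of the command; honours a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


KEY_RE = re.compile(r"^(HK[A-Z]{2}\\\S+)$")
VALUE_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")
ASETUP_RE = re.compile(r"^\[(.+?)\]\s*\*?$")
STUB_RE = re.compile(r"^StubPath\s*=\s*(.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,12}$")


def parse_report(text: str) -> list:
    """Walk the report line by line; sections end at the dashed separator."""
    entries, mode, section, component = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Enumerating Active Setup"):
            mode, section = "asetup", "ActiveSetup"
        elif line == "Autorun entries from Registry:":
            mode, section = "run", None
        elif line.startswith("-----"):
            mode, section, component = None, None, None
        elif mode == "run":
            if section is None:                 # first line after the header is the key
                m = KEY_RE.match(line)
                section = m.group(1) if m else None
                continue
            m = VALUE_RE.match(line)
            if m and m.group(2).strip():        # skip empty values like RFX_auto_upgrade
                entries.append(Entry(section, m.group(1).strip(), m.group(2),
                                     exe_from_command(m.group(2))))
        elif mode == "asetup":
            m = ASETUP_RE.match(line)
            if m:
                component = m.group(1)
                continue
            m = STUB_RE.match(line)
            if m and component is not None:
                entries.append(Entry(section, component, m.group(1),
                                     exe_from_command(m.group(1))))
                component = None
    return entries


def suspicious(e: Entry) -> list:
    """Editor's heuristics; each hit is a human-readable reason."""
    reasons = []
    base = ntpath.basename(e.exe.lower())
    directory = ntpath.dirname(e.exe.lower())
    if base.endswith((".bat", ".cmd")):
        reasons.append("batch file launched at startup")
    if directory == WINDIR.lower() and base not in KNOWN_WINDIR_ROOT:
        reasons.append("executable in Windows root, not a known stock item")
    if e.section == "ActiveSetup" and not GUID_RE.match(e.name) and RANDOM_NAME_RE.match(e.name):
        reasons.append("Active Setup component with a random-looking key name")
    return reasons


def triage(text: str) -> dict:
    """Map entry name -> reasons, for every entry that tripped a rule."""
    return {e.name: r for e in parse_report(text) if (r := suspicious(e))}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REPORT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Against the sample, the four entries a helper would point at (instit, Srv32, Brasil and the dsnjjsbd Active Setup stub) are the only ones flagged; the stock scanregw.exe and taskmon.exe entries in the Windows root pass because of the allowlist. Tune the allowlist before trusting it on another build.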
 
Joined
Jun 8, 2001
Messages
3,054
Yes, I see a few things in there that don't look to be good in your Enumerating Browser Helper Objects...

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

I'm not too sure about and....

NZDD.DLL {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}

is a part of the RealDownload product, formerly called "NetZip Download Demon" (hence the NZDD name). It does not appear to be "adware" or "spyware", but rather a legitimate BHO that seems to integrate into your browser to support unzipping of downloads.
According to Real, "NZDD.dll is a system file which is used by RealDownload in downloading files from browser directly by clicking on the link."

Be that as it may, I'd suggest that you run an online virus scan from Trend Micro at http://housecall.trendmicro.com/

Let us know what it turns up.

DS
 
Joined
Dec 9, 2000
Messages
45,855
All of these files are related to the opasrv worm, a very tough critter to get rid of:

instit = C:\WINDOWS\instit.bat
Srv32 = C:\WINDOWS\Srv32.exe
Brasil = C:\WINDOWS\Brasil.exe

See these past threads for resolution help:

http://forums.techguy.org/showthread.php?s=&threadid=102879

http://forums.techguy.org/showthread.php?s=&threadid=102879

For dupator see...

http://vil.nai.com/vil/content/v_99800.htm

Do a File search for kernel32.dll

Dupator copies it from c:\windows\system to c:\windows and infects the one in c:\windows, which will take precedence over the default version in c:\windows\system.

Compare the file sizes of the two; the infected one in c:\windows should be about 2k larger.

Do NOT delete the one in c:\windows\system, and make sure that one is in fact present.

If there is one in c:\windows and you cannot delete it from within Windows, you will need to boot with your WinME boot disk and at the a:> prompt enter:

del c:\windows\kernel32.dll

Remove the boot disk and press Ctrl-Alt-Del to reboot.

If the remaining infected files are in the WinME Restore archive, you will need to disable System Restore, reboot and then re-enable it again to purge the archive.
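The kernel32.dll check in the post above (find both copies, compare sizes, never touch the one in SYSTEM) can be scripted so the decision is recorded rather than eyeballed. The following is an added example written for this page, not code from the thread; it follows the poster's description of the Windows 9x/ME layout, where a copy placed directly in the Windows directory is picked up ahead of the one in SYSTEM. The fake directory tree it builds is constructed for demonstration, the "about 2 KB larger" figure is the poster's observation and not a signature, and the tool only reports; it never deletes anything.

```python
"""Look for a shadow copy of a system DLL in the Windows root.

Added example for this thread, not code from the posts.  Read-only: it
reports what it finds and leaves deletion to the operator.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class DllCheck:
    name: str
    system_copy: Optional[str]   # path under <windir>\SYSTEM, or None if missing
    root_copy: Optional[str]     # path directly under <windir>, or None
    size_delta: Optional[int]    # root size minus SYSTEM size, when both exist
    identical: Optional[bool]    # both copies hash the same, when both exist


def _find_ci(directory: str, filename: str) -> Optional[str]:
    """Case-insensitive lookup: FAT names are case-insensitive and the report
    above shows both KERNEL32.DLL and kernel32.dll spellings."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == filename.lower():
            return os.path.join(directory, entry)
    return None


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_shadowed_dll(windir: str, name: str = "kernel32.dll") -> DllCheck:
    system_copy = _find_ci(os.path.join(windir, "SYSTEM"), name)
    root_copy = _find_ci(windir, name)
    delta = identical = None
    if system_copy and root_copy:
        delta = os.path.getsize(root_copy) - os.path.getsize(system_copy)
        identical = _sha256(root_copy) == _sha256(system_copy)
    return DllCheck(name, system_copy, root_copy, delta, identical)


def verdict(c: DllCheck) -> str:
    """Turn the check into the advice from the post: never touch SYSTEM's copy."""
    if c.system_copy is None:
        return "STOP: no copy in SYSTEM; restore it before deleting anything"
    if c.root_copy is None:
        return "clean: no shadow copy in the Windows root"
    if c.identical:
        return "duplicate: root copy is byte-identical to the SYSTEM copy"
    return (f"suspect: root copy differs from SYSTEM copy by {c.size_delta:+d} bytes; "
            f"remove only {c.root_copy} (from a boot disk if Windows holds it open)")


def build_sample_tree(root: str, shadowed: bool = True) -> str:
    """Constructed fake <windir> for demonstration; returns its path."""
    windir = os.path.join(root, "WINDOWS")
    os.makedirs(os.path.join(windir, "SYSTEM"))
    clean = b"MZ" + b"\x00" * 4094           # placeholder bytes, not a real PE
    with open(os.path.join(windir, "SYSTEM", "kernel32.dll"), "wb") as f:
        f.write(clean)
    if shadowed:
        # Shadow copy with ~2 KB appended, mimicking the size difference described.
        with open(os.path.join(windir, "KERNEL32.DLL"), "wb") as f:
            f.write(clean + b"\x90" * 2048)
    return windir


def run_demo(shadowed: bool = True) -> DllCheck:
    """Build a throwaway tree, run the check, clean up."""
    root = tempfile.mkdtemp()
    try:
        return check_shadowed_dll(build_sample_tree(root, shadowed))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for shadowed in (True, False):
        print(verdict(run_demo(shadowed)))
```

On a real machine, point `check_shadowed_dll` at the mounted Windows directory (for example from a boot disk or a second OS) and act only on the `suspect` verdict; the `STOP` branch exists because deleting the root copy when SYSTEM has none would leave the machine unbootable.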
 