
Win32 Dupator and some others?

Discussion in 'Virus & Other Malware Removal' started by hijinx22, Jan 20, 2003.

Thread Status:
Not open for further replies.
  1. hijinx22

    hijinx22 Thread Starter

    Joined:
    Nov 7, 2002
    Messages:
    49
    Hi guys, I hope you can lend a helping hand to my situation as you have done in the past. I have had problems with this Opaserv worm A before, and I have resolved this problem here before, in which I followed the instructions to the letter about cleaning it and read the posts that have been written about this infestation throughout this forum.

    My situation arises from when I reformatted my hard drive: this bug came back to me. My AVG scan tells me it's:

    Win32 Dupator
    I worm/Opas A
    I worm/Opas E
    Win32 Funlove

    Now I have gone through the procedures here in this forum of how to get rid of this bug, but after a couple of times starting up the comp it reinfects itself. Now a couple of people have said in this forum that the Kernel32.dll file may be infected and that is why it keeps reinfecting my comp, but when I ran the scan with AVG it prompted that these files were in the Windows directory and drew no connection to the said DLL file. Any help would be appreciated, and here is my StartupList after I have banished this bug (supposedly). Thanks

    StartupList report, 21/01/03, 12:44:53
    StartupList version: 1.34.0
    Started from : C:\MY DOCUMENTS\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\MY DOCUMENTS\STARTUPLIST.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = c:\windows\scanregw.exe /autorun
    TaskMonitor = c:\windows\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    AtiCwd32 = Aticwd32.exe
    AtiKey = Atitask.exe
    Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    hpsysdrv = c:\windows\system\hpsysdrv.exe
    USBMMKBD = usbmmkbd.exe
    AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    WinampAgent = "C:\Program Files\Winamp3\winampa.exe"
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    nwiz = nwiz.exe /install

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    Hidserv = Hidserv.exe run
    Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    Reminder = C:\Program Files\Microsoft Money\System\reminder.exe
    NVIEW = rundll32.exe nview.dll,nViewLoadHook

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

    [>PerUser_MSN_Clean] *
    StubPath = c:\windows\msnmgsr1.exe

    [PerUser_LinkBar_URLs] *
    StubPath = c:\windows\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exeadvpack.dll

    [>IEPerUser] *
    StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 13/1/2003, 15:43:22)

    [rename]
    nul=c:\windows\TEMP\~f39a36.tmp

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    @C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
    SET BLASTER=A220 I7 D1 T2
    @echo off
    C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCANPM.EXE C:\
    @if errorlevel 1 pause
    REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
    path C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\GRISOFT\AVG6
    SET SNDSCAPE=C:\WINDOWS
    rem - By Windows Setup - mscdex.exe /d:IDECD000 /L:M

    --------------------------------------------------

    C:\CONFIG.SYS listing:

    DEVICE=C:\WINDOWS\HIMEM.SYS
    DEVICE=C:\WINDOWS\EMM386.EXE /noems
    REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
    [common]
    dos=high,umb
    buffers=40
    ; SBPCI mod: device=c:\windows\himem.sys /testmem:off
    rem The below DOS CD ROM driver is not required to run Windows 98.
    DEVICE=c:\cdrom\OakCdRom.SYS /D:IDECD000

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    @ECHO OFF
    REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
    set path=c:\windows\command
    c:\windows\smartdrv /q
    LH c:\windows\command\mscdex /D:IDECD000 /L:M
    set mouse=c:\imouse
    c:\imouse\imouse
    SET PROMPT=$p$g
    SET TEMP=C:\windows\TEMP
    SET TMP=C:\windows\TEMP
    Rem Configure the sound card
    c:
    cd \windows\system
    SET BLASTER=A220 I5 D1 T4
    RIPUTIL /A220 /I5 /D1 /RI10 /unmute
    cd \windows
    REM to enable ZIP support in DOS, run C:\IOMEGA\IOMEGA.EXE
    REM then uncomment the following line
    REM C:\IOMEGA\GUEST.EXE
    REM or boot DOS and run C:\IOMEGA\INSTALL.EXE
    REM for DOS Networking including most networked games,
    REM read the file IPX.BAT and then uncomment the following
    REM CALL C:\DOSBOOT\IPX.BAT

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37633.0175694444

    --------------------------------------------------
    End of report, 7,816 bytes
    Report generated in 0.661 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
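
The StartupList report above is a plain-text format that can be parsed mechanically, which is handy when triaging many of them. The following Python script is an added example, not part of this thread and not StartupList's own code. It reads an excerpt of the report posted above (trimmed to a few entries), collects the autorun entries from the registry Run/RunServices keys and from WIN.INI, and flags the entries a reviewer would verify by hand: those that name a bare executable (resolved through the search path rather than a fixed location, so the file that actually runs has to be confirmed) and rundll32-style loaders, whose real code lives in the DLL argument. The `triage` heuristics are the example's own and produce review hints, not verdicts; every entry in this report is a legitimate one.

```python
import re
from dataclasses import dataclass

# Excerpt of the StartupList report posted above, trimmed to a few entries.
SAMPLE_REPORT = r"""
StartupList report, 21/01/03, 12:44:53
StartupList version: 1.34.0
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
USBMMKBD = usbmmkbd.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
WinampAgent = "C:\Program Files\Winamp3\winampa.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=
"""


@dataclass
class AutorunEntry:
    source: str   # registry key or INI file the entry was read from
    name: str     # value name (or INI key)
    command: str  # raw command line exactly as listed


# Sections are separated by rows of '-' or '=' in the report.
SEPARATOR = re.compile(r"^[-=]{10,}\s*$", re.M)
# Loader stubs whose real payload is the module named in their argument.
LOADERS = {"rundll32.exe", "rundll32", "rundll.exe", "rundll"}


def parse_startuplist(text):
    """Split the report into sections; return (running processes, autorun entries)."""
    processes, entries = [], []
    for section in SEPARATOR.split(text):
        lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        header = lines[0]
        if header.startswith("Running processes"):
            processes.extend(lines[1:])
        elif header.startswith("Autorun entries from Registry"):
            key = lines[1]                      # the registry key follows the header
            for ln in lines[2:]:
                name, _, cmd = ln.partition("=")
                entries.append(AutorunEntry(key, name.strip(), cmd.strip()))
        elif header.startswith("Load/Run keys from"):
            src = header[len("Load/Run keys from"):].strip().rstrip(":")
            for ln in lines[1:]:
                name, _, cmd = ln.partition("=")
                if cmd.strip():                 # empty load=/run= lines start nothing
                    entries.append(AutorunEntry(src, name.strip(), cmd.strip()))
    return processes, entries


def image_of(command):
    """Return the program a command line would start (quoted paths kept whole)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_fully_qualified(path):
    """True for drive-letter paths like C:\\WINDOWS\\foo.exe."""
    return re.match(r"^[A-Za-z]:\\", path) is not None


def triage(entries):
    """Return (entry, reason) pairs worth a manual look. Heuristics, not verdicts."""
    findings = []
    for e in entries:
        image = image_of(e.command)
        base = image.rsplit("\\", 1)[-1].lower()
        if base in LOADERS:
            parts = e.command.split(None, 1)
            module = parts[1].split(",")[0] if len(parts) > 1 else "?"
            findings.append((e, f"loader {base}: the code that runs is in module {module}"))
        elif not is_fully_qualified(image):
            findings.append((e, f"bare image name {image}: resolved via search path, confirm which file runs"))
    return findings


if __name__ == "__main__":
    procs, ents = parse_startuplist(SAMPLE_REPORT)
    print(f"{len(procs)} processes, {len(ents)} autorun entries")
    for e, why in triage(ents):
        print(f"[{e.source}] {e.name} = {e.command}\n    -> {why}")
```

On the excerpt this flags SystemTray, LoadPowerProfile, USBMMKBD and SchedulingAgent, all of which are standard Windows 98 or keyboard-driver entries; the point of the flag is only that their on-disk location is not stated in the report, so a reviewer checks the file that the search path actually resolves to rather than trusting the name. Fully qualified entries such as the AVG and Winamp ones can be verified directly at the listed path.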
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    As far as the StartupList goes hijinx22, it looks perfectly clean.

    What are the indications of infection? Is AVG identifying any specific files?

    There is no reason why those infections should return immediately following a format unless the floppy itself was infected or you got them once again through the internet.

    These are our two best threads for dealing with Opaserv:

    http://forums.techguy.org/t97918/s.html

    http://forums.techguy.org/showthread.php?s=&threadid=102879

    To get rid of FunLove, you should follow Symantec's instructions here:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.funlove.4099.html
     
  3. hijinx22

    hijinx22 Thread Starter

    Joined:
    Nov 7, 2002
    Messages:
    49
    Thanks Rollin' Rog, I'll give it a go and tell ya what comes up.
     
Short URL to this thread: https://techguy.org/114363