Win32 Dupator and some others?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

hijinx22

Thread Starter
Joined
Nov 7, 2002
Messages
49
Hi guys, I hope you can lend a helping hand to my situation as you have done in the past. I have had problems with this Opaserv worm A before, and I have resolved this problem here before, in which I followed the instructions to the letter about cleaning it and read the posts that have been written about this infestation throughout this forum.

My situation arises from when I reformatted my hard drive: this bug came back to me. My AVG scan tells me it's:

Win32 Dupator
I worm/Opas A
I worm/Opas E
Win32 Funlove

Now I have gone through the procedures here in this forum for how to get rid of this bug, but after a couple of times starting up the comp it reinfects itself. Now a couple of people have said in this forum that the Kernel32.dll file may be infected and that is why it keeps reinfecting my comp, but when I ran the scan with AVG it prompted that these files were in the Windows directory and drew no connection to the said dll file. Any help would be appreciated, and here is my StartupList after I have banished this bug (supposedly). Thanks

StartupList report, 21/01/03, 12:44:53
StartupList version: 1.34.0
Started from : C:\MY DOCUMENTS\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\STARTUPLIST.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AtiCwd32 = Aticwd32.exe
AtiKey = Atitask.exe
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
USBMMKBD = usbmmkbd.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
WinampAgent = "C:\Program Files\Winamp3\winampa.exe"
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
Hidserv = Hidserv.exe run
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
Reminder = C:\Program Files\Microsoft Money\System\reminder.exe
NVIEW = rundll32.exe nview.dll,nViewLoadHook

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exeadvpack.dll

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 13/1/2003, 15:43:22)

[rename]
nul=c:\windows\TEMP\~f39a36.tmp

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
SET BLASTER=A220 I7 D1 T2
@echo off
C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCANPM.EXE C:\
@if errorlevel 1 pause
REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
path C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\GRISOFT\AVG6
SET SNDSCAPE=C:\WINDOWS
rem - By Windows Setup - mscdex.exe /d:IDECD000 /L:M

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE /noems
REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
[common]
dos=high,umb
buffers=40
; SBPCI mod: device=c:\windows\himem.sys /testmem:off
rem The below DOS CD ROM driver is not required to run Windows 98.
DEVICE=c:\cdrom\OakCdRom.SYS /D:IDECD000

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

@ECHO OFF
REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
set path=c:\windows\command
c:\windows\smartdrv /q
LH c:\windows\command\mscdex /D:IDECD000 /L:M
set mouse=c:\imouse
c:\imouse\imouse
SET PROMPT=$p$g
SET TEMP=C:\windows\TEMP
SET TMP=C:\windows\TEMP
Rem Configure the sound card
c:
cd \windows\system
SET BLASTER=A220 I5 D1 T4
RIPUTIL /A220 /I5 /D1 /RI10 /unmute
cd \windows
REM to enable ZIP support in DOS, run C:\IOMEGA\IOMEGA.EXE
REM then uncomment the following line
REM C:\IOMEGA\GUEST.EXE
REM or boot DOS and run C:\IOMEGA\INSTALL.EXE
REM for DOS Networking including most networked games,
REM read the file IPX.BAT and then uncomment the following
REM CALL C:\DOSBOOT\IPX.BAT

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37633.0175694444

--------------------------------------------------
End of report, 7,816 bytes
Report generated in 0.661 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Dec 9, 2000
Messages
45,855
As far as the StartupList goes, hijinx22, it looks perfectly clean.

What are the indications of infection? Is AVG identifying any specific files?

There is no reason why those infections should return immediately following a format unless the floppy itself was infected or you got them once again through the internet.

These are our two best threads for dealing with Opaserv:

http://forums.techguy.org/t97918/s.html

http://forums.techguy.org/showthread.php?s=&threadid=102879

To get rid of FunLove, you should follow Symantec's instructions here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.funlove.4099.html
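The reply above calls the posted StartupList "perfectly clean" on sight. The script below, added here as an example and not code from StartupList, AVG or either poster, encodes the checks a reviewer actually makes on a Win9x StartupList report: SYSTEM.INI Shell= must be exactly Explorer.exe, WIN.INI load=/run= must be empty, no second EXPLORER.EXE outside C:\WINDOWS may be PRESENT!, executable extensions must not be superhidden, and Run/RunServices entries must not launch from a TEMP folder or the drive root. Both sample reports are constructed for the example (the clean one mirrors the shape of the report posted above; the hijacked one uses the made-up names dropper.exe and loader.exe), and the heuristics are the reviewer's own, not a StartupList feature.

```python
"""Triage a StartupList-style report for common Win9x persistence hijacks.
Added example; the section parser and every heuristic are this reviewer's
assumptions about what a hand analyst looks for, not StartupList's own logic."""
import re

# Constructed sample that mirrors the shape of the report posted in the thread.
SAMPLE_CLEAN = r"""StartupList report, 21/01/03, 12:44:53
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.Exe
WinampAgent = "C:\Program Files\Winamp3\winampa.exe"

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.vbs: not hidden
"""

# Same report with hypothetical hijacks planted (dropper.exe/loader.exe are made up).
SAMPLE_HIJACKED = (SAMPLE_CLEAN
    .replace("SystemTray = SysTray.Exe",
             "SystemTray = SysTray.Exe\nLoader = C:\\WINDOWS\\TEMP\\loader.exe")
    .replace("run=", "run=c:\\dropper.exe")
    .replace("Shell=Explorer.exe", "Shell=Explorer.exe dropper.exe")
    .replace("C:\\Explorer.exe: not present", "C:\\Explorer.exe: PRESENT!")
    .replace(".exe: not hidden", ".exe: HIDDEN!"))

# Extensions Windows 98 does NOT superhide by default; a worm hiding them is a red flag.
EXEC_EXTS = {".exe", ".com", ".bat", ".hta", ".scr", ".vbs", ".vbe", ".wsh", ".js", ".jse"}
SUSPECT_DIR = re.compile(r"(^|\\)(temp|tmp)\\", re.I)          # launches from a TEMP dir
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|com|pif|scr|bat)(\s|$)", re.I)  # drive root


def sections(report):
    """Yield (title, body_lines) for each block separated by StartupList's rules."""
    for block in re.split(r"^[-=]{10,}\s*$", report, flags=re.M):
        lines = [ln.rstrip() for ln in block.strip("\n").splitlines()]
        if lines:
            yield lines[0], lines[1:]


def triage(report):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    for title, body in sections(report):
        t = title.lower()
        if t.startswith("running processes"):
            for ln in body:
                if SUSPECT_DIR.search(ln) or ROOT_EXE.match(ln):
                    findings.append(f"Process running from TEMP or drive root: {ln}")
        elif t.startswith("autorun entries"):
            hive = body[0] if body else "?"
            for ln in body[1:]:
                if " = " not in ln:
                    continue
                name, cmd = ln.split(" = ", 1)
                if SUSPECT_DIR.search(cmd) or ROOT_EXE.match(cmd.strip('"')):
                    findings.append(f"{hive}: '{name}' launches from TEMP or drive root: {cmd}")
        elif t.startswith("load/run keys"):
            for ln in body:
                key, _, val = ln.partition("=")
                if key.strip().lower() in ("load", "run") and val.strip():
                    findings.append(f"WIN.INI {key.strip()}= is not empty: {val.strip()}")
        elif t.startswith("shell & screensaver"):
            for ln in body:
                key, _, val = ln.partition("=")
                if key.strip().lower() == "shell" and val.strip().lower() != "explorer.exe":
                    findings.append(f"SYSTEM.INI Shell= hijacked: {val.strip()}")
        elif t.startswith("checking for explorer.exe"):
            for ln in body:
                path, _, state = ln.rpartition(": ")
                if state.upper().startswith("PRESENT") and path.lower() != r"c:\windows\explorer.exe":
                    findings.append(f"Rogue EXPLORER.EXE: {path}")
        elif t.startswith("checking for superhidden"):
            for ln in body:
                ext, _, state = ln.partition(": ")
                if ext.lower() in EXEC_EXTS and state.upper().startswith("HIDDEN"):
                    findings.append(f"Executable extension {ext} is superhidden")
    return findings


if __name__ == "__main__":
    for label, rep in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        print(label, "->", triage(rep) or ["nothing suspicious"])
```

Paste a real report into `triage()` in place of the samples. A clean result only means none of these five hijack points is in use; it says nothing about a file infector such as FunLove that rides inside executables that are supposed to be there, which is why the reply above still points to the Symantec removal steps.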
 