Hi guys, I hope you can lend a helping hand to my situation as you have done in the past. I have had problems with this Opaserv worm A before, and I have resolved this problem here before, in which I followed the instructions to the letter about cleaning it and read the posts that have been written about this infestation throughout this forum.
My situation arises from when I reformatted my hard drive: this bug came back to me. My AVG scan tells me it's:
Win32 Dupator
I worm/Opas A
I worm/Opas E
Win32 Funlove
Now I have gone through the procedures here in this forum on how to get rid of this bug, but after a couple of times starting up the comp it reinfects itself. Now a couple of people have said in this forum that the Kernel32.dll file may be infected and that is why it keeps reinfecting my comp, but when I ran the scan with AVG it prompted that these files were in the Windows directory and drew no connection to the said DLL file. Any help would be appreciated, and here is my StartupList after I have banished this bug (supposedly). Thanks
StartupList report, 21/01/03, 12:44:53
StartupList version: 1.34.0
Started from : C:\MY DOCUMENTS\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\STARTUPLIST.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AtiCwd32 = Aticwd32.exe
AtiKey = Atitask.exe
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
USBMMKBD = usbmmkbd.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
WinampAgent = "C:\Program Files\Winamp3\winampa.exe"
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
Hidserv = Hidserv.exe run
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
Reminder = C:\Program Files\Microsoft Money\System\reminder.exe
NVIEW = rundll32.exe nview.dll,nViewLoadHook
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe
[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exeadvpack.dll
[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP
[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=
run=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 13/1/2003, 15:43:22)
[rename]
nul=c:\windows\TEMP\~f39a36.tmp
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
SET BLASTER=A220 I7 D1 T2
@echo off
C:\PROGRA~1\NETWOR~1\MCAFEE~1\SCANPM.EXE C:\
@if errorlevel 1 pause
REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
path C:\WINDOWS;C:\WINDOWS\COMMAND;C:\PROGRA~1\GRISOFT\AVG6
SET SNDSCAPE=C:\WINDOWS
rem - By Windows Setup - mscdex.exe /d:IDECD000 /L:M
--------------------------------------------------
C:\CONFIG.SYS listing:
DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE /noems
REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
[common]
dos=high,umb
buffers=40
; SBPCI mod: device=c:\windows\himem.sys /testmem
rem The below DOS CD ROM driver is not required to run Windows 98.
DEVICE=c:\cdrom\OakCdRom.SYS /D:IDECD000
--------------------------------------------------
C:\WINDOWS\DOSSTART.BAT listing:
@ECHO OFF
REM To make a DOS Boot Diskette; See the file C:\DOSBOOT\DOSBOOT.TXT
set path=c:\windows\command
c:\windows\smartdrv /q
LH c:\windows\command\mscdex /D:IDECD000 /L:M
set mouse=c:\imouse
c:\imouse\imouse
SET PROMPT=$p$g
SET TEMP=C:\windows\TEMP
SET TMP=C:\windows\TEMP
Rem Configure the sound card
c:
cd \windows\system
SET BLASTER=A220 I5 D1 T4
RIPUTIL /A220 /I5 /D1 /RI10 /unmute
cd \windows
REM to enable ZIP support in DOS, run C:\IOMEGA\IOMEGA.EXE
REM then uncomment the following line
REM C:\IOMEGA\GUEST.EXE
REM or boot DOS and run C:\IOMEGA\INSTALL.EXE
REM for DOS Networking including most networked games,
REM read the file IPX.BAT and then uncomment the following
REM CALL C:\DOSBOOT\IPX.BAT
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Task Scheduler jobs:
Tune-up Application Start.job
--------------------------------------------------
Enumerating Download Program Files:
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37633.0175694444
--------------------------------------------------
End of report, 7,816 bytes
Report generated in 0.661 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only