Archived from groups: microsoft.public.win98.gen_discussion
From: "Ogg" <sorry-nopam-wanted@anywhere.com>
|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote..
|
|>> I'm back, ..but the Win98 system isn't!
|>> This pe_dupator.1503 is one slick puppy.
|>>
>> I am sorry to hear that you were hit with a TRUE virus (not a Trojan). But proactive
>> mitigation of infectors, especially viruses, is very important.
>>
>> Details:
>> Kernel32.dll Infection...
|
| Yep.. thanks. I read about kernel32.dll infections and the dynamics of
| pe_dupator.1503 before the failed kernel32 happened. I was hoping that
| TrendMicro's sysclean would be able to "clean" it. But obviously it
| rendered the OS dead.
|
>> This virus has been around since 1999/2000. The questions that come up are...
>> How long have you been infected ?
>> Have you spread the infection (infects SYS, EXE and SCR files) to others ?
>> Are there infected files (DLL, SYS, EXE and/or SCR) residing on alternate media ?
|
| Good questions! Well.. this particular system belongs to a couple of
| senior friends in my town. They called me to investigate a weird slowdown when
| they used the internet. The system was infected with several WORM_OPASERV
| variants. I fixed that immediately and applied the MS patch for the
| exploit.
|
| But the machine had NO anti vir prgm at the time. In fact.. when their
| Norton expired, and they looked for another replacement, they couldn't find
| a good compatible alternative. I don't think they were aware of the FREE
| ones available. Based on some of the "modified" dates of some of the
| corrupted files, it looks like they were using the machine for at least a
| year without any anti vir. Obviously, by then, kernel32 was already
| corrupted and pe_dupator.1503 was busy modifying any .exe file that was
| being used or viewed via Attributes. Even the Panda, TrendMicro, Adware,
| and Spybot executables were modified after I used them.
|
| I just finished installing W98 (original). I am now rerunning TrendMicro's
| Sysclean. Then it will be the Win98SE upgrade.
|
If I had a Crystal Ball I would not have suggested the Trend Sysclean Front End utility I
wrote. Sysclean requires running under Windows. If I had the forethought I would have
suggested the McAfee Command Line Scanner (MCLS) Front End I wrote.

In that case you would have executed the script in Windows and it would have downloaded the
McAfee SuperDAT and then would have extracted the scanner and DAT files. Then you could
have booted off a Win98 Emergency Boot Disk (EBD) or other DOS Disk where you could have
executed the MCLS under DOS. It would have been more effective and maybe would have cleaned
the infected files without a problem rather than deleting them. The Trend Scanner was an
insurance based upon the number of infected files the Panda online scanner caught. I didn't
think a major virus would be resident.

For future reference, here is that set of instructions...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. If you are using Windows XP, you may have to disable the Windows XP FireWall to
allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]
Shutdown as many applications as possible !

It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
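
Added example, not part of the original posts or of the CLEAN.EXE package: the thread notes that the scanner executables themselves were modified after being run on the infected system. This Python sketch baselines the file types named in the thread (EXE, SYS, SCR, DLL) and reports any whose contents later change, with the size growth; the function names and the folder contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# File types the thread names as infection targets.
INFECTABLE = {".exe", ".sys", ".scr", ".dll"}

def snapshot(root):
    """Return {relative_path: (size, sha256_hex)} for infectable files under root."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in INFECTABLE:
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                data = handle.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return result

def compare(before, after):
    """List files whose content changed (with size growth), appeared, or vanished."""
    both = before.keys() & after.keys()
    modified = sorted((p, after[p][0] - before[p][0])
                      for p in both if before[p][1] != after[p][1])
    return {
        "modified": modified,
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }

def demo():
    """Constructed sample: a tools folder whose scanner grows after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("scanner.exe", b"MZ" + b"\x00" * 62),
                           ("driver.sys", b"MZ" + b"\x01" * 30), ("readme.txt", b"notes")]:
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        baseline = snapshot(root)
        # Simulate tampering: 16 constructed bytes appended to one executable.
        with open(os.path.join(root, "scanner.exe"), "ab") as handle:
            handle.write(b"\xcc" * 16)
        with open(os.path.join(root, "readme.txt"), "ab") as handle:
            handle.write(b" changed")  # ignored: not an infectable type
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

As with the DOS-boot scan described in the post, the comparison is most trustworthy when run from clean boot media rather than from the infected Windows session.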