w32.Dupator 1503 virus repair
Eaglefeather
01-08-2003, 01:45 PM
Four variants of the Opaserv worm (E, F, J & H) got into my PC the other night. How they did that was a result of my own stupidity; however, let's not discuss that at the moment.
They were a small inconvenience and were easily removed; however, the w95.Dupator 1503 virus had piggybacked along with them.
I have Panda Antivirus and it is supposed to be able to remove the Dupator virus. I think it has succeeded; however, four main Windows system files were corrupted and one was moved.
Symantec has lots of good info about the virus, but the removal/repair tool is only good with Norton Antivirus.
These are the files that were corrupted:
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LVComS.exe
C:\WINDOWS\STARTER.EXE
When it entered my PC it made a copy of C:\WINDOWS\SYSTEM\KERNEL32.DLL and placed that copy in C:\WINDOWS\. It then used the original to infect all of the .exe files it could find on my system. It succeeded admirably; if only we could get government to work so well...
Panda was able to repair most of the infected .exe files. However, some of my programs will have to be reinstalled after the machine is clean again.
My questions are:
How do I fix the corrupted system files?
Is it a matter of just replacing them?
If so where would I get clean copies?
Would it have to be done in SafeMode?
What about the KERNEL32.DLL? Can the infected original be deleted and the copy that the virus placed in C:\WINDOWS be moved back to the SYSTEM files?
Help sure would be appreciated.
I'm assuming Windows 98?
Stimon is installed with a scanner.
Systray is a built in Windows system file, it can be extracted from the CD by using SFC.
Lvcoms is installed by a Logitech Quickcam.
Starter is installed by an Ensoniq/Creative sound card.
Kernel32 should be able to be extracted with SFC also.
Eaglefeather
01-08-2003, 10:32 PM
Ok, used SFC to extract clean versions of:
Kernel32.dll & systray.exe. Stimon.exe was also on the win98se cd. (I do not have a scanner installed)
However I ran the Antivirus right after making the change and they had become infected again.
If I uninstall the Logitech web cam and the Ensoniq/Creative software, would that remove LVComS.exe and Starter.exe? And if I were then to re-extract the other 3 from the CD, do you think that would work?
I tried to rename LVComS.exe and Starter.exe but got this message: "File in use by Windows. You cannot rename this file; you do not have permission of the owner".
I noticed that the Norton fix is done in DOS mode. Is it possible to extract these files from the Win98SE CD if I went to DOS mode? If so, I would need to know the command lines. I am not that conversant with it all.
Thanks glc
Extract them to an alternate location then boot to DOS and copy them where they are supposed to be. You can rename the other 2 in DOS or safe mode.
Eaglefeather
01-11-2003, 12:07 PM
Thanks again, glc. I have managed to remove all of the infected files except the copy of Kernel32.dll that was made in C:\windows. Apparently the virus is in that file and uses it as a base of operations to make the changes through the original Kernel32.dll in C:\windows\system.
I tried using Safe Mode to either delete or rename them, but I kept getting the "file cannot be deleted because it is in use by Windows" pop-up.
I tried rebooting with my system start-up disk, but it will not boot from the disk; it just bypasses it and goes right into Windows. The same thing happens when I try using the Safe Disk that I made for my antivirus. The only way I have been able to get to DOS is through Windows. When I do it that way and try to delete, I get "Cannot find file".
Is there another way to get to DOS?
Also, if I have to reformat the HD to get rid of this thing, I am wondering whether I am going to have problems trying to use a boot disk.
Is it possible the virus has made a change to stop the system from reading from A:\ during boot, and if so, how do I enable it again?
The "Seek floppy drive during boot" option had been disabled in the BIOS. I do not know if it was disabled before the virus entered my PC or not. This PC is only 5 months old and was built for me. The chap that built it is away, so I cannot ask him. I enabled it, but the boot disk is still being bypassed.
Is there something I have missed?
Again any help is appreciated.
Start tapping F8 when you boot up to get the boot menu, and choose "safe mode command prompt only". You should be able to delete, copy, and move files at will because nothing will be in use.
Are you sure it's "kernel32.dll" and not "kernel32.dil"?
Eaglefeather
01-12-2003, 11:11 AM
Thanks again, glc.
The file name as displayed in Explorer is, KERNEL32.DLL, in both instances.
mark70
01-12-2003, 12:39 PM
Don't know if this will help, but in Win98SE you can do a restore from CAB files. I believe that you boot up in DOS and type scanreg.exe, and from there it will give you an option to restore from previous CAB files. Select one from before the infection and see if that will fix the problem. Sorry, it's been a long time since I had Win98SE and I am not sure of all the commands, but this used to pull me out all the time when I deleted the wrong files or corrupted something. Maybe worth a try?? Good luck. If someone knows the exact commands, please post :D
mark70
01-12-2003, 01:05 PM
Try this: in DOS type scanreg.exe, then Start, then View Backups, then Restore (oldest CAB file listed). Maybe it will work, don't know. If you haven't added any new programs to your puter in the previous day it shouldn't be a problem.
mark - I don't think he wants to restore a registry here - he's trying to replace system files, which is what SFC does, not scanreg.
Eaglefeather
01-12-2003, 11:08 PM
Thanks Mark, will keep this info for the future. I have quite a lot of info that I have gathered from PCMech over the years. I would know diddly squat without the help I have received here.
I have been able to get rid of the duplicate KERNEL32.dll. Your method worked, glc; however, the first time I tried it I received the same response as when I did it in Safe Mode, namely that it could not find the file.
Well, I knew something had to be wrong because the file was there in plain sight; however, I did notice that the icon was slightly greyed out compared to others. So I right-clicked on the file and then on Properties. It was registered as Archive and Hidden. I changed it to Read Only and unchecked the Hidden value.
Then I rebooted and went back to the Safe Mode DOS prompt, changed the directory to C:\windows>, typed in del KERNEL32.DLL, and voilà, it was gone.
Can not tell you how much I appreciate your help glc. I have spent a whole week trying to remove this thing and I have learned a very valuable lesson. One must never let one's guard down when connecting to the internet or one will pay the price.
I paid and I learned.
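The procedure glc describes (extract clean copies to a scratch folder, boot to "Safe mode command prompt only", then copy, rename and delete with nothing in use) and the attribute problem Eaglefeather hit (DEL says "file not found" because the dropped copy is marked Hidden) fit in one batch script. This is an added example, not a script from the thread or from any vendor tool. Assumptions: D: is the CD-ROM drive, the Win98SE cabinets are in D:\WIN98, C:\CLEAN is an existing scratch folder, and BASE4.CAB is a valid starting cabinet for EXTRACT /A to walk the chain from; step 1 runs from inside Windows beforehand, because the CD-ROM is generally not available from the Safe Mode command prompt.

```batch
@echo off
rem Added example (not from the thread): replace the files Dupator touched on
rem Win98SE. Assumed paths: D: = CD-ROM, D:\WIN98 = cabinet folder,
rem C:\CLEAN = scratch folder that already exists.

rem 1. From Windows, before rebooting: pull clean copies into the scratch
rem    folder. /A walks the cabinet chain from the named cabinet (BASE4.CAB is
rem    an assumption), /L sets the destination, /Y suppresses overwrite prompts.
extract /y /a /l C:\CLEAN D:\WIN98\BASE4.CAB KERNEL32.DLL SYSTRAY.EXE STIMON.EXE

rem ---- Everything below runs from "Safe mode command prompt only" (F8). ----

rem 2. The extra KERNEL32.DLL the virus dropped in C:\WINDOWS is Hidden, so a
rem    plain DEL reports "File not found". DIR /AH lists hidden files; clear the
rem    Read-only/Hidden/System/Archive bits, then delete it.
dir /ah C:\WINDOWS\KERNEL32.DLL
attrib -r -h -s -a C:\WINDOWS\KERNEL32.DLL
del C:\WINDOWS\KERNEL32.DLL

rem 3. Overwrite the infected originals. In Safe Mode command prompt nothing
rem    is loaded from these files, so the "file in use" error does not occur
rem    and the clean copies are not re-infected on the spot.
copy /y C:\CLEAN\KERNEL32.DLL C:\WINDOWS\SYSTEM\KERNEL32.DLL
copy /y C:\CLEAN\SYSTRAY.EXE  C:\WINDOWS\SYSTEM\SYSTRAY.EXE
copy /y C:\CLEAN\STIMON.EXE   C:\WINDOWS\SYSTEM\STIMON.EXE

rem 4. The third-party files (Logitech LVComS.exe, Creative STARTER.EXE) are
rem    not on the Windows CD. Rename them out of the way so they cannot run,
rem    and reinstall the driver packages afterwards to get clean copies.
attrib -r -h -s C:\WINDOWS\SYSTEM\LVComS.exe
ren C:\WINDOWS\SYSTEM\LVComS.exe LVComS.bad
attrib -r -h -s C:\WINDOWS\STARTER.EXE
ren C:\WINDOWS\STARTER.EXE STARTER.bad

rem 5. Check: the dropped copy is gone (DIR /A would still show it if it were
rem    merely hidden) and the replacement is in place in SYSTEM.
dir /a C:\WINDOWS\KERNEL32.DLL
dir C:\WINDOWS\SYSTEM\KERNEL32.DLL
```

The order matters: the poster's first attempt (L30-32) failed because the clean files were written while the infected Windows session was still running, so the resident virus re-infected them immediately. Doing the copy and delete only from the Safe Mode command prompt, and running the antivirus before starting normal Windows again, avoids that. The `dir /a` check at the end is the quick way to tell "deleted" apart from "still there but hidden".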
vBulletin® v3.7.0, Copyright ©2000-2008, Jelsoft Enterprises Ltd.