Win95:Dupator Help!

I have been running Windows 98 and two days ago got infected by Dupator. Avast can’t repair the files, recommends moving them to the chest… so I have a chest full of files I can’t use. I get these messages:
“memory is infected”
“error occurred during file repair”

Some files I can’t move to the chest. I get the messages:
“cannot process [file name]”
“access is denied”

I can’t run Internet Explorer or Outlook so no fixes that require internet are going to help me. When I try to launch either, my computer starts looking for “rundll32.exe”. This is quarantined in the chest, but restoring it does not fix the problem.

I am writing from a CPU loaded with XP, and to see what’s going on with the one with the virus that’s running Windows 98, I have to disconnect everything and reconnect the old CPU.

I’m using Avast 4.7. Avast can obviously still access the internet, because it updated itself today.

Help help please. I’m a single mom, I work from home via – you guessed it – the internet. I can’t afford to drag the stupid thing into a shop for repair and I’ve lost two working days already.

Thank you

Can I clean it in safe mode?
If I hook up the infected CPU to the OK via ethernet, can I safely clean from there?


Bump … can someone help Christine with this?

In the meantime, Christine, please download HijackThis from here …

http://filehippo.com/download_hijackthis/

Download and run HijackThis and post the contents of the log file (cut and paste) into this topic; you may need to split it over two or more posts depending on how large it is. Do not make any fixes until someone tells you what to fix.


Follow CharleyO’s advice. It may just be a matter of replacing the kernel32.dll.

The avast log would be useful also.

EDIT to add:

Let me qualify my above statement.

If avast removed all the infected files, except for the kernel32, then removing it would get you up and running again.

Avast wouldn’t be able to remove it with Windows running. It must be removed using DOS (not the DOS prompt within Windows), which, fortunately, is available on Win98 machines.

To be able to help you, you will have to provide some info.

As mentioned, a HJT log and the avast warning log. It can be found here

C:\programfiles\alwilsoftware\avast4\data\log

To get a HJT log, download it from the link CharleyO provided and transfer it to the infected machine. I suggest using a floppy disc, as it has a write protection feature, or a CD, not a USB device. Just in case the worm is still active.

Once on the win98 machine, check to make sure that this file is present

C:\windows\system\kernel32.dll

You will have to make hidden files/folders visible via Folder Options in Windows Explorer.

This file is a clean version of kernel32 and that is the right location. Do not remove it.

If you can provide the two logs and whether or not the file is present we may be able to help.

If the rundll32.exe is infected, remove it, we can get you a new one.

Thank you gentlemen.

No luck with a floppy – I don’t have any, tried to write over an old program disk unsuccessfully. If necessary I can go buy one later. Therefore no Avast or HJT log files right now.

The kernel32.dll is in the correct place.

There are multiple copies of the rundll32.exe – one from 1999, the others from the dates of the infection. This cannot be repaired and restore does nothing. I did email it to Alwil software, apparently successfully.

If I remove the kernel32.dll, do I have to replace it?
How do I get to DOS…F8 during boot? I miss DOS : (

Working on the assumption avast removed the worm and all infected files…

The file in the windows\system folder should be clean, and that is the correct folder.

The infected file is in the windows folder. That is the one you will have to delete, make sure it is there. I’ll throw something at the end to explain. If it’s not there, let me know and we’ll look at something else.

C:\windows\kernel32.dll

As you said you miss DOS, you know the commands.

Yes F8 or whatever key you use will get you to the option to select dos.

You can get a new rundll32.exe from here, I believe it should go in the windows folder.

http://www.spywareinfo.com/~merijn/winfiles.php#rundll32.exe

“When an infected file is run it first copies KERNEL32.DLL from the System folder to Windows folder and infects this copy. The virus is using a known vulnerability that Windows will use this copy instead of the original in Windows\System after the first reboot. The virus only patches one KERNEL32.DLL export - “GetFileAttributesA” and when other programs call this standard Windows API the virus receives control and infects other applications in PE format. The virus adds a section called “DUPATOR!” to every infected file.”

edit: corrected rundll to rundll32
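
Added example, not part of any forum post above: a Python sketch that checks files for the two indicators named in the quoted description, a PE section called "DUPATOR!" and a KERNEL32.DLL copy sitting outside Windows\System. The function names and the header-only sample builder are constructed for illustration.

```python
import os
import struct

MARKER = b"DUPATOR!"  # section name given in the quoted description

def pe_section_names(data):
    """Return the raw 8-byte section names of a PE image, or [] if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    names = []
    for i in range(count):
        entry = table + i * 40          # each section header is 40 bytes
        if entry + 40 > len(data):      # truncated or corrupt table
            break
        names.append(data[entry:entry + 8])
    return names

def is_marked(data):
    return MARKER in pe_section_names(data)

def scan_tree(root):
    """Return (files carrying the marker, KERNEL32.DLL copies outside System)."""
    marked, stray = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            in_system = os.path.basename(folder).lower() == "system"
            if name.lower() == "kernel32.dll" and not in_system:
                stray.append(path)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # assumption: headers sit in the first 64 KiB
            except OSError:
                continue
            if is_marked(head):
                marked.append(path)
    return marked, stray

def build_sample_pe(names):
    """Constructed header-only PE stub for the demo; not a real executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table
```

Run it from a clean machine against a copy of the old disk's files, since the description says the resident virus infects programs as they are accessed.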

Back on my computer now, can confirm the locations

windows folder
rundll32.exe 24kb 23/04/99 10:22pm

windows\system folder
kernel32.dll 460kb 23/04/99 10:22pm

It’s there all right. With Windows running it is greyed out like a hidden file.
I found the clean one in the c:\windows\system folder. In DOS I had to unhide c:\windows\kernel32.dll to delete it, but no apparent effect so far to anything else.

I have a computer guy coming over in about 1/2 hour. He’s going to try to dump everything (but the virus) from the 98 machine onto my XP machine. Then I will throw the 98 off a cliff. It’s only 6:00 p.m. here in Vancouver, it’s been a long week, it will be a long night, wish me luck.

Hey don’t knock the old 98 ;D you should see what the xp guys get.

I’m about 350 miles north of you. Small world.

Keep safe and good luck.

Avast should carry a warning to grumpy old computer lady customers, “not compatible with Windows™ 98”. It was way past time for me to ditch the 98, but now I have a pile of updates and installs at an inconvenient moment, and a 22-year-old tonight told me I could handle it because I “have been on computers since before [he] was born”. True, but not charming. I needed to move my sh*t from 98 to XP, and I was procrastinating, then Avast made me do it and not in a good way. It was fun revisiting DOS but I’m still mad at you Avast.

350 miles north oldman? As the crow flies?

As the crow flies?? Drunk crow perhaps. :wink:

Vancouver BC, I’m assuming. If not add a few hundred miles. 150 MH

See my signature, avast is compatible with win98. MS patched that vulnerability about 3-4 years ago.

ahh dos (Gatesenese) a dying language.