
Windows 9x/Me Security Thread

114 posts in this topic

What version is your Mscan32.dll?

(please note the spelling of the filename: McScan32.dll)

3,182,712 . 07-31-09 . 6:40a Mcscan32.dll

File Properties | Version (under WinXP) ... v5.400.0.1158

File Properties | Version (under Win9x) ... v5.4.00

CRC in WinZip ... c2482d68

MORE INFORMATION ... I was able to search through a collection of McAfee DATs and determined that this file (McScan32.dll) has been identical since around the 5741 release circa 2009 September. In other words this file has been unchanged for almost two years.

SUPPOSITION ... at some point this DLL will again be changed and will likely not work with Win9x any longer even though the 10 year old executables will function as always. The question will likely become, will the DAT files of some future time work with an older McScan32.dll on Win9x? Your guess is as good as mine.

None of this would be necessary if all the antivirus vendors and virus research labs simply agreed on a standard DAT database while keeping their engines and applications proprietary. But that would be just too logical.

Does anyone have access to 5100eng9x.exe?

I couldn't find the 5100 DATs on any hard drives I have stored. But I did see 5090 and 5110. McScan32.dll is identical in both of those releases ...

2,867,438 . 06-09-06 . 5:10a Mcscan32.dll

File Properties | Version (under WinXP) ... v5.100.0.194

File Properties | Version (under Win9x) ... v5.1.00 (probably)

CRC in WinZip ... ca1d76ed


Norton Anti-Virus 2002 can still be updated by downloading the (free) Symantec Intelligent Updater package.

But is it kosher to download and use this package?

--JorgeA


I can confirm that SUPERAntiSpyware version 4.24.0.1004 works on my Win98 (first edition) PC.

Also, FWIW, ZoneAlarm 6.1.744.001 serves as the firewall on my Win98SE laptop.

HTH

--JorgeA

Edited by JorgeA

AVG 7.5

For the past two weeks the offline update of the AVG virus definitions has been faulty. The definitions file incavi.avm remains in the install.1 folder (C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7upd\install.1). I must copy it into the AVG program folder. Restart required.


Don't forget that you could also use Linux to scan Windows. I believe you could make a tiny Linux-compatible partition around ~200MB, or maybe even smaller. Then do a minimal install of Debian, Fedora, Arch, etc.

I've done this before, and I didn't even install a desktop environment for the distro.

Add the proper repos for your distro, and from the Linux command line, install the program with a package manager.

Debian, Ubuntu;

apt-get install clamav

OR

aptitude install clamav

Arch;

pacman -S clamav

Gentoo;

emerge clamav

To update the definitions is something like...

freshclam

To scan...

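# -r recurses into subdirectories; without it only the files directly in the folder are scanned
clamscan -r /media/Windows/
clamscan -r /mnt/Windows/
clamscan /media/Windows/io.sys
clamscan <path to folder/file>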

NOTES;

This method will require you to have a boot manager installed, like one of the GRUB derivatives for instance. This also won't provide "active" protection, but only clean-up after the fact.

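The ClamAV procedure in the post above as one script, added here as an example that is not part of the original post: it mounts the Windows partition read-only, scans recursively, and lists detections from the log. The device node `/dev/sda1`, the log path and the function names are assumptions, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: offline ClamAV scan of a Win9x FAT32 volume from a minimal Linux install.
# Assumed values (not from the post): device node, log path, function names.
WIN_DEV="${WIN_DEV:-/dev/sda1}"            # assumption: partition holding Windows
WIN_MNT="${WIN_MNT:-/mnt/Windows}"         # mount point as used in the post
SCAN_LOG="${SCAN_LOG:-/var/log/clamscan-win9x.log}"

# Mount read-only and noexec so the scan cannot alter or run anything on the
# suspect volume, refresh definitions, then scan recursively.
scan_windows_volume() {
    mkdir -p "$WIN_MNT" || return 2
    mount -t vfat -o ro,noexec "$WIN_DEV" "$WIN_MNT" || return 2
    freshclam || echo "warning: definitions were not updated" >&2
    # -r: descend into subdirectories; -i: report infected files only.
    clamscan -r -i --log="$SCAN_LOG" "$WIN_MNT"
    rc=$?
    umount "$WIN_MNT"
    return "$rc"
}

# clamscan exit status: 0 = no virus found, 1 = virus found, 2 = error.
describe_exit() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        *) echo "error" ;;
    esac
}

# Print "path|signature" for each detection line ("<path>: <signature> FOUND").
list_detections() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\1|\2/p' "$1"
}

# Constructed sample log (not real scan output) for trying the parser offline.
write_sample_log() {
    cat > "$1" <<'EOF'
/mnt/Windows/WINDOWS/SYSTEM/example.dll: OK
/mnt/Windows/My Documents/eicar.com: Eicar-Test-Signature FOUND
/mnt/Windows/TEMP/setup copy.exe: Win.Trojan.Example-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

# Scan only when asked: sh scan9x.sh scan   (mount needs root)
if [ "${1:-}" = "scan" ]; then
    scan_windows_volume
    status=$?
    echo "result: $(describe_exit "$status")"
    [ "$status" -eq 1 ] && list_detections "$SCAN_LOG"
    exit "$status"
fi
```

Because the volume is mounted read-only, detections are only reported; removing or quarantining a file is a separate step on a read-write mount.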

Just a quick update regarding the use of McAfee v6 on Win9x. I extracted the latest DATs v6511 (see details explained above in post #40) ...

..... 640,057 . 10-26-11 . 1:40a Avvclean.dat

..... 445,913 . 10-26-11 . 1:40a Avvnames.dat

. 125,551,486 . 10-26-11 . 1:40a Avvscan.dat

As described previously, just strip the AVV prefix from the default filenames and replace CLEAN.DAT, NAMES.DAT and SCAN.DAT.

The 32-bit engine file, Mcscan32.dll is once again identical to past versions so nothing need be done.

As before, it took a LONGGGGG time for McAfee to initialize and load the DATs (over 5 minutes!). But all went well and McAfee scanned files and folders successfully!

Pretty impressive really because the main McAfee executable file, VSMAIN.EXE v6.01.2000.1, is dated 2001-11-16. Almost exactly 10 years old.

:thumbup


Registered Avast 4.8 antivirus on Windows 98SE until 1 December 2012.


With most support for Win 9x antivirus and antimalware programs coming to an end, I try to keep an eye on some that are still supported.

BitDefender v10 does have VM and on-access protection. BUT it is flaky and will lock files. Also a ram hog unless KernelEX is installed. You have to disable all of it and reboot just to defrag, but it is good for risky surfing. Fortego's ASE still works on 9x + KEX even though most monitors read from the NT event log.

Dave


herbalist has had many long discussions about the use of SSM. I'll try to find the references.


Don't know if this needs to be a new Win 98x Security thread for "2012" topic

Clamwin looks interesting for win98se. I do have the old Norton antivirus 2002... not sure what the "intelligent update" service is that someone mentioned for that. I stopped using Norton 2002 a long time ago when (I think) they sent an email saying no more updates for that one.

Networking the win98se machines to some of my other winxp or win7 machines that have avg free 2012 on them sounds like a do-able plan.

I don't use my win98se machines online much. Maybe I will though after I get the sp3 on.

What about this idea...

My win 98se C drives are in removable ide bay/trays. So are a couple of my online winxp machines (all have extra drive bays inside for addl drives) that have avg free 2012.

Do you suppose I can slide a win98se fat32 system drive from one machine into ide bay 2 of a winxp online machine, do an avg free 2012 scan of all and catch problems that way? That would certainly be the fastest way for me to do things right now. Anyone try that so far?

I could even do that on a few of the win7 machines that have external ide bays connected.

That would certainly beat the problem of dealing with an antivirus program that may stop win98 support at any moment.

Edited by billyb

What about this idea...

My win 98se C drives are in ide bay/trays. So are a couple of my online winxp machines that have avg free 2012. Do you suppose I can slide a win98se fat32 system drive from one machine into bay 2 of a winxp online machine, do an avg free 2012 scan of all and catch problems that way? That would certainly be the fastest way for me to do things right now. Anyone try that so far?

I could even do that on a few of the win7 machines that have external ide bays connected.

That would certainly beat the problem of dealing with an antivirus program that may stop win98 support at any moment.

I don't use AVG, so I can't speak directly to that, but -- if your AV software can find the 98SE drives where you normally keep them, you should be able to scan them without needing to physically move the drives around.

This is what I do with my Win98 systems and the ESET NOD Online Scanner. Within the application, I tell it to search the network and then I select the drive(s) that I want scanned.

I've also done this with Avast, installed on an XP machine, scanning a 98SE machine over the network. SuperAntiSpyware will do it, too, IIRC.

Hope this helps.

BTW, you can still install and use Spybot Search & Destroy 1.6.2 on Win98 systems (any flavor), including the real-time protection portions of the program.

--JorgeA


UPDATE: Success using the latest DATs v6845 with McAfee v6 on Win9x.

  • See above Post #40 for the first time I tried this using DATs v6346 ( has detailed instructions ).
  • See above Post #57 when I tried it again using DATs v6511.

Note that the time/dates shown for these files reflect the download and extraction, which was today. The three downloads that I found ...

- 2012-09-24 ... 16:29 ... 108,306,264 ... 6845xdat.exe

- 2012-09-24 ... 16:31 ... 106,425,344 ... Avvdat-6845.tar

- 2012-09-24 ... 16:31 ... 114,108,032 ... Sdat6845.exe

All three packages contain the same three DAT definition files ...

- 2012-09-24 ... 06:40 ....... 718,817 ... Avvclean.dat

- 2012-09-24 ... 06:40 ....... 487,057 ... Avvnames.dat

- 2012-09-24 ... 06:40 ... 105,206,916 ... Avvscan.dat

As described previously, just strip the "AVV" prefix from the default filenames and replace CLEAN.DAT, NAMES.DAT and SCAN.DAT. Note that the SCAN.DAT actually is smaller by about 20 MB this time compared to last.

The McAfee scan engines contained in the SDAT package still haven't been changed ...

- 2009-07-31 ... 06:40 ..... 3,182,712 ... Mcscan32.dll

- 2009-07-31 ... 06:40 ..... 4,706,936 ... Mscan64a.dll

... so I updated no other files beyond the three DATs.

As before, it took a long time for McAfee to initialize and load the DATs ( likewise when I changed directories to test scan some known infected files ). But all went well and McAfee scanned files and folders successfully once again.

Pretty impressive because the main McAfee executable file, VSMAIN.EXE v6.01.2000.1, is dated 2001-11-16. Almost 11 years old.

:thumbup

P.S. Maybe the OP should change the title to: Windows 9x/Me Security Thread for 2011-2012


I have previously reported that Symantec Antivirus 9 "real time" (auto protect) functionality was broken if you installed virus definitions post ca. Aug. 2009, although "on demand" (manual) scanning remained functional.

I can sadly report that "on demand" (manual) scanning is now also broken with the latest virus definitions.

To add insult to injury, their 'Norton_Removal_Tool_9x.exe' tool now reports it's expired and I can't figure a way to convince it otherwise. Typically, it directs you to a Symantec site for an updated version, but it's still the same version and it still reports it's expired. As some of you will know, the normal uninstall for SAV still leaves behind lots of files and registry settings, which is why the removal tool was created.

Joe.

To add insult to injury, their 'Norton_Removal_Tool_9x.exe' tool now reports it's expired and I can't figure a way to convince it otherwise. Typically, it directs you to a Symantec site for an updated version, but it's still the same version and it still reports it's expired. As some of you will know, the normal uninstall for SAV still leaves behind lots of files and registry settings, which is why the removal tool was created.

Four ideas, though I'll bet you tried the first two already ...

- It may simply read the date/time. Set the clock back ( I know, it's obvious )

- It may phone home. Disconnect internet first, prevent it from getting the current date/time or status from a server somewhere.

- It may have flagged itself as expired. Use a clean original non-executed copy of the Symantec file if you have one, this is to prevent self-modification which happens more frequently than people might imagine. It can easily flag a bit in itself as expired which would make the clock setting irrelevant.

- It may have flagged an external bit as expired. Use a clean original non-executed copy of the file on a computer that has never seen the program run before. Save registry export and filelist before and after. The idea is to capture any changes such as a registry value or even a changed file date/time somewhere that it reads before execution.

Unless I am completely senile I cannot imagine any other avenue it could use to stop working on Win9x. But I could be wrong.

To add insult to injury, their 'Norton_Removal_Tool_9x.exe' tool now reports it's expired and I can't figure a way to convince it otherwise. Typically, it directs you to a Symantec site for an updated version, but it's still the same version and it still reports it's expired. As some of you will know, the normal uninstall for SAV still leaves behind lots of files and registry settings, which is why the removal tool was created.

Four ideas, though I'll bet you tried the first two already ...

- It may simply read the date/time. Set the clock back ( I know, it's obvious )

- It may phone home. Disconnect internet first, prevent it from getting the current date/time or status from a server somewhere.

- It may have flagged itself as expired. Use a clean original non-executed copy of the Symantec file if you have one, this is to prevent self-modification which happens more frequently than people might imagine. It can easily flag a bit in itself as expired which would make the clock setting irrelevant.

- It may have flagged an external bit as expired. Use a clean original non-executed copy of the file on a computer that has never seen the program run before. Save registry export and filelist before and after. The idea is to capture any changes such as a registry value or even a changed file date/time somewhere that it reads before execution.

Unless I am completely senile I cannot imagine any other avenue it could use to stop working on Win9x. But I could be wrong.

Hi Charlotte,

Yes, you're right in thinking I'd have already thought of the first two ideas. Alas, so have Symantec, evidently. (Sigh, why can't things be easy for once?)

The file doesn't self-modify. I downloaded a fresh copy (hoping it was actually an updated version) but it was in fact byte-identical to my existing copy.

Unfortunately, I don't have a spare machine to risk installing this now worse-than-useless Symantec bloatware. However, I have used RegMon and FileMon to try to see what this Removal Tool is looking at. I can see it takes a keen interest in some encryption stuff in the registry (apart from looking up what Symantec packages are installed) and also seems to rewrite WIN.INI, however, nothing in either place seems relevant to my eyes.

Because of its keen interest in encryption, it occurs to me that this Removal Tool may actually use its signing certificate to decide if it's expired. Looking at this, I see that it was signed on 2008/2/9 with a certificate valid from 2007/6/15 to 2012/6/15. Now normally, if the signing timestamp is within the validity period, the package is deemed to be valid in perpetuity. However, I suspect Symantec have chosen to use the certificate expiry date as the expiry date for this tool. No doubt when it checks for the validity of the signing certificate, the system will report it is valid but also that the certificate is expired. I'm sure the security checks used on certificates can't be fooled into thinking an expired certificate isn't, by setting the system date or any other simple means.

Going with the "signing certificate validity date" theory, I signed the tool with my company's code signing certificate (which is still current, of course). Unfortunately however, the tool then reported that it wasn't signed, which in other words, meant it was specifically looking for Symantec's signing certificate. Grrr!

Joe.

The file doesn't self-modify. I downloaded a fresh copy (hoping it was actually an updated version) but it was in fact byte-identical to my existing copy.

That statement put me in action. And I have good news: the following procedure works. I have just tested it for you. Disconnect the machine physically from the internet. Reset the machine date to some day (I used 19) in January, 2009. Turn off the machine. Wait 10 minutes. Turn it on and boot Win 9x (if it runs Scandisk or NDD, abort the scan or it'll find many "wrong dated" files). Once at the desktop, run Norton_Removal_Tool_9x.exe and it'll run OK. Nothing will be installed, the Norton_Removal_Tool_9x.exe is stand-alone. It removed all Norton products all right, except the Norton CrashGuard, which it didn't touch (then again, I'm possibly the last user of the much maligned CrashGuard, but it works all right for me)!

Yes, you're right in thinking I'd have already thought of the first two ideas. Alas, so have Symantec, evidently. (Sigh, why can't things be easy for once?)

Sure. And in the present case they actually are. :yes:

<snip>Wait 10 minutes<snip>

Huh? Really? Hot dates? :w00t:

Ennyhoo, I appreciate the "hey, did it occur to you?" about using it because - I haven't used it for some time now. It appears that I'm running 9x sans-AV but using Outpost (the free one)...

<snip>Wait 10 minutes<snip>

Huh? Really? Hot dates? :w00t:

No. Delivery Chinese food. :P

The file doesn't self-modify. I downloaded a fresh copy (hoping it was actually an updated version) but it was in fact byte-identical to my existing copy.

That statement put me in action. And I have good news: the following procedure works. I have just tested it for you. Disconnect the machine physically from the internet. Reset the machine date to some day (I used 19) in January, 2009. Turn off the machine. Wait 10 minutes. Turn it on and boot Win 9x (if it runs Scandisk or NDD, abort the scan or it'll find many "wrong dated" files). Once at the desktop, run Norton_Removal_Tool_9x.exe and it'll run OK. Nothing will be installed, the Norton_Removal_Tool_9x.exe is stand-alone. It removed all Norton products all right, except the Norton CrashGuard, which it didn't touch (then again, I'm possibly the last user of the much maligned CrashGuard, but it works all right for me)!

This sounds VERY promising. I ran into this Norton problem with lingering remnants the last time I had to reinstall Win98FE -- couldn't reinstall Norton Internet Security, no matter what I tried with that Removal Tool or how many references to Symantec/Norton I deleted from the Registry. Ended up installing Avast! 4.8 instead, but as of the end of 2012 that's no longer receiving updates (must have been due to the Mayan Calendar) so I may as well uninstall that and try your procedure. Thanks very much for reporting it.

--JorgeA


Ended up installing Avast! 4.8 instead, but as of the end of 2012 that's no longer receiving updates (must have been due to the Mayan Calendar) so I may as well uninstall that and try your procedure.

Avast continues to release definitions for 4.8, despite their official announcement of not releasing new definitions after May 2012.

Ended up installing Avast! 4.8 instead, but as of the end of 2012 that's no longer receiving updates (must have been due to the Mayan Calendar) so I may as well uninstall that and try your procedure.

Avast continues to release definitions for 4.8, despite their official announcement of not releasing new definitions after May 2012.

I have installations of Avast! 4.8 Home Edition on two different Win98 systems, installed months apart. On one of them the virus database last updated on December 29, on the other it was January 2. When I click to manually update the database, they hang as if they can't connect to the server.

Are you using Avast! 4.8, and are you still getting virus database updates?

--JorgeA


Hello, I registered Avast 4.8 until November 1, 2013. I do not know what happens if I would install it, of course.
