Windows 9x/Me Security Thread

114 posts in this topic

I have installations of Avast! 4.8 Home Edition on two different Win98 systems, installed months apart. On one of them the virus database last updated on December 29, on the other it was January 2. When I click to manually update the database, they hang as if they can't connect to the server.

Are you using Avast! 4.8, and are you still getting virus database updates?

You will need to download the update directly from the website yourself. The file can be obtained from this link.

http://www.avast.com/en-us/download-update

The definitions are updated daily. I have the link bookmarked for easy access. It is unknown how much longer Avast will continue to provide 4.8 updates. Expect support to cease at any moment.

You will need to download the update directly from the website yourself. The file can be obtained from this link.

http://www.avast.com/en-us/download-update

The definitions are updated daily. I have the link bookmarked for easy access. It is unknown how much longer Avast will continue to provide 4.8 updates. Expect support to cease at any moment.

That's great to hear, thanks for the link! I'll go in and try that. It'll be a nice "excuse" to fire up IE6 again. :yes:

--JorgeA

The file doesn't self-modify. I downloaded a fresh copy (hoping it was actually an updated version) but it was in fact byte-identical to my existing copy.

That statement put me in action. And I have good news: the following procedure works. I have just tested it for you. Disconnect the machine physically from the internet. Reset the machine date to some day (I used 19) in January, 2009. Turn off the machine. Wait 10 minutes. Turn it on and boot Win 9x (if it runs Scandisk or NDD, abort the scan or it'll find many "wrong dated" files). Once at the desktop, run Norton_Removal_Tool_9x.exe and it'll run OK. Nothing will be installed, the Norton_Removal_Tool_9x.exe is stand-alone. It removed all Norton products all right, except the Norton CrashGuard, which it didn't touch (then again, I'm possibly the last user of the much maligned CrashGuard, but it works all right for me)!

Yes, you're right in thinking I'd have already thought of the first two ideas. Alas, so have Symantec, evidently. (Sigh, why can't things be easy for once?)

Sure. And in the present case they actually are. :yes:

Hi Den,

Thanks for trying this out for me. Unfortunately however, MMDV (think YMMV). :(

I tried many times and also with several "variations on the theme" (disabling the NIC in Device Manager, re-installing SAV, installing NAV, double Ctrl-Alt-Delete, reboot, changing date in DOS), but always the result was the same expiry error. The version I have of this tool has an MD5 hash of 316b61ce6f827a8ee48944e5b076f37c.

BTW, I didn't get any "invalid date" errors from ScanDisk. If you get this, it means Symantec has usurped 'scandisk.exe'. If I recall correctly, the way to restore normal ScanDisk behavior is to delete a file called 'scandisk.alt'.

Joe.

It's the same file. The MD5 is the same (and the SHA1 is BC6F1C1EB7DCD4FA88A2F8C861A492F36A73C047). The key-points in my method are changing the date in the BIOS to a date later than PE Timestamp of the NRT_9x, but before its certificate's expiry date, and then rebooting with the internet cable disconnected. There remains no way the NRT_9x can ascertain the true date, but it can check it's later than the BIOS default date, so it accepts it as the true date, IMO.

You're right: I deliberately use NDD, so there is a 'scandisk.alt' which is another copy of NDD. I had forgotten the "invalid date" is an NDD thing, though. Please do give it another try, just in case. Good luck!

It's the same file. The MD5 is the same (and the SHA1 is BC6F1C1EB7DCD4FA88A2F8C861A492F36A73C047). The key-points in my method are changing the date in the BIOS to a date later than PE Timestamp of the NRT_9x, but before its certificate's expiry date, and then rebooting with the internet cable disconnected. There remains no way the NRT_9x can ascertain the true date, but it can check it's later than the BIOS default date, so it accepts it as the true date, IMO.

You're right: I deliberately use NDD, so there is a 'scandisk.alt' which is another copy of NDD. I had forgotten the "invalid date" is an NDD thing, though. Please do give it another try, just in case. Good luck!

Hi Den,

Alas, I still get the same expiry problem. Here are the stats : PE = 2008/2/9, signature = 2008/2/9, certificate expiry = 2010/11/25, file (directory) = 2009/1/14, BIOS (system) = 2009/1/22, network disconnected. I think that complies with the above recommendation. I can only think the security system (already) knows the certificate is expired and that the tool uses that fact to decide it is too. :(

Joe.

Edited by jds

That may well be the case. If so, provided you have an image of the partition from before your 1st attempt, I'd suggest you redeploy the said image and try again as per your latest trial, which sure does comply in every aspect with my own experiment. The rationale for this present suggestion is that if it stored somewhere the info the certificate is expired, that place must be either the registry or (less probably) some other file inside the same partition... which an image redeployment would perforce remove. Good luck!

Looks like (nearly identical) to what's available on the FTP -

ftp://ftp.symantec.com/public/english_us_canada/removal_tools/

Linked to from here -

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&lg=en&product=home&pvid=f-home&version=1&docid=20080710133024EN

This document is for Norton products downloaded from your service provider.

For NOT from Service Provider -

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&lg=en&product=home&pvid=f-home&version=1&docid=20080710133834EN

You must pick a product... - same products though... and gives same link. :(

There's a comment here as well (would prevent services/processes from running) -

http://community.norton.com/t5/Norton-Internet-Security-Norton/Can-t-remove-Norton/td-p/109722/page/2

I would boot into Safe Mode and run NRT once and reboot to safe mode and rerun again. After that, delete any folders that are named Symantec or Norton. Before deleting, change the options so you can view hidden files and folders (Explorer > Tools > Folder Options > View and apply to all ).

Norton_Removal_Tool_9x.exe

2007.2.0.14

Welcome to Norton Removal Tool

This tool will remove ALL copies of:

- Norton AntiSpam 2004 and 2005

- Norton AntiVirus 2003 through 2007

- Norton Ghost 2003, 9.0, and 10.0

- Norton GoBack 3.1 through 4.2

- Norton Internet Security 2003 through 2007

- Norton Password Manager

- Norton Personal Firewall 2003 through 2006

- Norton SystemWorks 2003 through 2006

- Norton Confidential Online 2007

Here's something interesting though... Unpacked with WinRAR/UniExtract, it gives a file named "all.cpr" that lists everything that it deletes/services/etc-etc. Be aware that it appears that some fields are "<stringvalue>". Sadly, you would have to manually perform all of the operations within (stop services/processes/etc).

edit - also found this with a different set of procedures and files (BAT/REG/Manual Delete) to "get rid of" Norton/Symantec (the links inside work as well) -

http://filesharingtalk.com/threads/111599-Remove-Norton-*completely*-safely

HTH

Edited by submix8c

One idea: look for and delete the key HKLM\Software\SYMNRT and all subkeys and values under it. Then disconnect the internet, reset the bios date and try again.

Looks like (nearly identical) to what's available on the FTP -

ftp://ftp.symantec.com/public/english_us_canada/removal_tools/

Linked to from here -

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&lg=en&product=home&pvid=f-home&version=1&docid=20080710133024EN

This document is for Norton products downloaded from your service provider.

For NOT from Service Provider -

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&lg=en&product=home&pvid=f-home&version=1&docid=20080710133834EN

You must pick a product... - same products though... and gives same link. :(

Yep, I have versions 2007.2.0.11 (2007/1/12) and 2007.2.0.14 (2008/2/9). They both exhibit this expiry problem.

There's a comment here as well (would prevent services/processes from running) -

http://community.norton.com/t5/Norton-Internet-Security-Norton/Can-t-remove-Norton/td-p/109722/page/2

I would boot into Safe Mode and run NRT once and reboot to safe mode and rerun again. After that, delete any folders that are named Symantec or Norton. Before deleting, change the options so you can view hidden files and folders (Explorer > Tools > Folder Options > View and apply to all ).

Humbug! If you run the tool in Safe mode, it tells you it won't run in Safe mode.

Norton_Removal_Tool_9x.exe

2007.2.0.14

Welcome to Norton Removal Tool

This tool will remove ALL copies of:

- Norton AntiSpam 2004 and 2005

- Norton AntiVirus 2003 through 2007

- Norton Ghost 2003, 9.0, and 10.0

- Norton GoBack 3.1 through 4.2

- Norton Internet Security 2003 through 2007

- Norton Password Manager

- Norton Personal Firewall 2003 through 2006

- Norton SystemWorks 2003 through 2006

- Norton Confidential Online 2007

Here's something interesting though... Unpacked with WinRAR/UniExtract, it gives a file named "all.cpr" that lists everything that it deletes/services/etc-etc. Be aware that it appears that some fields are "<stringvalue>". Sadly, you would have to manually perform all of the operations within (stop services/processes/etc).

edit - also found this with a different set of procedures and files (BAT/REG/Manual Delete) to "get rid of" Norton/Symantec (the links inside work as well) -

http://filesharingtalk.com/threads/111599-Remove-Norton-*completely*-safely

Checked those alternative procedures, downloaded the files, turned out to be for NT only, not compatible with W9X.

One idea: look for and delete the key HKLM\Software\SYMNRT and all subkeys and values under it. Then disconnect the internet, reset the bios date and try again.

Den, you're a genius! :thumbup Thank you.

That was the missing piece of the puzzle - SAV is now vanquished! :)

Joe.

Running Norton_Removal_Tool_9x.exe for Dummies:

(it must be Version: 2007.2.0.14, MD5: 316B61CE6F827A8EE48944E5B076F37C, SHA-1: BC6F1C1EB7DCD4FA88A2F8C861A492F36A73C047,

CRC32: 5FB68354, Digitally Signed by Symantec Corporation, with a VeriSign Class 3 Certificate valid from 10/30/2007 to 11/24/2010)

1 - Disconnect the machine physically from the internet.

2 - Run REGEDIT and delete (if exists) "HKLM\Software\SYMNRT"

3 - Reset the machine date to some day (e.g. 19) in January, 2009.

4 - Shut Down/Turn Off the machine.

Note: This is an "insurance" step to ensure everything "sticks".

5 - Turn the machine on.

6 - Boot Win9x.

Note: If it runs Scandisk or NDD, abort the scan

or it'll find many "wrong dated" files.

7 - Once at the desktop, run Norton_Removal_Tool_9x.exe.

8 - Reset Date to Current.

9 - Repeat Steps #4 thru #6

Note: Ignore #6 Note as the Date has been Reset (#8).

Done!

Nothing will be installed.

The Norton_Removal_Tool_9x.exe is stand-alone.

It removes all Norton products except Norton CrashGuard,

which it didn't touch.

Additional Notes:

Step #3 may be instead performed after #5 in the BIOS.

====

Does the above cover it? :thumbup

Odd that it doesn't self-clean (ref. "all.cpr") and has the NERVE to insert REG Keys/Values. :puke: Still, that file DOES have everything listed that it performs/cleans.

Edited by dencorso

That was the missing piece of the puzzle - SAV is now vanquished! :)

Yay!

@submix8c: Great how-to, thanks! :thumbup

I've added some info, because the date selected in step 3 must fall in between the valid dates of the certificate.
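An added example, not part of the original posts and not Symantec's code: a Python check, run on any modern workstation, that a copy of the tool matches the hashes quoted in the how-to and that a chosen clock date falls inside the window the posts describe (later than the PE timestamp, within the certificate's validity). The function names and the sample header are constructed for illustration; the hashes and certificate dates are the ones quoted in the thread.

```python
import hashlib
import struct
import zlib
from datetime import datetime, timezone

# Hashes quoted in the thread for Norton_Removal_Tool_9x.exe 2007.2.0.14.
EXPECTED = {
    "md5": "316b61ce6f827a8ee48944e5b076f37c",
    "sha1": "bc6f1c1eb7dcd4fa88a2f8c861a492f36a73c047",
    "crc32": "5fb68354",
}
# Certificate validity quoted in the how-to (10/30/2007 to 11/24/2010).
CERT_NOT_BEFORE = datetime(2007, 10, 30, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2010, 11, 24, tzinfo=timezone.utc)


def digests(data: bytes) -> dict:
    """Return the three digests the thread uses to identify the file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
    }


def matches_thread_copy(data: bytes) -> bool:
    """True only if all three digests equal the values quoted in the thread."""
    return digests(data) == EXPECTED


def pe_timestamp(data: bytes) -> datetime:
    """Read TimeDateStamp from the COFF header of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # After "PE\0\0": Machine (2 bytes), NumberOfSections (2), TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def clock_date_in_window(clock: datetime, built: datetime,
                         not_before: datetime = CERT_NOT_BEFORE,
                         not_after: datetime = CERT_NOT_AFTER) -> bool:
    """Window from the posts: after the PE timestamp, inside cert validity."""
    return built < clock and not_before <= clock <= not_after


def make_sample_pe(built: datetime) -> bytes:
    """Constructed 128-byte stub: DOS header, PE signature, start of COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    coff = struct.pack("<4sHHI", b"PE\0\0", 0x014C, 1, int(built.timestamp()))
    return bytes(dos) + coff + bytes(0x80 - 0x40 - len(coff))


if __name__ == "__main__":
    # Constructed sample carrying the PE date reported in the thread (2008/2/9).
    sample = make_sample_pe(datetime(2008, 2, 9, tzinfo=timezone.utc))
    built = pe_timestamp(sample)
    print("PE timestamp:", built.date())
    print("matches quoted hashes:", matches_thread_copy(sample))
    for day in (datetime(2009, 1, 19, tzinfo=timezone.utc),
                datetime(2008, 1, 1, tzinfo=timezone.utc),
                datetime(2011, 1, 1, tzinfo=timezone.utc)):
        print(day.date(), "in window:", clock_date_in_window(day, built))
```

To check a real copy, pass the file's bytes (`open(path, "rb").read()`) to `matches_thread_copy` and `pe_timestamp` instead of the constructed stub.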


Bumping just to call attention to two interesting Symantec KB documents I've found:

Manually Uninstalling Symantec AntiVirus 9.x from Windows 98/Me

Manually Uninstalling Symantec Client Security 2.0 from Windows 98/Me

@jds: It might be interesting to give a look in all of those places, since SAV is not officially indicated as one of the packages the NRT_9x removes.

Who says you won't find some leftovers lurking in some obscure nook or cranny?

Go figure -- Avast 4.8 updated twice today (at 6:30 AM and 10 PM) on one of my Win98 systems. (The other one is offline, but I'll turn it back on to see what happens.)

--JorgeA

( Sorry, I forgot to post this from about three weeks ago )

UPDATE: Success using DATs v6883 and v7040 with McAfee v6 on Win9x.

  • See above Post #40 for the first time I tried this using DATs v6346 ( has detailed instructions ).
  • See above Post #57 when I tried it again using DATs v6511.
  • See above Post #65 when I tried it again using DATs v6845.

Strangely, just three days after I downloaded the 6883 DATs, they updated the FTP servers with 7040, ( only 6883 downloads are shown here ). Note that the time/dates shown for these files reflects the download and extraction. The three downloads that I found ...

- 2013-04-06 ... 14:40 ... 110,494,296 ... 6883xdat.exe

- 2013-04-06 ... 14:42 ... 108,612,096 ... Avvdat-6883.tar

- 2013-04-06 ... 14:43 ... 116,296,064 ... Sdat6883.exe

As has been the case, all three packages contain the same three DAT definition files.

This was 6883 ...

- 2012-11-01 ... 01:40 ....... 727,193 ... Avvclean.dat

- 2012-11-01 ... 01:40 ....... 489,337 ... Avvnames.dat

- 2012-11-01 ... 01:40 ... 107,382,892 ... Avvscan.dat

And here is 7040 ...

- 2013-04-09 ... 06:40 ....... 749,177 ... Avvclean.dat

- 2013-04-09 ... 06:40 ....... 534,921 ... Avvnames.dat

- 2013-04-09 ... 06:40 ... 103,458,908 ... Avvscan.dat

As described previously, just strip the "AVV" prefix from the default filenames and replace CLEAN.DAT, NAMES.DAT and SCAN.DAT. Note that the SCAN.DAT actually got smaller between the last two versions.

The McAfee scan engines contained in the SDAT package still haven't been changed ...

- 2009-07-31 ... 06:40 ..... 3,182,712 ... Mcscan32.dll

- 2009-07-31 ... 06:40 ..... 4,706,936 ... Mscan64a.dll

... so I updated no other files beyond the three DATs.

As before, it took a long time for McAfee to initialize and load the DATs, approximately 3 minutes at 2.6 GHz ( likewise when I changed directories to test scan some known infected files ). But all went well and McAfee scanned files and folders successfully once again.

yBc2epx.jpg

See in the screenshot that the main executable McAfee file, VSMAIN.EXE v6.01.2000.1, is dated: 2001-11-16. Over 11 years old. :thumbup

P.S. Maybe the OP should change the title to: Windows 9x/Me Security Thread for 2011 ... 2012 ... 2013 ( or just leave off the date! )

Both of my Windows 98 systems (one SE, one FE) have Avast! "virus recovery database" dated 4/29/13. :thumbup

--JorgeA

An update on Avast! 4.8 support for Windows 98 (SE).

 

I just renewed the free one-year license for my 98SE laptop last night and there were zero problems. Then it downloaded the current virus definition files. Good to go for another year. :)

 

--JorgeA

An update on Avast! 4.8 support for Windows 98 (SE). I just renewed the free one-year license for my 98SE laptop last night and there were zero problems. Then it downloaded the current virus definition files. Good to go for another year. :) --JorgeA

Now if only there was malware circulating on the internet that actually runs on win-98 without crashing - there would actually be something you need protection from!

So, in your view, is Win98 actually more secure than current versions of Windows (XP/Vista/7/8)?

Note: I'm not trying to start an argument, I'm sincerely interested. I've heard it argued before that Win98 is safer, but am not convinced strongly enough to do without malware protection.

How do others feel about it?

--JorgeA

How do others feel about it?

Personally, quite comfortable ;).

Come on :), this is one of those topics you cannot touch :w00t: without starting a flame war :ph34r: if you are looking for "popularity" you may want to start a poll, otherwise what you will get will be "anecdotal evidence", about people who are running Windows 9x without any form of antivirus and never got one, but you cannot base yourself on that, as you cannot know how "smart", "knowledgeable" and "attentive" the user is, it is well possible that his/her activities on the PC are "low risk" and that that is the reason for the apparent lack of security failures.

jaclaz

How do others feel about it?

Personally, quite comfortable ;).

Come on :), this is one of those topics you cannot touch :w00t: without starting a flame war :ph34r: if you are looking for "popularity" you may want to start a poll, otherwise what you will get will be "anecdotal evidence", about people who are running Windows 9x without any form of antivirus and never got one, but you cannot base yourself on that, as you cannot know how "smart", "knowledgeable" and "attentive" the user is, it is well possible that his/her activities on the PC are "low risk" and that that is the reason for the apparent lack of security failures.

jaclaz

That is absolutely right. Really, the "true" security of a computer comes down to the user.

Edited by lolnousernameforyou

All right, let me offer a scenario. Suppose that you have a Windows 98 machine sitting behind a hardware firewall. It also has installed the last version of (say) ZoneAlarm's software firewall that worked on Win98, plus up-to-date definitions for Avast 4.8.

Further (and perhaps crucially), let's say that, for the sake of getting as much functionality on the Web as you can for this machine, you're also running on it the last versions of Adobe Flash, Acrobat Reader, and Java that ran on Win98.

Lastly, suppose that you use this machine to visit only well-known news websites -- no sites of "dubious" themes, or even entertainment (TV/movies/celebrities) sites.

How likely would such a machine be to get infected, relative to a PC that had a current version of Windows and up-to-date applications? I guess that my biggest (though not my only) doubt has to do with the security of those old Flash and Java versions. (Anymore, it's hard to get much done on the Web without both of those.)

Let's leave aside the likelihood that many sites that use Flash and Java won't work with these old versions. In our scenario, you're limiting yourself to sites where they do work. How safe is your machine?

Curious,

--JorgeA

All right, let me offer a scenario. Suppose that you have a Windows 98 machine sitting behind a hardware firewall. It also has installed the last version of (say) ZoneAlarm's software firewall that worked on Win98, plus up-to-date definitions for Avast 4.8.

Further (and perhaps crucially), let's say that, for the sake of getting as much functionality on the Web as you can for this machine, you're also running on it the last versions of Adobe Flash, Acrobat Reader, and Java that ran on Win98.

Well, for the web you should install NoScript (still supported, current version 2.6.7.1) and Adblock Plus (last version 1.3.10, but still useful) in your browser !! (Or similar apps, of course)

I am visiting sometimes doubtful websites ;-) but with these apps running I never had a problem.

Well, for the web you should install NoScript (still supported, current version 2.6.7.1) and Adblock Plus (last version 1.3.10, but still useful) in your browser !! (Or similar apps, of course)

I am visiting sometimes doubtful websites ;-) but with these apps running I never had a problem.

The latest versions of Adblock or Adblock Plus work if you're using Opera 12.02. (KernelEx required)

How do others feel about it?

--JorgeA

I would still use virus data base since we don't know how a particular program would work on an old computer. (it would most likely fail but I would rather be safe than sorry)

How do others feel about it?

--JorgeA

I would still use virus data base since we don't know how a particular program would work on an old computer. (it would most likely fail but I would rather be safe than sorry)

Yeah, that's my sense of it too. But I do wonder -- some people say that Win98 is safe (or safer) because the bad guys aren't writing new malware for it anymore. But that leaves two questions remaining:

  1. What about old malware for Win98 still floating around the 'Net?
  2. What about Win98-compatible versions of Flash Player and Java -- does "modern malware" also work against those old versions? Or does the same principle of "security through obsolescence" apply to Flash and Java?

BTW, thanks to @MiKl re: NoScript. I didn't know that it still works on Win98-era browsers. Amazing! But suppose that you're not using NoScript: is a Win98 system safer, or less safe, or equally safe from those kinds of threats as a modern PC?

--JorgeA

Edited by JorgeA