
Windows 9x/Me Security Thread

113 replies to this topic

#26
Multibooter

    Friend of MSFN

  • Member
  • 896 posts
  • Joined 21-March 08
  • OS:98SE

I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations... Basically all Eusing did was screw up my computer.

I usually don't try out old little-known Win98 stuff without the recommendation by somebody of authority (like members of msfn.org :) ), unless I am searching for something very specific and after having done some research on my own. In any case, it's good to hear which old can of worms one should definitely not open.

My system is very well backed up, and an opsys restore to the exact state prior to the testing takes me about 10-20 minutes, so if something looks good, I may wind up trying it out.



#27
Guest_wsxedcrfv_*

  • Guests

Jetico blocked the gozi trojan from accessing the network for fetching some other files when it was still a zero-day and went undetected by my then real time antivirus.

According to this: http://www.securewor...h/threats/gozi/ the exploit that was used to transfer gozi to your computer used a hidden iframe containing "JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server". This likely happened no earlier than December 2006, and more likely during the first half of 2007.

I think that for gozi to infect a system, the system must have the MS04-025 (Navigation Method Cross-Domain) vulnerability. This would have been patched as part of an IE 5.5 or IE6 cumulative update for various versions of Windows (including win-98 I believe). You would also have to be using IE for your browser and would have browsed to one of an estimated 2000 hijacked servers that were serving up the hidden iFrame containing the Javascript exploit code. And I'm really not convinced that the gozi infector or loader would have successfully launched itself and operated properly if it found itself on a win-9x system in the first place.

Would you by chance have been running a dual-boot win-98/XP system back during the first half of 2007?

#28
loblo

    Oldbie

  • Member
  • 761 posts
  • Joined 12-January 10
  • OS:ME

As I've said I got Gozi on my machine through an Internet Explorer javascript/activeX exploit and the details you copy/pasted about it are most certainly correct.

I got infected at the beginning of February 2007 I believe and FWIW I also believe I have been the first person in the world to post about it in forums and from what I had been told by phone afterwards by a guy claiming to be an IT security journalist who first contacted me about it by PM, the gozi virus was already known by major software security companies but none had published anything about it or had any signatures for it yet.

And no I wasn't running a dual boot system, only Windows ME and, as I have already said, even if you don't believe it for whatever reason, Jetico successfully blocked a first executable from downloading another one, which means it was actually running without crashing on my machine.

I also got infected by a rootkit once, it was nearly undetectable, invisible file, invisible process and invisible registry startup key. Yes there are rootkits for Win 9x as well... :w00t:

Edited by loblo, 13 May 2011 - 10:20 PM.


#29
Foxbat

    Member

  • Member
  • 122 posts
  • Joined 18-January 11
  • OS:none specified

I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations.

So then I had to re-associate all those file extensions with the correct programs. Basically all Eusing did was screw up my computer.

The only registry cleaner I use is the one inside CCleaner.

All registry cleaners should be used with caution. CCleaner isn't foolproof either, as it listed registry entries that I know are in use. They should be used as a guide while manually cleaning the registry. Since it's really tedious to often check every nook and cranny of the registry by hand, I find that these can aid in that area. Always review what they've found first before allowing them to delete any entry, and always back up before committing the removal. I personally use Eusing Free Registry Cleaner as part of my registry cleaning toolkit, along with a few others (a second or third or fourth opinion is always nice), and it has been working fine for me.

One thing I never liked about registry cleaners is the way they often refer to the detected entries, "215 errors found"... issues/problems/etc. It should be more like "215 possible unused entries, remove only if you are sure of what you're doing." And beware of registry cleaners that detect an exorbitant number of entries, "2154 errors found." :rolleyes: Why not just flag the entire hive while you're at it?

#30
loblo

    Oldbie

  • Member
  • 761 posts
  • Joined 12-January 10
  • OS:ME

And beware of registry cleaners that detect an exorbitant number of entries, "2154 errors found." :rolleyes:

I am not sure you really know what you are talking about... :rolleyes:

#31
Foxbat

    Member

  • Member
  • 122 posts
  • Joined 18-January 11
  • OS:none specified

I am not sure you really know what you are talking about... :rolleyes:

I admit I was exaggerating for effect. I experimented with many registry cleaners, and some detect significantly more "errors" than others by a wide margin, a very wide margin. Unfortunately, inexperienced users can be fooled by those inflated numbers, thinking that certain cleaners are more thorough, when they're really increasing the chances of a corrupt registry.

#32
Foxbat

    Member

  • Member
  • 122 posts
  • Joined 18-January 11
  • OS:none specified

With most support for Win 9x antivirus and antimalware programs coming to an end, I try to keep an eye on some that are still supported.

Kaspersky 6.0.2.621 virus definitions will be provided until October 2012.
Avast 4.8.1335 virus definitions will be provided until May 2012.
Eset NOD32 2.70.39 virus definitions will be provided until February 2012.
AVG 7.5.557 support has officially ended. Their definitions continue to work, but compatibility could end at any time.
Spybot 1.6.2 is currently supported, but with Beta 2.0 available and quite overdue, it could end soon.
SpywareBlaster 4.4 is currently supported. No sign of when that may end.

2012 is the magic year. Like Multibooter, I suggest downloading and archiving definitions while we still can so at the very least we'll have the most recent version that can still be used years from now when all support has finally ceased.

Edited for clarity

Edited by Foxbat, 16 May 2011 - 10:01 PM.


#33
Guest_wsxedcrfv_*

  • Guests

With most support for Win 9x antivirus and antimalware programs coming to an end, I try to keep an eye on some that are still supported.

Norton Anti-Virus 2002 can still be updated by downloading the (free) Symantec Intelligent Updater package.

If you once had NAV 2002 on your system, or if you've uninstalled it completely (including deleting the file catalog.livesubscribe) then you can re-install it and it will accept new virus definition updates (from the intelligent updater package) for a year.

#34
submix8c

    Inconceivable!

  • Patrons
  • 4,331 posts
  • Joined 14-September 05
  • OS:none specified

If you once had NAV 2002 on your system, or if you've uninstalled it completely (including deleting the file catalog.livesubscribe) then you can re-install it and it will accept new virus definition updates (from the intelligent updater package) for a year.

You are aware that there's a "cleanwipe" program made by Symantec to clean remnants of any NAV/NIS in preparation for SEP? I haven't tested it with NAV2002 but it works fine with later versions.

On topic, there's already a topic on firewalls. I had recommended Outpost (see post #33 and #40 for links and info).

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!



#35
Guest_wsxedcrfv_*

  • Guests

You are aware that there's a "cleanwipe" program made by Symantec to clean remnants of any NAV/NIS in preparation for SEP? I haven't tested it with NAV2002 but it works fine with later versions.

NAV 2002 doesn't really require special utilities to uninstall or remove it from your system (it's not that complicated or invasive in that regard). But I agree that later versions do require such utilities. But even then I doubt that the file "catalog.livesubscribe" gets removed by any method - you normally have to remove that manually. Unless you remove that file, you can't re-install NAV such that you reset the 1-year virus-definition update clock.

#36
Prozactive

    Member

  • Member
  • 209 posts
  • Joined 28-October 08
  • OS:98SE

Avast 4.8.1335 will be supported until May 2012.


Thanks. I was wondering when Avast! was going to discontinue support for Win9x as it was originally supposed to end last year. Just curious, where did you find that information?

I'm kinda surprised herbalist hasn't joined the discussion but this topic gets periodically rehashed over and over. It's too bad there isn't some good way to consolidate all of the information.

#37
dencorso

    Iuvat plus qui nihil obstat

  • Supervisor
  • 5,954 posts
  • Joined 07-April 07
  • OS:98SE

Donator

Of course there is a way... I can consolidate the previous threads into one. But that would create a huge thread.
So I don't know for sure whether it's such a good idea. Do please post a list of previous threads you think would fit in.
Then we can decide what's the best course to adopt.

#38
Steven W

    Advanced Member

  • Member
  • 365 posts
  • Joined 02-June 06

I inadvertently ran across this while looking for other programs:

https://addons.mozil...s-link-checker/

It's a Firefox extension, that

allows you to check any file you are about to download, any page you are about to visit with online version of Dr.Web anti-virus...


Says it works with Firefox version 1 - 4

#39
Foxbat

    Member

  • Member
  • 122 posts
  • Joined 18-January 11
  • OS:none specified


Avast 4.8.1335 will be supported until May 2012.

Thanks. I was wondering when Avast! was going to discontinue support for Win9x as it was originally supposed to end last year. Just curious, where did you find that information?

Yes, Win 9x support ended at the end of 2009. I was referring to the support of virus definitions. I'll fix my post to reflect that.

#40
CharlotteTheHarlot

    MSFN Master

  • Member
  • 2,054 posts
  • Joined 24-September 07
  • OS:none specified

Well, this thread gave me an excuse to tie up an old loose-end, to see if my old McAfee v6 scanner is still working on Win9x with the latest DATs. I haven't tried this in quite a while since I have other computers configured for AV security functions, mostly WinXP which crashes less and is quicker to recover from a BSOD.

First, I should mention that I never allow these things to auto-update or even to update DATs; I was never interested in realtime protection or letting them automatically update engines or DATs. Instead, I always backed up the previous working DATs and then manually extracted the *latest* available DATs and then placed the files where they belong. This allows me to fall back to the previous set in the case of a McAfee screwup.

Secondly, and more importantly, this McAfee installation had been highly tamed. Every part unrelated to ON-DEMAND scanning was removed. There was a ton of registry editing, killing all autostart entries and drivers, removing 99% of the MSI Windows Installer references, associations and hooks. Essentially it has been neutered so that it never ran unless I right-clicked a folder and selected the McAfee shell/folder registry entry I made.

The executable McAfee file is VSMAIN.EXE and shows v6.01.2000.1 dated: 2001-11-16.

The two McAfee FTP sites I located are:
ftp://ftp.mcafee.com/pub/antivirus/superdat/intel/
ftp://ftp.mcafee.com/pub/datfiles/english/


Giving me three total files to download:
ftp://ftp.mcafee.com/pub/datfiles/english/avvdat-6346.tar
ftp://ftp.mcafee.com/pub/antivirus/superdat/intel/sdat6346.exe
ftp://ftp.mcafee.com/pub/antivirus/superdat/intel/6346xdat.exe


Man, they are really getting very large these days:
- 111,632,528 . 05-15-11 . 2:03a 6346xdat.exe <------- use /e to extract
- 109,750,272 . 05-15-11 . 2:05a Avvdat-6346.tar <---- just use WinZip
- 117,434,304 . 05-15-11 . 2:05a Sdat6346.exe <------- use /e to extract


Here they are extracted into folders. Note, all the extra hyphens or dots are to keep the columns aligned. The style sheet for this forum software insists on collapsing multiple spaces into one, there seems to be no way to imply the <PRE> tag.

;----------- Avvdat-6346(.tar)
..... 569,961 . 05-14-11 . 1:40a Avvclean.dat
..... 423,049 . 05-14-11 . 1:40a Avvnames.dat
. 108,744,302 . 05-14-11 . 1:40a Avvscan.dat
....... 8,689 . 05-14-11 . 1:40a Legal.txt


;----------- 6346xdat(.exe)
..... 569,961 . 05-14-11 . 6:40a Avvclean.dat <=== IDENTICAL to Avvdat-6346.tar
..... 423,049 . 05-14-11 . 6:40a Avvnames.dat <=== IDENTICAL to Avvdat-6346.tar
. 108,744,302 . 05-14-11 . 6:40a Avvscan.dat <==== IDENTICAL to Avvdat-6346.tar
......... 783 . 05-14-11 . 3:50a Globals.nsg
..... 157,696 . 05-14-11 . 3:50a Gsdsuper.dll
...... 34,644 . 05-14-11 .12:07p Naiscrip.nsc
......... 401 . 05-14-11 . 3:50a Sdatpack.lst


;----------- Sdat6346(.exe)
..... 569,961 . 05-14-11 . 6:40a Avvclean.dat <=== IDENTICAL to Avvdat-6346.tar
..... 423,049 . 05-14-11 . 6:40a Avvnames.dat <=== IDENTICAL to Avvdat-6346.tar
. 108,744,302 . 05-14-11 . 6:40a Avvscan.dat <==== IDENTICAL to Avvdat-6346.tar
....... 5,644 . 07-31-09 . 6:40a Config.dat
......... 783 . 05-14-11 . 3:50a Globals.nsg
..... 157,696 . 05-14-11 . 3:50a Gsdsuper.dll
..... 159,744 . 07-31-09 . 6:40a Mcprodinfo.exe
... 3,182,712 . 07-31-09 . 6:40a Mcscan32.dll ... (engine) IDENTICAL to existing
... 4,706,936 . 07-31-09 . 6:40a Mscan64a.dll
...... 93,794 . 05-14-11 .12:07p Naiscrip.nsc
......... 562 . 05-14-11 . 3:50a Sdatpack.lst
....... 7,842 . 07-31-09 . 6:40a Signlic.txt
....... 5,644 . 07-31-09 . 6:40a __X64_Config.dat
....... 7,842 . 07-31-09 . 6:40a __X64_Signlic.txt
....... 1,056 . 07-31-09 . 6:40a __X64_License.dat


So it looks like you only need to download that one TAR file to get the current DATs, the pertinent files are identical, the superfluous files are unnecessary.

First I determined that the target location for the DATs and Engine is in here:
<YourPath>\McAfee\Network Associates\Virusscan Engine\4.0.xx

Then I compared the Mcscan32.dll from Sdat6346.exe against the existing old one and they are still identical. Cool!

So I grabbed the three DAT files and realized that they are using new names these days with 'AVV' prepended, so first I had to rename them ...

..... 569,961 . 05-14-11 . 1:40a Avvclean.dat RENAME TO: Clean.dat
..... 423,049 . 05-14-11 . 1:40a Avvnames.dat RENAME TO: Names.dat
. 108,744,302 . 05-14-11 . 1:40a Avvscan.dat .RENAME TO: Scan.dat


Then off they go into the above-mentioned folder.

Ok, fire up McAfee v6 by right-clicking a test folder. Note, this step from click to the McAfee GUI took a loooonnnng time, at least 5 minutes! Whatever.

Finally ... "Security Status" page shows this ...
Virus Definitions: 4.0.6346
Created On: 05/14/2011


Bingo! They were recognized. I let it scan the folder (fast as ever). Success! on this ten-year-old engine.

Hope this is good news for somebody.

... Let him who hath understanding reckon the Number Of The Beast ...
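
The manual DAT update described in post #40 (back up the working set, take only the three DAT files from the TAR, rename them, copy them into the engine folder), as an added example that is not part of the thread. It assumes Python 3 on whatever machine prepares the files; the function names and the backup folder layout are assumptions, and only the file names and the rename mapping come from the post.

```python
import hashlib
import shutil
import tarfile
import time
from pathlib import Path

# Archive member name -> file name the old v6 engine expects (from the post).
RENAMES = {"avvclean.dat": "Clean.dat",
           "avvnames.dat": "Names.dat",
           "avvscan.dat": "Scan.dat"}


def sha256_of(path):
    # Hash in 1 MiB chunks; Avvscan.dat is over 100 MB.
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_dats(tar_path, engine_dir, backup_root):
    """Stage, back up, then install. Returns (backup_dir, {name: sha256})."""
    engine_dir = Path(engine_dir)
    backup_dir = Path(backup_root) / time.strftime("dats-%Y%m%d-%H%M%S")
    staging = backup_dir / "staging"
    staging.mkdir(parents=True)

    # Read only regular files whose base name is on the allowlist, and write
    # them under a fixed name, so member paths like ../x are never honoured.
    staged = set()
    with tarfile.open(tar_path) as tar:
        for member in tar.getmembers():
            target = RENAMES.get(Path(member.name).name.lower())
            if target is None or not member.isfile():
                continue
            with tar.extractfile(member) as src, open(staging / target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            staged.add(target)
    missing = set(RENAMES.values()) - staged
    if missing:  # Refuse a partial set before touching the engine folder.
        raise ValueError(f"archive lacks: {sorted(missing)}")

    # Keep the previous working DATs so a bad release can be reverted.
    for name in RENAMES.values():
        if (engine_dir / name).exists():
            shutil.copy2(engine_dir / name, backup_dir / name)

    hashes = {}
    for name in sorted(staged):
        shutil.copy2(staging / name, engine_dir / name)
        hashes[name] = sha256_of(engine_dir / name)
    shutil.rmtree(staging)
    return backup_dir, hashes


def rollback(backup_dir, engine_dir):
    """Restore the DAT set saved by install_dats(); returns restored names."""
    restored = []
    for name in RENAMES.values():
        saved = Path(backup_dir) / name
        if saved.exists():
            shutil.copy2(saved, Path(engine_dir) / name)
            restored.append(name)
    return restored
```

The returned SHA-256 values give a stronger check than size and date when comparing the DATs from the TAR against those extracted from the SuperDAT packages.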


#41
Prozactive

    Member

  • Member
  • 209 posts
  • Joined 28-October 08
  • OS:98SE



Avast 4.8.1335 will be supported until May 2012.

Thanks. I was wondering when Avast! was going to discontinue support for Win9x as it was originally supposed to end last year. Just curious, where did you find that information?

Yes, Win 9x support ended at the end of 2009. I was referring to the support of virus definitions. I'll fix my post to reflect that.

@Foxbat:
I understood what you meant. I was also referring to virus definitions support, which was supposed to be discontinued at the end of 2010 but has surprisingly still continued.


Of course there is a way... I can consolidate the previous threads into one. But that would create a huge thread.
So I don't know for sure whether it's such a good idea. Do please post a list of previous threads you think would fit in.
Then we can decide what's the best course to adopt.

@dencorso:
Thanks. Now that I think about it, seems like you did something similar for the "Large HDDs >137 GB" topic where you created a "super" post with links to all the relevant threads. I'll look for those threads and get back to you.

@CharlotteTheHarlot:
That's interesting that McAfee 6 still works with the latest definitions. My first AV was McAfee 4.0.3 and I used it for an extremely long time, updating it with the sdat files you referenced, until it became way too slow. As I recall, it caused overall system response to become so sluggish as to be almost unusable. Along the way, they also provided a free download of version 8 to settle some class action lawsuit. I tried it but didn't like it for some reason.

Edited by Prozactive, 17 May 2011 - 09:05 AM.


#42
Foxbat

    Member

  • Member
  • 122 posts
  • Joined 18-January 11
  • OS:none specified

I understood what you meant. I was also referring to virus definitions support, which was supposed to be discontinued at the end of 2010 but has surprisingly still continued.

The source of the definitions support date was directly from Avast's website over a year ago. Now, a Google search brings up multiple forums all referring to one user asking an Avast rep whose response was that definitions will be supported until the end of 2010. This causes some confusion. It's possible Avast may have changed the date somewhere down the line, but they are still releasing updated 4.8 definitions from their website, which is concurrent with their original end date.

#43
cdoublejj

    Member

  • Member
  • 141 posts
  • Joined 26-July 09

Holy heck, I'm floored. I didn't think any of the outdated A/Vs could get updates. I had thought of getting an older yet somewhat recent A/V but never really put any more thought into it. I use WOT in Pale Moon, which I have a version of specialized for Pentium 3s, and if you don't know, Pale Moon is a Windows-optimized version of FF. Anyway, I didn't think there was anything left for 98SE. It might be interesting to scan it some time, but for the most part I don't have or run anything as far as A/V; I'm sure it helps with performance some.

#44
Lipper

    Newbie

  • Member
  • 38 posts
  • Joined 08-February 11
  • OS:98

There's a new version of Clam Sentinel: v1.16 May 28, 2011.
You must have ClamWin AV (installed or portable) to use.

http://clamsentinel.sourceforge.net

#45
Lipper

    Newbie

  • Member
  • 38 posts
  • Joined 08-February 11
  • OS:98

ClamWin AV .97.1 has been released. It's not noted in the change log but this update has added QRecover support for Win98 and WinME. QRecover (a ClamWin utility aka Quarantine Browser) allows users to easily restore files from quarantine, if necessary.

http://www.filehippo...ownload_clamwin

This new version works great with Clam Sentinel 1.16, which acts as its integrated real time front end.

Edit: adding ClamWin Portable .97.1 (states for Win2k and higher, but works on Win98 and probably WinME without KernelEx). Can be used in conjunction with Clam Sentinel from a flash drive. See the two guides at the bottom of http://clamsentinel.sourceforge.net for setup procedures. Also, I could never get ClamWin (installed or portable) to scan an NTFS volume even with Paragon's NTFS for Win98 installed. My remedy was to re-format the NTFS drive to FAT32. This is a ClamWin problem, not Clam Sentinel.

Edited by Lipper, 20 June 2011 - 04:11 PM.


#46
Lipper

    Newbie

  • Member
  • 38 posts
  • Joined 08-February 11
  • OS:98

Though its days are surely numbered, Avast AV 4.8.1368 still works on 98/ME and receives updates several times per day.

http://www.filehippo...antivirus/6635/

#47
Lipper

    Newbie

  • Member
  • 38 posts
  • Joined 08-February 11
  • OS:98

Editing a post doesn't bump a thread on this forum, so I'm manually bumping so that others will know there's new content. :thumbup

#48
NothingMuchHereToSay

    Junior

  • Member
  • 57 posts
  • Joined 02-July 11
  • OS:none specified

There don't seem to be that many antivirus programs for Windows 95 available. What a shame. :(

#49
Foxbat

    Member

  • Member
  • 122 posts
  • Joined 18-January 11
  • OS:none specified

That's expected the older an OS gets. But, two antivirus programs still support Windows 95:

Avast 4.8
Eset NOD32 2.7

See post #32 for support dates.

#50
PROBLEMCHYLD

    The Resurrector for old Windows OS

  • Member
  • 2,528 posts
  • Joined 07-October 05
  • OS:98SE

... 3,182,712 . 07-31-09 . 6:40a Mcscan32.dll ... (engine) IDENTICAL to existing

What version is your Mscan32.dll?

Does anyone have access to 5100eng9x.exe?

Edited by PROBLEMCHYLD, 12 July 2011 - 08:03 PM.

Believe God is the Alpha and Omega.
Believe Jesus Christ died for our sins.
Repent for your sins now or there will be
BLOOD

The Path to God


U98SESP3 03-11-2013




