Windows 9x/Me Security Thread

113 replies to this topic

#51
CharlotteTheHarlot


What version is your Mscan32.dll?


(please note the spelling of the filename: McScan32.dll)

3,182,712 . 07-31-09 . 6:40a Mcscan32.dll

File Properties | Version (under WinXP) ... v5.400.0.1158

File Properties | Version (under Win9x) ... v5.4.00

CRC in WinZip ... c2482d68

MORE INFORMATION ... I was able to search through a collection of McAfee DATs and determined that this file (McScan32.dll) has been identical since around the 5741 release circa 2009 September. In other words this file has been unchanged for almost two years.

SUPPOSITION ... at some point this DLL will again be changed and will likely not work with Win9x any longer even though the 10 year old executables will function as always. The question will likely become, will the DAT files of some future time work with an older McScan32.dll on Win9x? Your guess is as good as mine.

None of this would be necessary if all the antivirus vendors and virus research labs simply agreed on a standard DAT database while keeping their engines and applications proprietary. But that would be just too logical.

Does anyone have access to 5100eng9x.exe?


I couldn't find the 5100 DATs on any hard drives I have stored. But I did see 5090 and 5110. McScan32.dll is identical in both of those releases ...

2,867,438 . 06-09-06 . 5:10a Mcscan32.dll

File Properties | Version (under WinXP) ... v5.100.0.194

File Properties | Version (under Win9x) ... v5.1.00 (probably)

CRC in WinZip ... ca1d76ed

... Let him who hath understanding reckon the Number Of The Beast ...




#52
JorgeA


Norton Anti-Virus 2002 can still be updated by downloading the (free) Symantec Intelligent Updater package.

But is it kosher to download and use this package?

--JorgeA

#53
JorgeA

I can confirm that SUPERAntiSpyware version 4.24.0.1004 works on my Win98 (first edition) PC.

Also, FWIW, ZoneAlarm 6.1.744.001 serves as the firewall on my Win98SE laptop.

HTH

--JorgeA

Edited by JorgeA, 15 July 2011 - 08:31 PM.


#54
schwups

AVG 7.5

For the past two weeks the (offline) update of the AVG Virus Definitions has been faulty. The definitions file incavi.avm remains in the install.1 folder (C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7upd\install.1). I must copy it into the AVG program folder. Restart required.



#55
HardDriv'n

Don't forget that you could also use Linux to scan Windows. I believe you could make a tiny Linux-compatible partition around ~200MB, or maybe even smaller. Then do a minimal install of Debian, Fedora, Arch, etc.

I've done this before, and I didn't even install a desktop environment for the distro.

Add the proper repos for your distro, and from the Linux command line, install the program with a package manager.

Debian, Ubuntu;
apt-get install clamav
OR
aptitude install clamav

Arch;

pacman -S clamav

Gentoo;

emerge clamav

To update the definitions is something like...

freshclam

To scan...

clamscan /media/Windows/
clamscan /mnt/Windows/
clamscan /media/Windows/io.sys
clamscan <path to folder/file>

NOTES;
This method will require you to have a boot manager installed, like one of the GRUB derivatives for instance. This also won't provide "active" protection, but only clean-up after the fact.
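
An added example, not part of the post above: a Python wrapper for the scan step that first confirms the Windows partition is mounted read-only (for instance with `mount -o ro`), then runs `clamscan` with `--recursive`, since without that flag clamscan does not descend into subdirectories. The function names and the sample mount and output lines are constructed for illustration, and the scan target is assumed to be the mount point itself.

```python
import subprocess

# clamscan exit codes per its man page: 0 = no virus, 1 = virus found, 2 = error.
EXIT_MEANING = {0: "clean", 1: "infected", 2: "error"}

# Constructed sample of /proc/mounts content (device, mount point, type, options).
SAMPLE_MOUNTS = """\
/dev/sda1 /mnt/Windows vfat ro,relatime,fmask=0022 0 0
/dev/sdb1 /media/Windows vfat rw,relatime 0 0
"""

# Constructed sample of clamscan output when run with --infected.
SAMPLE_OUTPUT = """\
/mnt/Windows/TEMP/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
"""


def mounted_read_only(mount_point, mounts_text):
    """True if mount_point appears in /proc/mounts-style text with option 'ro'."""
    wanted = mount_point.rstrip("/") or "/"
    read_only = False
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == wanted:
            # If several file systems are stacked on one point, the last wins.
            read_only = "ro" in fields[3].split(",")
    return read_only


def clamscan_command(target, log_path):
    """Recursive scan that prints only infected files and also writes a log."""
    return ["clamscan", "--recursive", "--infected", f"--log={log_path}", target]


def parse_found(output):
    """Extract (path, signature) pairs from '<path>: <signature> FOUND' lines."""
    hits = []
    for line in output.splitlines():
        if line.endswith(" FOUND"):
            path, _, signature = line[: -len(" FOUND")].rpartition(": ")
            hits.append((path, signature))
    return hits


def scan(target, log_path, mounts_file="/proc/mounts"):
    """Scan a read-only mount; returns (verdict, [(path, signature), ...])."""
    with open(mounts_file) as fh:
        if not mounted_read_only(target, fh.read()):
            # Scanning a writable mount can alter the disk being examined.
            raise RuntimeError(f"{target} is not mounted read-only")
    proc = subprocess.run(
        clamscan_command(target, log_path),
        capture_output=True, text=True, errors="replace",
    )
    return EXIT_MEANING.get(proc.returncode, "error"), parse_found(proc.stdout)


if __name__ == "__main__":
    print(scan("/mnt/Windows", "/tmp/clamscan-windows.log"))
```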

#56
NothingMuchHereToSay

http://www.window95..../antivirus.html

I found this website that seems to have some Win9x stuff in there :D

#57
CharlotteTheHarlot

Just a quick update regarding the use of McAfee v6 on Win9x. I extracted the latest DATs v6511 (see details explained above in post #40) ...

..... 640,057 . 10-26-11 . 1:40a Avvclean.dat
..... 445,913 . 10-26-11 . 1:40a Avvnames.dat
. 125,551,486 . 10-26-11 . 1:40a Avvscan.dat


As described previously, just strip the AVV prefix from the default filenames and replace CLEAN.DAT, NAMES.DAT and SCAN.DAT.

The 32-bit engine file, Mcscan32.dll is once again identical to past versions so nothing need be done.

As before, it took a LONGGGGG time for McAfee to initialize and load the DATs (over 5 minutes!). But all went well and McAfee scanned files and folders successfully!

Pretty impressive really, because the main executable McAfee file, VSMAIN.EXE v6.01.2000.1, is dated: 2001-11-16. Almost exactly 10 years old.

:thumbup

... Let him who hath understanding reckon the Number Of The Beast ...


#58
Giant2011

Registered avast 4.8 antivirus on windows 98se until 1 December 2012

#59
dw2108


With most support for Win 9x antivirus and antimalware programs coming to an end, I try to keep an eye on some that are still supported.


BitDefender v10 does have VM and on-access protection. BUT it is flaky and will lock files. Also a RAM hog unless KernelEx is installed. You have to disable all of it and reboot just to defrag, but it is good for risky surfing. Fortego's ASE still works on 9x + KEX even though most monitors read from the NT event log.


Dave

#60
Giant2011

Just install Avast 4.8. I have registered it until December 1, 2012.

#61
pcalvert

This runs on Windows 98 and does not rely on signatures: System Safety Monitor

"Thinking is hard work, which is why so few people do it." - Henry Ford

#62
Prozactive

herbalist has had many long discussions about the use of SSM. I'll try to find the references.

#63
billyb

Don't know if this needs to be a new Win 98x Security thread for "2012" topic

Clamwin looks interesting for win98se. I do have the old Norton antivirus 2002... not sure what the "intelligent update" service is that someone mentioned for that. I stopped using Norton 2002 a long time ago when (I think) they sent an email saying no more updates for that one.

Networking the win98se machines to some of my other winxp or win7 machines that have avg free 2012 on them sounds like a do-able plan.

I don't use my win98se machines online much. Maybe I will though after I get the sp3 on.

What about this idea...

My win 98se C drives are in removable ide bay/trays. So are a couple of my online winxp machines (all have extra drive bays inside for addl drives) that have avg free 2012.

Do you suppose I can slide a win98se fat32 system drive from one machine into ide bay 2 of a winxp online machine, do an avg free 2012 scan of all and catch problems that way? That would certainly be the fastest way for me to do things right now. Anyone try that so far?

I could even do that on a few of the win7 machines that have external ide bays connected.

That would certainly beat the problem of dealing with an antivirus program that may stop win98 support at any moment.

Edited by billyb, 19 April 2012 - 01:16 PM.


#64
JorgeA


What about this idea...

My win 98se C drives are in ide bay/trays. So are a couple of my online winxp machines that have avg free 2012. Do you suppose I can slide a win98se fat32 system drive from one machine into bay 2 of a winxp online machine, do an avg free 2012 scan of all and catch problems that way? That would certainly be the fastest way for me to do things right now. Anyone try that so far?

I could even do that on a few of the win7 machines that have external ide bays connected.

That would certainly beat the problem of dealing with an antivirus program that may stop win98 support at any moment.

I don't use AVG, so I can't speak directly to that, but -- if your AV software can find the 98SE drives where you normally keep them, you should be able to scan them without needing to physically move the drives around.

This is what I do with my Win98 systems and the ESET NOD Online Scanner. Within the application, I tell it to search the network and then I select the drive(s) that I want scanned.

I've also done this with Avast, installed on an XP machine, scanning a 98SE machine over the network. SuperAntiSpyware will do it, too, IIRC.

Hope this helps.

BTW, you can still install and use Spybot Search & Destroy 1.6.2 on Win98 systems (any flavor), including the real-time protection portions of the program.

--JorgeA

#65
CharlotteTheHarlot

UPDATE: Success using the latest DATs v6845 with McAfee v6 on Win9x.
  • See above Post #40 for the first time I tried this using DATs v6346 ( has detailed instructions ).
  • See above Post #57 when I tried it again using DATs v6511.
Note that the time/dates shown for these files reflects the download and extraction, which was today. The three downloads that I found ...
- 2012-09-24 ... 16:29 ... 108,306,264 ... 6845xdat.exe
- 2012-09-24 ... 16:31 ... 106,425,344 ... Avvdat-6845.tar
- 2012-09-24 ... 16:31 ... 114,108,032 ... Sdat6845.exe


All three packages contain the same three DAT definition files ...
- 2012-09-24 ... 06:40 ....... 718,817 ... Avvclean.dat
- 2012-09-24 ... 06:40 ....... 487,057 ... Avvnames.dat
- 2012-09-24 ... 06:40 ... 105,206,916 ... Avvscan.dat


As described previously, just strip the "AVV" prefix from the default filenames and replace CLEAN.DAT, NAMES.DAT and SCAN.DAT. Note that the SCAN.DAT actually is smaller by about 20 MB this time compared to last.

The McAfee scan engines contained in the SDAT package still haven't been changed ...
- 2009-07-31 ... 06:40 ..... 3,182,712 ... Mcscan32.dll
- 2009-07-31 ... 06:40 ..... 4,706,936 ... Mscan64a.dll

... so I updated no other files beyond the three DATs.

As before, it took a long time for McAfee to initialize and load the DATs ( likewise when I changed directories to test scan some known infected files ). But all went well and McAfee scanned files and folders successfully once again.

Pretty impressive because the main executable McAfee file, VSMAIN.EXE v6.01.2000.1, is dated: 2001-11-16. Almost 11 years old.

:thumbup

P.S. Maybe the OP should change the title to: Windows 9x/Me Security Thread for 2011-2012

... Let him who hath understanding reckon the Number Of The Beast ...
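
The DAT refresh described in posts #57 and #65, as an added Python example (not code from the posters or from McAfee): it pulls the three definition files out of the Avvdat tar, writes them under the prefix-stripped names only if all three are present, and records size, CRC-32 and SHA-256 for each. The CRC-32 is the same checksum WinZip displays; it reveals accidental change only, so the SHA-256 is recorded alongside it. The function names and the target directory are assumptions.

```python
import hashlib
import tarfile
import zlib
from pathlib import Path

# Names from the posts: drop the "AVV" prefix from each extracted definition file.
DAT_RENAMES = {
    "avvclean.dat": "CLEAN.DAT",
    "avvnames.dat": "NAMES.DAT",
    "avvscan.dat": "SCAN.DAT",
}


def fingerprint(path):
    """Return (size, zip-style CRC-32 as 8 hex digits, SHA-256 hex) for a file."""
    crc, sha, size = 0, hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
            size += len(chunk)
    return size, f"{crc & 0xFFFFFFFF:08x}", sha.hexdigest()


def install_dats(tar_path, target_dir):
    """Copy the three DATs from an Avvdat tar into target_dir under their
    prefix-stripped names. Returns {new_name: fingerprint}."""
    target = Path(target_dir)
    staged = []
    with tarfile.open(tar_path) as tar:
        wanted = {}
        for member in tar.getmembers():
            # Match on the basename only, so a member path such as "../x"
            # can never steer a write outside target_dir.
            base = Path(member.name).name.lower()
            if member.isfile() and base in DAT_RENAMES:
                wanted[base] = member
        missing = sorted(set(DAT_RENAMES) - set(wanted))
        if missing:
            # Refuse a partial update rather than mix DAT versions.
            raise ValueError(f"archive lacks: {', '.join(missing)}")
        for base, member in wanted.items():
            tmp = target / (DAT_RENAMES[base] + ".new")
            with tar.extractfile(member) as src, open(tmp, "wb") as dst:
                for chunk in iter(lambda: src.read(1 << 20), b""):
                    dst.write(chunk)
            staged.append((tmp, target / DAT_RENAMES[base]))
    # Replace the old files only after all three extracted cleanly.
    for tmp, final in staged:
        tmp.replace(final)
    return {final.name: fingerprint(final) for _, final in staged}


def engine_unchanged(dll_path, known_size, known_crc):
    """True if the engine DLL matches a previously recorded size and CRC-32."""
    size, crc, _ = fingerprint(dll_path)
    return size == known_size and crc == known_crc.lower()
```

For the engine file listed in the thread, the recorded values to pass to `engine_unchanged` are 3,182,712 bytes and CRC c2482d68.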


#66
jds

I have previously reported that Symantec Antivirus 9 "real time" (auto protect) functionality was broken if you installed virus definitions post ca. Aug. 2009, although "on demand" (manual) scanning remained functional.

I can sadly report that "on demand" (manual) scanning is now also broken with the latest virus definitions.

To add insult to injury, their 'Norton_Removal_Tool_9x.exe' tool now reports it's expired and I can't figure a way to convince it otherwise. Typically, it directs you to a Symantec site for an updated version, but it's still the same version and it still reports it's expired. As some of you will know, the normal uninstall for SAV still leaves behind lots of files and registry settings, which is why the removal tool was created.

Joe.

#67
CharlotteTheHarlot


To add insult to injury, their 'Norton_Removal_Tool_9x.exe' tool now reports it's expired and I can't figure a way to convince it otherwise. Typically, it directs you to a Symantec site for an updated version, but it's still the same version and it still reports it's expired. As some of you will know, the normal uninstall for SAV still leaves behind lots of files and registry settings, which is why the removal tool was created.

Four ideas, though I'll bet you tried the first two already ...

- It may simply read the date/time. Set the clock back ( I know, it's obvious )

- It may phone home. Disconnect internet first, prevent it from getting the current date/time or status from a server somewhere.

- It may have flagged itself as expired. Use a clean original non-executed copy of the Symantec file if you have one, this is to prevent self-modification which happens more frequently than people might imagine. It can easily flag a bit in itself as expired which would make the clock setting irrelevant.

- It may have flagged an external bit as expired. Use a clean original non-executed copy of the file on a computer that has never seen the program run before. Save registry export and filelist before and after. The idea is to capture any changes such as a registry value or even a changed file date/time somewhere that it reads before execution.

Unless I am completely senile I cannot imagine any other avenue it could use to stop working on Win9x. But I could be wrong.

... Let him who hath understanding reckon the Number Of The Beast ...


#68
jds


To add insult to injury, their 'Norton_Removal_Tool_9x.exe' tool now reports it's expired and I can't figure a way to convince it otherwise. Typically, it directs you to a Symantec site for an updated version, but it's still the same version and it still reports it's expired. As some of you will know, the normal uninstall for SAV still leaves behind lots of files and registry settings, which is why the removal tool was created.

Four ideas, though I'll bet you tried the first two already ...

- It may simply read the date/time. Set the clock back ( I know, it's obvious )

- It may phone home. Disconnect internet first, prevent it from getting the current date/time or status from a server somewhere.

- It may have flagged itself as expired. Use a clean original non-executed copy of the Symantec file if you have one, this is to prevent self-modification which happens more frequently than people might imagine. It can easily flag a bit in itself as expired which would make the clock setting irrelevant.

- It may have flagged an external bit as expired. Use a clean original non-executed copy of the file on a computer that has never seen the program run before. Save registry export and filelist before and after. The idea is to capture any changes such as a registry value or even a changed file date/time somewhere that it reads before execution.

Unless I am completely senile I cannot imagine any other avenue it could use to stop working on Win9x. But I could be wrong.

Hi Charlotte,

Yes, you're right in thinking I'd have already thought of the first two ideas. Alas, so have Symantec, evidently. (Sigh, why can't things be easy for once?)

The file doesn't self-modify. I downloaded a fresh copy (hoping it was actually an updated version) but it was in fact byte-identical to my existing copy.

Unfortunately, I don't have a spare machine to risk installing this now worse-than-useless Symantec bloatware. However, I have used RegMon and FileMon to try to see what this Removal Tool is looking at. I can see it takes a keen interest in some encryption stuff in the registry (apart from looking up what Symantec packages are installed) and also seems to rewrite WIN.INI, however, nothing in either place seems relevant to my eyes.

Because of its keen interest in encryption, it occurs to me that this Removal Tool may actually use its signing certificate to decide if it's expired. Looking at this, I see that it was signed on 2008/2/9 with a certificate valid from 2007/6/15 to 2012/6/15. Now normally, if the signing timestamp is within the validity period, the package is deemed to be valid in perpetuity. However, I suspect Symantec have chosen to use the certificate expiry date as the expiry date for this tool. No doubt when it checks for the validity of the signing certificate, the system will report it is valid but also that the certificate is expired. I'm sure the security checks used on certificates can't be fooled into thinking an expired certificate isn't, by setting the system date or any other simple means.

Going with the "signing certificate validity date" theory, I signed the tool with my company's code signing certificate (which is still current, of course). Unfortunately however, the tool then reported that it wasn't signed, which in other words, meant it was specifically looking for Symantec's signing certificate. Grrr!

Joe.

#69
dencorso


The file doesn't self-modify. I downloaded a fresh copy (hoping it was actually an updated version) but it was in fact byte-identical to my existing copy.

That statement put me in action. And I have good news: the following procedure works. I have just tested it for you. Disconnect the machine physically from the internet. Reset the machine date to some day (I used 19) in January, 2009. Turn off the machine. Wait 10 minutes. Turn it on and boot Win 9x (if it runs Scandisk or NDD, abort the scan or it'll find many "wrong dated" files). Once at the desktop, run Norton_Removal_Tool_9x.exe and it'll run OK. Nothing will be installed, the Norton_Removal_Tool_9x.exe is stand-alone. It removed all Norton products all right, except the Norton CrashGuard, which it didn't touch (then again, I'm possibly the last user of the much maligned CrashGuard, but it works all right for me)!

Yes, you're right in thinking I'd have already thought of the first two ideas. Alas, so have Symantec, evidently. (Sigh, why can't things be easy for once?)

Sure. And in the present case they actually are. :yes:


#70
submix8c


<snip>Wait 10 minutes<snip>

Huh? Really? Hot dates? :w00t:

Ennyhoo, I appreciate the "hey, did it occur to you?" about using it because - I haven't used it for some time now. It appears that I'm running 9x sans-AV but using Outpost (the free one)...

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!



#71
dencorso


<snip>Wait 10 minutes<snip>

Huh? Really? Hot dates? :w00t:

No. Delivery Chinese food. :P

#72
JorgeA


The file doesn't self-modify. I downloaded a fresh copy (hoping it was actually an updated version) but it was in fact byte-identical to my existing copy.

That statement put me in action. And I have good news: the following procedure works. I have just tested it for you. Disconnect the machine physically from the internet. Reset the machine date to some day (I used 19) in January, 2009. Turn off the machine. Wait 10 minutes. Turn it on and boot Win 9x (if it runs Scandisk or NDD, abort the scan or it'll find many "wrong dated" files). Once at the desktop, run Norton_Removal_Tool_9x.exe and it'll run OK. Nothing will be installed, the Norton_Removal_Tool_9x.exe is stand-alone. It removed all Norton products all right, except the Norton CrashGuard, which it didn't touch (then again, I'm possibly the last user of the much maligned CrashGuard, but it works all right for me)!

This sounds VERY promising. I ran into this Norton problem with lingering remnants the last time I had to reinstall Win98FE -- couldn't reinstall Norton Internet Security, no matter what I tried with that Removal Tool or how many references to Symantec/Norton I deleted from the Registry. Ended up installing Avast! 4.8 instead, but as of the end of 2012 that's no longer receiving updates (must have been due to the Mayan Calendar) so I may as well uninstall that and try your procedure. Thanks very much for reporting it.

--JorgeA

#73
Foxbat


Ended up installing Avast! 4.8 instead, but as of the end of 2012 that's no longer receiving updates (must have been due to the Mayan Calendar) so I may as well uninstall that and try your procedure.

Avast continues to release definitions for 4.8, despite their official announcement of not releasing new definitions after May 2012.

#74
JorgeA



Ended up installing Avast! 4.8 instead, but as of the end of 2012 that's no longer receiving updates (must have been due to the Mayan Calendar) so I may as well uninstall that and try your procedure.

Avast continues to release definitions for 4.8, despite their official announcement of not releasing new definitions after May 2012.

I have installations of Avast! 4.8 Home Edition on two different Win98 systems, installed months apart. On one of them the virus database last updated on December 29, on the other it was January 2. When I click to manually update the database, they hang as if they can't connect to the server.

Are you using Avast! 4.8, and are you still getting virus database updates?

--JorgeA

#75
Giant2011

Hello, I registered Avast 4.8 until November 1, 2013. I do not know what happens if I would install it, of course.



