Windows 9x/Me Security Thread

113 replies to this topic

#76
Foxbat


I have installations of Avast! 4.8 Home Edition on two different Win98 systems, installed months apart. On one of them the virus database last updated on December 29, on the other it was January 2. When I click to manually update the database, they hang as if they can't connect to the server.

Are you using Avast! 4.8, and are you still getting virus database updates?

You will need to download the update directly from the website yourself. The file can be obtained from this link.
http://www.avast.com...download-update
The definitions are updated daily. I have the link bookmarked for easy access. It is unknown how much longer Avast will continue to provide 4.8 updates. Expect support to cease at any moment.



#77
JorgeA

  • OS:Vista Home Premium x64

You will need to download the update directly from the website yourself. The file can be obtained from this link.
http://www.avast.com...download-update
The definitions are updated daily. I have the link bookmarked for easy access. It is unknown how much longer Avast will continue to provide 4.8 updates. Expect support to cease at any moment.

That's great to hear, thanks for the link! I'll go in and try that. It'll be a nice "excuse" to fire up IE6 again. :yes:

--JorgeA

#78
jds

  • OS:98SE

The file doesn't self-modify. I downloaded a fresh copy (hoping it was actually an updated version) but it was in fact byte-identical to my existing copy.

That statement put me in action. And I have good news: the following procedure works. I have just tested it for you. Disconnect the machine physically from the internet. Reset the machine date to some day (I used 19) in January, 2009. Turn off the machine. Wait 10 minutes. Turn it on and boot Win 9x (if it runs Scandisk or NDD, abort the scan or it'll find many "wrong dated" files). Once at the desktop, run Norton_Removal_Tool_9x.exe and it'll run OK. Nothing will be installed, the Norton_Removal_Tool_9x.exe is stand-alone. It removed all Norton products all right, except the Norton CrashGuard, which it didn't touch (then again, I'm possibly the last user of the much maligned CrashGuard, but it works all right for me)!

Yes, you're right in thinking I'd have already thought of the first two ideas. Alas, so have Symantec, evidently. (Sigh, why can't things be easy for once?)

Sure. And in the present case they actually are. :yes:


Hi Den,

Thanks for trying this out for me. Unfortunately however, MMDV (think YMMV). :(

I tried many times and also with several "variations on the theme" (disabling the NIC in Device Manager, re-installing SAV, installing NAV, double Ctrl-Alt-Delete, reboot, changing date in DOS), but always the result was the same expiry error. The version I have of this tool has an MD5 hash of 316b61ce6f827a8ee48944e5b076f37c.

BTW, I didn't get any "invalid date" errors from ScanDisk. If you get this, it means Symantec has usurped 'scandisk.exe'. If I recall correctly, the way to restore normal ScanDisk behavior is to delete a file called 'scandisk.alt'.

Joe.

#79
dencorso

  • OS:98SE

It's the same file. The MD5 is the same (and the SHA1 is BC6F1C1EB7DCD4FA88A2F8C861A492F36A73C047). The key-points in my method are changing the date in the BIOS to a date later than PE Timestamp of the NRT_9x, but before its certificate's expiry date, and then rebooting with the internet cable disconnected. There remains no way the NRT_9x can ascertain the true date, but it can check it's later than the BIOS default date, so it accepts it as the true date, IMO.
You're right: I deliberately use NDD, so there is a 'scandisk.alt' which is another copy of NDD. I had forgotten the "invalid date" is an NDD thing, though. Please do give it another try, just in case. Good luck!

#80
jds

  • OS:98SE

It's the same file. The MD5 is the same (and the SHA1 is BC6F1C1EB7DCD4FA88A2F8C861A492F36A73C047). The key-points in my method are changing the date in the BIOS to a date later than PE Timestamp of the NRT_9x, but before its certificate's expiry date, and then rebooting with the internet cable disconnected. There remains no way the NRT_9x can ascertain the true date, but it can check it's later than the BIOS default date, so it accepts it as the true date, IMO.
You're right: I deliberately use NDD, so there is a 'scandisk.alt' which is another copy of NDD. I had forgotten the "invalid date" is an NDD thing, though. Please do give it another try, just in case. Good luck!

Hi Den,

Alas, I still get the same expiry problem. Here are the stats : PE = 2008/2/9, signature = 2008/2/9, certificate expiry = 2010/11/25, file (directory) = 2009/1/14, BIOS (system) = 2009/1/22, network disconnected. I think that complies with the above recommendation. I can only think the security system (already) knows the certificate is expired and that the tool uses that fact to decide it is too. :(

Joe.

Edited by jds, 22 January 2013 - 02:33 AM.


#81
dencorso

  • OS:98SE

That may well be the case. If so, provided you have an image of the partition from before your 1st attempt, I'd suggest you redeploy the said image and try again as per your latest trial, which sure does comply in every aspect with my own experiment. The rationale for this present suggestion is that if it stored somewhere the info the certificate is expired, that place must be either the registry or (less probably) some other file inside the same partition... which an image redeployment would perforce remove. Good luck!

#82
submix8c

Looks like (nearly identical) to what's available on the FTP -
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/
Linked to from here -
https://www-secure.s...0080710133024EN

This document is for Norton products downloaded from your service provider.

For NOT from Service Provider -
https://www-secure.s...0080710133834EN
You must pick a product... - same products though... and gives same link. :(
There's a comment here as well (would prevent services/processes from running) -
http://community.nor...p/109722/page/2

I would boot into Safe Mode and run NRT once and reboot to safe mode and rerun again. After that, delete any folders that are named Symantec or Norton. Before deleting, change the options so you can view hidden files and folders (Explorer > Tools > Folder Options > View and apply to all ).


Norton_Removal_Tool_9x.exe
2007.2.0.14

Welcome to Norton Removal Tool
This tool will remove ALL copies of:
- Norton AntiSpam 2004 and 2005
- Norton AntiVirus 2003 through 2007
- Norton Ghost 2003, 9.0, and 10.0
- Norton GoBack 3.1 through 4.2
- Norton Internet Security 2003 through 2007
- Norton Password Manager
- Norton Personal Firewall 2003 through 2006
- Norton SystemWorks 2003 through 2006
- Norton Confidential Online 2007


Here's something interesting though... Unpacked with WinRAR/UniExtract, it gives a file named "all.cpr" that lists everything that it deletes/services/etc-etc. Be aware that it appears that some fields are "<stringvalue>". Sadly, you would have to manually perform all of the operations within (stop services/processes/etc).

edit - also found this with a different set of procedures and files (BAT/REG/Manual Delete) to "get rid of" Norton/Symantec (the links inside work as well) -
http://filesharingta...pletely*-safely

HTH

Edited by submix8c, 22 January 2013 - 11:06 AM.

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!



#83
dencorso

  • OS:98SE

One idea: look for and delete the key HKLM\Software\SYMNRT and all subkeys and values under it. Then disconnect the internet, reset the bios date and try again.

#84
jds

  • OS:98SE

Looks like (nearly identical) to what's available on the FTP -
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/
Linked to from here -
https://www-secure.s...0080710133024EN

This document is for Norton products downloaded from your service provider.

For NOT from Service Provider -
https://www-secure.s...0080710133834EN
You must pick a product... - same products though... and gives same link. :(

Yep, I have versions 2007.2.0.11 (2007/1/12) and 2007.2.0.14 (2008/2/9). They both exhibit this expiry problem.

There's a comment here as well (would prevent services/processes from running) -
http://community.nor...p/109722/page/2

I would boot into Safe Mode and run NRT once and reboot to safe mode and rerun again. After that, delete any folders that are named Symantec or Norton. Before deleting, change the options so you can view hidden files and folders (Explorer > Tools > Folder Options > View and apply to all ).

Humbug! If you run the tool in Safe mode, it tells you it won't run in Safe mode.

Norton_Removal_Tool_9x.exe
2007.2.0.14

Welcome to Norton Removal Tool
This tool will remove ALL copies of:
- Norton AntiSpam 2004 and 2005
- Norton AntiVirus 2003 through 2007
- Norton Ghost 2003, 9.0, and 10.0
- Norton GoBack 3.1 through 4.2
- Norton Internet Security 2003 through 2007
- Norton Password Manager
- Norton Personal Firewall 2003 through 2006
- Norton SystemWorks 2003 through 2006
- Norton Confidential Online 2007


Here's something interesting though... Unpacked with WinRAR/UniExtract, it gives a file named "all.cpr" that lists everything that it deletes/services/etc-etc. Be aware that it appears that some fields are "<stringvalue>". Sadly, you would have to manually perform all of the operations within (stop services/processes/etc).

edit - also found this with a different set of procedures and files (BAT/REG/Manual Delete) to "get rid of" Norton/Symantec (the links inside work as well) -
http://filesharingta...pletely*-safely

Checked those alternative procedures, downloaded the files, turned out to be for NT only, not compatible with W9X.

One idea: look for and delete the key HKLM\Software\SYMNRT and all subkeys and values under it. Then disconnect the internet, reset the bios date and try again.

Den, you're a genius! :thumbup Thank you.
That was the missing piece of the puzzle - SAV is now vanquished! :)

Joe.

#85
submix8c

Running Norton_Removal_Tool_9x.exe for Dummies:
(it must be Version: 2007.2.0.14, MD5: 316B61CE6F827A8EE48944E5B076F37C, SHA-1: BC6F1C1EB7DCD4FA88A2F8C861A492F36A73C047,
CRC32: 5FB68354, Digitally Signed by Symantec Corporation, with a VeriSign Class 3 Certificate valid from 10/30/2007 to 11/24/2010)

1 - Disconnect the machine physically from the internet.
2 - Run REGEDIT and delete (if exists) "HKLM\Software\SYMNRT"
3 - Reset the machine date to some day (e.g. 19) in January, 2009.
4 - Shut Down/Turn Off the machine.
Note: This is an "insurance" step to ensure everything "sticks".
5 - Turn the machine on.
6 - Boot Win9x.
Note: If it runs Scandisk or NDD, abort the scan
or it'll find many "wrong dated" files.
7 - Once at the desktop, run Norton_Removal_Tool_9x.exe.
8 - Reset Date to Current.
9 - Repeat Steps #4 thru #6
Note: Ignore #6 Note as the Date has been Reset (#8).
Done!

Nothing will be installed.
The Norton_Removal_Tool_9x.exe is stand-alone.
It removes all Norton products except Norton CrashGuard,
which it didn't touch.

Additional Notes:
Step #3 may be instead performed after #5 in the BIOS.

====

Does the above cover it? :thumbup

Odd that it doesn't self-clean (ref. "all.cpr") and has the NERVE to insert REG Keys/Values. :puke: Still, that file DOES have everything listed that it performs/cleans.

Edited by dencorso, 23 January 2013 - 03:12 PM.

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!
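
The checks behind dencorso's explanation in post #79 and the how-to in post #85, as an added example that is not part of the original posts or of Symantec's tool: it compares a file against the MD5, SHA-1 and CRC32 quoted in the thread, reads the PE TimeDateStamp, and tests whether a clock date is later than it and inside the stated certificate validity dates. The function names and the sample header bytes are constructed for illustration.

```python
import hashlib
import struct
import zlib
from datetime import date, datetime, timezone

# Identity values quoted in the how-to for Norton_Removal_Tool_9x.exe 2007.2.0.14.
EXPECTED = {
    "md5": "316b61ce6f827a8ee48944e5b076f37c",
    "sha1": "bc6f1c1eb7dcd4fa88a2f8c861a492f36a73c047",
    "crc32": "5fb68354",
}
# Certificate validity as stated in the how-to (10/30/2007 to 11/24/2010).
CERT_VALID_FROM = date(2007, 10, 30)
CERT_VALID_TO = date(2010, 11, 24)


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and CRC32 of a file's bytes, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
    }


def is_expected_file(data: bytes) -> bool:
    """True only if all three digests match the values from the thread."""
    return digests(data) == EXPECTED


def pe_link_date(data: bytes) -> date:
    """Read TimeDateStamp from the COFF header of a PE image (UTC date)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # After the signature: Machine (2), NumberOfSections (2), TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc).date()


def clock_date_problems(clock: date, linked: date) -> list:
    """Reasons a clock date falls outside the window; empty list means it fits."""
    problems = []
    if clock <= linked:
        problems.append("not later than the PE timestamp")
    if clock < CERT_VALID_FROM:
        problems.append("before the certificate is valid")
    if clock > CERT_VALID_TO:
        problems.append("after the certificate expiry")
    return problems


def make_sample_pe(linked: date) -> bytes:
    """Constructed DOS stub + PE/COFF header carrying a chosen timestamp."""
    stamp = int(datetime(linked.year, linked.month, linked.day,
                         tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, stamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = make_sample_pe(date(2008, 2, 9))  # PE date reported in the thread
    linked = pe_link_date(sample)
    print("link date:", linked, "| matches thread hashes:", is_expected_file(sample))
    for clock in (date(2009, 1, 19), date(2013, 1, 22)):
        print(clock, clock_date_problems(clock, linked) or "inside the window")
```

The 2009/1/22 date jds reported also passes these checks; his run still failed until the HKLM\Software\SYMNRT key was deleted, which is stored state a date check cannot see.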



#86
dencorso

  • OS:98SE

That was the missing piece of the puzzle - SAV is now vanquished! :)

Yay!

@submix8c: Great how-to, thanks! :thumbup
I've added some info, because the date selected in step 3 must fall in between the valid dates of the certificate.

#87
dencorso

  • OS:98SE

Bumping just to call attention to two interesting Symantec KB documents I've found:

Manually Uninstalling Symantec AntiVirus 9.x from Windows 98/Me
http://www.symantec....ocs/TECH100617
Manually Uninstalling Symantec Client Security 2.0 from Windows 98/Me

@jds: It might be interesting to give a look in all of those places, since SAV is not officially indicated as one of the packages the NRT_9x removes.
Who says you won't find up some leftovers lurking in some obscure nook or cranny?

#88
JorgeA

  • OS:Vista Home Premium x64
Go figure -- Avast 4.8 updated twice today (at 6:30 AM and 10 PM) on one of my Win98 systems. (The other one is offline, but I'll turn it back on to see what happens.)

--JorgeA

#89
CharlotteTheHarlot

( Sorry, I forgot to post this from about three weeks ago )

UPDATE: Success using DATs v6883 and v7040 with McAfee v6 on Win9x.
  • See above Post #40 for the first time I tried this using DATs v6346 ( has detailed instructions ).
  • See above Post #57 when I tried it again using DATs v6511.
  • See above Post #65 when I tried it again using DATs v6845.
Strangely, just three days after I downloaded the 6883 DATs, they updated the FTP servers with 7040, ( only 6883 downloads are shown here ). Note that the time/dates shown for these files reflects the download and extraction. The three downloads that I found ...
- 2013-04-06 ... 14:40 ... 110,494,296 ... 6883xdat.exe
- 2013-04-06 ... 14:42 ... 108,612,096 ... Avvdat-6883.tar
- 2013-04-06 ... 14:43 ... 116,296,064 ... Sdat6883.exe


As has been the case, all three packages contain the same three DAT definition files.

This was 6883 ...
- 2012-11-01 ... 01:40 ....... 727,193 ... Avvclean.dat
- 2012-11-01 ... 01:40 ....... 489,337 ... Avvnames.dat
- 2012-11-01 ... 01:40 ... 107,382,892 ... Avvscan.dat


And here is 7040 ...
- 2013-04-09 ... 06:40 ....... 749,177 ... Avvclean.dat
- 2013-04-09 ... 06:40 ....... 534,921 ... Avvnames.dat
- 2013-04-09 ... 06:40 ... 103,458,908 ... Avvscan.dat


As described previously, just strip the "AVV" prefix from the default filenames and replace CLEAN.DAT, NAMES.DAT and SCAN.DAT. Note that the SCAN.DAT actually got smaller between the last two versions.

The McAfee scan engines contained in the SDAT package still haven't been changed ...
- 2009-07-31 ... 06:40 ..... 3,182,712 ... Mcscan32.dll
- 2009-07-31 ... 06:40 ..... 4,706,936 ... Mscan64a.dll

... so I updated no other files beyond the three DATs.

As before, it took a long time for McAfee to initialize and load the DATs, approximately 3 minutes at 2.6 GHz ( likewise when I changed directories to test scan some known infected files ). But all went well and McAfee scanned files and folders successfully once again.

Posted Image


See in the screenshot that the main executable McAfee file, VSMAIN.EXE v6.01.2000.1, is dated 2001-11-16. Over 11 years old. :thumbup

P.S. Maybe the OP should change the title to: Windows 9x/Me Security Thread for 2011 ... 2012 ... 2013 ( or just leave off the date! )

... Let him who hath understanding reckon the Number Of The Beast ...


#90
JorgeA

  • OS:Vista Home Premium x64
Both of my Windows 98 systems (one SE, one FE) have Avast! "virus recovery database" dated 4/29/13. :thumbup

--JorgeA

#91
JorgeA

  • OS:Vista Home Premium x64

An update on Avast! 4.8 support for Windows 98 (SE).

 

I just renewed the free one-year license for my 98SE laptop last night and there were zero problems. Then it downloaded the current virus definition files. Good to go for another year. :)

 

--JorgeA



#92
Nomen

  • OS:98SE

An update on Avast! 4.8 support for Windows 98 (SE). I just renewed the free one-year license for my 98SE laptop last night and there were zero problems. Then it downloaded the current virus definition files. Good to go for another year. :) --JorgeA

Now if only there was malware circulating on the internet that actually runs on win-98 without crashing - there would actually be something you need protection from!

#93
JorgeA

  • OS:Vista Home Premium x64

So, in your view, is Win98 actually more secure than current versions of Windows (XP/Vista/7/8)?

 

Note: I'm not trying to start an argument, I'm sincerely interested. I've heard it argued before that Win98 is safer, but am not convinced strongly enough to do without malware protection.

 

How do others feel about it?

 

--JorgeA



#94
jaclaz


How do others feel about it?

Personally, quite comfortable ;).

Come on :), this is one of those topics you cannot touch :w00t: without starting a flame war :ph34r: if you are looking for "popularity" you may want to start a poll, otherwise what you will get will be "anecdotal evidence", about people who are running Windows 9x without any form of antivirus and never got one, but you cannot base yourself on that, as you cannot know how "smart", "knowledgeable" and "attentive" the user is, it is well possible that his/her activities on the PC are "low risk" and that that is the reason for the apparent lack of security failures.

 

jaclaz 



#95
lolnousernameforyou

  • OS:98SE

 

How do others feel about it?

Personally, quite comfortable ;).

Come on :), this is one of those topics you cannot touch :w00t: without starting a flame war :ph34r: if you are looking for "popularity" you may want to start a poll, otherwise what you will get will be "anecdotal evidence", about people who are running Windows 9x without any form of antivirus and never got one, but you cannot base yourself on that, as you cannot know how "smart", "knowledgeable" and "attentive" the user is, it is well possible that his/her activities on the PC are "low risk" and that that is the reason for the apparent lack of security failures.

 

jaclaz 

 

That is absolutely right, really the "true" security of a computer goes down to the user.


Edited by lolnousernameforyou, 20 August 2013 - 10:15 PM.


#96
JorgeA

  • OS:Vista Home Premium x64

All right, let me offer a scenario. Suppose that you have a Windows 98 machine sitting behind a hardware firewall. It also has installed the last version of (say) ZoneAlarm's software firewall that worked on Win98, plus up-to-date definitions for Avast 4.8.

 

Further (and perhaps crucially), let's say that, for the sake of getting as much functionality on the Web as you can for this machine, you're also running on it the last versions of Adobe Flash, Acrobat Reader, and Java that ran on Win98.

 

Lastly, suppose that you use this machine to visit only well-known news websites -- no sites of "dubious" themes, or even entertainment (TV/movies/celebrities) sites.

 

How likely would such a machine be to get infected, relative to a PC that had a current version of Windows and up-to-date applications? I guess that my biggest (though not my only) doubt has to do with the security of those old Flash and Java versions. (Anymore, it's hard to get much done on the Web without both of those.)

 

Let's leave aside the likelihood that many sites that use Flash and Java won't work with these old versions. In our scenario, you're limiting yourself to sites where they do work. How safe is your machine?

 

Curious,

 

--JorgeA



#97
MiKl

  • OS:98SE

All right, let me offer a scenario. Suppose that you have a Windows 98 machine sitting behind a hardware firewall. It also has installed the last version of (say) ZoneAlarm's software firewall that worked on Win98, plus up-to-date definitions for Avast 4.8.

 

Further (and perhaps crucially), let's say that, for the sake of getting as much functionality on the Web as you can for this machine, you're also running on it the last versions of Adobe Flash, Acrobat Reader, and Java that ran on Win98.

 

Well, for the web you should install NoScript (still supported, current version 2.6.7.1) and Adblock Plus (last version 1.3.10, but still useful) in your browser !! (Or similar apps, of course)

I am visiting sometimes doubtful websites ;-) but with these apps running I never had a problem.



#98
lolnousernameforyou

  • OS:98SE

 

Well, for the web you should install NoScript (still supported, current version 2.6.7.1) and Adblock Plus (last version 1.3.10, but still useful) in your browser !! (Or similar apps, of course)

I am visiting sometimes doubtful websites ;-) but with these apps running I never had a problem.

 

The latest versions of Adblock or Adblock Plus work if you're using Opera 12.02 (KernelEx required).



#99
lolnousernameforyou

  • OS:98SE
How do others feel about it?

 

--JorgeA

 


I would still use virus data base since we don't know how a particular program would work on an old computer. (it would most likely fail but I would rather be safe than sorry)



#100
JorgeA

  • OS:Vista Home Premium x64

 

How do others feel about it?

 

--JorgeA

 


I would still use virus data base since we don't know how a particular program would work on an old computer. (it would most likely fail but I would rather be safe than sorry)

 

 

Yeah, that's my sense of it too. But I do wonder -- some people say that Win98 is safe (or safer) because the bad guys aren't writing new malware for it anymore. But that leaves two questions remaining:

  1. What about old malware for Win98 still floating around the 'Net?
  2. What about Win98-compatible versions of Flash Player and Java -- does "modern malware" also work against those old versions? Or does the same principle of "security through obsolescence" apply to Flash and Java?

BTW, thanks to @MiKl re: NoScript. I didn't know that it still works on Win98-era browsers. Amazing! But suppose that you're not using NoScript: is a Win98 system safer, or less safe, or equally safe from those kinds of threats as a modern PC? 

 

--JorgeA


Edited by JorgeA, 21 August 2013 - 04:48 PM.




