MSFN Forum: Windows 9x/Me Security Thread

Windows 9x/Me Security Thread: anti-virus, firewalls, spyware, dos, etc.

#21 loblo

Posted 12 May 2011 - 11:32 AM

wsxedcrfv, on 11 May 2011 - 10:14 PM, said:

Out of curiosity - did you (or can you) take note of any changes to the time or date-stamps on any EXE files on your system? There are some reports that your file time or date will be changed to reflect when the virus infected the file.

Not sure if time stamps had been altered, I didn't check that but I monitor a certain number of files/folder for changes at least once daily using Syslog and Md5Checker so it hadn't been running for too long until I became aware there was a problem.

Quote

Also, do you run a Gnutella client (ie Limewire or other)? That is one of the methods known to spread this virus (but I'm not sure how exactly the virus can be executed without the user's knowledge or direct intention).

I run uTorrent and eMule from time to time but I don't download executables with them and they aren't Gnutella clients anyway AFAIK. Anyway those malware reports that are copy/pasted everywhere are usually a mixture of good info and rubbish IMO.

Quote

You probably downloaded and ran a file that was already infected with Polipos.

That's most probably what happened when I was sorting and running some of the massive number of programs I had downloaded from sites such as leetupload, vxchaos and so on some time ago.

Quote

Most likely the files that were tampered with (infected) will be limited to your /program_files and /windows directories.

Nope, I had files altered by it in various other directories, including some on other drives.
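The daily file-monitoring routine loblo describes (an MD5 check over chosen files and folders), with wsxedcrfv's question about time stamps in mind, as an added example in Python that is not code from this thread or from Md5Checker. It keeps a baseline of SHA-256 hash, size and modification time per file and reports content changes separately from time-stamp changes, so a file that was altered and had its stamp put back is still caught. The temporary tree in demo() is constructed for the demonstration.

```python
"""Hash-based file integrity check (added example, not from the thread)."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, size, mtime_ns) for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = (sha256_of(full), st.st_size, st.st_mtime_ns)
    return baseline


def compare(old, new):
    """Diff two baselines. Each 'modified' entry says whether the mtime moved
    as well; a content change with an unchanged mtime is exactly the case a
    date-stamp check on its own would miss."""
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": [],
    }
    for rel in sorted(set(old) & set(new)):
        o_hash, o_size, o_mtime = old[rel]
        n_hash, n_size, n_mtime = new[rel]
        if o_hash != n_hash:
            report["modified"].append({
                "path": rel,
                "mtime_changed": o_mtime != n_mtime,
                "size_delta": n_size - o_size,
            })
    return report


def demo():
    """Constructed scenario: one file is altered with its time stamp restored,
    one file is added and one is removed. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("app.exe", "readme.txt", "tool.exe")}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(b"MZ original body")
        base = build_baseline(root)

        # Tamper with app.exe, then put the original atime/mtime back.
        st = os.stat(paths["app.exe"])
        with open(paths["app.exe"], "ab") as f:
            f.write(b" tampered bytes")
        os.utime(paths["app.exe"], ns=(st.st_atime_ns, st.st_mtime_ns))

        with open(os.path.join(root, "new.dll"), "wb") as f:
            f.write(b"new file")
        os.remove(paths["readme.txt"])

        return compare(base, build_baseline(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

For real use, write the baseline out (JSON is enough) right after a clean install or a verified restore, and keep that copy somewhere the monitored system cannot rewrite, since a baseline that lives next to the files it describes can be adjusted by the same code that alters them.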


#22 loblo

Posted 12 May 2011 - 12:05 PM

wsxedcrfv, on 11 May 2011 - 10:23 PM, said:

There is a lot of malware that knows how to disable or circumvent any software firewall you may have running.

While this is true, I don't think it means firewalls are useless, as the majority of malware doesn't use firewall circumvention methods, and I selected Jetico as my firewall because it would appear most circumvention methods don't work with it (perhaps not as true today as it was some years ago, since I use version 1, which doesn't get updated anymore).

Quote

I've asked here before if people could post their experiences with windows 98 and software firewalls and give examples of how the software firewall detected a bona-fide (real) instance of malware trying to make an external connection to the internet to download additional malware.

Jetico blocked the gozi trojan from accessing the network to fetch some other files when it was still a zero-day and went undetected by my then real-time antivirus. I then uploaded the file to Jotti for an online scan and it was deemed clean by all scanners. I was still using IE at the time and it ended up on my machine through a javascript/ActiveX exploit.

Quote

I don't believe any such examples were ever posted.

I posted about it under another nickname a few years ago.

#23 Fredledingue

Posted 12 May 2011 - 02:00 PM

No AV, no FireWall, not even Spybot S&D or similar.
No software to protect my computer at all!
It's been years since I stopped using them, and I've never been infected. (It's still possible that a virus came and crashed instantly, but I don't think so.)

However, I disable many things that were designed by Microsoft to allow viruses to penetrate and propagate into a computer:

1/ ActiveX. With the help of Maxthon I disable this, but that can be done in K-Meleon or another w9x compatible browser. The downside is that it disables YouTube and flv videos. So I re-activate it when I really want to watch a video in the YouTube format, and only on very well-known websites and only on the tab and for the session where I want to watch this video.

2/ Javascript. On dangerous or very dangerous websites (I do go to such websites sometimes) I completely disable javascript. While I think that disabling ActiveX is safe enough, disabling Javascript is even better psychologically. I also disable javascript to increase speed.

3/ e-mail HTML. In Outlook Express I read all my e-mail as plain text. No HTML for me in my inbox, even when the message is unreadable. People have to send me pure text if they want an answer.

4/ Windows Media Player. I don't use it because it has features to download and install stuff. This was exploited in the past on various platforms.

5/ Auto Insert Notification. That thing that pops up and runs the virus installed on a CD. Even when there is no virus it's so annoying that you want it disabled.

6/ Spam. My service provider is effective in filtering spam and I have edited good spam filtering rules over the years. And of course suspicious attachments are immediately deleted. But that goes without saying.
When spam is automatically deleted from the server it doesn't even touch your computer. That alone must stop a bunch of viruses IMO.

Probably I forgot other stuff... I don't consider myself as being safe by the use I make of my computer, yet it's been ages since I have seen a virus here.

#24 Steven W

Posted 13 May 2011 - 03:19 PM

Here's something I always thought was overkill, "Registry Protection" programs, like RegistryProt:

http://www.tucows.com/preview/218922

I've found them far more annoying than useful.

#25 AlteredAaron

Posted 13 May 2011 - 04:03 PM

I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations.

So then I had to re-associate all those file extensions with the correct programs. Basically all Eusing did was screw up my computer.

The only registry cleaner I use is the one inside CCleaner.

#26 Multibooter

Posted 13 May 2011 - 05:41 PM

AlteredAaron, on 13 May 2011 - 04:03 PM, said:

I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations... Basically all Eusing did was screw up my computer.

I usually don't try out old little-known Win98 stuff without the recommendation by somebody of authority (like members of msfn.org :) ), unless I am searching for something very specific and after having done some research on my own. In any case, it's good to hear which old can of worms one should definitely not open.

My system is very well backed up, and an opsys restore to the exact state prior to the testing takes me about 10-20 minutes, so if something looks good, I may wind up trying it out.

#27 wsxedcrfv (Guest)

Posted 13 May 2011 - 08:35 PM

loblo, on 12 May 2011 - 12:05 PM, said:

Jetico blocked the gozi trojan from accessing the network for fetching some other files when it was still a zero-day and went undetected by my then real time antivirus.

According to this: http://www.securewor...h/threats/gozi/ the exploit that was used to transfer gozi to your computer used a hidden iframe containing "JavaScript code using XMLHTTP and ADODB (ActiveX Data Objects) functions to download and run an EXE file which was hosted on the same server". This likely happened no earlier than December 2006, and more likely during the first half of 2007.

I think that for gozi to infect a system, the system must have the MS04-025 (Navigation Method Cross-Domain) vulnerability. This would have been patched as part of an IE 5.5 or IE6 cumulative update for various versions of Windows (including win-98 I believe). You would also have to be using IE for your browser and would have browsed to one of an estimated 2000 hijacked servers that were serving up the hidden iFrame containing the Javascript exploit code. And I'm really not convinced that the gozi infector or loader would have successfully launched itself and operated properly if it found itself on a win-9x system in the first place.

Would you by chance have been running a dual-boot win-98/XP system back during the first half of 2007?

#28 loblo

Posted 13 May 2011 - 10:15 PM

As I've said I got Gozi on my machine through an Internet Explorer javascript/activeX exploit and the details you copy/pasted about it are most certainly correct.

I got infected at the beginning of February 2007 I believe and FWIW I also believe I have been the first person in the world to post about it in forums and from what I had been told by phone afterwards by a guy claiming to be an IT security journalist who first contacted me about it by PM, the gozi virus was already known by major software security companies but none had published anything about it or had any signatures for it yet.

And no I wasn't running a dual boot system, only Windows ME and, as I have already said, even if you don't believe it for whatever reason, Jetico successfully blocked a first executable from downloading another one, which means it was actually running without crashing on my machine.

I also got infected by a rootkit once, it was nearly undetectable, invisible file, invisible process and invisible registry startup key. Yes there are rootkits for Win 9x as well... :w00t:

This post has been edited by loblo: 13 May 2011 - 10:20 PM


#29 Foxbat

Posted 14 May 2011 - 02:49 AM

AlteredAaron, on 13 May 2011 - 04:03 PM, said:

I tried using Eusing Free Registry Cleaner and all it did was delete a bunch of "un-used" file extensions like .zip, .bmp, .jpg and other important file associations.

So then I had to re-associate all those file extensions with the correct programs. Basically all Eusing did was screw up my computer.

The only registry cleaner I use is the one inside CCleaner.

All registry cleaners should be used with caution. CCleaner isn't foolproof either, as it listed registry entries that I know are in use. They should be used as a guide while manually cleaning the registry. Since it's really tedious to often check every nook and cranny of the registry by hand, I find that these can aid in that area. Always review what they've found first before allowing them to delete any entry, and always back up before committing the removal. I personally use Eusing Free Registry Cleaner as part of my registry cleaning toolkit, along with a few others (a second or third or fourth opinion is always nice), and it has been working fine for me.

One thing I never liked about registry cleaners is the way they often refer to the detected entries, "215 errors found"... issues/problems/etc. It should be more like "215 possible unused entries, remove only if you are sure of what you're doing." And beware of registry cleaners that detect an exorbitant number of entries, "2154 errors found." :rolleyes: Why not just flag the entire hive while you're at it?

#30 loblo

Posted 14 May 2011 - 03:08 AM

Foxbat, on 14 May 2011 - 02:49 AM, said:

And beware of registry cleaners that detect an exorbitant number of entries, "2154 errors found." :rolleyes:

I am not sure you really know what you are talking about... :rolleyes:

#31 Foxbat

Posted 15 May 2011 - 12:52 AM

loblo, on 14 May 2011 - 03:08 AM, said:

I am not sure you really know what you are talking about... :rolleyes:

I admit I was exaggerating for effect. I experimented with many registry cleaners, and some detect significantly more "errors" than others by a wide margin, a very wide margin. Unfortunately, inexperienced users can be fooled by those inflated numbers, thinking that certain cleaners are more thorough, when they're really increasing the chances of a corrupt registry.

#32 Foxbat

Posted 15 May 2011 - 03:13 AM

With most support for Win 9x antivirus and antimalware programs coming to an end, I try to keep an eye on some that are still supported.

Kaspersky 6.0.2.621 virus definitions will be provided until October 2012.
Avast 4.8.1335 virus definitions will be provided until May 2012.
Eset NOD32 2.70.39 virus definitions will be provided until February 2012.
AVG 7.5.557 support has officially ended. Their definitions continue to work, but compatibility could end at any time.
Spybot 1.6.2 is currently supported, but with Beta 2.0 available and quite overdue, it could end soon.
SpywareBlaster 4.4 is currently supported. No sign of when that may end.

2012 is the magic year. Like Multibooter, I suggest downloading and archiving definitions while we still can so at the very least we'll have the most recent version that can still be used years from now when all support has finally ceased.

Edited for clarity

This post has been edited by Foxbat: 16 May 2011 - 10:01 PM


#33 wsxedcrfv (Guest)

Posted 15 May 2011 - 07:18 AM

Foxbat, on 15 May 2011 - 03:13 AM, said:

With most support for Win 9x antivirus and antimalware programs coming to an end, I try to keep an eye on some that are still supported.

Norton Anti-Virus 2002 can still be updated by downloading the (free) Symantec Intelligent Updater package.

If you once had NAV 2002 on your system, or if you've uninstalled it completely (including deleting the file catalog.livesubscribe) then you can re-install it and it will accept new virus definition updates (from the intelligent updater package) for a year.

#34 submix8c

Posted 15 May 2011 - 12:47 PM

wsxedcrfv, on 15 May 2011 - 07:18 AM, said:

If you once had NAV 2002 on your system, or if you've uninstalled it completely (including deleting the file catalog.livesubscribe) then you can re-install it and it will accept new virus definition updates (from the intelligent updater package) for a year.

You are aware that there's a "cleanwipe" program made by Symantec to clean remnants of any NAV/NIS in preparation for SEP? I haven't tested it with NAV2002 but it works fine with later versions.

On topic, there's already a topic on firewalls. I had recommended Outpost (see post #33 and #40 for links and info).

#35 wsxedcrfv (Guest)

Posted 16 May 2011 - 07:10 AM

submix8c, on 15 May 2011 - 12:47 PM, said:

You are aware that there's a "cleanwipe" program made by Symantec to clean remnants of any NAV/NIS in preparation for SEP? I haven't tested it with NAV2002 but it works fine with later versions.

NAV 2002 doesn't really require special utilities to uninstall or remove it from your system (it's not that complicated or invasive in that regard). But I agree that later versions do require such utilities. But even then I doubt that the file "catalog.livesubscribe" gets removed by any method - you normally have to remove that manually. Unless you remove that file, you can't re-install NAV such that you reset the 1-year virus-definition update clock.

#36 Prozactive

Posted 16 May 2011 - 09:30 AM

Foxbat, on 15 May 2011 - 03:13 AM, said:

Avast 4.8.1335 will be supported until May 2012.


Thanks. I was wondering when Avast! was going to discontinue support for Win9x as it was originally supposed to end last year. Just curious, where did you find that information?

I'm kinda surprised herbalist hasn't joined the discussion but this topic gets periodically rehashed over and over. It's too bad there isn't some good way to consolidate all of the information.

#37 dencorso

Posted 16 May 2011 - 09:58 AM

Of course there is a way... I can consolidate the previous threads into one. But that would create a huge thread.
So I don't know for sure whether it's such a good idea. Do please post a list of previous threads you think would fit in.
Then we can decide what's the best course to adopt.

#38 Steven W

Posted 16 May 2011 - 04:24 PM

I inadvertently ran across this while looking for other programs:

https://addons.mozil...s-link-checker/

It's a Firefox extension that

Quote

allows you to check any file you are about to download, any page you are about to visit with online version of Dr.Web anti-virus...


Says it works with Firefox versions 1 - 4.

#39 Foxbat

Posted 16 May 2011 - 09:52 PM

Prozactive, on 16 May 2011 - 09:30 AM, said:

Foxbat, on 15 May 2011 - 03:13 AM, said:

Avast 4.8.1335 will be supported until May 2012.

Thanks. I was wondering when Avast! was going to discontinue support for Win9x as it was originally supposed to end last year. Just curious, where did you find that information?

Yes, Win 9x support ended at the end of 2009. I was referring to the support of virus definitions. I'll fix my post to reflect that.

#40 CharlotteTheHarlot

Posted 17 May 2011 - 03:11 AM

Well, this thread gave me an excuse to tie up an old loose-end, to see if my old McAfee v6 scanner is still working on Win9x with the latest DATs. I haven't tried this in quite a while since I have other computers configured for AV security functions, mostly WinXP which crashes less and is quicker to recover from a BSOD.

First, I should mention that I never allow these things to auto-update or even to update DATs; I was never interested in realtime protection or letting them automatically update engines or DATs. Instead, I always backed up the previous working DATs, then manually extracted the *latest* available DATs and placed the files where they belong. This allows me to fall back to the previous set in the case of a McAfee screwup.

Secondly, and more importantly, this McAfee installation had been highly tamed. Every part unrelated to ON-DEMAND scanning was removed. There was a ton of registry editing, killing all autostart entries and drivers, removing 99% of the MSI Windows Installer references, associations and hooks. Essentially it has been neutered so that it never ran unless I right-clicked a folder and selected the McAfee shell/folder registry entry I made.

The executable McAfee file is VSMAIN.EXE and shows v6.01.2000.1 dated: 2001-11-16.

The two McAfee FTP sites I located are:
ftp://ftp.mcafee.com...superdat/intel/
ftp://ftp.mcafee.com...tfiles/english/


Giving me three total files to download:
ftp://ftp.mcafee.com...avvdat-6346.tar
ftp://ftp.mcafee.com...el/sdat6346.exe
ftp://ftp.mcafee.com...el/6346xdat.exe


Man, they are really getting very large these days:
- 111,632,528 . 05-15-11 . 2:03a 6346xdat.exe <------- use /e to extract
- 109,750,272 . 05-15-11 . 2:05a Avvdat-6346.tar <---- just use WinZip
- 117,434,304 . 05-15-11 . 2:05a Sdat6346.exe <------- use /e to extract


Here they are extracted into folders. Note, all the extra hyphens or dots are to keep the columns aligned. The style sheet for this forum software insists on collapsing multiple spaces into one, there seems to be no way to imply the <PRE> tag.

;----------- Avvdat-6346(.tar)
..... 569,961 . 05-14-11 . 1:40a Avvclean.dat
..... 423,049 . 05-14-11 . 1:40a Avvnames.dat
. 108,744,302 . 05-14-11 . 1:40a Avvscan.dat
....... 8,689 . 05-14-11 . 1:40a Legal.txt


;----------- 6346xdat(.exe)
..... 569,961 . 05-14-11 . 6:40a Avvclean.dat <=== IDENTICAL to Avvdat-6346.tar
..... 423,049 . 05-14-11 . 6:40a Avvnames.dat <=== IDENTICAL to Avvdat-6346.tar
. 108,744,302 . 05-14-11 . 6:40a Avvscan.dat <==== IDENTICAL to Avvdat-6346.tar
......... 783 . 05-14-11 . 3:50a Globals.nsg
..... 157,696 . 05-14-11 . 3:50a Gsdsuper.dll
...... 34,644 . 05-14-11 .12:07p Naiscrip.nsc
......... 401 . 05-14-11 . 3:50a Sdatpack.lst


;----------- Sdat6346(.exe)
..... 569,961 . 05-14-11 . 6:40a Avvclean.dat <=== IDENTICAL to Avvdat-6346.tar
..... 423,049 . 05-14-11 . 6:40a Avvnames.dat <=== IDENTICAL to Avvdat-6346.tar
. 108,744,302 . 05-14-11 . 6:40a Avvscan.dat <==== IDENTICAL to Avvdat-6346.tar
....... 5,644 . 07-31-09 . 6:40a Config.dat
......... 783 . 05-14-11 . 3:50a Globals.nsg
..... 157,696 . 05-14-11 . 3:50a Gsdsuper.dll
..... 159,744 . 07-31-09 . 6:40a Mcprodinfo.exe
... 3,182,712 . 07-31-09 . 6:40a Mcscan32.dll ... (engine) IDENTICAL to existing
... 4,706,936 . 07-31-09 . 6:40a Mscan64a.dll
...... 93,794 . 05-14-11 .12:07p Naiscrip.nsc
......... 562 . 05-14-11 . 3:50a Sdatpack.lst
....... 7,842 . 07-31-09 . 6:40a Signlic.txt
....... 5,644 . 07-31-09 . 6:40a __X64_Config.dat
....... 7,842 . 07-31-09 . 6:40a __X64_Signlic.txt
....... 1,056 . 07-31-09 . 6:40a __X64_License.dat


So it looks like you only need to download that one TAR file to get the current DATs, the pertinent files are identical, the superfluous files are unnecessary.

First I determined that the target location for the DATs and Engine is in here:
<YourPath>\McAfee\Network Associates\Virusscan Engine\4.0.xx

Then I compared the Mcscan32.dll from Sdat6346.exe against the existing old one and they are still identical. Cool!

So I grabbed the three DAT files and realized that they are using new names these days with 'AVV' prepended, so first I had to rename them ...

..... 569,961 . 05-14-11 . 1:40a Avvclean.dat RENAME TO: Clean.dat
..... 423,049 . 05-14-11 . 1:40a Avvnames.dat RENAME TO: Names.dat
. 108,744,302 . 05-14-11 . 1:40a Avvscan.dat .RENAME TO: Scan.dat


Then off they go into the above-mentioned folder.

Ok, fire up McAfee v6 by right-clicking a test folder. Note, this step from click to the McAfee GUI took a loooonnnng time, at least 5 minutes! Whatever.

Finally ... "Security Status" page shows this ...
Virus Definitions: 4.0.6346
Created On: 05/14/2011


Bingo! They were recognized. I let it scan the folder (fast as ever). Success, on this ten-year-old engine!

Hope this is good news for somebody.
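The manual DAT refresh CharlotteTheHarlot walks through above (pull the three DAT files out of the tar, confirm they match the copies in the other packages, rename Avv*.dat to the old Clean/Names/Scan.dat names, keep the previous set for fallback, drop the new set into the engine folder), as an added Python example that is not code from this thread or from McAfee. The rename mapping is the one given in the post; the engine folder, the package names and the tiny tar built by build_sample_tar() are constructed stand-ins for the demonstration.

```python
"""Stage renamed DAT files into an engine folder with a rollback copy
(added example, not from the thread or from McAfee)."""
import hashlib
import io
import os
import shutil
import tarfile
import tempfile

# Rename mapping from the post: new-style name -> name the v6 engine expects.
RENAME_MAP = {"Avvclean.dat": "Clean.dat",
              "Avvnames.dat": "Names.dat",
              "Avvscan.dat": "Scan.dat"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def extract_dats(tar_path, dest):
    """Copy only the three DAT members out of the archive, writing each under
    dest by its basename, so a member path inside the tar can never land
    outside dest. Returns {new-style name: extracted path}."""
    found = {}
    with tarfile.open(tar_path) as tf:
        for member in tf.getmembers():
            base = os.path.basename(member.name).lower()
            key = next((k for k in RENAME_MAP if k.lower() == base), None)
            if key is None or not member.isfile():
                continue
            out = os.path.join(dest, key)
            with tf.extractfile(member) as src, open(out, "wb") as dst:
                shutil.copyfileobj(src, dst)
            found[key] = out
    missing = sorted(set(RENAME_MAP) - set(found))
    if missing:
        raise FileNotFoundError("archive lacks DAT files: " + ", ".join(missing))
    return found


def packages_identical(extracted_sets):
    """True when each DAT file hashes the same in every extracted set (the
    post's observation that the tar, xdat and sdat packages carry identical DATs)."""
    return all(len({sha256_of(s[k]) for s in extracted_sets}) == 1 for k in RENAME_MAP)


def install_dats(extracted, engine_dir, backup_dir):
    """Back up whatever Clean/Names/Scan.dat is in place, then copy the new
    files in under the legacy names. Returns the legacy names written."""
    os.makedirs(engine_dir, exist_ok=True)
    os.makedirs(backup_dir, exist_ok=True)
    written = []
    for new_name, legacy in RENAME_MAP.items():
        target = os.path.join(engine_dir, legacy)
        if os.path.exists(target):
            shutil.copy2(target, os.path.join(backup_dir, legacy))
        shutil.copy2(extracted[new_name], target)
        written.append(legacy)
    return written


def rollback(engine_dir, backup_dir):
    """Put the backed-up set back: the fallback the post keeps for a bad DAT."""
    restored = []
    for legacy in RENAME_MAP.values():
        saved = os.path.join(backup_dir, legacy)
        if os.path.exists(saved):
            shutil.copy2(saved, os.path.join(engine_dir, legacy))
            restored.append(legacy)
    return restored


def build_sample_tar(path, bodies):
    """Constructed stand-in for Avvdat-NNNN.tar with tiny fake members."""
    with tarfile.open(path, "w") as tf:
        for name, body in bodies.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))


def demo():
    """Run the whole flow in a temp dir and return facts the caller can check."""
    bodies = {"Avvclean.dat": b"clean-v2", "Avvnames.dat": b"names-v2",
              "Avvscan.dat": b"scan-v2", "Legal.txt": b"legal"}
    with tempfile.TemporaryDirectory() as tmp:
        tar_a, tar_b = os.path.join(tmp, "Avvdat-6346.tar"), os.path.join(tmp, "second.tar")
        build_sample_tar(tar_a, bodies)
        build_sample_tar(tar_b, bodies)          # constructed second package
        dir_a, dir_b = os.path.join(tmp, "a"), os.path.join(tmp, "b")
        os.makedirs(dir_a)
        os.makedirs(dir_b)
        set_a, set_b = extract_dats(tar_a, dir_a), extract_dats(tar_b, dir_b)
        identical = packages_identical([set_a, set_b])
        engine = os.path.join(tmp, "Virusscan Engine")   # stand-in for the engine folder
        backup = os.path.join(tmp, "dat-backup")
        os.makedirs(engine)
        with open(os.path.join(engine, "Scan.dat"), "wb") as f:
            f.write(b"scan-v1")                  # old definitions already in place
        written = install_dats(set_a, engine, backup)
        with open(os.path.join(engine, "Scan.dat"), "rb") as f:
            after_install = f.read()
        restored = rollback(engine, backup)
        with open(os.path.join(engine, "Scan.dat"), "rb") as f:
            after_rollback = f.read()
        return {"identical": identical, "written": written, "restored": restored,
                "after_install": after_install, "after_rollback": after_rollback}


if __name__ == "__main__":
    print(demo())
```

The extraction deliberately ignores the paths stored inside the archive and writes by basename; a definition package downloaded over plain FTP is exactly the kind of input where an archive member named with a `..` path should not be allowed to decide where it is written.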

All trademarks mentioned on this page are the property of their respective owners
Copyright © 2001 - 2013 msfn.org