
anti virus pgm for win98se, 64meg 200mHz system?

Last response: in Windows 95/98/ME
Anonymous
May 6, 2005 3:31:53 AM

Archived from groups: microsoft.public.win98.gen_discussion

Can anyone recommend a good (free) anti virus program suitable for a P-200,
64meg, win98se system? I tried AVG but it caused "Kernel protection fault"
error at reboot. I also tried AntiVir but it caused a system freeze during
the "system" scan when the program loads. I finished a Panda Active online
scan and it took 3 hrs and 30 minutes to scan about 4 gig of files (on 8gig
of hdd space). Panda detected 380 files and disinfected them all. But the
system really needs a good anti virus program that is monitoring any more
infections on an ongoing basis.
Anonymous
May 6, 2005 4:07:44 AM

Archived from groups: microsoft.public.win98.gen_discussion

Hi Ogg,

See if Avast works out alright on your system:
http://www.avast.com/eng/avast_4_home.html



Regards,

--
Patti MacLeod
Microsoft MVP - Windows Shell/User

"Ogg" <sorry-nopam-wanted@anywhere.com> wrote in message
news:uyBee.9483$VL3.717881@news20.bellglobal.com...
> Can anyone recommend a good (free) anti virus program suitable for a P-200,
> 64meg, win98se system? I tried AVG but it caused "Kernel protection fault"
> error at reboot. I also tried AntiVir but it caused a system freeze during
> the "system" scan when the program loads. I finished a Panda Active online
> scan and it took 3 hrs and 30 minutes to scan about 4 gig of files (on 8gig
> of hdd space). Panda detected 380 files and disinfected them all. But the
> system really needs a good anti virus program that is monitoring any more
> infections on an ongoing basis.
Anonymous
May 6, 2005 5:50:39 AM

Archived from groups: microsoft.public.win98.gen_discussion

"kernel error" in avg installs is often a result of one or more windows
files being already bombed by virus when the install is trying to take
place, ditto anti vir.
try running the panda scan, include the spyware option, then while the
system is clean Windows update and avg or antivir install

just threw windows update in there for the hell of it

--
Adaware http://www.lavasoft.de
spybot http://security.kolla.de
AVG free antivirus http://www.grisoft.com
Etrust/Vet/CA.online Antivirus scan
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Panda online AntiVirus scan http://www.pandasoftware.com/ActiveScan/
Catalog of removal tools (1)
http://www.pandasoftware.com/download/utilities/
Catalog of removal tools (2)
http://www3.ca.com/securityadvisor/newsinfo/collateral....
Blocking Unwanted Parasites with a Hosts file
http://mvps.org/winhelp2002/hosts.htm
links provided as a courtesy, read all instructions on the pages before use

Grateful thanks to the authors and webmasters
_
"Ogg" <sorry-nopam-wanted@anywhere.com> wrote in message
news:uyBee.9483$VL3.717881@news20.bellglobal.com...
> Can anyone recommend a good (free) anti virus program suitable for a P-200,
> 64meg, win98se system? I tried AVG but it caused "Kernel protection fault"
> error at reboot. I also tried AntiVir but it caused a system freeze during
> the "system" scan when the program loads. I finished a Panda Active online
> scan and it took 3 hrs and 30 minutes to scan about 4 gig of files (on 8gig
> of hdd space). Panda detected 380 files and disinfected them all. But the
> system really needs a good anti virus program that is monitoring any more
> infections on an ongoing basis.
Anonymous
May 6, 2005 10:59:29 AM

Archived from groups: microsoft.public.win98.gen_discussion

From: "Ogg" <sorry-nopam-wanted@anywhere.com>

| Can anyone recommend a good (free) anti virus program suitable for a P-200,
| 64meg, win98se system? I tried AVG but it caused "Kernel protection fault"
| error at reboot. I also tried AntiVir but it caused a system freeze during
| the "system" scan when the program loads. I finished a Panda Active online
| scan and it took 3 hrs and 30 minutes to scan about 4 gig of files (on 8gig
| of hdd space). Panda detected 380 files and disinfected them all. But the
| system really needs a good anti virus program that is monitoring any more
| infections on an ongoing basis.
|

If you are going to continue to use a P1 200Mhz computer, which is a dog in Today's
standards, you should increase the RAM to between 256 and 384MB. 64MB is a ridiculously low
amount of RAM especially at Today's prices !

You said "Panda detected 380 files and disinfected them all." -- Do you realize how bad that
is ?

I suggest you do some more scanning !

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

1) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


2) Download and install Ad-aware SE
(free personal version v1.05)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions and then exit the software.

3) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close


Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
when you get to the menu exit the utility so you can boot into Safe Mode.

4) Reboot your PC into Safe Mode and shutdown as many applications as possible.

5) Execute; c:\sysclean\sysclean.com
Let SYSCLEAN.COM scan your computer.
when done, execute Ad-aware SE and perform a full scan of your PC and delete
all objects found.

6) Restart your PC and perform a "final" Full Scan of your platform
Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
This time, choose to execute SYSCLEAN.COM from the menu.
when done, execute Ad-aware SE and perform a final scan of your PC and delete
all objects found.



* * * Please report back your results * * *

Then install one of the below...

AVAST -
http://www.avast.com/i_idt_1016.html - FREE

AntiVir -
http://www.free-av.com/ - FREE

AVG -
http://free.grisoft.com/freeweb.php/doc/2/lng/us/tpl/v5 - FREE

CA eTrust -
http://www.my-etrust.com/microsoft/index.cfm - FREE for one year.
{ Free offer ends 8/1/05 }


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
May 6, 2005 3:08:09 PM

Archived from groups: microsoft.public.win98.gen_discussion

Thank you for the tip about "kernel error" behaviour. I'll give AntiVir
another shot at the install.


"AlmostBob" <anonymous1@discussions.microsoft.com> wrote in message
news:uAHFocfUFHA.3716@TK2MSFTNGP12.phx.gbl...
> "kernel error" in avg installs is often a result of one or more windows
> files being already bombed by virus when the install is trying to take
> place, ditto anti vir.
> try running the panda scan, include the spyware option, then while the
> system is clean Windows update and avg or antivir install
>
> just threw windows update in there for the hell of it
>
Anonymous
May 6, 2005 3:25:48 PM

Archived from groups: microsoft.public.win98.gen_discussion

The idea is to replace the P1-200 soon, but perhaps not for another 6
months. I too realize that 64meg is awfully low. Meanwhile, I looked
inside and noticed that the ram is right under the power supply. :(
That's annoying. The PS would need to be removed in order to "play" with the
ram. Annoying. I've investigated some more particulars about his mobo
(Aptiva model 2137 E25) and the specs across all the Exx models seem to call
for EDO type. :( I am not impressed. Time and expense does not warrant
supporting upgrading this particular unit. Getting another machine makes
more sense.

Meanwhile... I'll do the other file-clean suggestions you made. Thanks for
that. I forgot about the temporary dirs and cache. And.. I'll retry an
AntiVir install.

I have to look for a clean version of NOTEPAD.EXE and HH.EXE replacement
(somewhere in the cabs, right?) ..since the first run of Stinger nuked
those.


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:o 5GPuqiUFHA.628@tk2msftngp13.phx.gbl...

> If you are going to continue to use a P1 200Mhz computer, which is a dog in Today's
> standards, you should increase the RAM to between 256 and 384MB. 64MB is a ridiculously low
> amount of RAM especially at Today's prices !
>
> You said "Panda detected 380 files and disinfected them all." -- Do you realize how bad that
> is ?
>
> I suggest you do some more scanning !
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
> 1) Download the TrendMicro Sysclean Front End
>
> Download the utility SYSCLEAN_FE at the following URL --
> http://www.ik-cs.com/got-a-virus.htm
> SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
> Direct URL --
> http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
>
>
> 2) Download and install Ad-aware SE
> (free personal version v1.05)
> http://www.lavasoftusa.com/
> Update Ad-aware with the latest definitions and then exit the software.
>
> 3) Execute; SYSCLEAN_FE.EXE
> Choose; Unzip
> Choose; Close
>
>
> Execute; c:\sysclean\SYSCLEAN_FE.BAT
> { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> when you get to the menu exit the utility so you can boot into Safe Mode.
>
> 4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
>
> 5) Execute; c:\sysclean\sysclean.com
> Let SYCLEAN.COM scan your computer.
> when done, execute Ad-aware SE and perform a full scan of your PC and delete
> all objects found.
>
> 6) Restart your PC and perform a "final" Full Scan of your platform
> Execute; c:\sysclean\SYSCLEAN_FE.BAT
> { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
> This time, choose to execute SYSCLEAN.COM from the menu.
> when done, execute Ad-aware SE and perform a final scan of your PC and delete
> all objects found.
>
>
>
> * * * Please report back your results * * *
Anonymous
May 6, 2005 3:34:33 PM

Archived from groups: microsoft.public.win98.gen_discussion

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:o 5GPuqiUFHA.628@tk2msftngp13.phx.gbl:

>
> If you are going to continue to use a P1 200Mhz computer, which is a
> dog in Today's standards, you should increase the RAM to between 256
> and 384MB. 64MB is a ridiculously low amount of RAM especially at
> Today's prices !
>
>

Most P1 chipsets cannot cache more than 64 MB. Which means that the system
will be slower when you put in more memory, unless you're using programs
which use more than 64 MB at once. That would be large photo editing or
something like that.

EDO ram is not cheap today.
Anonymous
May 6, 2005 3:34:34 PM

Archived from groups: microsoft.public.win98.gen_discussion

From: "Ingeborg" <a@b.invalid>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:o 5GPuqiUFHA.628@tk2msftngp13.phx.gbl:
|
>> If you are going to continue to use a P1 200Mhz computer, which is a
>> dog in Today's standards, you should increase the RAM to between 256
>> and 384MB. 64MB is a ridiculously low amount of RAM especially at
>> Today's prices !
>>
| Most P1 chipsets cannot cache more than 64 MB. Which means that the system
| will be slower when you put in more memory, unless you're using programs
| which use more than 64 MB at once. That would be large photo editing or
| something like that.
|
| EDO ram is not cheap today.

Not most, a few Intel chip-sets.
And even the EDO RAM is cheaper than it was when that platform first came out.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
May 6, 2005 3:34:34 PM

Archived from groups: microsoft.public.win98.gen_discussion

The P1-200 is actually an Aptiva E25 (mobo 2137). Do you know if this one
has the cache limitation?


"Ingeborg" <a@b.invalid> wrote in message
news:Xns964E8A1BAF1Dabinvalid@216.168.3.44...

> Most P1 chipsets cannot cache more than 64 MB. Which means that the system
> will be slower when you put in more memory, unless you're using programs
> which use more than 64 MB at once. That would be large photo editing or
> something like that.
>
> EDO ram is not cheap today.
Anonymous
May 6, 2005 3:34:35 PM

Archived from groups: microsoft.public.win98.gen_discussion

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23JRDRSjUFHA.2136@TK2MSFTNGP10.phx.gbl...
> From: "Ingeborg" <a@b.invalid>
>
> | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
> | news:o 5GPuqiUFHA.628@tk2msftngp13.phx.gbl:
> |
> >> If you are going to continue to use a P1 200Mhz computer, which is a
> >> dog in Today's standards, you should increase the RAM to between 256
> >> and 384MB. 64MB is a ridiculously low amount of RAM especially at
> >> Today's prices !
> >>
> | Most P1 chipsets cannot cache more than 64 MB. Which means that the system
> | will be slower when you put in more memory, unless you're using programs
> | which use more than 64 MB at once. That would be large photo editing or
> | something like that.
> |
> | EDO ram is not cheap today.
>
> Not most, a few Intel chip-sets.
> And even the EDO RAM is cheaper than it was when that platform first came out.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Agreed, the 64MB caching limit was a rarity. There may be MB capacity limit
on each SIMM socket. If it's built-in, soldered RAM, and adding RAM to SIMM
slots, it may get hairy but doable. Crucial is pretty good at offering only
what will work for a particular model motherboard. EDO may not be what's
needed, but may work.
Anonymous
May 6, 2005 7:09:00 PM

Archived from groups: microsoft.public.win98.gen_discussion

>
> I have to look for a clean version of NOTEPAD.EXE and HH.EXE replacement
> (somewhere in the cabs, right?) ..since the first run off Stinger nuked
> those.
>
That's the only thing the SFC utility is good for
Start
run
sfc
extract one file from distribution disk

follow the prompts and point the browse function at the folder containing
the .cab files and it will do the extraction
DO NOT USE THE CHECK FUNCTION OF SFC, it doesn't work right unless every time
software or windows updates were ever installed the version database was
also updated within sfc. else there will be hundreds new system files
replaced with older versions
instant FUBAR
DLL hell
and the pc wets itself and dies a painful death
Anonymous
May 6, 2005 10:28:05 PM

Archived from groups: microsoft.public.win98.gen_discussion

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in messag..

> You said "Panda detected 380 files and disinfected them all." -- Do you realize how bad that
> is ?
>
> I suggest you do some more scanning !
> * * * Please report back your results * * *

I'm back, ..but the Win98 system isn't! :(  I decided to download the
Trend Micro SysClean. All started fine. I selected the Manual
Clean/Delete/Leave alone option for the scan. It discovered PE_DUPATOR.1503
in memory and started revealing the same virus in many .EXE files. Even
some .SYS and .DLL's were infected. The C)lean option worked for everything
until it reached a detection in KERNEL32.DLL. I selected C)lean but it
reported unable to. Then Sysclean proceeded to the D drive. All seemed to
go well until Windows reported a "Syslean performed an illegal operation.
The program will now close." Fine.. I needed to reboot to get rid of the
PE_DUPATOR.1503 from memory anyway, right? At reboot, I got "Explorer
performed an illegal operation" ...and further bootup was impossible.

Thankfully, the Win98 setup files are all in the CABs on the hdd. I am in
the process of reinstalling from scratch.

:( (((

This pe_dupator.1503 is one slick puppy.
Anonymous
May 6, 2005 11:10:42 PM

Archived from groups: microsoft.public.win98.gen_discussion

From: "Ogg" <sorry-nopam-wanted@anywhere.com>

|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in messag..
|
>> You said "Panda detected 380 files and disinfected them all." -- Do you realize how bad that
>> is ?
>>
>> I suggest you do some more scanning !
>> * * * Please report back your results * * *
|
| I'm back, ..but the Win98 system isn't! :(  I decided to download the
| Trend Micro SysClean. All started fine. I selected the Manual
| Clean/Delete/Leave alone option for the scan. It discovered PE_DUPATOR.1503
| in memory and started revealing the same virus in many .EXE files. Even
| some .SYS and .DLL's were infected. The C)lean option worked for everything
| until it reached a detection in KERNEL32.DLL. I selected C)lean but it
| reported unable to. Then Sysclean proceeded to the D drive. All seemed to
| go well until Windows reported a "Syslean performed an illegal operation.
| The program will now close." Fine.. I needed to reboot to get rid of the
| PE_DUPATOR.1503 from memory anyway, right? At reboot, I got "Explorer
| performed an illegal operation" ...and further bootup was impossible.
|
| Thankfully, the Win98 setup files are all in the CABs on the hdd. I am in
| the process of reinstalling from scratch.
|
| :( (((
|
| This pe_dupator.1503 is one slick puppy.
|

I am sorry to hear that you were hit with a TRUE virus (not a Trojan). But proactive
mitigation of infectors, especially viruses, is very important.

Details:
Kernel32.dll Infection

When an infected file is executed, this virus infects the Kernel32.dll file. It patches the
export table of Kernel32.dll such that the function GetFileAttributesA points to its virus
code.

Since Kernel32.dll is always loaded, this virus is able to load every time Windows starts
and then stay memory resident.

This virus has been around since 1999/2000. The questions that come up are...

How long have you been infected ?
Have you spread the infection (infects SYS, EXE and SCR files) to others ?
Are there infected files (DLL, SYS, EXE and/or SCR) residing on alternate media ?

If you have files that are DLL, SYS, EXE and/or SCR on other media it would be a good idea
to scan the alternate media after the Win98 OS has been reinstalled/repaired. You have to
take appropriate action to prevent re-infection.

pe_dupator.1503 --
http://www.trendmicro.com/vinfo/virusencyclo/default5.a...

W32/Dupator -- http://vil.nai.com/vil/content/v_99800.htm

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
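
The export-table redirection described in the post above can be looked for offline by parsing a copy of the DLL and checking where each exported function's address lands. This is an added example, not code from the thread or from any tool named in it: the sample image is constructed, and the heuristic (flag exports that resolve outside the section holding most exports, or into a writable section) is an assumption about where patched-in code ends up, not something the thread states.

```python
import struct
from collections import Counter

MEM_WRITE = 0x80000000  # IMAGE_SCN_MEM_WRITE section flag

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]

def parse_sections(pe):
    """Return (optional-header offset, [(name, rva, size, file_off, flags)])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = _u32(pe, 0x3C)                      # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = nt + 24                            # signature (4) + COFF header (20)
    if _u16(pe, opt) != 0x10B:
        raise ValueError("only PE32 images are handled here")
    table = opt + _u16(pe, nt + 20)          # skip SizeOfOptionalHeader bytes
    secs = []
    for i in range(_u16(pe, nt + 6)):        # NumberOfSections
        s = table + 40 * i
        name = pe[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, rsize, foff = struct.unpack_from("<4I", pe, s + 8)
        secs.append((name, rva, max(vsize, rsize), foff, _u32(pe, s + 36)))
    return opt, secs

def find_redirected_exports(pe):
    """List (name, rva, section) for exports that look redirected."""
    opt, secs = parse_sections(pe)

    def section_of(rva):
        for sec in secs:
            if sec[1] <= rva < sec[1] + sec[2]:
                return sec
        return None

    def off(rva):                            # RVA -> file offset
        sec = section_of(rva)
        if sec is None:
            raise ValueError("RVA 0x%x maps to no section" % rva)
        return sec[3] + rva - sec[1]

    exp_rva, exp_size = struct.unpack_from("<2I", pe, opt + 96)  # data directory 0
    if exp_rva == 0:
        return []
    ed = off(exp_rva)
    n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<5I", pe, ed + 20)
    names = {}                               # function-table index -> export name
    for i in range(n_names):
        s = off(_u32(pe, off(names_rva) + 4 * i))
        names[_u16(pe, off(ords_rva) + 2 * i)] = pe[s:pe.index(b"\0", s)].decode("ascii", "replace")
    entries = []
    for i in range(n_funcs):
        rva = _u32(pe, off(funcs_rva) + 4 * i)
        if rva == 0 or exp_rva <= rva < exp_rva + exp_size:
            continue                         # unused slot, or a forwarder string
        entries.append((names.get(i, "#%d" % i), rva, section_of(rva)))
    top = Counter(sec[0] for _, _, sec in entries if sec).most_common(1)
    home = top[0][0] if top else None        # section where most exports live
    return [(name, rva, sec[0] if sec else None)
            for name, rva, sec in entries
            if sec is None or sec[0] != home or sec[4] & MEM_WRITE]

def build_sample(patched):
    """Constructed 16 KB PE32 image with three exports (not a real kernel32.dll)."""
    img = bytearray(0x4000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 3, 0, 0, 0, 224, 0x2102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<2I", img, opt + 96, 0x2000, 0x100)   # export directory
    layout = [(b".text", 0x1000, 0x60000020), (b".edata", 0x2000, 0x40000040),
              (b".reloc", 0x3000, 0xC0000040)]               # last one is writable
    for i, (name, rva, flags) in enumerate(layout):
        s = opt + 224 + 40 * i
        img[s:s + len(name)] = name
        struct.pack_into("<4I", img, s + 8, 0x1000, rva, 0x1000, rva)  # file off == RVA
        struct.pack_into("<I", img, s + 36, flags)
    ed = 0x2000
    struct.pack_into("<6I", img, ed + 16, 1, 3, 3, ed + 0x28, ed + 0x40, ed + 0x50)
    # In the patched variant one entry is moved out of .text into the last section.
    struct.pack_into("<3I", img, ed + 0x28, 0x1010, 0x3800 if patched else 0x1020, 0x1030)
    pos = ed + 0x60
    for i, n in enumerate([b"CreateFileA", b"GetFileAttributesA", b"ReadFile"]):
        struct.pack_into("<I", img, ed + 0x40 + 4 * i, pos)
        struct.pack_into("<H", img, ed + 0x50 + 2 * i, i)
        img[pos:pos + len(n)] = n
        pos += len(n) + 1
    return bytes(img)

if __name__ == "__main__":
    for label, patched in (("clean", False), ("patched", True)):
        print(label, find_redirected_exports(build_sample(patched)))
```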
Anonymous
May 7, 2005 12:30:06 AM

Archived from groups: microsoft.public.win98.gen_discussion

"Ogg" <sorry-nopam-wanted@anywhere.com> wrote in
news:Z2Mee.13580$VL3.760473@news20.bellglobal.com:

> The P1-200 is actually an Aptiva E25 (mobo 2137). Do you know if this
> one has the cache limitation?
>
>

According to this site
<http://www.shop.eet.dk/EETShop/xml/page.aspx?pageno=CON...;
it does.
Anonymous
May 7, 2005 1:17:00 AM

Archived from groups: microsoft.public.win98.gen_discussion

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote..

> | I'm back, ..but the Win98 system isn't! :( 
> | This pe_dupator.1503 is one slick puppy.
> |
>
> I am sorry to hear that you were hit with a TRUE virus (not a Trojan). But proactive
> mitigation of infectors, especially viruses, is very important.
>
> Details:
> Kernel32.dll Infection...


Yep.. thanks. I read about kernel32.dll infections and the dynamics of
pe_dupator.1503 before the failed kernel32 happened. I was hoping that
TrendMicro's sysclean would be able to "clean" it. But obviously it
rendered the OS dead.

> This virus has been around since 1999/2000. The questions that come up are...
> How long have you been infected ?
> Have you spread the infection (infects SYS, EXE and SCR files) to others ?
> Are there infected files (DLL, SYS, EXE and/or SCR) residing on alternate media ?

Good questions! ;) Well.. this particular system belongs to a couple of
senior friends in my town. They called me to investigate a weird slowdown when
they used the internet. The system was infected with several WORM_OPASERV
variants. I fixed that immediately and applied the MS patch for the
exploit.

But the machine had NO anti vir prgm at the time. In fact.. when their
Norton expired, and they looked for another replacement, they couldn't find
a good compatible alternative. I don't think they were aware of the FREE
ones available. Based on some of the "modified" dates of some of the
corrupted files, it looks like they were using the machine for at least a
year without any anti vir. Obviously, by then, kernel32 was already
corrupted and pe_dupator.1503 was busy modifying any .exe file that was
being used or viewed via Attributes. Even the Panda, TrendMicro, Adware,
and Spybot executables were modified after I used them.

I just finished installing W98 (original). I am now rerunning TrendMicro's
Sysclean. Then it will be the Win98SE upgrade.
Anonymous
May 7, 2005 2:13:12 AM

Archived from groups: microsoft.public.win98.gen_discussion

From: "Ogg" <sorry-nopam-wanted@anywhere.com>

|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote..
|
|>> I'm back, ..but the Win98 system isn't! :( 
|>> This pe_dupator.1503 is one slick puppy.
|>>
>> I am sorry to hear that you were hit with a TRUE virus (not a Trojan). But proactive
>> mitigation of infectors, especially viruses, is very important.
>>
>> Details:
>> Kernel32.dll Infection...
|
| Yep.. thanks. I read about kernel32.dll infections and the dynamics of
| pe_dupator.1503 before the failed kernel32 happend. I was hoping that
| TrendMicro's sysclean would be able to "clean" it. But obviously it
| rendered the OS dead.
|
>> This virus has been around since 1999/2000. The questions that come up are...
>> How long have you been infected ?
>> Have you spread the infection (infects SYS, EXE and SCR files) to others ?
>> Are there infected files (DLL, SYS, EXE and/or SCR) residing on alternate media ?
|
| Good questions! ;)  Well.. this particular system belongs a couple of
| senior friends in my town. They called me to investige a weird slowdown when
| they used the internet. The system was infected with several WORM_OPASERV
| variants. I fixed that immediately and applied the MS patch for the
| exploit.
|
| But the machine had NO anti vir prgm at the time. Infact.. when their
| Norton expired, and they looked for another replacement, they couldn't find
| a good compatible alternative. I don't think they were aware of the FREE
| ones available. Based on some of the "modified" dates of some of the
| corrupted files, it looks like they were using the machine for atleast a
| year without any anti vir. Obviously, by then, kernel32 was already
| corrupted and pe_dupator.1503 was busy modifying any .exe file that was
| being used or viewed via Attributes. Even the Panda, TrendMicro, Adware,
| and Spybot executables were modified after I used them.
|
| I just finished installing W98 (original). I am now rerunning TrendMicro's
| Sysclean. Then it will be the Win98SE upgrade.
|


If I had a Crystal Ball I would not have suggested the Trend Sysclean Front End utility I
wrote. Sysclean requires running under Windows. If I had the forethought I would have
suggested the McAfee Command Line Scanner (MCLS) Front End I wrote.

In that case you would have executed the script in Windows and it would have downloaded the
McAfee SuperDAT and then would have extracted the scanner and DAT files. Then you could
have booted off a Win98 Emergency Boot Disk (EBD) or other DOS Disk where you could have
executed the MCLS under DOS. It would have been more effective and maybe would have cleaned
the infected files without a problem rather than deleting them. The Trend Scanner was an
insurance based upon the number of infected files the Panda online scanner caught. I didn't
think a major virus would be resident.

For future reference, here is that set of instructions...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. If you are using Windows XP, you may have to disable the Windows XP FireWall to
allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
May 9, 2005 5:29:57 PM

Archived from groups: microsoft.public.win98.gen_discussion

On Fri, 6 May 2005 19:10:42 -0400, "David H. Lipman"
>From: "Ogg" <sorry-nopam-wanted@anywhere.com>
>| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in messag..

>| I'm back, ..but the Win98 system isn't! :(  I decided to download the
>| Trend Micro SysClean. All started fine. I selected the Manual
>| Clean/Delete/Leave alone option for the scan. It discovered PE_DUPATOR.1503
>| in memory and started revealing the same virus in many .EXE files. Even
>| some .SYS and .DLL's were infected. The C)lean option worked for everything
>| until it reached a detection in KERNEL32.DLL.

You are on Win98xx, using FATxx. There's no reason for you to mess
around with tools weakened by running them from within the infected
system, as an XP on NTFS victim would be forced to do.

http://cquirke.mvps.org/9x/virtest.htm refers; suitable DOS scanners
are available from www.f-prot.com, www.nod32.com or www.sophos.com

>| Windows reported a "Syslean performed an illegal operation.
>| The program will now close."

Add www.memtest86.com to the stack. Malware isn't the only thing that
goes wrong on PCs; check RAM, motherboard caps, HD, fans etc. as per
http://cquirke.mvps.org/9x/bthink.htm

>| Thankfully, the Win98 setup files are all in the CABs on the hdd. I am in
>| the process of reinstalling from scratch.

Not the best possible outcome. Jeez, the only reason XP victims have
given up on formal av scanning is because that platform is so crippled
(no mOS for NTFS) that they have no choice. The need to formally scan
for malware (i.e. scan while the malware is not running) is as strong
as it ever was, especially in an age of "rootkits" (i.e. malware that
actually does what it has always been possible for malware to do).

>Details:
>Kernel32.dll Infection
>
>When an infected file is executed, this virus infects the Kernel32.dll file. It patches the
>export table of Kernel32.dll such that the function GetFileAttributesA points to its virus
>code.
>
>Since Kernel32.dll is always loaded, this virus is able to load every time Windows starts
>and then stay memory resident.
>
>This virus has been around since 1999/2000. The questions that come up are...
>
>How long have you been infected ?
>Have you spread the infection (infects SYS, EXE and SCR files) to others ?
>Are there infected files (DLL, SYS, EXE and/or SCR) residing on alternate media ?
>
>If you have files that are DLL, SYS, EXE and/or SCR on other media it would be a good idea
>to scan the alternate media after the Win98 OS has been reinstalled/repaired. You have to
>take appropriate action to prevent re-infection.

>pe_dupator.1503 --
>http://www.trendmicro.com/vinfo/virusencyclo/default5.a...
>
>W32/Dupator -- http://vil.nai.com/vil/content/v_99800.htm

Yep. I'd worry about infected installation media in particular, as
well as "data" backups riddled with infected code files. The chances
of this being the infection source, as opposed to Internet exposure,
are high when it comes to years-old generic Win32PE infectors. I've
seen these on counterfeit aluminium-pressed CD-ROM disks.





>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -
Anonymous
May 9, 2005 5:41:19 PM

Archived from groups: microsoft.public.win98.gen_discussion

On Fri, 6 May 2005 21:17:00 -0400, "Ogg"
>"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote..

>Yep.. thanks. I read about kernel32.dll infections and the dynamics of
>pe_dupator.1503 before the failed kernel32 happend. I was hoping that
>TrendMicro's sysclean would be able to "clean" it. But obviously it
>rendered the OS dead.

Well duh, the malware's running before SysClean gets off the deck.

If you stand framed in a well-lit doorway and let a burglar hidden
somewhere in a dark room take the first shot, what outcome do you
expect? You can't always count on intruders leaving their gun at
home, or being "nice" enough to meekly submit to arrest.

>The system was infected with several WORM_OPASERV variants.

There's a heads-up that the system's setup is brain-dead.

OpaServ spreads *ONLY* via File and Print Sharing, no other way. So
you know this PC is waving its ass at infected networks - and the
Internet is the mother of all infected networks - with the whole of
C:\ shared for writes. That's like smearing yourself with blood and
jumping into a shark tank - stupidity that beggars belief.

>I fixed that immediately and applied the MS patch for the exploit.

Patch? Pfffft. It's not a code bug, it's brain-dead OS design - I
hope you didn't leave the whole of C:\ write-shared and File and Print
Sharing bound to the Internet connection? And yes, MS were indeed so
stupid in the 1990s as to bind File and print Sharing to Internet
connection, just as they are stupid enough in 2005 to full-share C:\
via hidden admin shares with known names, bind File and Print Sharing
to wireless LAN, and then offer to join every network it sniffs.

>But the machine had NO anti vir prgm at the time.

The av is the goalie of last resort. One of the other 10 players who
should have caught the ball first would have been the clue not to
full-share any part of the startup axis, and not to bind File and
Print Sharing to Internet. Stop reading this, fix those bad settings
immediately, then come back and carry on reading ;-)

The good news is that things were so ^&%$ing bad, that just about
anything you do for them can only be an improvement. Start with
http://cquirke.mvps.org/9x/riskfix.htm (Win9x-specific)

There's FAR more to this stuff than "in av we trust"



>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -