anti virus pgm for win98se, 64meg 200mHz system?

Archived from groups: microsoft.public.win98.gen_discussion (More info?)

Can anyone recommend a good (free) anti virus program suitable for a P-200,
64meg, win98se system? I tried AVG but it caused "Kernel protection fault"
error at reboot. I also tried AntiVir but it caused a system freeze during
the "system" scan when the program loads. I finished a Panda Active online
scan and it took 3 hrs and 30 minutes to scan about 4 gig of files (on 8gig
of hdd space). Panda detected 380 files and disinfected them all. But the
system really needs a good anti virus program that is monitoring any more
infections on an ongoing basis.
  1. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    Hi Ogg,

    See if Avast works out alright on your system:
    http://www.avast.com/eng/avast_4_home.html


    Regards,

    --
    Patti MacLeod
    Microsoft MVP - Windows Shell/User

    "Ogg" <sorry-nopam-wanted@anywhere.com> wrote in message
    news:uyBee.9483$VL3.717881@news20.bellglobal.com...
    > Can anyone recommend a good (free) anti virus program suitable for a P-200,
    > 64meg, win98se system? I tried AVG but it caused "Kernel protection fault"
    > error at reboot. I also tried AntiVir but it caused a system freeze during
    > the "system" scan when the program loads. I finished a Panda Active online
    > scan and it took 3 hrs and 30 minutes to scan about 4 gig of files (on 8gig
    > of hdd space). Panda detected 380 files and disinfected them all. But the
    > system really needs a good anti virus program that is monitoring any more
    > infections on an ongoing basis.
  2. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    "kernel error" in avg installs is often a result of one or more windows
    files being already bombed by virus when the install is trying to take
    place, ditto anti vir.
    try running the panda scan, include the spyware option, then while the
    system is clean Windows update and avg or antivir install

    just threw windows update in there for the hell of it

    --
    Adaware http://www.lavasoft.de
    spybot http://security.kolla.de
    AVG free antivirus http://www.grisoft.com
    Etrust/Vet/CA.online Antivirus scan
    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
    Panda online AntiVirus scan http://www.pandasoftware.com/ActiveScan/
    Catalog of removal tools (1)
    http://www.pandasoftware.com/download/utilities/
    Catalog of removal tools (2)
    http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?CID=40387
    Blocking Unwanted Parasites with a Hosts file
    http://mvps.org/winhelp2002/hosts.htm
    links provided as a courtesy, read all instructions on the pages before use

    Grateful thanks to the authors and webmasters
    _
    "Ogg" <sorry-nopam-wanted@anywhere.com> wrote in message
    news:uyBee.9483$VL3.717881@news20.bellglobal.com...
    > Can anyone recommend a good (free) anti virus program suitable for a P-200,
    > 64meg, win98se system? I tried AVG but it caused "Kernel protection fault"
    > error at reboot. I also tried AntiVir but it caused a system freeze during
    > the "system" scan when the program loads. I finished a Panda Active online
    > scan and it took 3 hrs and 30 minutes to scan about 4 gig of files (on 8gig
    > of hdd space). Panda detected 380 files and disinfected them all. But the
    > system really needs a good anti virus program that is monitoring any more
    > infections on an ongoing basis.
  3. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    From: "Ogg" <sorry-nopam-wanted@anywhere.com>

    | Can anyone recommend a good (free) anti virus program suitable for a P-200,
    | 64meg, win98se system? I tried AVG but it caused "Kernel protection fault"
    | error at reboot. I also tried AntiVir but it caused a system freeze during
    | the "system" scan when the program loads. I finished a Panda Active online
    | scan and it took 3 hrs and 30 minutes to scan about 4 gig of files (on 8gig
    | of hdd space). Panda detected 380 files and disinfected them all. But the
    | system really needs a good anti virus program that is monitoring any more
    | infections on an ongoing basis.
    |

    If you are going to continue to use a P1 200Mhz computer, which is a dog in Today's
    standards, you should increase the RAM to between 256 and 384MB. 64MB is a ridiculously low
    amount of RAM especially at Today's prices !

    You said "Panda detected 380 files and disinfected them all." -- Do you realize how bad that
    is ?

    I suggest you do some more scanning !

    Dump the contents of the IE Temporary Internet Folder cache (TIF)
    Start --> Settings --> Control Panel --> Internet Options --> Delete Files

    Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
    Tools --> Options --> Privacy --> Cache --> Clear

    1) Download the TrendMicro Sysclean Front End

    Download the utility SYSCLEAN_FE at the following URL --
    http://www.ik-cs.com/got-a-virus.htm
    SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
    Direct URL --
    http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


    2) Download and install Ad-aware SE
    (free personal version v1.05)
    http://www.lavasoftusa.com/
    Update Ad-aware with the latest definitions and then exit the software.

    3) Execute; SYSCLEAN_FE.EXE
    Choose; Unzip
    Choose; Close


    Execute; c:\sysclean\SYSCLEAN_FE.BAT
    { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    when you get to the menu exit the utility so you can boot into Safe Mode.

    4) Reboot your PC into Safe Mode and shutdown as many applications as possible.

    5) Execute; c:\sysclean\sysclean.com
    Let SYSCLEAN.COM scan your computer.
    when done, execute Ad-aware SE and perform a full scan of your PC and delete
    all objects found.

    6) Restart your PC and perform a "final" Full Scan of your platform
    Execute; c:\sysclean\SYSCLEAN_FE.BAT
    { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    This time, choose to execute SYSCLEAN.COM from the menu.
    when done, execute Ad-aware SE and perform a final scan of your PC and delete
    all objects found.


    * * * Please report back your results * * *

    Then install one of the below...

    AVAST -
    http://www.avast.com/i_idt_1016.html - FREE

    AntiVir -
    http://www.free-av.com/ - FREE

    AVG -
    http://free.grisoft.com/freeweb.php/doc/2/lng/us/tpl/v5 - FREE

    CA eTrust -
    http://www.my-etrust.com/microsoft/index.cfm - FREE for one year.
    { Free offer ends 8/1/05 }


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  4. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    Thank you for the tip about "kernel error" behaviour. I'll give AntiVir
    another shot at the install.


    "AlmostBob" <anonymous1@discussions.microsoft.com> wrote in message
    news:uAHFocfUFHA.3716@TK2MSFTNGP12.phx.gbl...
    > "kernel error" in avg installs is often a result of one or more windows
    > files being already bombed by virus when the install is trying to take
    > place, ditto anti vir.
    > try running the panda scan, include the spyware option, then while the
    > system is clean Windows update and avg or antivir install
    >
    > just threw windows update in there for the hell of it
    >
  5. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    The idea is to replace the P1-200 soon, but perhaps not for another 6
    months. I too realize that 64meg is awfully low. Meanwhile, I looked
    inside and noticed that the ram is right under the power supply. :(
    That's annoying. The PS would need to be removed in order to "play" with the
    ram. Annoying. I've investigated some more particulars about his mobo
    (Aptiva model 2137 E25) and the specs across all the Exx models seem to call
    for EDO type. :( I am not impressed. Time and expense does not warrant
    supporting upgrading this particular unit. Getting another machine makes
    more sense.

    Meanwhile... I'll do the other file-clean suggestions you made. Thanks for
    that. I forgot about the temporary dirs and cache. And.. I'll retry an
    AntiVir install.

    I have to look for a clean version of NOTEPAD.EXE and HH.EXE replacement
    (somewhere in the cabs, right?) ..since the first run off Stinger nuked
    those.


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:O5GPuqiUFHA.628@tk2msftngp13.phx.gbl...

    > If you are going to continue to use a P1 200Mhz computer, which is a dog in Today's
    > standards, you should increase the RAM to between 256 and 384MB. 64MB is a ridiculously low
    > amount of RAM especially at Today's prices !
    >
    > You said "Panda detected 380 files and disinfected them all." -- Do you realize how bad that
    > is ?
    >
    > I suggest you do some more scanning !
    >
    > Dump the contents of the IE Temporary Internet Folder cache (TIF)
    > Start --> Settings --> Control Panel --> Internet Options --> Delete Files
    >
    > Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
    > Tools --> Options --> Privacy --> Cache --> Clear
    >
    > 1) Download the TrendMicro Sysclean Front End
    >
    > Download the utility SYSCLEAN_FE at the following URL --
    > http://www.ik-cs.com/got-a-virus.htm
    > SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
    > Direct URL --
    > http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
    >
    > 2) Download and install Ad-aware SE
    > (free personal version v1.05)
    > http://www.lavasoftusa.com/
    > Update Ad-aware with the latest definitions and then exit the software.
    >
    > 3) Execute; SYSCLEAN_FE.EXE
    > Choose; Unzip
    > Choose; Close
    >
    > Execute; c:\sysclean\SYSCLEAN_FE.BAT
    > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    > when you get to the menu exit the utility so you can boot into Safe Mode.
    >
    > 4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
    >
    > 5) Execute; c:\sysclean\sysclean.com
    > Let SYSCLEAN.COM scan your computer.
    > when done, execute Ad-aware SE and perform a full scan of your PC and delete
    > all objects found.
    >
    > 6) Restart your PC and perform a "final" Full Scan of your platform
    > Execute; c:\sysclean\SYSCLEAN_FE.BAT
    > { or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
    > This time, choose to execute SYSCLEAN.COM from the menu.
    > when done, execute Ad-aware SE and perform a final scan of your PC and delete
    > all objects found.
    >
    > * * * Please report back your results * * *
  6. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:O5GPuqiUFHA.628@tk2msftngp13.phx.gbl:

    >
    > If you are going to continue to use a P1 200Mhz computer, which is a
    > dog in Today's standards, you should increase the RAM to between 256
    > and 384MB. 64MB is a ridiculously low amount of RAM especially at
    > Today's prices !
    >
    >

    Most P1 chipsets cannot cache more than 64 MB. Which means that the system
    will be slower when you put in more memory, unless you're using programs
    which use more than 64 MB at once. That would be large photo editing or
    something like that.

    EDO ram is not cheap today.
  7. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    From: "Ingeborg" <a@b.invalid>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news:O5GPuqiUFHA.628@tk2msftngp13.phx.gbl:
    |
    >> If you are going to continue to use a P1 200Mhz computer, which is a
    >> dog in Today's standards, you should increase the RAM to between 256
    >> and 384MB. 64MB is a ridiculously low amount of RAM especially at
    >> Today's prices !
    >>
    | Most P1 chipsets cannot cache more than 64 MB. Which means that the system
    | will be slower when you put in more memory, unless you're using programs
    | which use more than 64 MB at once. That would be large photo editing or
    | something like that.
    |
    | EDO ram is not cheap today.

    Not most, a few Intel chip-sets.
    And even the EDO RAM is cheaper than it was when that platform first came out.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  8. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    The P1-200 is actually an Aptiva E25 (mobo 2137). Do you know if this one
    has the cache limitation?


    "Ingeborg" <a@b.invalid> wrote in message
    news:Xns964E8A1BAF1Dabinvalid@216.168.3.44...

    > Most P1 chipsets cannot cache more than 64 MB. Which means that the system
    > will be slower when you put in more memory, unless you're using programs
    > which use more than 64 MB at once. That would be large photo editing or
    > something like that.
    >
    > EDO ram is not cheap today.
  9. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:%23JRDRSjUFHA.2136@TK2MSFTNGP10.phx.gbl...
    > From: "Ingeborg" <a@b.invalid>
    >
    > | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    > | news:O5GPuqiUFHA.628@tk2msftngp13.phx.gbl:
    > |
    > >> If you are going to continue to use a P1 200Mhz computer, which is a
    > >> dog in Today's standards, you should increase the RAM to between 256
    > >> and 384MB. 64MB is a ridiculously low amount of RAM especially at
    > >> Today's prices !
    > >>
    > | Most P1 chipsets cannot cache more than 64 MB. Which means that the system
    > | will be slower when you put in more memory, unless you're using programs
    > | which use more than 64 MB at once. That would be large photo editing or
    > | something like that.
    > |
    > | EDO ram is not cheap today.
    >
    > Not most, a few Intel chip-sets.
    > And even the EDO RAM is cheaper than it was when that platform first came out.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >

    Agreed, the 64MB caching limit was a rarity. There may be a MB capacity limit
    on each SIMM socket. If it's built-in, soldered RAM, and adding RAM to SIMM
    slots, it may get hairy but doable. Crucial is pretty good at offering only
    what will work for a particular model motherboard. EDO may not be what's
    needed, but may work.
  10. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    From: "Ogg" <sorry-nopam-wanted@anywhere.com>

    | The P1-200 is actually an Aptiva E25 (mobo 2137). Do you know if this one
    | has the cache limitation?
    |


    Too bad...

    The IBM Aptiva 2137 uses a max. of 64MB using two 32MB EDO 168pin nonECC DIMM.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  11. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    >
    > I have to look for a clean version of NOTEPAD.EXE and HH.EXE replacement
    > (somewhere in the cabs, right?) ..since the first run off Stinger nuked
    > those.
    >
    That's the only thing the SFC utility is good for
    Start
    run
    sfc
    extract one file from distribution disk

    follow the prompts and point the browse function at the folder containing
    the .cab files and it will do the extraction
    DO NOT USE THE CHECK FUNCTION OF SFC, it doesn't work right unless every time
    software or windows updates were ever installed the version database was
    also updated within sfc. else there will be hundreds new system files
    replaced with older versions
    instant FUBAR
    DLL hell
    and the pc wets itself and dies a painful death
  12. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in messag..

    > You said "Panda detected 380 files and disinfected them all." -- Do you realize how bad that
    > is ?
    >
    > I suggest you do some more scanning !
    > * * * Please report back your results * * *

    I'm back, ..but the Win98 system isn't! :( I decided to download the
    Trend Micro SysClean. All started fine. I selected the Manual
    Clean/Delete/Leave alone option for the scan. It discovered PE_DUPATOR.1503
    in memory and started revealing the same virus in many .EXE files. Even
    some .SYS and .DLL's were infected. The C)lean option worked for everything
    until it reached a detection in KERNEL32.DLL. I selected C)lean but it
    reported unable to. Then Sysclean proceeded to the D drive. All seemed to
    go well until Windows reported a "Syslean performed an illegal operation.
    The program will now close." Fine.. I needed to reboot to get rid of the
    PE_DUPATOR.1503 from memory anyway, right? At reboot, I got "Explorer
    performed an illegal operation" ...and further bootup was impossible.

    Thankfully, the Win98 setup files are all in the CABs on the hdd. I am in
    the process of reinstalling from scratch.

    :((((

    This pe_dupator.1503 is one slick puppy.
  13. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    From: "Ogg" <sorry-nopam-wanted@anywhere.com>

    |
    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in messag..
    |
    >> You said "Panda detected 380 files and disinfected them all." -- Do you
    | realize how bad that
    >> is ?
    >>
    >> I suggest you do some more scanning !
    >> * * * Please report back your results * * *
    |
    | I'm back, ..but the Win98 system isn't! :( I decided to download the
    | Trend Micro SysClean. All started fine. I selected the Manual
    | Clean/Delete/Leave alone option for the scan. It discovered PE_DUPATOR.1503
    | in memory and started revealing the same virus in many .EXE files. Even
    | some .SYS and .DLL's were infected. The C)lean option worked for everything
    | until it reached a detection in KERNEL32.DLL. I selected C)lean but it
    | reported unable to. Then Sysclean proceeded to the D drive. All seemed to
    | go well until Windows reported a "Syslean performed an illegal operation.
    | The program will now close." Fine.. I needed to reboot to get rid of the
    | PE_DUPATOR.1503 from memory anyway, right? At reboot, I got "Explorer
    | performed an illegal operation" ...and further bootup was impossible.
    |
    | Thankfully, the Win98 setup files are all in the CABs on the hdd. I am in
    | the process of reinstalling from scratch.
    |
    | :((((
    |
    | This pe_dupator.1503 is one slick puppy.
    |

    I am sorry to hear that you were hit with a TRUE virus (not a Trojan). But proactive
    mitigation of infectors, especially viruses, is very important.

    Details:
    Kernel32.dll Infection

    When an infected file is executed, this virus infects the Kernel32.dll file. It patches the
    export table of Kernel32.dll such that the function GetFileAttributesA points to its virus
    code.

    Since Kernel32.dll is always loaded, this virus is able to load every time Windows starts
    and then stay memory resident.

    This virus has been around since 1999/2000. The questions that come up are...

    How long have you been infected ?
    Have you spread the infection (infects SYS, EXE and SCR files) to others ?
    Are there infected files (DLL, SYS, EXE and/or SCR) residing on alternate media ?

    If you have files that are DLL, SYS, EXE and/or SCR on other media it would be a good idea
    to scan the alternate media after the Win98 OS has been reinstalled/repaired. You have to
    take appropriate action to prevent re-infection.

    pe_dupator.1503 --
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_DUPATOR.1503

    W32/Dupator -- http://vil.nai.com/vil/content/v_99800.htm

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
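
As an added illustration of the export-table patch described in the post above (not code from the thread or from any vendor named in it): a Python check that reads a PE32 export table, lists named exports whose address differs from a known-good copy, and flags exports that resolve outside the section holding most other exports. The section heuristic is a generic assumption rather than a Dupator signature, and `build_sample` produces a constructed miniature image with a made-up `.added` section, not a real KERNEL32.DLL.

```python
import struct
from collections import Counter

def _sections(pe):
    """Return (PE header offset, [(name, vaddr, size, raw_ptr), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off, = struct.unpack_from("<I", pe, 0x3C)          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    secs = []
    for i in range(nsec):
        off = pe_off + 24 + opt_size + 40 * i             # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, off + 8)
        secs.append((name, vaddr, max(vsize, rsize), rptr))
    return pe_off, secs

def _locate(secs, rva):
    for name, vaddr, size, rptr in secs:
        if vaddr <= rva < vaddr + size:
            return name, rptr + (rva - vaddr)             # (section, file offset)
    raise ValueError("RVA 0x%x is outside every section" % rva)

def _cstr(pe, off):
    return pe[off:pe.index(b"\0", off)].decode("ascii", "replace")

def parse_exports(pe):
    """Map each named export to (rva, section name); forwarders are skipped."""
    pe_off, secs = _sections(pe)
    magic, = struct.unpack_from("<H", pe, pe_off + 24)
    if magic != 0x10B:
        raise ValueError("only PE32 images are handled")
    exp_rva, exp_size = struct.unpack_from("<II", pe, pe_off + 24 + 96)  # data directory 0
    if exp_rva == 0:
        return {}
    d = _locate(secs, exp_rva)[1]
    n_funcs, n_names, funcs, names, ords = struct.unpack_from("<5I", pe, d + 20)
    out = {}
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", pe, _locate(secs, names)[1] + 4 * i)
        idx, = struct.unpack_from("<H", pe, _locate(secs, ords)[1] + 2 * i)
        if idx >= n_funcs:
            continue                                      # malformed ordinal entry
        rva, = struct.unpack_from("<I", pe, _locate(secs, funcs)[1] + 4 * idx)
        if exp_rva <= rva < exp_rva + exp_size:
            continue                                      # forwarder string, not code
        out[_cstr(pe, _locate(secs, name_rva)[1])] = (rva, _locate(secs, rva)[0])
    return out

def suspicious_exports(pe):
    """Exports whose entry point is outside the section holding most exports."""
    exports = parse_exports(pe)
    if not exports:
        return []
    home = Counter(sec for _, sec in exports.values()).most_common(1)[0][0]
    return sorted((n, rva, sec) for n, (rva, sec) in exports.items() if sec != home)

def changed_exports(clean, suspect):
    """Names whose export RVA differs between a known-good and a suspect copy."""
    good, bad = parse_exports(clean), parse_exports(suspect)
    return sorted(n for n in good if n in bad and good[n][0] != bad[n][0])

def build_sample(hooked):
    """Constructed, minimal PE32 DLL image for the demo (not a real KERNEL32.DLL)."""
    names = [b"CreateFileA", b"GetFileAttributesA", b"GetVersion"]  # sorted by name
    rvas = [0x1010, 0x3000 if hooked else 0x1020, 0x1030]
    img = bytearray(0x800)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 3, 0, 0, 0, 224, 0x2102)  # COFF header
    struct.pack_into("<H", img, 0x58, 0x10B)                # PE32 magic
    struct.pack_into("<I", img, 0x58 + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 96, 0x2000, 0x100)  # export directory RVA, size
    for i, (n, va) in enumerate([(b".text", 0x1000), (b".edata", 0x2000), (b".added", 0x3000)]):
        off = 0x58 + 224 + 40 * i
        img[off:off + len(n)] = n
        struct.pack_into("<4I", img, off + 8, 0x200, va, 0x200, 0x200 * (i + 1))
    exp = 0x400                                             # file offset of RVA 0x2000
    struct.pack_into("<5I", img, exp + 20, 3, 3, 0x2028, 0x2034, 0x2040)
    str_rva = 0x2046
    for i, n in enumerate(names):
        struct.pack_into("<I", img, exp + 0x28 + 4 * i, rvas[i])   # AddressOfFunctions
        struct.pack_into("<I", img, exp + 0x34 + 4 * i, str_rva)   # AddressOfNames
        struct.pack_into("<H", img, exp + 0x40 + 2 * i, i)         # AddressOfNameOrdinals
        o = exp + str_rva - 0x2000
        img[o:o + len(n)] = n
        str_rva += len(n) + 1
    return bytes(img)

if __name__ == "__main__":
    clean, suspect = build_sample(False), build_sample(True)
    print("changed vs. known-good:", changed_exports(clean, suspect))
    for name, rva, sec in suspicious_exports(suspect):
        print("%s -> RVA 0x%x in section %s" % (name, rva, sec))
```

For a real check, read the suspect DLL from outside the running Windows session and use a copy extracted from the installation CABs as the known-good reference.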
  14. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    "Ogg" <sorry-nopam-wanted@anywhere.com> wrote in
    news:Z2Mee.13580$VL3.760473@news20.bellglobal.com:

    > The P1-200 is actually an Aptiva E25 (mobo 2137). Do you know if this
    > one has the cache limitation?
    >
    >

    According to this site
    <http://www.shop.eet.dk/EETShop/xml/page.aspx?pageno=CONFIGURATORSEARCHRESULTS&model=824100>
    it does.
  15. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote..

    > | I'm back, ..but the Win98 system isn't! :(
    > | This pe_dupator.1503 is one slick puppy.
    > |
    >
    > I am sorry to hear that you were hit with a TRUE virus (not a Trojan). But proactive
    > mitigation of infectors, especially viruses, is very important.
    >
    > Details:
    > Kernel32.dll Infection...


    Yep.. thanks. I read about kernel32.dll infections and the dynamics of
    pe_dupator.1503 before the failed kernel32 happened. I was hoping that
    TrendMicro's sysclean would be able to "clean" it. But obviously it
    rendered the OS dead.

    > This virus has been around since 1999/2000. The questions that come up are...
    > How long have you been infected ?
    > Have you spread the infection (infects SYS, EXE and SCR files) to others ?
    > Are there infected files (DLL, SYS, EXE and/or SCR) residing on alternate media ?

    Good questions! ;) Well.. this particular system belongs to a couple of
    senior friends in my town. They called me to investigate a weird slowdown when
    they used the internet. The system was infected with several WORM_OPASERV
    variants. I fixed that immediately and applied the MS patch for the
    exploit.

    But the machine had NO anti vir prgm at the time. In fact.. when their
    Norton expired, and they looked for another replacement, they couldn't find
    a good compatible alternative. I don't think they were aware of the FREE
    ones available. Based on some of the "modified" dates of some of the
    corrupted files, it looks like they were using the machine for at least a
    year without any anti vir. Obviously, by then, kernel32 was already
    corrupted and pe_dupator.1503 was busy modifying any .exe file that was
    being used or viewed via Attributes. Even the Panda, TrendMicro, Adware,
    and Spybot executables were modified after I used them.

    I just finished installing W98 (original). I am now rerunning TrendMicro's
    Sysclean. Then it will be the Win98SE upgrade.
  16. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    From: "Ogg" <sorry-nopam-wanted@anywhere.com>

    |
    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote..
    |
    |>> I'm back, ..but the Win98 system isn't! :(
    |>> This pe_dupator.1503 is one slick puppy.
    |>>
    >> I am sorry to hear that you were hit with a TRUE virus (not a Trojan).
    | But proactive
    >> mitigation of infectors, especially viruses, is very important.
    >>
    >> Details:
    >> Kernel32.dll Infection...
    |
    | Yep.. thanks. I read about kernel32.dll infections and the dynamics of
    | pe_dupator.1503 before the failed kernel32 happened. I was hoping that
    | TrendMicro's sysclean would be able to "clean" it. But obviously it
    | rendered the OS dead.
    |
    >> This virus has been around since 1999/2000. The questions that come up
    | are...
    >> How long have you been infected ?
    >> Have you spread the infection (infects SYS, EXE and SCR files) to others ?
    >> Are there infected files (DLL, SYS, EXE and/or SCR) residing on alternate
    | media ?
    |
    | Good questions! ;) Well.. this particular system belongs to a couple of
    | senior friends in my town. They called me to investigate a weird slowdown when
    | they used the internet. The system was infected with several WORM_OPASERV
    | variants. I fixed that immediately and applied the MS patch for the
    | exploit.
    |
    | But the machine had NO anti vir prgm at the time. In fact.. when their
    | Norton expired, and they looked for another replacement, they couldn't find
    | a good compatible alternative. I don't think they were aware of the FREE
    | ones available. Based on some of the "modified" dates of some of the
    | corrupted files, it looks like they were using the machine for at least a
    | year without any anti vir. Obviously, by then, kernel32 was already
    | corrupted and pe_dupator.1503 was busy modifying any .exe file that was
    | being used or viewed via Attributes. Even the Panda, TrendMicro, Adware,
    | and Spybot executables were modified after I used them.
    |
    | I just finished installing W98 (original). I am now rerunning TrendMicro's
    | Sysclean. Then it will be the Win98SE upgrade.
    |


    If I had a Crystal Ball I would not have suggested the Trend Sysclean Front End utility I
    wrote. Sysclean requires running under Windows. If I had the forethought I would have
    suggested the McAfee Command Line Scanner (MCLS) Front End I wrote.

    In that case you would have executed the script in Windows and it would have downloaded the
    McAfee SuperDAT and then would have extracted the scanner and DAT files. Then you could
    have booted off a Win98 Emergency Boot Disk (EBD) or other DOS Disk where you could have
    executed the MCLS under DOS. It would have been more effective and maybe would have cleaned
    the infected files without a problem rather than deleting them. The Trend Scanner was an
    insurance based upon the number of infected files the Panda online scanner caught. I didn't
    think a major virus would be resident.

    For future reference, here is that set of instructions...

    Dump the contents of the IE Temporary Internet Folder cache (TIF)
    Start --> Settings --> Control Panel --> Internet Options --> Delete Files

    Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
    Tools --> Options --> Privacy --> Cache --> Clear


    Download CLEAN.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/clean.exe

    It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
    { http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
    (.lnk) files and a PDF instruction file.

    GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
    Scanner. If you are using Windows XP, you may have to disable the Windows XP FireWall to
    allow the FTP utility to download the needed files

    CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
    to scan again at a future date, run this batch file. It will automatically check the date
    of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
    signature files and install them before performing the scan.

    DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
    you have booted from an Emergency Boot Disk or DOS disk and have already executed;
    c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
    http://www.bootdisk.com/bootdisk.htm

    I need you to perform the following...

    Execute; CLEAN.EXE
    Choose; Unzip
    Choose; Close

    Execute; c:\mcafee\GetFiles.BAT
    { or Double-click on 'GetFiles Link' in c:\mcafee }

    Reboot the PC into Safe Mode [F8 key during boot]

    Shutdown as many applications as possible !
    It would also help for you to read - "How to perform a clean boot in Windows XP"
    http://support.microsoft.com/kb/310353

    Execute; c:\mcafee\CLEAN.BAT
    { or Double-click on 'Clean Link' in c:\mcafee }

    A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
    end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
    It is suggested that you move the report out of c:\mcafee before performing another scan.
    It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
  17. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    On Fri, 6 May 2005 19:10:42 -0400, "David H. Lipman"
    >From: "Ogg" <sorry-nopam-wanted@anywhere.com>
    >| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in messag..

    >| I'm back, ..but the Win98 system isn't! :( I decided to download the
    >| Trend Micro SysClean. All started fine. I selected the Manual
    >| Clean/Delete/Leave alone option for the scan. It discovered PE_DUPATOR.1503
    >| in memory and started revealing the same virus in many .EXE files. Even
    >| some .SYS and .DLL's were infected. The C)lean option worked for everything
    >| until it reached a detection in KERNEL32.DLL.

    You are on Win98xx, using FATxx. There's no reason for you to mess
    around with tools weakened by running them from within the infected
    system, as an XP on NTFS victim would be forced to do.

    http://cquirke.mvps.org/9x/virtest.htm refers; suitable DOS scanners
    are available from www.f-prot.com, www.nod32.com or www.sophos.com

    >| Windows reported a "Syslean performed an illegal operation.
    >| The program will now close."

    Add www.memtest86.com to the stack. Malware isn't the only thing that
    goes wrong on PCs; check RAM, motherboard caps, HD, fans etc. as per
    http://cquirke.mvps.org/9x/bthink.htm

    >| Thankfully, the Win98 setup files are all in the CABs on the hdd. I am in
    >| the process of reinstalling from scratch.

    Not the best possible outcome. Jeez, the only reason XP victims have
    given up on formal av scanning is because that platform is so crippled
    (no mOS for NTFS) that they have no choice. The need to formally scan
    for malware (i.e. scan while the malware is not running) is as strong
    as it ever was, especially in an age of "rootkits" (i.e. malware that
    actually does what it has always been possible for malware to do).

    >Details:
    >Kernel32.dll Infection
    >
    >When an infected file is executed, this virus infects the Kernel32.dll file. It patches the
    >export table of Kernel32.dll such that the function GetFileAttributesA points to its virus
    >code.
    >
    >Since Kernel32.dll is always loaded, this virus is able to load every time Windows starts
    >and then stay memory resident.
    >
    >This virus has been around since 1999/2000. The questions that come up are...
    >
    >How long have you been infected ?
    >Have you spread the infection (infects SYS, EXE and SCR files) to others ?
    >Are there infected files (DLL, SYS, EXE and/or SCR) residing on alternate media ?
    >
    >If you have files that are DLL, SYS, EXE and/or SCR on other media it would be a good idea
    >to scan the alternate media after the Win98 OS has been reinstalled/repaired. You have to
    >take appropriate action to prevent re-infection.

    >pe_dupator.1503 --
    >http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_DUPATOR.1503
    >
    >W32/Dupator -- http://vil.nai.com/vil/content/v_99800.htm

    Yep. I'd worry about infected installation media in particular, as
    well as "data" backups riddled with infected code files. The chances
    of this being the infection source, as opposed to Internet exposure,
    is high when it comes to years-old generic Win32PE infectors. I've
    seen these on counterfeit aluminium-pressed CD-ROM disks.


    >---------- ----- ---- --- -- - - - -
    Gone to bloggery: http://cquirke.blogspot.com
    >---------- ----- ---- --- -- - - - -
  18. Archived from groups: microsoft.public.win98.gen_discussion (More info?)

    On Fri, 6 May 2005 21:17:00 -0400, "Ogg"
    >"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote..

    >Yep.. thanks. I read about kernel32.dll infections and the dynamics of
    >pe_dupator.1503 before the failed kernel32 happened. I was hoping that
    >TrendMicro's sysclean would be able to "clean" it. But obviously it
    >rendered the OS dead.

    Well duh, the malware's running before SysClean gets off the deck.

    If you stand framed in a well-lit doorway and let a burglar hidden
    somewhere in a dark room take the first shot, what outcome do you
    expect? You can't always count on intruders leaving their gun at
    home, or being "nice" enough to meekly submit to arrest.

    >The system was infected with several WORM_OPASERV variants.

    There's a heads-up that the system's setup is brain-dead.

    OpaServ spreads *ONLY* via File and Print Sharing, no other way. So
    you know this PC is waving its ass at infected networks - and the
    Internet is the mother of all infected networks - with the whole of
    C:\ shared for writes. That's like smearing yourself with blood and
    jumping into a shark tank - stupidity that beggars belief.

    >I fixed that immediately and applied the MS patch for the exploit.

    Patch? Pfffft. It's not a code bug, it's brain-dead OS design - I
    hope you didn't leave the whole of C:\ write-shared and File and Print
    Sharing bound to the Internet connection? And yes, MS were indeed so
    stupid in the 1990s as to bind File and print Sharing to Internet
    connection, just as they are stupid enough in 2005 to full-share C:\
    via hidden admin shares with known names, bind File and Print Sharing
    to wireless LAN, and then offer to join every network it sniffs.

    >But the machine had NO anti vir prgm at the time.

    The av is the goalie of last resort. One of the other 10 players who
    should have caught the ball first would have been the clue not to
    full-share any part of the startup axis, and not to bind File and
    Print Sharing to Internet. Stop reading this, fix those bad settings
    immediately, then come back and carry on reading ;-)

    The good news is that things were so ^&%$ing bad, that just about
    anything you do for them can only be an improvement. Start with
    http://cquirke.mvps.org/9x/riskfix.htm (Win9x-specific)

    There's FAR more to this stuff than "in av we trust"


    >---------- ----- ---- --- -- - - - -
    Gone to bloggery: http://cquirke.blogspot.com
    >---------- ----- ---- --- -- - - - -