Solved

Need help with Win98/Cekar-4 trojan

January 29, 2013 12:28:51 AM

First of all, I apologize if this is not posted in the right section, I didn't know where else to post it (if there's a better place please let me know).

Lately my ancient Win98 comp has been running even slower than usual, and it was doing something else crazy; I had both Opera and Firefox installed on that computer--sometimes when I opened Firefox it would take me to Opera instead!

I had ClamWin antivirus installed, and ran a scan...I got the resulting message; c:\WINDOWS\CLSPACK.EXE; Win.Trojan.Cekar-4 found. Being as I'm not very computer-literate, I don't even know what CLSPACK is, so I reinstalled 98; still there. Undaunted, I pressed on....this time I wiped the drive clean and did a complete reformat and install; still there.

The programs I had installed on the new install (as well as the old one); ClamWin, Firefox 8, KernelEx. Would I be correct in thinking that it came from one of those three programs?

So....what is this virus/trojan, and how do I get rid of it? Please keep in mind that I'm not very computer-savvy, so running a regedit operation is kinda risky for me.

Any help is much appreciated!


January 29, 2013 3:36:02 AM

You can try a free scan from Norton: http://us.norton.com/support/DIY/ or
http://us.norton.com/downloads-trial-norton-internet-se...
or Malwarebytes: http://www.malwarebytes.org/lp/malware_lp/?gclid=CLfijJ...
You may need to see if any of those work on Win98.

"What is CLSPACK?
Clspack is a tool that is used to create a new Classes.zip file in the \%Windir%\Java\Classes directory. This tool converts packages that are currently installed via the package manager and writes their contents into a ZIP file. You can find this tool in <sdk-dir>\Bin directory and in the \%Windir%\ directory."
Source: http://support.microsoft.com/kb/183712

http://www.microsoft.com/security/portal/threat/encyclo...!A
January 29, 2013 11:37:17 PM

kenrivers said:
You can try a free scan from Norton: http://us.norton.com/support/DIY/ or
http://us.norton.com/downloads-trial-norton-internet-se...
or Malwarebytes: http://www.malwarebytes.org/lp/malware_lp/?gclid=CLfijJ...
You may need to see if any of those work on Win98.

"What is CLSPACK?
Clspack is a tool that is used to create a new Classes.zip file in the \%Windir%\Java\Classes directory. This tool converts packages that are currently installed via the package manager and writes their contents into a ZIP file. You can find this tool in <sdk-dir>\Bin directory and in the \%Windir%\ directory."
Source: http://support.microsoft.com/kb/183712

http://www.microsoft.com/security/portal/threat/encyclo...!A


Thanks, Ken. So today I installed the Win98 version of Avast antivirus, updated virus definitions and ran it. It picked up/quarantined something, but it wasn't related to the trojan that ClamWin found. After I ran Avast, I ran ClamWin; virus still there, so apparently Avast can't detect it.

How many viruses have you heard of that a complete reformat/install wouldn't get rid of? I know it hasn't infected the BIOS, as I temporarily installed another hard drive on that computer, installed Win98 and ClamWin; no viruses.

Am I going to have to write off that hard drive because I can't get the trojan off of it? I hope not....the drive itself is good.
January 30, 2013 1:11:27 AM

The following is the available information on clspack.exe:
Product name: Microsoft® Windows® Operating System
Company name: Microsoft Corporation
File description: Class Package Export Tool
Internal name: ClsPack
Original filename: ClsPack.EXE
Legal copyright: Copyright © Microsoft Corp. 1997-1998
Product version: 5.00.2752
File version: 5.00.2752
January 30, 2013 1:14:21 AM

9xer said:
Thanks, Ken. So today I installed the Win98 version of Avast antivirus, updated virus definitions and ran it. It picked up/quarantined something, but it wasn't related to the trojan that ClamWin found. After I ran Avast, I ran ClamWin; virus still there, so apparently Avast can't detect it.

How many viruses have you heard of that a complete reformat/install wouldn't get rid of? I know it hasn't infected the BIOS, as I temporarily installed another hard drive on that computer, installed Win98 and ClamWin; no viruses.

Am I going to have to write off that hard drive because I can't get the trojan off of it? I hope not....the drive itself is good.


One suggestion I have read is to boot with the Win98 disk and get to a command prompt. Then run fdisk with the /mbr switch; this will allow you to rewrite the Master Boot Record (where the virus may be hiding). Read the instructions on the following links for more information.
http://support.microsoft.com/kb/255867
http://www.computerhope.com/fdiskhlp.htm
http://www.computerhope.com/issues/ch000175.htm
You will want to delete the current partition and then create a new partition. During the Win98 install you will format the drive.
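An added example, not part of the original posts: fdisk /mbr rewrites the master boot code in sector 0 and leaves the partition table in place, so dumps of sector 0 taken before and after the command can be compared offline to see what actually changed. The two sample sectors, their boot-code bytes and the function names below are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the master boot code
ENTRY_LEN = 16             # followed by four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510..511

def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        raw = sector[off:off + ENTRY_LEN]
        status, ptype = raw[0], raw[4]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if ptype == 0:     # type 0 marks an unused slot
            continue
        partitions.append({"index": i, "active": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}

def compare_mbr(before, after):
    """Report which part of sector 0 differs between two dumps."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {"boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
            "partition_table_changed": a["partitions"] != b["partitions"]}

def build_sample(boot_code):
    """Constructed sector: one active FAT32 (0x0B) partition at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B,
                        b"\xfe\x3f\x81", 63, 2088387)
    table = entry + bytes(ENTRY_LEN * 3)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE

# Constructed stand-ins for dumps taken before and after fdisk /mbr.
BEFORE = build_sample(b"\xeb\x3c" + b"constructed-old-boot-code")
AFTER = build_sample(b"\xfa\x33\xc0" + b"constructed-new-boot-code")

if __name__ == "__main__":
    print(parse_mbr(BEFORE)["partitions"])
    print(compare_mbr(BEFORE, AFTER))
```

A boot-code hash that is identical on a known-clean drive and on the suspect drive indicates the detection is not coming from the MBR.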
January 30, 2013 1:30:16 AM

Ken, I think you are onto something! When I reinstalled 98, I did NOT use the mbr command (didn't even know it existed). I've been reading up on that, and it looks like this trojan affects the master boot record, which would explain why it keeps coming back.

I'm going to do another reformat/reinstall, but this time I'll reformat the mbr. Thanks for the info!

Best solution

January 30, 2013 1:45:05 AM

9xer said:
Ken, I think you are onto something! When I reinstalled 98, I did NOT use the mbr command (didn't even know it existed). I've been reading up on that, and it looks like this trojan affects the master boot record, which would explain why it keeps coming back.

I'm going to do another reformat/reinstall, but this time I'll reformat the mbr. Thanks for the info!

Glad to help, let me know if that works.
February 3, 2013 6:47:42 PM

Well, I did a complete reformat and reinstall, this time using the fdisk /mbr command to clear the master boot record; the trojan is still there. How is that possible?
February 12, 2013 11:45:52 PM

Best answer selected by 9xer.