herbalist
Member
Posts: 733
Country: United States

Everything posted by herbalist

  1. Just saw your last post. I don't remember where I saw it, but I remember reading about malware that's executed by the AV's attempt to parse the file. Regardless, it's clear that your AV isn't recognizing the source of the infection. Regarding the firewall executables, it appears that the malware can't infect a running file, persfw.exe, which is loaded early in the boot process. I'd also suggest checking the dates of any registry backups your system made and seeing if any predate the infection. If one does, use it. I have seen malware that can hide its registry autostart entries on 98. You may have one of these. There is a registry editor that's supposed to work in DOS. Have you tried using it to check your autostart keys? I'd consider setting up a bare-bones system with USB support and an anti-executable like SSM installed. A stripped Win2K would be a good choice as it works with online AVs. Start copying your infected files to a flash drive and scan them on that system. If an AV scan is triggering the virus to execute, SSM should intercept it and alert you, provided it's set restrictively enough.
  2. Default-deny works on single-OS and multi-boot systems alike. This PC has 2 operating systems. My HP has 5. It's no different with the conventional approach to security. An AV only provides real-time protection for the OS it's installed on. It's useless if you switch to another OS. It's not necessary that each OS be protected by the same security policy. You could use default-deny on 98 and a different approach on the NT systems. With NT systems, your options are wide open. Virtualization and sandboxing are 2 very good options. Sandboxie is an excellent security app for NT systems. Its default settings leave something to be desired, but that can be said about any security app. The default rules for a firewall are good examples. How you decide to secure each OS isn't that critical, as long as you do secure each one. Even if an OS never directly sees the internet, if it's connected to one that does, it has to be protected from internet threats. I'm finding your position and logic very difficult to understand. It takes too much time and effort to set up a good security policy, but it's acceptable to spend just as much of both cleaning up after an infection, then trust random chance that it won't happen again? I realize that setting up a default-deny based security system can be a bit intimidating the first time, but you don't have to do it all at once or lower any other defenses you have to do so. When I first started testing SSM back when Max was the developer, I still had an AV. Actually, I had 3: 1 resident, 2 for manual scanning. It was a gradual process that slowly moved SSM to the front line of defense while the AV became a secondary layer. As I gained understanding regarding how the different processes interacted, what the attack surface was and how to defend it, the AV became less relevant until I finally shut the resident AV down. After nearly a year of AV scans finding nothing, I removed it. For me, the complete transition took about a year and a half.
On my 2K system, I use a slightly different approach. I'm using Sandboxie to isolate the attack surface and SSM to defend the core system. Unknowns are allowed but are limited to the sandbox. On a 9X unit with sufficient RAM and a good processor, VPC 5.1 can fill a similar role as long as the core system is protected. Regarding Firefox vs Opera, in spite of the various claims, both are vulnerable. Browsers will always be vulnerable, along with their extensions, plug-ins, etc. Right now, FF has a larger user base, so it's being probed for weaknesses more than it used to be. If Opera were more popular, it would have the same problem. It's a safe bet that all of them have lots of unknown or undisclosed vulnerabilities. The browser and its add-ons, components, etc. are the single most targeted part of the attack surface. It will always be vulnerable. If it were possible to patch an application to the point that it's secure, IE6 would be the safest browser ever, but the opposite is true. With 98, you've also got the problem of compatibility. KernelEX notwithstanding, all 98 users may have to settle for using older versions of their favorite browser, complete with known vulnerabilities. IMO, the best way to deal with the browser is to accept the fact that it is vulnerable and that it will be targeted, sometimes successfully. As much as possible, isolate it from the rest of your system with virtualization, sandboxing, and specific application rules that limit its access to the rest of the system and prohibit it from launching other executables. A good content filter (Proxomitron) out front can make a huge difference as well.
  3. Quoting: "This will take a lot of time, and may be good on a system to which few new applications are added. My Win98 may eventually become such a system, but currently I am still installing a lot of new stuff under Win98."
What do you consider to be "installing a lot", a few per week, several each day? Do you keep all these apps or are you just testing them, looking for keepers? Full installs or "unzip and go" apps? There is a fair amount of time involved the first time you set up such a policy. Once you've done it a few times, it goes quickly. Unlike an NT system, there aren't that many system processes to make rules for. A 9X system is much easier to control. Even so, I'd bet it would take less time than cleaning up after tenga has. Adding new apps to an existing whitelist is no big deal. My FE unit has been protected by default-deny for years and has somewhere around 150 applications and utilities on it. True, default-deny is best suited for static systems and making sure that they stay that way, but it can also be used to intercept and alert to new/unknown processes and activities. If you do have large quantities of apps to try out, I'd suggest using a separate unit just for that purpose, or a virtual system on a well-protected host after scanning them at VirusTotal. Virtual PC 5.1 will do this on 98. It takes a little work, but you could make a virtual copy of your primary system for Virtual PC. The copied OS would need to change its drivers to work in Virtual PC, but with the exception of those drivers, you'd have a virtual copy of your system for trying new software on. This way, you could also check the new apps for conflicts with your existing system and software, not including the changed drivers. I don't install many apps on my 98 units. With "unzip and use" apps, I make a registry and core system backup first. With installed apps, I make a backup of the whole partition and disconnect the external drive first.
So far, I haven't needed to use a system backup because of malware or infection, but I have used them to revert to a previous version of an app when the new version has undesired changes or other effects on my system. 98 might not be targeted nearly as much as NT systems, but if even one piece of malware causes permanent data loss, IMO, that's too many. It also depends on who you're referring to as targeting 98. The criminal element might be largely ignoring it, but I wouldn't bet on the NSA, RIAA, or other such groups doing so. I'm sure the anti-P2P groups are very aware that 98 does get used as dedicated P2P units. It's entirely possible that you've encountered a modified version of tenga that the AV didn't recognize. That's another advantage of default-deny. Anything it doesn't recognize as allowed is blocked. It also eliminates the question of whether your security apps will ignore "official" spyware. Several years ago, because of information I posted on the web, I was targeted by what I suspect was "official spyware". My resident AV didn't detect it. Neither did several online scans. It dialed out at 3AM, granted itself internet access through the firewall, sent out a large quantity of data that matched the size of an encrypted container file I had, then apparently deleted itself. The only thing I know for certain is that it used a normally allowed system process, rundll32.exe, so it was most likely in DLL form. I seriously doubt that any AV or anti-spyware is going to detect "official spyware" no matter what the vendor claims. It also wouldn't surprise me one bit if that spyware was built into Windows, at least into the NT systems. I share your concern about updates, but instead of avoiding updates after a specific date, I apply only the ones I need/want. The XP unit I have is also SP2. SP3 breaks some of the apps I use.
  4. I recently installed RP9 on my KernelEX-equipped Lite-98SE unit. Everything seems to be working well except for one problem. If I'm using any window skin other than the default, PDF-XChange crashes when I open a document. If the PDF is already open when I switch themes, the reader crashes when the skin is applied. The error message is as follows:
PDFXCVIEW caused an invalid page fault in module <unknown> at 0000:bf9c5138.
Registers:
EAX=fffffdff CS=016f EIP=bf9c5138 EFLGS=00210202
EBX=00000004 SS=0177 ESP=01005bb4 EBP=01005c34
ECX=00000004 DS=0177 ESI=00000000 FS=291f
EDX=000101f1 ES=0177 EDI=00000000 GS=0000
Bytes at CS:EIP:
0f b7 0b 23 c1 8b 5d 80 66 89 03 eb 13 b8 00 02
Stack dump:
00000004 82c082a0 00000000 00000000 00000000 001301a7 00000000 0be79be2
001317cf 00000001 23440048 00000000 23440048 00000000 bff728a2 00000000
This happens with both the installed and free-standing viewers, versions 2.0.0047.0000 and 2.0.0049.0000. None of the other RP9 settings or options have any effect on the problem. The 32-bit icons look good, as does that Black Mesa theme. I only wish I could use it without having to switch back to Classic whenever I open a PDF.
  5. I'm sorry to hear that you got hit but I am relieved to hear that you've realized that 98 is still vulnerable and not immune to attack. A good backup system for both system and data should be part of any system protection against both infection and hardware failure. That said, neither is any help against malware that steals passwords or logs keystrokes. The other problem with relying on backups is knowing when you're infected. Even on 98, malware is not always visible in process monitors. The only sure solution is default-deny and knowing every process that's allowed on your main system, and install new software on a separate test system first. It's a bit of a hassle, but much less so than cleaning up after an infection.
  6. I respectfully disagree. More info here: CALL. On my present 98SE unit, adding "command /c exit" to the called batch file did prevent the system from booting. On my 98FE unit, I call a batch file from autoexec.bat that's very similar to the one in my signature. That batch file ends with "command /c exit" and the system will not finish booting if I remove it. I can't explain this discrepancy unless FE and SE behave that much differently, or something else I did on that system is changing that behavior. Right now, the monitor for my FE unit failed so I can't compare them. I did make a VPC copy of that FE system, allowing it to change drivers as necessary, hoping to test this on it. Batch files don't run properly on VPC.
  7. The "/s" switch for regedit is invalid in autoexec.bat. You should be able to launch regedit directly from autoexec.bat. Try it using this syntax:
REGEDIT C:\folder\MYREG1.REG
REGEDIT C:\folder\MYREG2.REG
It would also be better if you have the .reg files in a folder instead of your root directory. I seem to remember that there's some limitation regarding the number of file entries in the root directory.
  8. You need to exit the command prompt interpreter for the called batch file. Add this to the end of the called batch file: command /c exit
  9. Remove the empty lines at the end of autoexec.bat. Every empty line after the last entry in autoexec.bat will cause the prompt to be displayed in an additional line.
  10. Disney's Pirates of the Caribbean Online game installs and runs with KEX. The game works but the graphics are terrible when compared to playing it on XP. Someone with better hardware and/or drivers may have better luck with the display quality.
  11. It's easier to label someone as paranoid than it is to admit what they'd rather not. Calling home becomes more prevalent every time a new Windows comes out. It's one of the main reasons my primary system is 98. I have one XP system, and its only purpose is to play one specific game that I haven't got around to trying on 2K. That could change with time. I'd speculate that there's more people doing things with 2K than we know of but they aren't aware of each other and haven't come together the way the 98 supporters have. 2K is a good system. It should be easier to keep it alive than 98 is. If you can't find that support community you're looking for, then it's time to start building it.
  12. Now you're talking. I don't know what other info I can give you that I didn't already post. Here, the resource drain is reproducible using any PDFs over 1MB in size. All it takes is opening 3 of them from file in their own tabs, then starting to switch between the tabs. The GDI resources drop with every tab change until they run out. I gave the OS, KEX version and the version of Foxit being used, along with a link to the files I first used. What other info do you want?
  13. Deep Purple, Made in Japan album. Song: Child in Time. Sweet child in time. Don't see the line drawn between the good of us and the bad of us. See the blind man. He's shooting at the world. The bullets flying. They're killing everyone. If you've been bad, Lord, I bet you have, and you've not been hit by flying lead. You better close your eyes. You better bow your head, waiting for the ricochet.
  14. All it takes to reproduce it here is to open several large PDFs in their own tabs and start switching between them. It isn't necessary to scroll. I used copies of an old herbal publication, 11 parts that average 4700KB each. Opening 4-5 and alternating between them was sufficient. The files are at http://www.swsbm.com/ManualsOther/Culbreth.html Download about 4 of them, open them in tabs, and start switching between them. It's GDI resources that are drained the most.
Edit, additional info: Closing the individual tabs doesn't free up the resources much at all. I've closed all the documents but left Foxit open. GDI is at 17%. They returned to 71% when Foxit was closed.
Quoting: "You can forget about running it on 9x. It's deeply tied to the NT kernel with its kernel driver 'SbieDrv.sys', plus it has a lot of dependencies on NT security-related functionality. You'd better stick to VPC."
I wasn't really expecting this to be possible but decided to throw the idea out there, just in case. KernelEX has already accomplished more than most ever thought would be possible, so I thought I'd ask. Connectix VPC 5.1 is fine if you can find it, although it probably contains a host of vulnerabilities that won't be fixed in that version, which requires that the host system is also protected. I was hoping a viable security solution that's suitable for the typical user and uses modern software was possible.
  15. Foxit 3.14 still depletes resources on 9X systems. I opened and scrolled several PDFs in the 4MB size range with it. After several minutes, system, user, and GDI resources were all down to the low 20% range. Although I'm just now trying it for the first time, the present version of PDF-XChange Viewer (2.0 build 47) works with KernelEX and doesn't deplete resources, although its memory usage can get high when multiple documents are opened. So far, it seems stable with KernelEX, enough so that I'm considering making it my default PDF reader. So far, the latest version of KernelEX seems to be working quite well on my 98SE unit. I did experience some short-lived graphics issues on a website with interactive Java maps. These disappeared when I left the page and didn't reappear when I returned. The earlier incompatibility with SSM is gone. No problems with VPC 5.1 or any other software I'm using. The present version of SeaMonkey is working quite well with it. Can't test printing with it at this time. I'd like to see what else would be necessary to get Sandboxie running on 98. Probably asking too much with this one.
  16. The Vc_r_9x.exe installer seems to run when you click on it, but doesn't appear to do anything. I ran the installer through InCtrl5 and it reported no new files or registry changes. Extract the files manually to a temp location, then right-click on Vcredi90.inf and select Install. The files will be copied to their proper locations and an uninstall string will be created.
  17. When I bypass Proxomitron, the forum slows down significantly. Part of that seems due to the Vibrant ads, which are Flash ads for all practical purposes. There's just more content to load. I didn't know the Vibrant ads were there at all until I bypassed Proxomitron filtering. I thought those were supposed to be gone once you logged in. Maybe I'm wrong. It does feel hard on the eyes. I turned down the "blue" on the monitor, which made the page less harsh and easier on the eyes. It dulls some other sites more than I'd like, but it'll do until I figure out how to make a Proxomitron filter and site list that accomplishes the same thing.
  18. I haven't checked to see if it's related to scripts as Proxomitron is blocking a lot of that for me. The site does seem much slower than before. Don't like this new setup at all.
  19. The config.sys and autoexec.bat are text files and can be built and/or edited from Windows with Notepad or another text editor. In DOS, edit.com does the same job. The easiest way to make a boot disk is to let 98 do it for you. Go to the Control Panel, then Add/Remove Programs, Startup Disk tab. This will make a standard 98 boot disk. Use it as a starting point for your own; add, edit, and update drivers and files as you choose. VPC is an ideal environment for this as it enables you to use an image file format instead of actual floppies or CDs. It might not be absolutely necessary to understand DOS or to be able to build your own custom boot disks. That said, DOS can be a 9X user's best friend. With some knowledge and imagination, there's almost no limit to what you can do with it, much of which can't be done from within Windows. DOS batch files are powerful tools, especially when you add a few 3rd-party applications. The link at the bottom of my signature is a small example of what you can do with batch files.
  20. DOS USB drivers would be most commonly used on bootable CDs and floppies. If you're setting up a built-in "boot to DOS" option, put the drivers in a separate folder with your DOS utilities. I use C:\DOS\ and C:\4DOS\ as standard locations for anything used in pure DOS. A DOS boot option is often used to service or modify Windows. I use a command-line version of 7-Zip as a backup/restore utility for the Windows and Program Files folders, with the archived folders stored on my external drive. That would be impossible if the DOS files in use were in the folders being replaced. Keep all of your DOS drivers, files, and utilities together in a location that's easy to get to and outside of Windows. Most of the time, "installing" DOS drivers means putting the files in the folder of your choosing and adding the necessary entries for it to config.sys and autoexec.bat.
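A worked example for posts 19 and 20 above. This is an added illustration, not herbalist's own files: a config.sys boot menu with a "Boot to DOS" service option, an autoexec.bat that branches on the %CONFIG% variable the menu sets, and a called batch file that backs up or restores the Windows and Program Files folders to an external drive with a command-line 7-Zip. Assumptions (none of them stated on the page): everything used in real-mode DOS (COMMAND.COM, HIMEM.SYS, CHOICE.COM, DELTREE.EXE and a DOS build of 7za.exe) has been copied to C:\DOS\; the external drive shows up as D: once its drivers are loaded; 8.3 names such as PROGRA~1 are used because no long-file-name driver is loaded; and MSDOS.SYS has BootGUI=0 so Windows only starts when the WIN branch calls it. The driver lines for the external drive are left as comments because they depend on which real-mode USB driver set you use.

```batch
REM ===== C:\CONFIG.SYS =====
REM IO.SYS shows this menu and sets %CONFIG% to the chosen block name.
[MENU]
MENUITEM=WIN,Start Windows 98
MENUITEM=DOS,Boot to DOS (service Windows from outside it)
MENUDEFAULT=WIN,10

[COMMON]
REM Memory manager and shell are loaded from C:\DOS, not C:\WINDOWS,
REM so the Windows folder can be deleted and restored while they run.
DEVICE=C:\DOS\HIMEM.SYS
DOS=HIGH,UMB
SHELL=C:\DOS\COMMAND.COM C:\DOS\ /E:1024 /P
FILES=40
BUFFERS=20

[WIN]
REM Nothing extra; Windows loads its own protected-mode drivers.

[DOS]
REM Put the real-mode drivers for your external drive here (assumed to
REM appear as D:). Names, order and switches depend on your driver set.
REM DEVICEHIGH=C:\DOS\<usb-host-driver>.SYS
REM DEVICEHIGH=C:\DOS\<usb-mass-storage-driver>.SYS

REM ===== C:\AUTOEXEC.BAT =====
@ECHO OFF
REM Only C:\DOS is on the path; C:\WINDOWS\COMMAND may be deleted later.
SET PATH=C:\DOS
GOTO %CONFIG%

:WIN
WIN
GOTO END

:DOS
ECHO Service mode. Windows has NOT been started.
CHOICE /C:BRQ Backup, Restore or Quit to the DOS prompt
REM IF ERRORLEVEL n is true for n or higher, so test the highest first.
IF ERRORLEVEL 3 GOTO END
IF ERRORLEVEL 2 GOTO RESTORE
IF ERRORLEVEL 1 GOTO BACKUP

:BACKUP
CALL C:\DOS\SYSBAK.BAT B
GOTO END

:RESTORE
CALL C:\DOS\SYSBAK.BAT R

:END

REM ===== C:\DOS\SYSBAK.BAT =====
REM %1 is B (backup) or R (restore). Folders are archived relative to
REM C:\ so that extraction puts them back in the same place.
@ECHO OFF
SET BAK=D:\BACKUP
IF NOT EXIST D:\NUL GOTO NODRIVE
IF NOT EXIST %BAK%\NUL MD %BAK%
C:
CD \
IF "%1"=="B" GOTO BACKUP
IF "%1"=="R" GOTO RESTORE
ECHO Usage: SYSBAK B (backup) or SYSBAK R (restore)
GOTO END

:BACKUP
REM Keep one previous generation in case the new archive turns out bad.
IF EXIST %BAK%\WINPREV.7Z DEL %BAK%\WINPREV.7Z
IF EXIST %BAK%\WIN.7Z REN %BAK%\WIN.7Z WINPREV.7Z
7za a -t7z -mx=5 %BAK%\WIN.7Z WINDOWS PROGRA~1
IF ERRORLEVEL 1 ECHO 7-Zip reported a problem; verify %BAK%\WIN.7Z before trusting it.
GOTO END

:RESTORE
IF NOT EXIST %BAK%\WIN.7Z GOTO NOARCH
REM Test archive integrity before deleting anything.
7za t %BAK%\WIN.7Z
IF ERRORLEVEL 1 GOTO BADARCH
CHOICE /C:YN This deletes C:\WINDOWS and C:\PROGRA~1 and restores from %BAK%\WIN.7Z. Continue
IF ERRORLEVEL 2 GOTO END
DELTREE /Y C:\WINDOWS C:\PROGRA~1
7za x -y %BAK%\WIN.7Z
GOTO END

:NODRIVE
ECHO Drive D: not found; load the external drive's drivers first.
GOTO END
:NOARCH
ECHO No archive found at %BAK%\WIN.7Z
GOTO END
:BADARCH
ECHO Archive failed the integrity test; nothing was deleted.
:END
```

The point of the layout is the one made in post 20: nothing that the DOS session depends on (shell, memory manager, utilities, search path) lives inside the folders being replaced, so the restore branch can remove and recreate C:\WINDOWS and C:\PROGRA~1 in one pass. The integrity test before DELTREE and the single previous-generation archive are cheap safeguards against ending up with neither a working Windows nor a usable backup.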
  21. Have you tried looking for the pages in archive.org?
  22. Malicious sites don't just drop 1 or 2 files on the user anymore. A lot of them use scripting to detect the specific OS, the browser being used, even how current the patching is, before deciding which payload the user will get. Some have been found to use as many as 40 different exploits and payloads. Leaving one in the collection that works on 9X would be a simple matter. It wasn't that long ago that a zero-day vulnerability in Adobe Reader worked as well on 9X as it did on XP. The demo just used the mail handler to launch the calculator. It could have just as easily added startup entries to the registry. In spite of all their differences, 9X and NT systems do have a lot in common that can be and is targeted. We've got malicious code that can tell when it's in a sandbox or virtual environment and will change its behavior. Detecting the OS it's installing on would be easy in comparison. Default-deny can be implemented on any version of Windows. Connectix Virtual PC (the pre-MS versions) runs on 98. The only option that isn't available for 98, as far as I know, is sandboxing software. If KernelEX keeps progressing, even that might become possible. I'll agree that 9X users are safer than they used to be, but that doesn't mean that the web is safe enough for us to go unprotected.
  23. Malware doesn't have to target Win98 directly to function. A large percentage of it targets applications, many of which still run on 98. I have several trojans given to me by other members that are quite recent, some of which behave very much like a rootkit does on an NT system. A fair amount of trojans run on both 9X and NT systems. 9X isn't targeted as much as it used to be, but don't believe for a minute that it's unaffected by today's malware. There's also the possibility that the additional functions added by projects like KernelEX could allow more than just user software to function on 9X systems. By "modernizing" Win98, we may make it vulnerable to more of the modern threats in the process. This is completely unexplored territory. Regardless of whether it's a 9X system, XP, or Win-7, the overall effectiveness of AVs has been declining, not just in detections but in their ability to remove malware when it's discovered. There are better ways to secure Windows than AVs, including virtual systems, sandboxing, and default-deny security policies.
  24. Does Clam Sentinel use polling or does it detect changes in real time?
  25. Building a bootable DOS CD or floppy with USB support involves adding several drivers, each of which serves a specific function. There's DPMI and long file name support in addition to being able to access USB devices. Building it requires writing your own config.sys and autoexec.bat to load these drivers. They often have to be loaded in a specific order using specific switches. Give MDGX's site a good look. He's got some good DOS pages there that we'd be hard pressed to do any better. What drivers you add really depends on what you're going to do with that disk, and like Jaclaz said, this is a very big subject that could take many pages to cover.