
herbalist
Member, 733 posts, United States

Everything posted by herbalist

  1. Just saw your last post. I don't remember where I saw it, but I remember reading about malware that's executed by the AV's attempt to parse the file. Regardless, it's clear that your AV isn't recognizing the source of the infection. Regarding the firewall executables, it appears that the malware can't infect a running file, persfw.exe, which is loaded early in the boot process. I'd also suggest checking the dates of any registry backups your system made and see if any predate the infection. If one does, use it. I have seen malware that can hide its registry autostart entries on 98. You may have one of these. There is a registry editor that's supposed to work in DOS. Have you tried using it to check your autostart keys? I'd consider setting up a bare bones system with USB support and an anti-executable like SSM installed. A stripped Win2K would be a good choice as it works with online AVs. Start copying your infected files to a flash drive and scan them on that system. If an AV scan is triggering the virus to execute, SSM should intercept it and alert you, provided it's set restrictively enough.
  2. Default-deny works on single OS and multi-boot alike. This PC has 2 operating systems. My HP has 5. It's no different with the conventional approach to security. An AV only provides real time protection for the OS it's installed on. It's useless if you switch to another OS. It's not necessary that each OS be protected by the same security policy. You could use default-deny on 98 and a different approach on the NT systems. With NT systems, your options are wide open. Virtualization and sandboxing are 2 very good options. Sandboxie is an excellent security app for NT systems. Its default settings leave something to be desired but that can be said about any security app. The default rules for a firewall are good examples. How you decide to secure each OS isn't that critical, as long as you do secure each one. Even if an OS never directly sees the internet, if it's connected to one that does it has to be protected from internet threats. I'm finding your position and logic very difficult to understand. It takes too much time and effort to set up a good security policy but it's acceptable to spend just as much of both cleaning up after an infection, then trust random chance that it won't happen again? I realize that setting up a default-deny based security system can be a bit intimidating the first time but you don't have to do it all at once or lower any other defenses you have to do so. When I first started testing SSM back when Max was the developer, I still had an AV. Actually, I had 3: 1 resident, 2 for manual scanning. It was a gradual process that slowly moved SSM to the front line of defense while the AV became a secondary layer. As I gained understanding regarding how the different processes interacted, what the attack surface was and how to defend it, the AV became less relevant until I finally shut the resident AV down. After nearly a year of AV scans finding nothing, I removed it. For me, the complete transition took about a year and a half.
On my 2K system, I use a slightly different approach. I'm using Sandboxie to isolate the attack surface and SSM to defend the core system. Unknowns are allowed but are limited to the sandbox. On a 9X unit with sufficient RAM and a good processor, VPC 5.1 can fill a similar role as long as the core system is protected. Regarding Firefox vs Opera, in spite of the various claims, both are vulnerable. Browsers will always be vulnerable along with their extensions, plug-ins, etc. Right now, FF has a larger user base so it's being probed for weaknesses more than it used to be. If Opera were more popular, it would have the same problem. It's a safe bet that all of them have lots of unknown or undisclosed vulnerabilities. The browser and its add-ons, components, etc. are the single most targeted part of the attack surface. It will always be vulnerable. If it were possible to patch an application to the point that it's secure, IE6 would be the safest browser ever, but the opposite is true. With 98, you've also got the problem of compatibility. KernelEX notwithstanding, all 98 users may have to settle for using older versions of their favorite browser, complete with known vulnerabilities. IMO, the best way to deal with the browser is to accept the fact that it is vulnerable and that it will be targeted, sometimes successfully. As much as possible, isolate it from the rest of your system with virtualization, sandboxing, and specific application rules that limit its access to the rest of the system and prohibit it from launching other executables. A good content filter (Proxomitron) out front can make a huge difference as well.
  3. "This will take a lot of time, and may be good on a system to which few new applications are added. My Win98 may eventually become such a system, but currently I am still installing a lot of new stuff under Win98."
What do you consider to be "installing a lot", a few per week, several each day? Do you keep all these apps or are you just testing them, looking for keepers? Full installs or "unzip and go" apps? There is a fair amount of time involved the first time you set up such a policy. Once you've done it a few times, it goes quick. Unlike an NT system, there aren't that many system processes to make rules for. A 9X system is much easier to control. Even so, I'd bet it would take less time than cleaning up after tenga has taken. Adding new apps to an existing whitelist is no big deal. My FE unit has been protected by default-deny for years and has somewhere around 150 applications and utilities on it. True, default-deny is best suited for static systems and making sure that they stay that way, but it can also be used to intercept and alert to new/unknown processes and activities. If you do have large quantities of apps to try out, I'd suggest using a separate unit just for that purpose or a virtual system on a well protected host after scanning them at VirusTotal. Virtual PC 5.1 will do this on 98. It takes a little work, but you could make a virtual copy of your primary system for Virtual PC. The copied OS would need to change its drivers to work in Virtual PC, but with the exception of those drivers, you'd have a virtual copy of your system for trying new software on. This way, you could also check the new apps for conflicts with your existing system and software, not including the changed drivers. I don't install many apps on my 98 units. With "unzip and use" apps, I make a registry and core system backup first. With installed apps, I make a backup of the whole partition and disconnect the external drive first.
So far, I haven't needed to use a system backup because of malware or infection, but I have used them to revert to a previous version of an app when the new version has undesired changes or other effects on my system. 98 might not be targeted nearly as much as NT systems, but if even one piece of malware causes permanent data loss, IMO, that's too many. It also depends on who you're referring to as targeting 98. The criminal element might be largely ignoring it but I wouldn't bet on the NSA, RIAA, or other such groups doing so. I'm sure the anti-P2P groups are very aware that 98 does get used as dedicated P2P units. It's entirely possible that you've encountered a modified version of tenga that the AV didn't recognize. That's another advantage of default-deny. Anything it doesn't recognize as allowed is blocked. It also eliminates the question of whether your security apps will ignore "official" spyware. Several years ago, because of information I posted on the web, I was targeted by what I suspect was "official spyware". My resident AV didn't detect it. Neither did several online scans. It dialed out at 3AM, granted itself internet access through the firewall, sent out a large quantity of data that matched the size of an encrypted container file I had, then apparently deleted itself. The only thing I know for certain is that it used a normally allowed system process, rundll32.exe, so it was most likely in DLL form. I seriously doubt that any AV or anti-spyware is going to detect "official spyware" no matter what the vendor claims. It also wouldn't surprise me one bit if that spyware was built into Windows, at least into the NT systems. I share your concern about updates, but instead of avoiding updates after a specific date, I apply only the ones I need/want. The XP unit I have is also SP2. SP3 breaks some of the apps I use.
  4. I recently installed RP9 on my Kernel EX equipped Lite-98SE unit. Everything seems to be working well except for one problem. If I'm using any window skin other than the default, PDF-Xchange crashes when I open a document. If the PDF is already open when I switch themes, the reader crashes when the skin is applied. The error message is as follows:

     PDFXCVIEW caused an invalid page fault in
     module <unknown> at 0000:bf9c5138.
     Registers:
     EAX=fffffdff CS=016f EIP=bf9c5138 EFLGS=00210202
     EBX=00000004 SS=0177 ESP=01005bb4 EBP=01005c34
     ECX=00000004 DS=0177 ESI=00000000 FS=291f
     EDX=000101f1 ES=0177 EDI=00000000 GS=0000
     Bytes at CS:EIP:
     0f b7 0b 23 c1 8b 5d 80 66 89 03 eb 13 b8 00 02
     Stack dump:
     00000004 82c082a0 00000000 00000000 00000000 001301a7 00000000 0be79be2 001317cf 00000001 23440048 00000000 23440048 00000000 bff728a2 00000000

     This happens with both the installed and free-standing viewers, versions 2.0.0047.0000 and 2.0.0049.0000. None of the other RP9 settings or options have any effect on the problem. The 32 bit icons look good, as does that black mesa theme. I only wish I could use it without having to switch back to classic whenever I open a PDF.
  5. I'm sorry to hear that you got hit but I am relieved to hear that you've realized that 98 is still vulnerable and not immune to attack. A good backup system for both system and data should be part of any system protection against both infection and hardware failure. That said, neither is any help against malware that steals passwords or logs keystrokes. The other problem with relying on backups is knowing when you're infected. Even on 98, malware is not always visible in process monitors. The only sure solution is default-deny and knowing every process that's allowed on your main system, and installing new software on a separate test system first. It's a bit of a hassle, but much less so than cleaning up after an infection.
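The default-deny policy that posts 2, 3 and 5 above argue for can be shown more concretely than the posts do. The following is an added illustration, not code by the poster and not how SSM or Sandboxie are implemented: an allowlist of known executables, each pinned to the SHA-256 of its bytes (hash pinning is this example's assumption; the posts only say every allowed process must be known). A program that is not on the list is blocked, and a program that is on the list but whose bytes have changed is also blocked, which is what lets the policy stop a variant an AV has no signature for. A second mode models the 2K arrangement from post 2, where unknowns are allowed but confined to a sandbox. All paths and file contents are constructed stand-ins so the script runs offline.

```python
"""Default-deny execution policy, as an illustration.

Added example: not code from the forum poster or from SSM/Sandboxie.
It models the policy described in the posts: every executable that may run
is known in advance (path plus SHA-256 of its bytes) and anything else is
blocked, whether or not an AV has a signature for it.  All "files" below are
constructed in memory so the script runs offline.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DefaultDenyPolicy:
    """Allowlist keyed by normalised path, each entry pinned to a file hash."""

    def __init__(self, sandbox_unknown: bool = False) -> None:
        # sandbox_unknown=False: pure default-deny (the 98 setup in the posts).
        # sandbox_unknown=True : unknowns may run, but only inside a sandbox,
        #                        the Sandboxie-style arrangement described for 2K.
        self.allowed: Dict[str, str] = {}
        self.sandbox_unknown = sandbox_unknown
        self.log: List[str] = []

    @staticmethod
    def _key(path: str) -> str:
        # Windows paths are case-insensitive; compare them in one case.
        return path.lower()

    def allow(self, path: str, content: bytes) -> None:
        """Whitelist a program exactly as it exists right now."""
        self.allowed[self._key(path)] = sha256_hex(content)

    def check(self, path: str, content: bytes) -> Tuple[str, str]:
        """Decide what happens when `path` tries to execute."""
        expected = self.allowed.get(self._key(path))
        actual = sha256_hex(content)
        if expected is None:
            verdict = "SANDBOX" if self.sandbox_unknown else "BLOCK"
            reason = "not on the allowlist"
        elif expected != actual:
            # Same path, different bytes: an allowed program was modified
            # (e.g. by a file infector), so it is no longer the program we allowed.
            verdict, reason = "BLOCK", "allowlisted path but contents changed"
        else:
            verdict, reason = "ALLOW", "matches allowlist"
        self.log.append(f"{verdict:7} {path}  ({reason})")
        return verdict, reason


def evaluate_sample(sandbox_unknown: bool = False) -> List[str]:
    """Run constructed sample files through the policy; returns the verdicts in order."""
    # Constructed stand-ins for real binaries; the bytes are arbitrary.
    rundll32 = b"MZ\x90\x00 fake rundll32 body"
    persfw = b"MZ\x90\x00 fake persfw body"

    policy = DefaultDenyPolicy(sandbox_unknown=sandbox_unknown)
    policy.allow(r"C:\WINDOWS\RUNDLL32.EXE", rundll32)
    policy.allow(r"C:\PROGRAM FILES\FIREWALL\PERSFW.EXE", persfw)  # constructed path

    attempts = [
        (r"C:\WINDOWS\RUNDLL32.EXE", rundll32),                  # unchanged, allowed
        (r"c:\windows\rundll32.exe", rundll32),                  # same file, different case
        (r"C:\WINDOWS\RUNDLL32.EXE", rundll32 + b"\xcc\xcc"),    # allowed path, altered bytes
        (r"C:\WINDOWS\TEMP\SETUP.EXE", b"MZ\x90\x00 unknown"),   # never allowlisted
    ]
    return [policy.check(path, content)[0] for path, content in attempts]


if __name__ == "__main__":
    for mode in (False, True):
        print("sandbox_unknown =", mode)
        for verdict in evaluate_sample(mode):
            print("  ", verdict)
```

Running it prints ALLOW, ALLOW, BLOCK, BLOCK in strict mode; in sandbox mode only the last verdict changes, to SANDBOX, because the modified rundll32.exe is still refused outright. The point the posts make about a modified tenga variant is the third case: the AV's signature list is irrelevant, since the decision rests on what is allowed rather than on what is recognised as bad.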
  6. I respectfully disagree. More info here: CALL. On my present 98SE unit, adding "command /c exit" to the called batch file did prevent the system from booting. On my 98FE unit, I call a batch file from autoexec.bat that's very similar to the one in my signature. That batch file ends with "command /c exit" and the system will not finish booting if I remove it. I can't explain this discrepancy unless FE and SE behave that much differently, or something else I did on that system is changing that behavior. Right now, the monitor for my FE unit failed so I can't compare them. I did make a VPC copy of that FE system, allowing it to change drivers as necessary, hoping to test this on it. Batch files don't run properly on VPC.
  7. The "/s" switch for regedit is invalid in autoexec.bat. You should be able to launch regedit directly from autoexec.bat. Try it using this syntax:

     REGEDIT C:\folder\MYREG1.REG
     REGEDIT C:\folder\MYREG2.REG

     It would also be better if you have the .reg files in a folder instead of your root directory. I seem to remember that there's some limitation regarding the number of file entries in the root directory.
  8. You need to exit the command prompt interpreter for the called batch file. Add this to the end of the called batch file:

     command /c exit
  9. Remove the empty lines at the end of autoexec.bat. Every empty line after the last entry in autoexec.bat will cause the prompt to be displayed in an additional line.
  10. Disney's Pirates of the Caribbean Online game installs and runs with KEX. The game works but the graphics are terrible when compared to playing it on XP. Someone with better hardware and/or drivers may have better luck with the display quality.
  11. It's easier to label someone as paranoid than it is to admit what they'd rather not. Calling home becomes more prevalent every time a new Windows comes out. It's one of the main reasons my primary system is 98. I have one XP system, and its only purpose is to play one specific game that I haven't got around to trying on 2K. That could change with time. I'd speculate that there are more people doing things with 2K than we know of but they aren't aware of each other and haven't come together the way the 98 supporters have. 2K is a good system. It should be easier to keep it alive than 98 is. If you can't find that support community you're looking for, then it's time to start building it.
  12. Now you're talking. I don't know what other info I can give you that I didn't already post. Here, the resource drain is reproducible using any PDFs over 1MB in size. All it takes is opening 3 of them from file in their own tabs, then start switching between the tabs. The GDI resources drop with every tab change until they run out. I gave the OS, KEX version and the version of Foxit being used along with a link to the files I first used. What other info do you want?
  13. Deep Purple, Made in Japan album. Song: Child in Time. Sweet child in time. Don't see the line drawn between the good of us and the bad of us. See the blind man. He's shooting at the world. The bullets flying. They're killing everyone. If you've been bad, Lord, I bet you have, and you've not been hit by flying lead. You better close your eyes. You better bow your head, waiting for the ricochet.
  14. All it takes to reproduce it here is to open several large PDFs in their own tabs and start switching between them. It isn't necessary to scroll. I used copies of an old herbal publication, 11 parts that average 4700KB each. Opening 4-5 and alternating between them was sufficient. The files are at http://www.swsbm.com/ManualsOther/Culbreth.html Download about 4 of them, open them in tabs, and start switching between them. It's GDI resources that are drained the most.

     Edit, additional info: Closing the individual tabs doesn't free up the resources much at all. I've closed all the documents but left Foxit open. GDI is at 17%. They returned to 71% when Foxit was closed.

     "You can forget about running it on 9x. It's deeply tied to NT kernel with its kernel driver 'SbieDrv.sys' plus it has a lot of dependencies on NT security related functionality. You'd better stick to VPC."
     I wasn't really expecting this to be possible but decided to throw the idea out there, just in case. KernelEX has already accomplished more than most ever thought would be possible so I thought I'd ask. Connectix VPC-5.1 is fine if you can find it, although it probably contains a host of vulnerabilities that won't be fixed in that version, which requires that the host system is also protected. Was hoping a viable security solution that's suitable for the typical user and uses modern software was possible.
  15. Foxit 3.14 still depletes resources on 9X systems. I opened and scrolled several PDFs in the 4MB size range with it. After several minutes, system, user, and GDI resources were all down to the low 20% range. Although I'm just now trying it for the first time, the present version of PDF-Xchange viewer (2.0 build47) works with KernelEX and doesn't deplete resources, although its memory usage can get high when multiple documents are opened. So far, it seems stable with KernelEX, enough so that I'm considering making it my default PDF reader. So far, the latest version of KernelEX seems to be working quite well on my 98SE unit. I did experience some short-lived graphics issues on a website with interactive Java maps. These disappeared when I left the page and didn't reappear when I returned. The earlier incompatibility with SSM is gone. No problems with VPC 5.1 or any other software I'm using. The present version of SeaMonkey is working quite well with it. Can't test printing with it at this time. I'd like to see what else would be necessary to get Sandboxie running on 98. Probably asking too much with this one.