Nomen

Searching a few drives I have handy at the moment for CTL3D32.dll versions: (1) 2.31.000 26,624 bytes Jan 26/1998 (2) 2.26.000 26,112 bytes Nov 6/1997 (3) 2.31.000 45,056 bytes April 23/1999 (4) 2.31.000 27,136 bytes July 13/1995 (5) 2.31.000 45,056 bytes June 8/2000 (1) is what my win-98 system is currently using (2) located in a Coreldraw 9 program directory (3) located in an archived copy of a win-98 installation from another computer (4) located in a \temp\_istmp0.dir directory of another archived copy of a win-98 installation (5) located in a folder containing unpacked files from Win-ME cd (3) and (5) are same size, but not binary identical. A directory containing an unpacked win-98 CD is not handy at the moment, so I don't know what version of CTL3D32.dll is there. Based on file date, this computer seems to be using a version from win-98 FE? Nothing has changed as far as being able to use skype 3.8.0.188 on this system (see my earlier posts in this thread). It doesn't see or recognize audio components, and I can't change my skype user image or icon picture (see post #11 in this thread). Would CTL3D32.DLL play a role in BOTH of these problems?

Last week I downloaded the daily build "intelligent updater" package from Symantec for an XP machine running NAV 2002. This was only to scan the slaved NTFS hard drive of a suspect win-7 laptop (ordinarily NAV is not running on the XP system in question). The Symantec package was over 700 mb in size (6 or so years ago it was 100 mb). The package updated the NAV 2002 scan engine and definitions to current standards. NAV 2002 runs on win-98 just fine. Now why you need or want to waste CPU power running an anti-virus program on win-98, that's the larger question here.

I took the drive to a different machine that is dual boot XP/7. The machine was off, but it was in win-7 suspend mode because I hooked up the drive and powered it on and it came up (resumed) and was having some difficulty with the drive. The task bar said it was "installing new hardware", and while that was going on I brought up the drive managment console and I think it was showing 2 instances of the drive, showing the same drive identification number and showing it/them as uninitialized. But it wouldn't let me do anything with it. I rebooted the machine and started it in XP, but never got past the spash screen (with the 3 blue boxes scrolling left to right). Drive light showed what looked like random or intermittent activity. I let it go for about 15 minutes and hit the reset and started win-7, but again it never got past the spash screen. So there is something about this drive that not even the "power" of an NT-based OS can overcome.

I had a spare 400 gb sata drive that was pulled from an old XP machine that I wanted to temporarily slave to my win-98 machine (intel 845-based motherboard with 2-port SATA controller add-on PCI board). I disconnected one of the two SATA drives connected to the PCI card and connected the 400 gb drive in its place. Windows 98 booted fine, but (as expected) did not see the 400 gb drive. I then booted into DOS and ran free fdisk 1.2.1 where I deleted the single NTFS partition on the 400 gb drive and then created a single FAT32 partition (I did not reboot between those 2 actions). I then rebooted, but the system would not boot. I tried pressing f8 during startup, but that menu never came up. The bios was set to boot floppy first, then drive-0 (which is an IDE connected to Master primary). I disconnected the 400 gb drive and was able to boot normally. I set the bios to only boot from floppy, and a floppy formatted with win-98 dos (format a: /s /u) with no config.sys or autoexec.bat booted normally. But the floppy won't boot with the 400 gb drive connected to the system. Even if that's the only drive (no other IDE or sata drives) the floppy shows disk activity for about 10 seconds then stops. I'm going to take the drive and slave it to another (XP) system and mess with it until I'm able to connect it back to the win-98 system, but I was wondering what sort of state the partition table must be in for DOS and win-98 to freeze up during boot when the drive is present. ? I've connected many IDE and sata hard drives to various win-98 systems in the past and have never encountered a situation where just physically connecting a drive to the system prevented full booting into win-98 - or even DOS.

This thread should have been added to the sticky "motherboards for win-98" thread.

So what is the relationship to the beautifier output vs the wepawet.iseclab.org output? The wepawet.iseclab.org output indicates a dependency or utilization of an activex component, and it seems to be constructing a target .exe file to download from the above-mentioned domains based on some sort of algorythm using a random number generator. Would be useful to generate one and download the payload from one of those domains - assuming they're still serving up the payload.

If you want to see the "beautified" (more readable) version, I put a copy here: http://pastebin.com/raw.php?i=K7DjsewG See the first link (to wepawet.iseclab.org) I gave in the first post. That is the "de-obfuscated" version of this JS script. I don't know if taking the de-obfuscated output and saving it as a text file (with .js suffix) would result in a functional .js file (that you can throw into a browser to see what it does). ??? I tried it and got nowhere.

I ran the .js file through an on-line script "beautifier" (jsbeautifier.org) and saved the result as a test .js file. FF2 opens it as a text file. IE6 opens it as a script, gives me a warning, and then gives the same error as above - except that I know what line the error is happening on. Its the very last line of the file. Here is what the last few lines look like: ------------------------- for (var xuow = 1; xuow <= 229; xuow++) { tz += this['nbny' + (xuow * 3562)](); }; this[nbny243()](tz); ------------------------- The line starting with "this" is line 817 - the line that the error is happening on (which is also the last line of the file). So I don't know if this file was malformed to start with, or what...

Last week (and again today), for the first time ever, I'm seeing zip-compressed .js files as spam email attachments. These are polymorphic files that seem to have very low initial detection rates (such as less than 10 out of 57 at Virus Total). An analysis of today's .JS file can be found here: http://wepawet.iseclab.org/view.php?hash=1404be252a3d2861fdffc6af412d2495&type=js I'm trying to understand how an end-user, using a windows-based email client (such as outlook, thunderbird, etc) would end up executing the attachment. For example, after saving the attachment and decompressing the .zip file, I dragged the resulting .js file over to a few of my installed browsers. Firefox 2.0.0.20, Netscape 9.0.0.6 and Opera 12.02 all did the same thing - just opened it as a text file and displayed the text of the .js file. IE 6 seems to have actually known it was a script file, because it first threw up a warning if I wanted to open, run or save a potentially dangerous file. I said sure - run it. It then threw up this error: -------------- Windows Script Host Script: (path to js file)\Invoice_whatever.doc.js Line: 1 Char: 15876 Error: Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another. Code: 800A0BB9 Source: ADODB.Stream --------------- I had to dismiss that error message about 10 times before it went away. I would have thought that Opera 12, being somewhat "new" or newer, would have known how to handle or execute a .js file. Is IE the only browser that opens / executes .js files if you drop the file onto the browser? Is this unique for IE6, or do other versions of IE also do this? Do newer versions of Mozilla-based browsers execute .js files if you drop them on them? Is the Windows Script Host (or file-handler?) that Win-9x/me has somehow "invulnerable" to this seemingly recent development in malware email attachment techniques?

It's not Kex that you're testing. It's a specific program / software that you're testing. And there are certain specific deficiencies in those old P2's and P3's that affect multimedia / video rendering if I'm not mistaken. Absolutely no reason to be putzing with win-98 on anything less than a socket 478 P4 with 512 mb ram these days. Five years ago you could find PC's like that sitting on the side of the road - being thrown out with the garbage.

Probably something to do with your hardware. Video driver, or not enough system ram, or old (non-P4) CPU. If not hardware or drivers, then what updates / patches / tweaks to your system files do you have as a starting point before you try KernelEx?

I make extensive (even insane) use of my HOSTS file to block contact with any host that I figure my win-98 computer doesn't need to talk to. I add entries based on what I see when I examine web-page code and also what my router shows in the out-going contact logs. Some of these entries probably makes browsing on some sites difficult or impossible (it's hard to know which entries are responsible) but if FF2 can't perform then Opera 12.02 frequently can. In an effort to see if I can serve up some of the frequently accessed files locally, I installed Abyss Web Server free version, which you must choose either http or https service (I chose https). So it serves up quite a lot of .js files that I've retrieved manually and placed in the local web-server directory (214 files at last count, 90 of them being .js files, 22 of them .css files, etc). Various jquery.js files being the most common. I examine these .js files (expand them when necessary and store them that way) and look for references to other hosts and mung them for the fun of it. I mention all this because one of the things that Abyss has is this: the host that is shown in that example (apis.google.com) is currently rem'd out in my hosts file. It will serve up TLS/SSL ciphers on port 443 for any hosts that I have in my HOSTS file. Here is the Abyss help-page for these functions: http://www.aprelium.com/data/doc/2/abyssws-win-doc-html/ssl.html I don't know if any of this would help outlook when contacting a mail host (like gmail) as a way to get around SSL or Certificate errors during login... ?

> And no, most probably I will never find out Jaclaz - do you not have a PC with 4 gb with a floppy drive? That's all you need to find out yourself by booting DOS 7.1 from a floppy and seeing if you can load smartdrv with the regular himem.sys (and any suggested switches). The system I was working with is now at another location, but later today I will be able to test numhandles on several different machines with various amounts of ram. Regarding the Numhandles argument - after looking through the results of many web searches, I can find: - no authoritative explanation from any source as to what NUMHANDLES is for, what it does, when to use it, etc, and - no explanation as to how NUMHANDLES affects or alters himem.sys's ability to provide XMS memory to applications such as smartdrv.exe, especially in situations when a system has a large amount of installed ram.

While we're on the subject - some quotes from http://www.programdoc.com/1017_4787_1.htm here: ============ "The script to get the setup started works but immediately before the file copy starts in earnest (it has copied the udb file) setup stops with a heap of disk activity lasting several hours. Setup does eventually continue and complete correctly. Is the an entry in the unattend file to skip disk checks or do a quick format perhaps? or am I missing something else?" "The short answer is that you need to load smartdrv. This "feature" was introduced in Windows XP" "smartdrv.exe as the setup-from-DOS 'feature' was introduced in NT4" "Using smartdrv.exe always made it faster. But you could do an NT or 2k install without smartdrv and only pay a penalty of a few extra minutes. Starting with XP, that penalty increased to hours. Thus the need for (?). The XP (and Server 2003) winnt.exe performs a tremendous number of tiny writes. The NT (and 2k) winnt.exe does not." ================= By all indications, DOS 7.1 himem.sys should be compatible with 4 gb ram, but all I can find on that topic is unsubstantiated comments that DOS (or himem, or smartdrv.exe) has problems with more than 2 gb ram: https://community.landesk.com/support/message/34771 I don't think this helps to explain anything here: https://support.microsoft.com/en-us/kb/95555

My last test (if you read my previous post) was to invoke smartdrv from the command prompt with no arguments. I got the same message that it can't load because the XMS driver himem.sys is not loaded. That message must be built into smartdrv.exe. I was just doing web searches for combinations of smartdrive, smartdrv, xms, himem.sys, and get very little, even when doing google search on site:microsoft.com. One thing I did come across was this: ftp.microsoft.com/MISC1/peropsys/WINDOWS/KB/Q85/4/24.TXT It should be easy enough for anyone with a PC with 4 gb ram and a floppy drive to create a DOS 7.1 boot floppy with smartdrv.exe on it and see if you get the same thing I do. But I'm not able to bring up anything from the ftp.microsoft.com server, not even when log in using an FTP client. And I can't find any archive of that "peropsys" folder.

During previous attempts I had removed the load-high, so that line was this: C:\DOS\SMARTDRV.EXE A- B- C+ /V 4096 4096 /E:8192 /B:8192 But as one final test, I removed the autoexec.bat completely and booted into dos with no config.sys or autoexec.bat. Then I executed the command smartdrv (with no arguments) from the dos prompt, and AGAIN was told that smartdrive can't load because the XMS driver himem.sys is not loaded and I should check config.sys for device=himem.sys. I haven't searched the web for this for any authoritative confirmation - but is this fact (that DOS 7.1 smartdrv.exe must have XMS memory available to it, which means himem.sys must be used) not known to us?

> what happens on your machine without any config.sys nor autoexec.bat, > simply running SMARTDRV on command line? Starting the system in question without any config.sys (but with smartdrv in the autoexec.bat - as the only active line in that file) does not work. Smartdrv says it's can't load because the XMS driver (himem.sys) is not loaded.

Replaced himem.sys with himemx. This did not work: DEVICE=C:\DOS\HIMEMX.EXE/X2MAX32 But this did: DEVICE=C:\DOS\HIMEMX.EXE /MAX=512000 Smartdrive now loads and can see / use some XMS ram. And let me tell you - when you're installing XP from a CD copied to a source directory on a FAT32 hard drive and installing it on the same drive, you really do need smartdrive running. Prior to fixing this, I let the install run for 3 hours - and it looked like the install had hung. Every time I restarted and tried resuming the install, XP said it couldn't find the EULA and couldn't go any further.

DOS boots fine with emm386. It's just that smartdrv.exe isin't loaded because there is, apparently, no available XMS memory. This is what's in my autoexec.bat: LH C:\DOS\SMARTDRV.EXE A- B- C+ /V 4096 4096 /E:8192 /B:8192 And this is in my config.sys: DEVICE=C:\DOS\HIMEM.SYS /verbose DEVICE=C:\DOS\EMM386.EXE NOEMS VERBOSE DOS=HIGH,UMB,NOAUTO BUFFERSHIGH=50,0 FILESHIGH=50 STACKSHIGH=32,512 SWITCHES /F /W BREAK=ON Does emm386.exe have problems detecting / allocating XMS memory when a system has 4 gb ram?

How exactly do I construct the autoexec and config.sys for DOS 7.1 booting on a system with 4 gb ram so that I don't get the message that there is "not enough XMS memory for Smartdrive" because what I normally have in those startup files isin't working. If I recall correctly, according to the mem command DOS isin't detecting or hasn't allocated any XMS memory. If this involves the use of any custom / modded himem.sys or emm386.exe, then naturally I'm going to need the details...

So just a bit of an update. I appear to be getting the irritating "0x80096004" message/error for both the Gmail IMAP and POP logon's each time that outlook performs a mail-check (not just the first time, but every time). Answering Yes or No to the question "Do you want to continue using this server?" seems to do nothing in terms of how it handles the next IMAP or POP login into Gmail. Searching around, I found that this registry setting: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\9.0\Outlook\Security Dword value SupressNameChecks = 1 In my case, the Security key did not exist - so I created it and then added the SupressNameChecks dword value and set it to 1. I also created the dword value Options and set it to 1. I also found references to a string value "RequiredCA" but don't know how to use it (or if it can be used) to prevent the offending security certificate issue. Also, for those running Office 2000 / Outlook 2000, you might get confused by the existance of this registry key path / tree: HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\ I have that key path, but I don't know why. Outlook 2000 (Office 2000) and below seems to store it's reg values in HKEY_LOCAL_MACHINE, but newer versions of outlook / office seem to use HKEY_CURRENT_USER. I still get the 0x80096004 message when Outlook performs the first mail-check on the Gmail IMAP and POP accounts, but adding SupressNameChecks = 1 to the registry seems to stop all subsequent message pop-ups while outlook is running, and the gmail accounts are indeed checked for new mail. It would be useful to know what the "Options" string registry value does, and also if there are other values in the outlook Security key that could further improve this situation. Also, I came across (and installed) a .CER file that didn't help - but I'm wondering if there might a .CER file out there somewhere (or if one can be constructed) that would satisfy Win-98/Outlook 2000 in the case of Gmail servers (imap.gmail.com and pop.gmail.com). I also noticed that many XP users had trouble in the past with the 0x80096004 error while using iTunes. Many questions were posted in several different blogs / forums - and the only answer seemed to be to upgrade from SP2 to SP3. Which raises the question - what is known about the security certificate handling of XP-SP2 that could only be fixed by upgrading to SP3? Knowing the answer to that question might tell us if the 0x80096004 certificate error can ever be fixed for win-98.

Ok, so here's what I did. In Outlook 2000, in order for me to see IMAP server options when creating new accounts, I need to do something that was called (I think) - "Reconfigure Outlook". I believe my outlook was operating in some sort of corporate workgroup mode, and this reconfiguration took me out of that mode. In order to complete the process, outlook was asking for "data1.msi" that is found on the Office 2000 Premium SR1 CD - which I had to look for. After that, I create a new outlook account, where it can access the test gmail account using IMAP. I then used some newer version of Firefox running on an XP machine to log into the gmail account and enable IMAP access and then I enabled access for the so-called "less secure" device (which it did not identify but was Outlook 2k running on win-98). After that, I report that I can indeed access the test gmail account using both pop and imap under Outlook 2000 running under win-98se. The only issue is that upon starting outlook and performing the first mail retrieval from all the various accounts, I get this message: --------------- The server you are connected to is using a security certificate that could not be verified. 0x80096004 Do you want to continue using this server? (yes)(no) ----------------- I say yes and I don't believe I get that error again while outlook is running. I don't know if the error is associated with the pop access to the gmail account, or the imap, or both. If there's a way to fix this certificate issue, or even some way to tell outlook to automatically ignore it (maybe a registry entry?) let me know.

This is outlook 2000's log file when connecting to gmail.com for pop-mail login with "Log on using Secure Password Authentication" enabled, port 995, with SSL: Connecting to 'pop.gmail.com' on port 995. srv_name = "pop.gmail.com" srv_addr = 173.194.196.109 Negotiating secure connection with 'Microsoft Unified Security Protocol Provider'. +OK Gpop ready for requests from (...) AUTH -ERR malformed command QUIT +OK Bye This is what happens when "Log on using Secure Password Authentication" is disabled: Connecting to 'pop.gmail.com' on port 995. srv_name = "pop.gmail.com" srv_addr = 209.85.145.108 Negotiating secure connection with 'Microsoft Unified Security Protocol Provider'. +OK Gpop ready for requests from (my IP) USER (someone)@gmail.com +OK send PASS PASS ******** -ERR [AUTH] Web login required: https://support.google.com/mail/answer/78754 Connection to '' closed. I then log into gmail using various browsers, using various forged user-agents to see what I can do. This explains the issue: =============== Someone just tried to sign in to your Google Account (what-ever) from an app that doesn't meet modern security standards. We strongly recommend that you use a secure app, like Gmail, to access your account. All apps made by Google meet these security standards. Using a less secure app, on the other hand, could leave your account vulnerable. Learn more. Google stopped this sign-in attempt, but you should review your recently used devices: REVIEW YOUR DEVICES NOW Allowing less secure apps to access your account Google may block sign in attempts from some apps or devices that do not use modern security standards. Since these apps and devices are easier to break into, blocking them helps keep your account safer. Some examples of apps that do not support the latest security standards include: The Mail app on your iPhone or iPad with iOS 6 or below The Mail app on your Windows phone preceding the 8.1 release Some Desktop mail clients like Microsoft Outlook and Mozilla Thunderbird ============== I don't know (yet) to what extent gmail will allow me to edit or change any settings to allow outlook to have pop3 access to the account. The various browsers I'm using (on win-98) won't allow me full accessibility to the gmail interface. I'm going to have to try it on a PC running a more modern browser. Note also that you need to enable POP access to your account in the first place in order to get this far.

> Hey Nomen, since you said you have Outlook 2000, I'm going to ask you. > Do you still actively use it Yes. It's the primary mail client on a few of my win-98 systems. > and if so, what email provider do you use? Outlook (on my home PC) connects to a few different accounts associated with my ISP (which is operated by Microsoft as a sort of hotmail account) which are just legacy accounts which get very little mail and also connects to the mail server at $dayjob (which is my primary email account). And this is pop3 for both of those - not IMAP. > I'm using Gmail and I have Office 2000 upgraded all the way up to service pack 3 > and it doesn't seem to want to connect to Gmail, it seems to complain about a > server certificate and when you do a send/receive using imap, it seems to just > hang. I've double and triple checked my settings and it never seems to work out > like it is suppose to. I could try to see if my outlook 2000 can connect using pop3 to gmail if you'd like me to try. I was just checking and I don't see any options to use IMAP under the outlook server settings.

> The reason for MS Outlook not working on my system is due to > this PATCH, MPR.DLL 4.10.1999 from SP3 > > Replace MPR.DLL 4.10.1999 from SP3 with the original Windows 98 version 4.10.1998 I can confirm that I have the original 4.10.1998 version of MPR.DLL (and hence do not have this problem with Outlook 2000). Since we're on the topic - has anyone tested the win-ME version of MPR.DLL (4.90.3000) on win-98? They have the extact same file-size...