98SE - Probable Malware Infection


HoppaLong

I want my elderly dad to move on to a newer Windows system. He won't, and I'm not going to argue with him at his age. He used 98SE mainly for email, so his system has always been relatively safe.

My dad's firewall is practically screaming, MALWARE ALERT! Here's the popup from his firewall:

"Windows Explorer has changed since the last time you opened it. This could be because you have updated it recently. Do you want to allow it access to the network?"

Almost everything I could find about this repetitious warning is negative. Some kind of file that shouldn't be on your computer is trying to access the web. Ironically, I found a post from Bob Proffitt at CNET that gives a few benign reasons for this firewall popup.

His main antivirus app is Avast. It found nothing.

Running the latest version of Spybot (1.6.2) is a nightmare. The progress loading bar gets to the end and almost freezes. If the app actually launches, the system crashes during the scan. Even in Safe Mode it won't run.

He has SystemSuite_v6.0, which includes an antivirus and spyware scanner. The definition updates are always weeks or months old for SystemSuite. It wouldn't hurt to run it anyway.

I thought I could install SuperAntiSpyware as a substitute for Spybot. Right on their website they list a version compatible with 98SE. Unfortunately, their definition files won't load on a 98 system.

I was looking at the list of apps right here at MSFN. Some I've never heard of, like ClamWin.

Online scans are not a good idea for an old desktop with limited system resources.

I need some help selecting one or two more anti-malware apps. After the system has been scanned several times, I'll run HijackThis. Since HijackThis can only create a list of everything good and bad on your system, I would rather run a bunch of scans first, then I'll let HijackThis do its thing.

A little help picking a couple of apps that will run smoothly on 98SE is what I need.

Thanks MSFN members!

1- With Process Explorer (or Ctrl + Alt + Del) have a look at what is running, ...and kill what is not supposed to be there.

2- In Start -> Run -> MsConfig (tab 'Startup') untick what is not supposed to be launched.

3- With HijackThis (even the last version runs on Win98SE: http://go.trendmicro.com/free-tools/hijack...HijackThis.exe) have a deeper insight into the crap on your system, ...and clean it.

4- I'm also running the last Spybot S&D: slowly (= 90 min for a complete scan), ...but it works.

Charles.

I recently helped some friends with some particularly complex nasty malware rootkit infections, and one of the tools I found out about and used was AVZ (AntiViral Toolkit). It's not particularly user-friendly (developed in Russian) but it does seem very powerful and it runs in Win98. You can get it from here:

http://www.z-oleg.com/avz4.zip

You need to update the definitions database via its update menu or you can manually DL and install the latest definitions via this file:

http://z-oleg.com/secur/avz_up/avzbase.zip

The general advice for running a system scan is to use the "File" menu => "Standard scripts" and mark the "Advanced System Analysis with Malware removal mode enabled" checkbox.

HTH

I thought I could install SuperAntiSpyware as a substitute for Spybot. Right on their website they list a version compatible with 98SE. Unfortunately, their definition files won't load on a 98 system.

The last version of SAS Free that runs well on 98SE is V.4.24.1004, see

http://www.msfn.org/board/index.php?showto...5936&st=363

That version can be downloaded at

http://www.filehippo.com/download_superantispyware/5052/

Before you download any definition updates, go to Preference and the Updates tab and remove both checks from the Automatic Updates!

Big problem with SAS nowadays is opening the program and running updates, as it really does bog the system down even on mine with a 1.4 GHz CPU and 1 GB RAM. On a lesser system it might just bog it down to the point where it just freezes the PC. Trying it right after a reboot may help.

The ESET or Symantec Online AV scanners in IE should not be too demanding on system resources.

HTH

Newest version of SpyBot runs poorly on older PCs. Run it in Safe Mode and let it load and run the scan (yes, it will still be extremely slow, but it should run). Inside it (in Advanced Mode) you should be able to disable Startup items. As an alternative to disabling Startup Items, you can use CCleaner (which should also clear Temp files etc. as well).

Windows Explorer (EXPLORER.EXE) should only exist in the WINDOWS folder and should be dated 4/23/99 exact size 180,224 bytes. You could potentially extract the original (from WIN98_45.CAB?) and overlay the "changed" one (and ONLY one) from SafeMode/CommandPrompt.

MalwareBytes may run, so get a copy of that. Safe Mode is best to use while scanning and best to be disconnected from internet (in all cases). HijackThis attachment is recommended (preferably after other scans).

As I remember, this is one of those malwares that alter a number of files in addition to "generating" hard-to-kill processes under "strange names".

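The check described in the post above (a single EXPLORER.EXE, only in the WINDOWS folder, 180,224 bytes and dated 4/23/99) written as a script an investigator can run against the drive from another OS, the way a later reply scans a Win98 partition from a dual-boot XP. This is an added example, not code from the thread; `audit_explorer` and `build_demo_volume` are names chosen here, and the sample tree is constructed placeholder data rather than a real volume.

```python
import os
import tempfile
from datetime import date, datetime

EXPECTED_SIZE = 180_224            # size quoted in the post above
EXPECTED_DATE = date(1999, 4, 23)  # file date quoted in the post above


def audit_explorer(root):
    """Walk `root`; return (path, issue) pairs, empty when everything matches."""
    findings = []
    windows_dir = os.path.normcase(os.path.join(root, "WINDOWS"))
    seen_in_windows = False
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "explorer.exe":  # FAT names are case-insensitive
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if os.path.normcase(dirpath) == windows_dir:
                seen_in_windows = True
            else:
                findings.append((path, "copy outside the WINDOWS folder"))
            if st.st_size != EXPECTED_SIZE:
                findings.append((path, f"size {st.st_size} != {EXPECTED_SIZE}"))
            mdate = datetime.fromtimestamp(st.st_mtime).date()
            if mdate != EXPECTED_DATE:
                findings.append((path, f"file date {mdate} != {EXPECTED_DATE}"))
    if not seen_in_windows:
        findings.append((windows_dir, "no EXPLORER.EXE in the WINDOWS folder"))
    return findings


def build_demo_volume():
    """Constructed sample tree: one correct WINDOWS\\EXPLORER.EXE, one stray copy."""
    root = tempfile.mkdtemp()
    stamp = datetime(1999, 4, 23, 12, 0).timestamp()
    for rel, size in (("WINDOWS/EXPLORER.EXE", EXPECTED_SIZE),
                      ("WINDOWS/SYSTEM/explorer.exe", 4096)):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)  # placeholder bytes, not the real binary
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    for path, issue in audit_explorer(build_demo_volume()):
        print(f"{issue}: {path}")
```

Point `audit_explorer` at the mount point of the real drive; a flagged copy is what you compare against the original extracted from the CAB before overlaying anything.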
All your replies are really great! Thank you guys.

I Googled for any app that would still run on 98SE.

I installed SAS_v4.24.1004 and manually downloaded the latest definitions file. The definitions file will not load on a 98 system. An error box appears letting you know that your system is too old.

I posted on the SAS forum about this. Big surprise, no replies.

If the definitions file won't load on a 98 system, all the links to v4.24.1004 should be removed. What good is this older version of the app, if the latest definitions file is incompatible with 98?

I purchased this desktop years ago when 98 was king. It's loaded with all sorts of system info and tweaker apps. Process Explorer shows nothing unusual.

A tweaker app called WinBoost made backups of several critical system files when it was installed, including explorer.exe. This firewall popup about explorer started a few weeks ago. The backup of explorer.exe was made years ago, so I don't see how it could be the cause of this problem.

Believe me, I've tried over and over with Spybot. In Safe Mode, the progress loading bar reaches the end and then you get the BSOD. A few times, I got it running in the normal Windows environment. After several minutes the system pops up another error box, or it locks up forcing a restart.

I've read about that Russian app, AVZ. I'll definitely try this one. It may find some deeply buried or disguised file that's causing this problem.

If you've been using computers for many years, like I have, you can almost "smell" malware. I became a "reg hacker" back in the days of Windows 95, so I'm very comfortable with the registry. I've fixed a million problems that my friends and business partners thought were some kind of horrible virus.

Obviously, millions of computers are infected with malware every day. This desktop my dad is using may have a nasty virus. I'm going to do everything I can to track it down, if it exists.

I've joined hundreds of forums over the years. I'm not sure why, but MSFN seems to attract more advanced and expert level computer users.

Thanks again!

Edited by HoppaLong
FWIW, it may be that the new version of SpyBot just won't run if you don't have sufficient RAM. Here is an older version that might work. Download and install it, then get the latest INCLUDES here (Detection Updates) and install after. Running this on an old HP (around 500 MHz? + 256 MB RAM) right now (LOADED w/bad stuff). And... if you have another stick of compatible RAM, that may help.

edit -

You mentioned that the "firewall" is what issues this message. Never heard of a firewall doing that. A quick search on the partial string indicated another user elsewhere (XP) had this message AND was running WinPatrol. Is this by chance what made the "backups" and is issuing the message?

Oops - Sygate Firewall?...

Edited by submix8c
I think you'll be pleased with AVZ. It seems very sophisticated and powerful, searching for rootkits, keyloggers, and the like.

Curious you're having so many problems with Spybot. I'm running Spybot 1.6.2 on my old fairly slow RAM-limited Win98SE laptop without any problems, although it does continue to take more and more time loading as I keep its definitions updated. Right now it's up to around 5 minutes to load, which is very aggravating, but it does load without any errors or crashes. Ditto with the system scans.

Thanks for the info about SuperAntiSpyware. I DL'ed it a while back and was thinking about loading it and trying it out, just to have another anti-malware tool in my arsenal. I may still do so to see if I encounter the same definitions compatibility problem you reported.

I don't believe MBAM works in Win9x/ME although I have not tried it to see. They officially state it only works in Win2K/XP/Vista/7. I do use it and find it to be one of the best, most effective anti-malware tools out there. All of my Win98 systems are dual-boot, so I load MBAM and other non-Win98-compatible anti-malware programs in WinXP and scan my Win98 partition from there.

Good luck and keep us posted.

I installed SAS_v4.24.1004 and manually downloaded the latest definitions file. The definitions file will not load on a 98 system. An error box appears letting you know that your system is too old.

I posted on the SAS forum about this. Big surprise, no replies.

If the definitions file won't load on a 98 system, all the links to v4.24.1004 should be removed. What good is this older version of the app, if the latest definitions file is incompatible with 98?

I see from the SAS Forum that on January 25th you were advised by the Site Admin to "update the definitions file from within the program". If you had followed that advice and removed the checks from Automatic Updates, which prevents program updates as mentioned by both the Site Admin and myself, you would have V.4.24.1004 fully working.

I apologize for not returning to MSFN sooner. I'm trying to run a business, and fix my dad's Gateway when I have some spare time. Not an easy thing to do!

I found a way to run Spybot on this old desktop. The procedure I used is somewhat complicated, so I'll post it separately. The results were much better than I expected. Spybot ran like a champ!

If I understand correctly, SAS_v4.24.1004 can be updated manually if I remove the ticks from Automatic Updates. In other words, the definitions file will load on this 98 desktop, and that error box about the system being too old was erroneous. Is that what you are saying, lightning slinger?

I freely admit guys, I don't like posting on any forum. When I do post, if there is no reply after a couple of hours I usually don't return for weeks. The fact is, I'm a very shy person. I've been a partner in a small business for 15 years. Our clients almost never talk to me. I'm definitely not a good salesperson.

When you reach a certain level of computer expertise, it's almost painful to post about any computer problem. After I've tried everything I can think of, I force myself to post a question. 98% of the time I get no reply. As an example, I posted a clean HJT log, along with the text from that firewall popup. About 150 views, no replies. I wouldn't reply either! When a solution is not easy or obvious, plugging away, sometimes for weeks, may be the only way to resolve a difficult problem.

I'm convinced that this desktop is clean. Avast, Trend Micro (part of SystemSuite), Spybot, and AVZ found nothing.

Well, AVZ listed a script I created for my dad's desktop as a possible threat! I've been creating scripts for years to automate all sorts of processes that would be incredibly repetitious and time consuming if done manually. This is the first time a script created by me has appeared on a list of possible malware. It's kind of depressing. If you ran fifty scans using different apps how many false positives would there be? A few hundred, I bet.

From a full command prompt, I deleted the old copy of explorer.exe and replaced it with a fresh one. Before deleting the old copy, I removed Windows Explorer from the firewall list of apps. After the new copy was back in the Windows directory, I put explorer.exe back on the firewall list as a blocked entry. So far, my dad says that popup hasn't returned. Maybe the old copy of Windows Explorer was corrupt. I hope the problem is fixed. Only time will tell.

Edited by HoppaLong
If I understand correctly, SAS_v4.24.1004 can be updated manually if I remove the ticks from Automatic Updates. In other words, the definitions file will load on this 98 desktop, and that error box about the system being too old was erroneous. Is that what you are saying, lightning slinger?

With V.4.24.1004 on 98SE, before anything else go to Preferences, Updates tab and yes, remove the checks under the heading "Automatic Updates". Yes, it is badly worded terminology SAS has used here.

The check at "Automatically check for program and definition updates every 8hrs" is for SAS Pro only and not the free version. The important check to remove is that for "Check for program updates when the application starts". This will keep you on V.4.24.1004 and not automatically download the newest program version which will not run on 98SE.

Then you must update from within the program with the "Check for Updates" button on the opening GUI; this will download first the core definitions and secondly the trace definitions. Downloading from the Manual Installer does not work, as you have found.

By the way, addition of KernelEx will allow you to run the latest version of SAS Free, which is a lot less thirsty as regards CPU and RAM usage.

I don't think any malware infection is easy to deal with if not recognised straight away. I have just spent my spare time of the last three days removing 24 infections from a friend's XP machine using a combination of around half a dozen apps, from BitDefender Rescue Disc 2009 through Malwarebytes etc., and the only app that would remove the last stubborn infected file was TrendMicro's HouseCall Online scanner, of all things.

HTH

I don't know what's causing your problem with Windows Explorer but I'm pretty sure you don't have a malware problem if Avast, Spybot, and AVZ scans are clean. AVZ is very thorough and does seem to flag various legitimate processes and files for various reasons. If you know you're the author of a script, then it's obviously not a problem. I have a similar and more aggravating problem with AntiVir in that it continues to detect several batch files I've created as FPs, and I can't seem to exclude them from its real-time scan. BTW, I came across another anti-malware program called Dr.Web CureIT! that claims to work in Win98. It gets good reviews but I have not personally tried it yet.

You may want to try updating your version of Windows Explorer. Mine has been updated by NUSB33 (Native USB drivers) then again by Explor98, both of which are available at MDGx's website. HTH

And thanks lightning slinger for the information on how to update SAS for Win98SE.
