Windows 9x/Me Security Thread


loblo

I have installations of Avast! 4.8 Home Edition on two different Win98 systems, installed months apart. On one of them the virus database last updated on December 29, on the other it was January 2. When I click to manually update the database, they hang as if they can't connect to the server.

Are you using Avast! 4.8, and are you still getting virus database updates?

You will need to download the update directly from the website yourself. The file can be obtained from this link.

http://www.avast.com/en-us/download-update

The definitions are updated daily. I have the link bookmarked for easy access. It is unknown how much longer Avast will continue to provide 4.8 updates. Expect support to cease at any moment.

That's great to hear, thanks for the link! I'll go in and try that. It'll be a nice "excuse" to fire up IE6 again. :yes:

--JorgeA

The file doesn't self-modify. I downloaded a fresh copy (hoping it was actually an updated version) but it was in fact byte-identical to my existing copy.

That statement put me in action. And I have good news: the following procedure works. I have just tested it for you. Disconnect the machine physically from the internet. Reset the machine date to some day (I used 19) in January, 2009. Turn off the machine. Wait 10 minutes. Turn it on and boot Win 9x (if it runs Scandisk or NDD, abort the scan or it'll find many "wrong dated" files). Once at the desktop, run Norton_Removal_Tool_9x.exe and it'll run OK. Nothing will be installed, the Norton_Removal_Tool_9x.exe is stand-alone. It removed all Norton products all right, except the Norton CrashGuard, which it didn't touch (then again, I'm possibly the last user of the much maligned CrashGuard, but it works all right for me)!

Yes, you're right in thinking I'd have already thought of the first two ideas. Alas, so have Symantec, evidently. (Sigh, why can't things be easy for once?)

Sure. And in the present case they actually are. :yes:

Hi Den,

Thanks for trying this out for me. Unfortunately however, MMDV (think YMMV). :(

I tried many times and also with several "variations on the theme" (disabling the NIC in Device Manager, re-installing SAV, installing NAV, double Ctrl-Alt-Delete, reboot, changing date in DOS), but always the result was the same expiry error. The version I have of this tool has an MD5 hash of 316b61ce6f827a8ee48944e5b076f37c.

BTW, I didn't get any "invalid date" errors from ScanDisk. If you get this, it means Symantec has usurped 'scandisk.exe'. If I recall correctly, the way to restore normal ScanDisk behavior is to delete a file called 'scandisk.alt'.

Joe.

It's the same file. The MD5 is the same (and the SHA1 is BC6F1C1EB7DCD4FA88A2F8C861A492F36A73C047). The key-points in my method are changing the date in the BIOS to a date later than PE Timestamp of the NRT_9x, but before its certificate's expiry date, and then rebooting with the internet cable disconnected. There remains no way the NRT_9x can ascertain the true date, but it can check it's later than the BIOS default date, so it accepts it as the true date, IMO.

You're right: I deliberately use NDD, so there is a 'scandisk.alt' which is another copy of NDD. I had forgotten the "invalid date" is an NDD thing, though. Please do give it another try, just in case. Good luck!

Hi Den,

Alas, I still get the same expiry problem. Here are the stats : PE = 2008/2/9, signature = 2008/2/9, certificate expiry = 2010/11/25, file (directory) = 2009/1/14, BIOS (system) = 2009/1/22, network disconnected. I think that complies with the above recommendation. I can only think the security system (already) knows the certificate is expired and that the tool uses that fact to decide it is too. :(

Joe.

Edited by jds
That may well be the case. If so, provided you have an image of the partition from before your 1st attempt, I'd suggest you redeploy the said image and try again as per your latest trial, which sure does comply in every aspect with my own experiment. The rationale for this present suggestion is that if it stored somewhere the info the certificate is expired, that place must be either the registry or (less probably) some other file inside the same partition... which an image redeployment would perforce remove. Good luck!

Looks like (nearly identical) to what's available on the FTP -

ftp://ftp.symantec.com/public/english_us_canada/removal_tools/

Linked to from here -

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&lg=en&product=home&pvid=f-home&version=1&docid=20080710133024EN

This document is for Norton products downloaded from your service provider.

For NOT from Service Provider -

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&lg=en&product=home&pvid=f-home&version=1&docid=20080710133834EN

You must pick a product... - same products though... and gives same link. :(

There's a comment here as well (would prevent services/processes from running) -

http://community.norton.com/t5/Norton-Internet-Security-Norton/Can-t-remove-Norton/td-p/109722/page/2

I would boot into Safe Mode and run NRT once and reboot to safe mode and rerun again. After that, delete any folders that are named Symantec or Norton. Before deleting, change the options so you can view hidden files and folders (Explorer > Tools > Folder Options > View and apply to all ).

Norton_Removal_Tool_9x.exe

2007.2.0.14

Welcome to Norton Removal Tool

This tool will remove ALL copies of:

- Norton AntiSpam 2004 and 2005

- Norton AntiVirus 2003 through 2007

- Norton Ghost 2003, 9.0, and 10.0

- Norton GoBack 3.1 through 4.2

- Norton Internet Security 2003 through 2007

- Norton Password Manager

- Norton Personal Firewall 2003 through 2006

- Norton SystemWorks 2003 through 2006

- Norton Confidential Online 2007

Here's something interesting though... Unpacked with WinRAR/UniExtract, it gives a file named "all.cpr" that lists everything that it deletes/services/etc-etc. Be aware that it appears that some fields are "<stringvalue>". Sadly, you would have to manually perform all of the operations within (stop services/processes/etc).

edit - also found this with a different set of procedures and files (BAT/REG/Manual Delete) to "get rid of" Norton/Symantec (the links inside work as well) -

http://filesharingtalk.com/threads/111599-Remove-Norton-*completely*-safely

HTH

Edited by submix8c
Looks like (nearly identical) to what's available on the FTP -

ftp://ftp.symantec.com/public/english_us_canada/removal_tools/

Linked to from here -

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&lg=en&product=home&pvid=f-home&version=1&docid=20080710133024EN

This document is for Norton products downloaded from your service provider.

For NOT from Service Provider -

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&lg=en&product=home&pvid=f-home&version=1&docid=20080710133834EN

You must pick a product... - same products though... and gives same link. :(

Yep, I have versions 2007.2.0.11 (2007/1/12) and 2007.2.0.14 (2008/2/9). They both exhibit this expiry problem.

There's a comment here as well (would prevent services/processes from running) -

http://community.norton.com/t5/Norton-Internet-Security-Norton/Can-t-remove-Norton/td-p/109722/page/2

I would boot into Safe Mode and run NRT once and reboot to safe mode and rerun again. After that, delete any folders that are named Symantec or Norton. Before deleting, change the options so you can view hidden files and folders (Explorer > Tools > Folder Options > View and apply to all ).

Humbug! If you run the tool in Safe mode, it tells you it won't run in Safe mode.

Norton_Removal_Tool_9x.exe

2007.2.0.14

Welcome to Norton Removal Tool

This tool will remove ALL copies of:

- Norton AntiSpam 2004 and 2005

- Norton AntiVirus 2003 through 2007

- Norton Ghost 2003, 9.0, and 10.0

- Norton GoBack 3.1 through 4.2

- Norton Internet Security 2003 through 2007

- Norton Password Manager

- Norton Personal Firewall 2003 through 2006

- Norton SystemWorks 2003 through 2006

- Norton Confidential Online 2007

Here's something interesting though... Unpacked with WinRAR/UniExtract, it gives a file named "all.cpr" that lists everything that it deletes/services/etc-etc. Be aware that it appears that some fields are "<stringvalue>". Sadly, you would have to manually perform all of the operations within (stop services/processes/etc).

edit - also found this with a different set of procedures and files (BAT/REG/Manual Delete) to "get rid of" Norton/Symantec (the links inside work as well) -

http://filesharingtalk.com/threads/111599-Remove-Norton-*completely*-safely

Checked those alternative procedures, downloaded the files, turned out to be for NT only, not compatible with W9X.

One idea: look for and delete the key HKLM\Software\SYMNRT and all subkeys and values under it. Then disconnect the internet, reset the bios date and try again.

Den, you're a genius! :thumbup Thank you.

That was the missing piece of the puzzle - SAV is now vanquished! :)

Joe.

Running Norton_Removal_Tool_9x.exe for Dummies:

(it must be Version: 2007.2.0.14, MD5: 316B61CE6F827A8EE48944E5B076F37C, SHA-1: BC6F1C1EB7DCD4FA88A2F8C861A492F36A73C047,

CRC32: 5FB68354, Digitally Signed by Symantec Corporation, with a VeriSign Class 3 Certificate valid from 10/30/2007 to 11/24/2010)

1 - Disconnect the machine physically from the internet.

2 - Run REGEDIT and delete (if exists) "HKLM\Software\SYMNRT"

3 - Reset the machine date to some day (e.g. 19) in January, 2009.

4 - Shut Down/Turn Off the machine.

Note: This is an "insurance" step to ensure everything "sticks".

5 - Turn the machine on.

6 - Boot Win9x.

Note: If it runs Scandisk or NDD, abort the scan

or it'll find many "wrong dated" files.

7 - Once at the desktop, run Norton_Removal_Tool_9x.exe.

8 - Reset Date to Current.

9 - Repeat Steps #4 thru #6

Note: Ignore #6 Note as the Date has been Reset (#8).

Done!

Nothing will be installed.

The Norton_Removal_Tool_9x.exe is stand-alone.

It removes all Norton products except Norton CrashGuard,

which it didn't touch.

Additional Notes:

Step #3 may be instead performed after #5 in the BIOS.

====

Does the above cover it? :thumbup

Odd that it doesn't self-clean (ref. "all.cpr") and has the NERVE to insert REG Keys/Values. :puke: Still, that file DOES have everything listed that it performs/cleans.

Edited by dencorso

That was the missing piece of the puzzle - SAV is now vanquished! :)

Yay!

@submix8c: Great how-to, thanks! :thumbup

I've added some info, because the date selected in step 3 must fall in between the valid dates of the certificate.

Bumping just to call attention to two interesting Symantec KB documents I've found:

Manually Uninstalling Symantec AntiVirus 9.x from Windows 98/Me

Manually Uninstalling Symantec Client Security 2.0 from Windows 98/Me

@jds: It might be interesting to give a look in all of those places, since SAV is not officially indicated as one of the packages the NRT_9x removes.

Who says you won't find some leftovers lurking in some obscure nook or cranny?

  • 3 months later...

( Sorry, I forgot to post this from about three weeks ago )

UPDATE: Success using DATs v6883 and v7040 with McAfee v6 on Win9x.

  • See above Post #40 for the first time I tried this using DATs v6346 ( has detailed instructions ).
  • See above Post #57 when I tried it again using DATs v6511.
  • See above Post #65 when I tried it again using DATs v6845.

Strangely, just three days after I downloaded the 6883 DATs, they updated the FTP servers with 7040 ( only 6883 downloads are shown here ). Note that the time/dates shown for these files reflect the download and extraction. The three downloads that I found ...

- 2013-04-06 ... 14:40 ... 110,494,296 ... 6883xdat.exe

- 2013-04-06 ... 14:42 ... 108,612,096 ... Avvdat-6883.tar

- 2013-04-06 ... 14:43 ... 116,296,064 ... Sdat6883.exe

As has been the case, all three packages contain the same three DAT definition files.

This was 6883 ...

- 2012-11-01 ... 01:40 ....... 727,193 ... Avvclean.dat

- 2012-11-01 ... 01:40 ....... 489,337 ... Avvnames.dat

- 2012-11-01 ... 01:40 ... 107,382,892 ... Avvscan.dat

And here is 7040 ...

- 2013-04-09 ... 06:40 ....... 749,177 ... Avvclean.dat

- 2013-04-09 ... 06:40 ....... 534,921 ... Avvnames.dat

- 2013-04-09 ... 06:40 ... 103,458,908 ... Avvscan.dat

As described previously, just strip the "AVV" prefix from the default filenames and replace CLEAN.DAT, NAMES.DAT and SCAN.DAT. Note that the SCAN.DAT actually got smaller between the last two versions.

The McAfee scan engines contained in the SDAT package still haven't been changed ...

- 2009-07-31 ... 06:40 ..... 3,182,712 ... Mcscan32.dll

- 2009-07-31 ... 06:40 ..... 4,706,936 ... Mscan64a.dll

... so I updated no other files beyond the three DATs.

As before, it took a long time for McAfee to initialize and load the DATs, approximately 3 minutes at 2.6 GHz ( likewise when I changed directories to test scan some known infected files ). But all went well and McAfee scanned files and folders successfully once again.

yBc2epx.jpg

See in the screenshot that the main McAfee executable file, VSMAIN.EXE v6.01.2000.1, is dated 2001-11-16. Over 11 years old. :thumbup

P.S. Maybe the OP should change the title to: Windows 9x/Me Security Thread for 2011 ... 2012 ... 2013 ( or just leave off the date! )
