PC Review
csrss.exe and SYSTEM.EXE mysteries...

 
 
thanatoid
 
      26th Jul 2011
Hi gang,

I have a dual boot 98SE Lite and XPSP3 system. I use 98SE Lite
99.9% of the time. (Let's not get into a discussion of this,
please.)

Two peculiar things happened recently on my XP partition and on
my external USB drive, seemingly unrelated except that they
happened about 10 days apart and I have only gotten one other
infection in over 20 years of doing this.

I should mention that I have the XP partition although I hate XP
and almost never use it. I have it ONLY because of a piece of
hardware which only has XP drivers. Also, another advantage of
having it is that I can run MBAM.

A few days ago I thought it might be time to do an MBAM scan, so
I did. As usual, it found a few minor things (like the fact I
have the Windows Firewall off and do not wish to be informed of
this every time I boot into XP), and one which was not at all
minor - 3 copies (well, it actually listed 3 "memory processes")
of a file called csrss.exe in "Documents and Settings" - NOT the
file which is in the System32 directory. MBAM said it was a
"Trojan.Agent", I let it delete the file and that was that. No
ill effects were observed.

Specifically, the report says, 3 times with a diff. #:

Memory Processes Infected:
e:\documents and settings\admin\application data\csrss.exe
(Trojan.Agent) -> 1336 -> Unloaded process successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad:
(Explorer.exe "E:\Documents and Settings\admin\Application
Data\csrss.exe") Good: (Explorer.exe) -> Quarantined and deleted
successfully.

The date of this file was July 14 2011.

There was also this:
HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM
SETTINGS\Micronsoft (Malware.Trace) -> Quarantined and deleted
successfully.

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\MSWUpdate (Trojan.Agent) -> Value: MSWUpdate -> Quarantined and
deleted successfully.

(Since I never go on the net with XP, I have auto updates turned
off, I don't know what else to say about this.)

I Googled for Micronsoft and got almost nothing except for a
tiny Indian site with some desi actress photos and a few semi-
nasty programs (a crack downloader, etc.) which I have never
seen before.

HOW the csrss.exe file got into the XP partition is a mystery,
since I do not go on the net with XP and I have not installed
anything (let alone a cracked program from a suspicious source)
on the XP partition in months. The main drive with its C
partition with the trusty 98 SE Lite was fine - nothing found.

As usual, I did not bother scanning the other partitions with
MBAM since they only contain data and since I work with them all
the time I would have probably noticed anything strange.

OK, that was more or less "normal", although a little baffling
(as in "where did it come from since I do nothing on that
drive"). I suppose I /did/ do /something/ but never noticed
anything wrong and forgot whatever it was that I did.

Now for the really strange part.

After doing the above, I rebooted into 98SE and switched on my
external USB drive. (It is actually just a regular drive I've
had for several years which I recently put into a $15 USB box. I
use it mainly for data storage/backup, and do not switch it on
every time I use the computer. It works fine. It actually works
better under 98SE Lite than under XP - in XP it gives me one
partition twice, and the partition order and letters are always
totally messed up. Whatever. XP /is/ better, right?)

Everything was fine.

However, when I switched on my USB drive yesterday, I instantly
noticed that EVERY PARTITION on the USB drive had two new files
in its root:

Autorun.inf
SYSTEM.EXE

Both with hrs attribs, and both dated July 23, 2011. I am
99.9999% sure they were not there when I was in XP and ran MBAM
on that day.

The contents of the autorun.inf file are as follows:

[autorun]
shELlexEcUtE=sYStEM.EXE
;
ICON=%WInDir%\SYsTEM32\sHeLl32.DLl,4
;
actioN=Open folder to view files Using explorer
;
shelL\OpeN\coMMAnd=SYSTEM.EXE
shELL\explore\COmmaNd=SYSTEM.EXE
UsEautOPLaY=1

Rather than booting into XP just to see what would happen ;-) I
thought I'd take the cowardly way out, and removed the hrs
attributes of all the files (I have 11 partitions on that drive,
so 22 files total - let's not get into a discussion of
partitions, please), and deleted them. No problem.

I scanned the files with ESET and it informed me that SYSTEM.EXE
was a variant of Win32/Injector.HTF trojan. I also looked at
"properties" as well as inside the file and it contained the
name "jgk.exe" as the original file name, and a few other
things, like the author's name, which I have a feeling may not
be authentic ;-) (it's "Riordan Barton", FWIW).

While nothing /really/ happened, I am curious as to how these
two files got onto my external USB drive which is only used
occasionally ***while NOTHING happened to the main drive inside
the computer***.

And, of course, where they came from in the first place.

I think I may have booted into XP for about ten minutes on the
23rd, I'm not sure.

I don't know if this has anything to do with the fake csrss.exe
file which, according to MBAM, appeared on my system a few days
earlier (and is dated about 9 days earlier).

Since I was unable to find anything on the web, I thought I'd
post this story here. I would welcome any comments and
hypotheses, etc.

I have both files saved (renamed) if anyone wants to examine
SYSTEM.EXE or possibly even run it in Sandboxie or however you
guys play with these things.

(I apologize for the length of the post. I try, but I can not be
concise.)
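The autorun.inf quoted in this post is written in scrambled case. That does nothing to Windows, whose INI reader treats section and key names case-insensitively, but it defeats naive string matching on "shellexecute=" or "open=". The Python below is an added example, not code from the thread or from any poster: it parses the file the way Explorer's INI reader would (folding key names to lower case and skipping the ";" comment lines) and reports which entries would run a program from the drive, on insertion or when a user picks Open or Explore. The sample text is the file from the post; the function names, the list of launch keys and the finding strings are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the autorun.inf quoted in the post, mixed case and all.
SAMPLE_AUTORUN = r"""[autorun]
shELlexEcUtE=sYStEM.EXE
;
ICON=%WInDir%\SYsTEM32\sHeLl32.DLl,4
;
actioN=Open folder to view files Using explorer
;
shelL\OpeN\coMMAnd=SYSTEM.EXE
shELL\explore\COmmaNd=SYSTEM.EXE
UsEautOPLaY=1
"""

# Keys whose value Explorer runs: on insertion (shellexecute / open) or when the user
# picks Open or Explore from the drive's context menu (shell\<verb>\command).
LAUNCH_KEYS = ("shellexecute", "open", "shell\\open\\command", "shell\\explore\\command")
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js)\b", re.I)
DEFAULT_ACTION_TEXT = "open folder to view files"


def parse_autorun(text: str) -> Dict[str, str]:
    """Read the [autorun] section as the INI reader does: section and key names are
    case-insensitive (folded to lower case here) and ';' lines are comments."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text: str) -> List[str]:
    """Say what the file would make Explorer do and which disguises it uses."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key in LAUNCH_KEYS:
        if key in entries and EXECUTABLE_EXT.search(entries[key]):
            findings.append(f"{key} runs a program from the drive: {entries[key]}")
    if entries.get("action", "").lower().startswith(DEFAULT_ACTION_TEXT):
        findings.append("action text copies Explorer's own 'Open folder to view files' "
                        "prompt, so the AutoPlay entry that runs the program looks like the normal one")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon taken from shell32.dll so the drive looks like an ordinary folder")
    if entries.get("useautoplay") == "1":
        findings.append("useautoplay=1 requests AutoPlay handling on insertion")
    return findings


if __name__ == "__main__":
    for line in triage_autorun(SAMPLE_AUTORUN):
        print(line)
```

Run against the quoted file it reports all three launch entries plus the three disguises (the copied "Open folder to view files" text, the borrowed folder icon and useautoplay=1). The point for a defender is that the parser, not a signature, decides what the file means: any scanner that looks for the literal string "shellexecute" on a removable drive misses this sample, while one that case-folds keys does not.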
David H. Lipman
 
      26th Jul 2011
From: "thanatoid" <(E-Mail Removed)>

> Hi gang,
>
> I have a dual boot 98SE Lite and XPSP3 system. I use 98SE Lite
> 99.9% of the time. (Let's not get into a discussion of this,
> please.)
>
> Two peculiar things happened recently on my XP partition and on
> my external USB drive, seemingly unrelated except that they
> happened about 10 days apart and I have only gotten one other
> infection in over 20 years of doing this.
>
> I should mention that I have the XP partition although I hate XP
> and almost never use it. I have it ONLY because of a piece of
> hardware which only has XP drivers. Also, another advantage of
> having it is that I can run MBAM.
>
> A few days ago I thought it might be time to do an MBAM scan, so
> I did. As usual, it found a few minor things (like the fact I
> have the Windows Firewall off and do not wish to be informed of
> this every time I boot into XP), and one which was not at all
> minor - 3 copies (well, it actually listed 3 "memory processes")
> of a file called csrss.exe in "Documents and Settings" - NOT the
> file which is in the System32 directory. MBAM said it was a
> "Trojan.Agent", I let it delete the file and that was that. No
> ill effects were observed.
>
> Specifically, the report says, 3 times with a diff. #:
>
> Memory Processes Infected:
> e:\documents and settings\admin\application data\csrss.exe
> (Trojan.Agent) -> 1336 -> Unloaded process successfully.
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad:
> (Explorer.exe "E:\Documents and Settings\admin\Application
> Data\csrss.exe") Good: (Explorer.exe) -> Quarantined and deleted
> successfully.
>
> The date of this file was July 14 2011.
>
> There was also this:
> HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM
> SETTINGS\Micronsoft (Malware.Trace) -> Quarantined and deleted
> successfully.
>
> and
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> \MSWUpdate (Trojan.Agent) -> Value: MSWUpdate -> Quarantined and
> deleted successfully.
>
> (Since I never go on the net with XP, I have auto updates turned
> off, I don't know what else to say about this.)
>
> I Googled for Micronsoft and got almost nothing except for a
> tiny Indian site with some desi actress photos and a few semi-
> nasty programs (a crack downloader, etc.) which I have never
> seen before.
>
> HOW the csrss.exe file got into the XP partition is a mystery,
> since I do not go on the net with XP and I have not installed
> anything (let alone a cracked program from a suspicious source)
> on the XP partition in months. The main drive with its C
> partition with the trusty 98 SE Lite was fine - nothing found.
>
> As usual, I did not bother scanning the other partitions with
> MBAM since they only contain data and since I work with them all
> the time I would have probably noticed anything strange.
>
> OK, that was more or less "normal", although a little baffling
> (as in "where did it come from since I do nothing on that
> drive"). I suppose I /did/ do /something/ but never noticed
> anything wrong and forgot whatever it was that I did.
>
> Now for the really strange part.
>
> After doing the above, I rebooted into 98SE and switched on my
> external USB drive. (It is actually just a regular drive I've
> had for several years which I recently put into a $15 USB box. I
> use it mainly for data storage/backup, and do not switch it on
> every time I use the computer. It works fine. It actually works
> better under 98SE Lite than under XP - in XP it gives me one
> partition twice, and the partition order and letters are always
> totally messed up. Whatever. XP /is/ better, right?)
>
> Everything was fine.
>
> However, when I switched on my USB drive yesterday, I instantly
> noticed that EVERY PARTITION on the USB drive had two new files
> in its root:
>
> Autorun.inf
> SYSTEM.EXE
>
> Both with hrs attribs, and both dated July 23, 2011. I am
> 99.9999% sure they were not there when I was in XP and ran MBAM
> on that day.
>
> The contents of the autorun.inf file are as follows:
>
> [autorun]
> shELlexEcUtE=sYStEM.EXE
> ;
> ICON=%WInDir%\SYsTEM32\sHeLl32.DLl,4
> ;
> actioN=Open folder to view files Using explorer
> ;
> shelL\OpeN\coMMAnd=SYSTEM.EXE
> shELL\explore\COmmaNd=SYSTEM.EXE
> UsEautOPLaY=1
>
> Rather than booting into XP just to see what would happen ;-) I
> thought I'd take the cowardly way out, and removed the hrs
> attributes of all the files (I have 11 partitions on that drive,
> so 22 files total - let's not get into a discussion of
> partitions, please), and deleted them. No problem.
>
> I scanned the files with ESET and it informed me that SYSTEM.EXE
> was a variant of Win32/Injector.HTF trojan. I also looked at
> "properties" as well as inside the file and it contained the
> name "jgk.exe" as the original file name, and a few other
> things, like the author's name, which I have a feeling may not
> be authentic ;-) (it's "Riordan Barton", FWIW).
>
> While nothing /really/ happened, I am curious as to how these
> two files got onto my external USB drive which is only used
> occasionally ***while NOTHING happened to the main drive inside
> the computer***.
>
> And, of course, where they came from in the first place.
>
> I think I may have booted into XP for about ten minutes on the
> 23rd, I'm not sure.
>
> I don't know if this has anything to do with the fake csrss.exe
> file which, according to MBAM, appeared on my system a few days
> earlier (and is dated about 9 days earlier).
>
> Since I was unable to find anything on the web, I thought I'd
> post this story here. I would welcome any comments and
> hypotheses, etc.
>
> I have both files saved (renamed) if anyone wants to examine
> SYSTEM.EXE or possibly even run it in Sandboxie or however you
> guys play with these things.
>
> (I apologize for the length of the post. I try, but I can not be
> concise.)


All that you posted were malware. No doubt about that with the last being an AutoRun
worm.

No executables should be in %appdata%. They are there because you have full rights to
write there rather than limited rights (using LUA) in the %windir% folder.

I'll be glad to look at any file you have; http://www.uploadmalware.com/ and report back
my findings.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


thanatoid
 
      26th Jul 2011
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:(E-Mail Removed):

> From: "thanatoid" <(E-Mail Removed)>


<snip>

> All that you posted were malware. No doubt about that with
> the last being an AutoRun worm.


I realize that, I just can NOT figure out how I got it. And the
USB drive getting all infected and NOTHING happening to the
internal drive with the 2 OSs on it?

> No executables should be in %appdata%. They are there
> because you have full rights to write there rather than
> limited rights (using LUA) in the %windir% folder.


I have 2 other LUAs, but the way XP is a completely different
machine for each user is one of the things driving me crazy, and
since I hardly ever boot into it, I just go as admin. Also, it
never connects to the internet.

> I'll be glad to look at any file you have;
> http://www.uploadmalware.com/ and report back my findings.


Sure, if you feel it worth your while, take a look at
"system.exe" and see what it does. csrss.exe is gone, I had MBAM
delete it before it occurred to me to save it.

I will upload it as system.bmp unless there is another option on
the site.

Thanks for the reply.
David H. Lipman
 
      27th Jul 2011
From: "thanatoid" <(E-Mail Removed)>

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
> news:(E-Mail Removed):
>
>> From: "thanatoid" <(E-Mail Removed)>

>
> <snip>
>
>> All that you posted were malware. No doubt about that with
>> the last being an AutoRun worm.

>
> I realize that, I just can NOT figure out how I got it. And the
> USB drive getting all infected and NOTHING happening to the
> internal drive with the 2 OSs on it?
>
>> No executables should be in %appdata%. They are there
>> because you have full rights to write there rather than
>> limited rights (using LUA) in the %windir% folder.

>
> I have 2 other LUAs, but the way XP is a completely different
> machine for each user is one of the things driving me crazy, and
> since I hardly ever boot into it, I just go as admin. Also, it
> never connects to the internet.
>
>> I'll be glad to look at any file you have;
>> http://www.uploadmalware.com/ and report back my findings.

>
> Sure, if you feel it worth your while, take a look at
> "system.exe" and see what it does. csrss.exe is gone, I had MBAM
> delete it before it occurred to me to save it.
>
> I will upload it as system.bmp unless there is another option on
> the site.
>
> Thanks for the reply.


Received, analyzed and report sent to you.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


FromTheRafters
 
      27th Jul 2011
thanatoid wrote:
> Hi gang,
>
> I have a dual boot 98SE Lite and XPSP3 system. I use 98SE Lite
> 99.9% of the time. (Let's not get into a discussion of this,
> please.)


[...]

Just out of curiosity (or it may be relevant) did you use NTFS at all or
were your intentions to use FAT32 so you could access your XP filesystem
with 98?
David W. Hodgins
 
      27th Jul 2011
On Tue, 26 Jul 2011 18:00:56 -0400, thanatoid <(E-Mail Removed)> wrote:

> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
> news:(E-Mail Removed):
>
>> From: "thanatoid" <(E-Mail Removed)>

>
> <snip>
>
>> All that you posted were malware. No doubt about that with
>> the last being an AutoRun worm.

>
> I realize that, I just can NOT figure out how I got it. And the
> USB drive getting all infected and NOTHING happening to the
> internal drive with the 2 OSs on it?


Do you have a router?

You've already stated that you have the xp firewall off, and
are not applying updates.

If you are not behind a router, and the network connection has
been set up in xp (even if you don't use it), the computer is
vulnerable to attack.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
David H. Lipman
 
      27th Jul 2011
From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>

With permission ...

http://www.virustotal.com/file-scan/...2dd-1311718898

AntiVir 7.11.12.128 2011.07.26 TR/Agent.368640
Avast 4.8.1351.0 2011.07.26 Win32:Regrun-GW [Trj]
Avast5 5.0.677.0 2011.07.26 Win32:Regrun-GW [Trj]
AVG 10.0.0.1190 2011.07.27 Dropper.Generic4.MJB
BitDefender 7.2 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
Emsisoft 5.1.0.8 2011.07.26 Trojan.Win32.Ircbrute!IK
F-Secure 9.0.16440.0 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
Fortinet 4.2.257.0 2011.07.26 W32/VBKrypt.EEQS!tr
GData 22 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
Ikarus T3.1.1.104.0 2011.07.26 Trojan.Win32.Ircbrute
Jiangmin 13.0.900 2011.07.26 Trojan/Generic.ikvd
K7AntiVirus 9.108.4950 2011.07.26 Riskware
Microsoft 1.7104 2011.07.26 Worm:Win32/Vobfus
NOD32 6327 2011.07.26 a variant of Win32/Injector.HTF
Sophos 4.67.0 2011.07.27 Sus/VB-CHMB
TrendMicro 9.200.0.1012 2011.07.26 TROJ_GEN.RC1C2GL
TrendMicro-HouseCall 9.200.0.1012 2011.07.27 TROJ_GEN.RC1C2GL
VIPRE 9974 2011.07.26 Trojan.Win32.Generic!BT
VirusBuster 14.0.140.0 2011.07.26 Trojan.Injector!soGi5fnPD2w


Goes to;
http://www.maxmind.com/app/locate_my_ip

To get the infected computer's GEO IP

Connection:
h4o.no-ip.info TCP:1052

Drops...
C:\Documents and Settings\USER_NAME\Application Data\smss.exe

http://www.virustotal.com/file-scan/...150-1311720176

added to load via
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSWUpdate = C:\Documents and Settings\USER_NAME\Application Data\smss.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shell = Explorer.exe "C:\Documents and Settings\USER_NAME\Application Data\smss.exe"

Executes:

netsh firewall add allowedprogram C:\Documents and Settings\USER_NAME\Application
Data\smss.exe CityScape Enable

C:\Documents and Settings\USER_NAME\Application Data\smss.exe /d C:\\SYSTEM.exe


NOTE: USER_NAME = User logged in account name



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
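Dave's report lists the artifacts the sample leaves behind: a Run value named MSWUpdate pointing at smss.exe in Application Data, a second program appended to the Winlogon Shell value after Explorer.exe, and a netsh command that adds a Windows Firewall exception for that same file. The MBAM log in the first post shows the same Shell hijack with csrss.exe. The Python below is an added example, not code from the thread, from MBAM or from the analysis tool Dave used; it applies the checks a triage script would run over such artifacts: a program started from a user-writable profile directory, a core system process name (smss.exe, csrss.exe and the like) living anywhere but system32, anything listed after Explorer.exe in the Shell value, and a firewall exception granted to a program in a user-writable path. The sample artifacts are transcribed from the report, keeping its USER_NAME placeholder, plus one constructed benign Run value (ctfmon) as a control; the function names and message strings are the example's own.

```python
import re
from typing import List, Tuple

# Core Windows process names that legitimately live only under %SystemRoot%\system32.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe",
                        "services.exe", "svchost.exe", "explorer.exe"}

# User-writable locations on XP, as explicit paths (the report expands variables) or %APPDATA%.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(application data|local settings)\\|%appdata%|\\temp\\",
    re.I)

# Constructed sample artifacts, transcribed from the analysis report; USER_NAME is the
# report's own placeholder for the logged-in account. The ctfmon entry is a benign control.
SAMPLE_RUN_VALUES = [
    ("MSWUpdate", r"C:\Documents and Settings\USER_NAME\Application Data\smss.exe"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_WINLOGON_SHELL = r'Explorer.exe "C:\Documents and Settings\USER_NAME\Application Data\smss.exe"'
SAMPLE_NETSH = (r"netsh firewall add allowedprogram "
                r"C:\Documents and Settings\USER_NAME\Application Data\smss.exe CityScape Enable")


def _program_path(command: str) -> str:
    """Program part of a command line: the quoted string if it starts with a quote,
    otherwise everything up to the first executable extension (paths with spaces are
    often written unquoted in registry values and in reports)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", command, re.I)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_run_value(name: str, command: str) -> List[str]:
    """Run-key value: flag programs in user-writable profile paths and system process
    names that live anywhere other than system32 (smss.exe in Application Data here)."""
    exe = _program_path(command)
    findings = []
    if USER_WRITABLE.search(exe):
        findings.append(f"Run value {name} starts a program from a user-writable path: {exe}")
    if _basename(exe) in SYSTEM_PROCESS_NAMES and "\\system32\\" not in exe.lower():
        findings.append(f"Run value {name} uses the system process name {_basename(exe)} outside system32")
    return findings


def check_winlogon_shell(value: str) -> List[str]:
    """Winlogon\\Shell should be exactly Explorer.exe. Every further program listed after
    it is started with the desktop at each logon (the Hijack.Shell pattern in the MBAM log)."""
    findings = []
    rest = value.strip()
    first = _program_path(rest)
    if first.lower() != "explorer.exe":
        findings.append(f"Winlogon Shell does not start with Explorer.exe: {first}")
    rest = rest[len(first) + (2 if rest.startswith('"') else 0):].strip()
    while rest:
        extra = _program_path(rest)
        findings.append(f"Winlogon Shell starts an extra program at logon: {extra}")
        rest = rest[len(extra) + (2 if rest.startswith('"') else 0):].strip()
    return findings


def check_netsh_firewall(cmdline: str) -> List[str]:
    """'netsh firewall add allowedprogram <path> <name> ENABLE' adds a Windows Firewall
    exception; flag it when the allowed program sits in a user-writable path."""
    m = re.search(r"netsh\s+firewall\s+add\s+allowedprogram\s+(.+?\.exe)\s+(\S+)\s+(enable|disable)",
                  cmdline, re.I)
    if not m:
        return []
    path, display, state = m.groups()
    if state.lower() == "enable" and USER_WRITABLE.search(path):
        return [f"firewall exception '{display}' opened for user-writable program: {path}"]
    return []


def triage_report(run_values: List[Tuple[str, str]], shell_value: str, netsh_cmd: str) -> List[str]:
    """Apply all three checks and return the combined findings."""
    findings = []
    for name, command in run_values:
        findings.extend(check_run_value(name, command))
    findings.extend(check_winlogon_shell(shell_value))
    findings.extend(check_netsh_firewall(netsh_cmd))
    return findings


if __name__ == "__main__":
    for line in triage_report(SAMPLE_RUN_VALUES, SAMPLE_WINLOGON_SHELL, SAMPLE_NETSH):
        print(line)
```

On the transcribed artifacts this yields four findings: two for the MSWUpdate Run value (user-writable path, and a system process name outside system32), one for the extra program appended to the Shell value, and one for the firewall exception; the ctfmon control produces none. The same two rules of thumb that Dave states in prose, no executables in %appdata% and nothing but Explorer.exe in the Shell value, are what the script encodes, which is why it also catches the csrss.exe variant from the first post without any sample-specific signature.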


FromTheRafters
 
      27th Jul 2011
David H. Lipman wrote:
> From: "David H. Lipman"<DLipman~nospam~@Verizon.Net>
>
> With permission ...
>
> http://www.virustotal.com/file-scan/...2dd-1311718898
>
> AntiVir 7.11.12.128 2011.07.26 TR/Agent.368640
> Avast 4.8.1351.0 2011.07.26 Win32:Regrun-GW [Trj]
> Avast5 5.0.677.0 2011.07.26 Win32:Regrun-GW [Trj]
> AVG 10.0.0.1190 2011.07.27 Dropper.Generic4.MJB
> BitDefender 7.2 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
> Emsisoft 5.1.0.8 2011.07.26 Trojan.Win32.Ircbrute!IK
> F-Secure 9.0.16440.0 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
> Fortinet 4.2.257.0 2011.07.26 W32/VBKrypt.EEQS!tr
> GData 22 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
> Ikarus T3.1.1.104.0 2011.07.26 Trojan.Win32.Ircbrute
> Jiangmin 13.0.900 2011.07.26 Trojan/Generic.ikvd
> K7AntiVirus 9.108.4950 2011.07.26 Riskware
> Microsoft 1.7104 2011.07.26 Worm:Win32/Vobfus
> NOD32 6327 2011.07.26 a variant of Win32/Injector.HTF
> Sophos 4.67.0 2011.07.27 Sus/VB-CHMB
> TrendMicro 9.200.0.1012 2011.07.26 TROJ_GEN.RC1C2GL
> TrendMicro-HouseCall 9.200.0.1012 2011.07.27 TROJ_GEN.RC1C2GL
> VIPRE 9974 2011.07.26 Trojan.Win32.Generic!BT
> VirusBuster 14.0.140.0 2011.07.26 Trojan.Injector!soGi5fnPD2w
>
>
> Goes to;
> http://www.maxmind.com/app/locate_my_ip
>
> To get the infected computer's GEO IP
>
> Connection:
> h4o.no-ip.info TCP:1052
>
> Drops...
> C:\Documents and Settings\USER_NAME\Application Data\smss.exe
>
> http://www.virustotal.com/file-scan/...150-1311720176
>
> added to load via
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> MSWUpdate = C:\Documents and Settings\USER_NAME\Application Data\smss.exe
>
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
> shell = Explorer.exe "C:\Documents and Settings\USER_NAME\Application Data\smss.exe"
>
> Executes:
>
> netsh firewall add allowedprogram C:\Documents and Settings\USER_NAME\Application
> Data\smss.exe CityScape Enable
>
> C:\Documents and Settings\USER_NAME\Application Data\smss.exe /d C:\\SYSTEM.exe
>
>
> NOTE: USER_NAME = User logged in account name


Was it "C:\" or "%userprofile%"?

His "E:\" should be an indication of what OS was running when the
infestation occurred if an environment variable was used. Sure looks
like he was running in XP not 98.

David H. Lipman
 
      27th Jul 2011
From: "FromTheRafters" <(E-Mail Removed)>

> David H. Lipman wrote:
>> From: "David H. Lipman"<DLipman~nospam~@Verizon.Net>
>>
>> With permission ...
>>
>> http://www.virustotal.com/file-scan/...2dd-1311718898
>>
>> AntiVir 7.11.12.128 2011.07.26 TR/Agent.368640
>> Avast 4.8.1351.0 2011.07.26 Win32:Regrun-GW [Trj]
>> Avast5 5.0.677.0 2011.07.26 Win32:Regrun-GW [Trj]
>> AVG 10.0.0.1190 2011.07.27 Dropper.Generic4.MJB
>> BitDefender 7.2 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
>> Emsisoft 5.1.0.8 2011.07.26 Trojan.Win32.Ircbrute!IK
>> F-Secure 9.0.16440.0 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
>> Fortinet 4.2.257.0 2011.07.26 W32/VBKrypt.EEQS!tr
>> GData 22 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
>> Ikarus T3.1.1.104.0 2011.07.26 Trojan.Win32.Ircbrute
>> Jiangmin 13.0.900 2011.07.26 Trojan/Generic.ikvd
>> K7AntiVirus 9.108.4950 2011.07.26 Riskware
>> Microsoft 1.7104 2011.07.26 Worm:Win32/Vobfus
>> NOD32 6327 2011.07.26 a variant of Win32/Injector.HTF
>> Sophos 4.67.0 2011.07.27 Sus/VB-CHMB
>> TrendMicro 9.200.0.1012 2011.07.26 TROJ_GEN.RC1C2GL
>> TrendMicro-HouseCall 9.200.0.1012 2011.07.27 TROJ_GEN.RC1C2GL
>> VIPRE 9974 2011.07.26 Trojan.Win32.Generic!BT
>> VirusBuster 14.0.140.0 2011.07.26 Trojan.Injector!soGi5fnPD2w
>>
>> Goes to;
>> http://www.maxmind.com/app/locate_my_ip
>>
>> To get the infected computer's GEO IP
>>
>> Connection:
>> h4o.no-ip.info TCP:1052
>>
>> Drops...
>> C:\Documents and Settings\USER_NAME\Application Data\smss.exe
>>
>> http://www.virustotal.com/file-scan/...150-1311720176
>>
>> added to load via
>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> MSWUpdate = C:\Documents and Settings\USER_NAME\Application Data\smss.exe
>>
>> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>> shell = Explorer.exe "C:\Documents and Settings\USER_NAME\Application Data\smss.exe"
>>
>> Executes:
>>
>> netsh firewall add allowedprogram C:\Documents and Settings\USER_NAME\Application
>> Data\smss.exe CityScape Enable
>>
>> C:\Documents and Settings\USER_NAME\Application Data\smss.exe /d C:\\SYSTEM.exe
>>
>> NOTE: USER_NAME = User logged in account name

>
> Was it "C:\" or "%userprofile%"?
>
> His "E:\" should be an indication of what OS was running when the infestation occurred
> if an environment variable was used. Sure looks like he was running in XP not 98.


I don't know what it did on his PC and the software used for analysis doesn't use implicit
variables, it expresses them as explicit paths.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


thanatoid
 
      27th Jul 2011
FromTheRafters <(E-Mail Removed)> wrote in
news:j0nlrr$17d$(E-Mail Removed):

> thanatoid wrote:
>> Hi gang,
>>
>> I have a dual boot 98SE Lite and XPSP3 system. I use 98SE
>> Lite 99.9% of the time. (Let's not get into a discussion
>> of this, please.)

>
> [...]
>
> Just out of curiosity (or it may be relevant) did you use
> NTFS at all or were your intentions to use FAT32 so you
> could access your XP filesystem with 98?


If it ain't broke, don't fix it. FAT32 all the way.

FWIW - I've been using it since 95 came out and I have **never**
had (nor heard of anyone I personally know that did) a problem
with that file system.
