WMF patch - gdihook.dll infected by trojan?

[Franc Zabkar]

I've been using Paolo Monti's "GDI32 / WMF Patch" for nearly a year
now but it was only recently that AVG told me that the gdihook.dll
component file was infected with the BackDoor.Hupigon4.ADUA trojan. A
scan at Virustotal resulted in 18 out 36 antivirus software detecting
the same malware. Symantec and TrendMicro were two that didn't detect
it.

I'm wondering whether this is a false positive.

Here are the results:

http://www.users.on.net/~fzabkar/gdihook_dll_scan.htm

The package is delivered as a single install.exe file. When this file
is scanned by Virustotal, Sophos identifies "Sus/Madcode-A" malware.
All other antivirus products detect nothing.

I notice the following text strings in gdihook.dll:

====================================================================
forbiddenAPIsMutex madCodeHook warning...
You've tried to hook one of the following APIs:
These APIs are usually hooked in order to hide a process. Of course
madCodeHook can do that just fine. But I don't want virus/trojan
writers to misuse madCodeHook for illegal purposes. So I've decided to
not allow these APIs to be hooked. If you absolutely have to hook
these APIs, and if you have a commercial madCodeHook license, you may
contact me.
====================================================================

BTW, the subject patch is available here:
http://web.archive.org/web/20070203164123/http://d1.nod32.ch/download/wmfpatch11.zip

My research leads me to believe that MadCodeHook is a legitimate
product that has occasionally been misused by malware writers. It is
for this reason that I suspect the WMF patch is being falsely
identified as infected.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

 

[thanatoid]

Franc Zabkar <fzabkar@iinternode.on.net> wrote in
news:gio2g4hu4jss3t3r27r4r4d211e8srh78t@4ax.com:

> I've been using Paolo Monti's "GDI32 / WMF Patch" for
> nearly a year now but it was only recently that AVG told me
> that the gdihook.dll component file was infected with the
> BackDoor.Hupigon4.ADUA trojan. A scan at Virustotal
> resulted in 18 out 36 antivirus software detecting the same
> malware. Symantec and TrendMicro were two that didn't
> detect it.

<SNIP>

Hi again, Franc. Hope you've been well.

I am entering WAY above my head here, but no one else to reply
to

I thought just replacing the gdiplus.dll with the fixed version
was enough.

I googled for "gdihook.dll trojan", and the first 2 (3 if you
read German) hits explain that it is safe but CAN be disguised
and used by malware.

I found this page just baffling, but you may find it
interesting:
http://www.tuts4you.com/forum/index.php?showtopic=14624

I /know/ I should not have gotten into this subject. I don't
even know what a hook is!

--
Those who cast the votes decide nothing. Those who count the
votes decide everything.
- Josef Stalin

NB: Not only is my KF over 4 KB and growing, I am also filtering
everything from discussions.microsoft and google groups, so no
offense if you don't get a reply/comment unless I see you quoted
in another post.

 

[MEB]

Hmm, ESET formerly suggested its use, however, they also suggested removing
it once Microsoft produced the fix....
Hard to say what segment of code of that offering has been picked up as a
virus/Trojan now.... since EVERYONE is attempting to tighten their detection
schemes due to all the junk floating around out here.
Seems there was a lengthy discussion [or was it several] in here during that
time period ....

Then again, the exploit WAS to allow, in part, the Backdoor .haxdoor trogan
and its variants [among others] INTO the system....

Pick it apart if you think its worthwhile...

Additional References:
http://www.dslreports.com/forum/remark,15115819~start=700
http://forums.mozillazine.org/viewtopic.php?p=1989632&sid=feb91de5e6104f433764242b562f8018

--
MEB
http://peoplescounsel.org
a Peoples' counsel
_ _
~~
"Franc Zabkar" <fzabkar@iinternode.on.net> wrote in message
news:gio2g4hu4jss3t3r27r4r4d211e8srh78t@4ax.com...
| I've been using Paolo Monti's "GDI32 / WMF Patch" for nearly a year
| now but it was only recently that AVG told me that the gdihook.dll
| component file was infected with the BackDoor.Hupigon4.ADUA trojan. A
| scan at Virustotal resulted in 18 out 36 antivirus software detecting
| the same malware. Symantec and TrendMicro were two that didn't detect
| it.
|
| I'm wondering whether this is a false positive.
|
| Here are the results:
|
| http://www.users.on.net/~fzabkar/gdihook_dll_scan.htm
|
| The package is delivered as a single install.exe file. When this file
| is scanned by Virustotal, Sophos identifies "Sus/Madcode-A" malware.
| All other antivirus products detect nothing.
|
| I notice the following text strings in gdihook.dll:
|
| ====================================================================
| forbiddenAPIsMutex madCodeHook warning...
| You've tried to hook one of the following APIs:
| These APIs are usually hooked in order to hide a process. Of course
| madCodeHook can do that just fine. But I don't want virus/trojan
| writers to misuse madCodeHook for illegal purposes. So I've decided to
| not allow these APIs to be hooked. If you absolutely have to hook
| these APIs, and if you have a commercial madCodeHook license, you may
| contact me.
| ====================================================================
|
| BTW, the subject patch is available here:
|
http://web.archive.org/web/20070203164123/http://d1.nod32.ch/download/wmfpatch11.zip
|
| My research leads me to believe that MadCodeHook is a legitimate
| product that has occasionally been misused by malware writers. It is
| for this reason that I suspect the WMF patch is being falsely
| identified as infected.
|
| - Franc Zabkar
| --
| Please remove one 'i' from my address when replying by email.

 

[PA Bear [MS MVP]]

Are you running AVG Free or Pro? What version? AFAIK, neither AVG Free or
Pro v7.5 is supported in Win9x anymore v8.x has never been supported in
Win9x.

AVG Free Support Forum
http://freeforum.avg.com/

....although I can tell you right now that a search for GDIHOOK in that forum
yields no results.

(Certainly sounds like a F/P to me.)
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Franc Zabkar wrote:
> I've been using Paolo Monti's "GDI32 / WMF Patch" for nearly a year
> now but it was only recently that AVG told me that the gdihook.dll
> component file was infected with the BackDoor.Hupigon4.ADUA trojan. A
> scan at Virustotal resulted in 18 out 36 antivirus software detecting
> the same malware. Symantec and TrendMicro were two that didn't detect
> it.
>
> I'm wondering whether this is a false positive.
>
> Here are the results:
>
> http://www.users.on.net/~fzabkar/gdihook_dll_scan.htm
>
> The package is delivered as a single install.exe file. When this file
> is scanned by Virustotal, Sophos identifies "Sus/Madcode-A" malware.
> All other antivirus products detect nothing.
>
> I notice the following text strings in gdihook.dll:
>
> ====================================================================
> forbiddenAPIsMutex madCodeHook warning...
> You've tried to hook one of the following APIs:
> These APIs are usually hooked in order to hide a process. Of course
> madCodeHook can do that just fine. But I don't want virus/trojan
> writers to misuse madCodeHook for illegal purposes. So I've decided to
> not allow these APIs to be hooked. If you absolutely have to hook
> these APIs, and if you have a commercial madCodeHook license, you may
> contact me.
> ====================================================================
>
> BTW, the subject patch is available here:
> http://web.archive.org/web/20070203164123/http://d1.nod32.ch/download/wmfpatch11.zip
>
> My research leads me to believe that MadCodeHook is a legitimate
> product that has occasionally been misused by malware writers. It is
> for this reason that I suspect the WMF patch is being falsely
> identified as infected.
>
> - Franc Zabkar

 

[Franc Zabkar]

On 24 Oct 2008 06:48:29 GMT, thanatoid <waiting@the.exit.invalid> put
finger to keyboard and composed:

>Franc Zabkar <fzabkar@iinternode.on.net> wrote in
>news:gio2g4hu4jss3t3r27r4r4d211e8srh78t@4ax.com:
>
>> I've been using Paolo Monti's "GDI32 / WMF Patch" for
>> nearly a year now but it was only recently that AVG told me
>> that the gdihook.dll component file was infected with the
>> BackDoor.Hupigon4.ADUA trojan. A scan at Virustotal
>> resulted in 18 out 36 antivirus software detecting the same
>> malware. Symantec and TrendMicro were two that didn't
>> detect it.
>
><SNIP>
>
>Hi again, Franc. Hope you've been well.
>
>I am entering WAY above my head here, but no one else to reply
>to
>
>I thought just replacing the gdiplus.dll with the fixed version
>was enough.

I guess I haven't been paying attention to the updates.

>I googled for "gdihook.dll trojan", and the first 2 (3 if you
>read German) hits explain that it is safe but CAN be disguised
>and used by malware.
>
>I found this page just baffling, but you may find it
>interesting:
>http://www.tuts4you.com/forum/index.php?showtopic=14624

I only understand it superficially, but not enough to answer the
question in the subject.

>I /know/ I should not have gotten into this subject. I don't
>even know what a hook is!

I don't really know either, except to say that a program that hooks
(or intercepts) an interrupt gets the first chance to service it
before passing it on to the original interrupt service routine. If,
for example, a running program has a special hotkey such as
Ctrl-Alt-Del, then it will hook the keyboard API (Application Program
Interface) or driver and inspect the input before allowing the API or
driver to handle it, or not. AIUI, a key logger trojan such as
BackDoor.Hupigon4.ADUA may hook an API or keyboard driver.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

 

[Franc Zabkar]

On Fri, 24 Oct 2008 14:00:35 -0400, "PA Bear [MS MVP]"
<PABearMVP@gmail.com> put finger to keyboard and composed:

>Are you running AVG Free or Pro? What version? AFAIK, neither AVG Free or
>Pro v7.5 is supported in Win9x anymore v8.x has never been supported in
>Win9x.

I'm running AVG Free 7.5.549, virus base 270.8.2/1741, release date
23/10/08.

>AVG Free Support Forum
>http://freeforum.avg.com/
>
>...although I can tell you right now that a search for GDIHOOK in that forum
>yields no results.
>
>(Certainly sounds like a F/P to me.)

I have already sent an email query to AVG Support.

Update:

AVG have replied as follows:

======================================================================
Unfortunately, the current virus database version may detect the
mentioned file as infected. We can confirm that it is a false alarm.
We would like to inform you that the false positive will be removed in
the next Definitions update.
======================================================================

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

 

[PA Bear [MS MVP]]

Did you tell them you're running Win98??

Franc Zabkar wrote:
> On Fri, 24 Oct 2008 14:00:35 -0400, "PA Bear [MS MVP]"
> <PABearMVP@gmail.com> put finger to keyboard and composed:
>
>> Are you running AVG Free or Pro? What version? AFAIK, neither AVG Free
>> or
>> Pro v7.5 is supported in Win9x anymore v8.x has never been supported in
>> Win9x.
>
> I'm running AVG Free 7.5.549, virus base 270.8.2/1741, release date
> 23/10/08.
>
>> AVG Free Support Forum
>> http://freeforum.avg.com/
>>
>> ...although I can tell you right now that a search for GDIHOOK in that
>> forum yields no results.
>>
>> (Certainly sounds like a F/P to me.)
>
> I have already sent an email query to AVG Support.
>
> Update:
>
> AVG have replied as follows:
>
> ======================================================================
> Unfortunately, the current virus database version may detect the
> mentioned file as infected. We can confirm that it is a false alarm.
> We would like to inform you that the false positive will be removed in
> the next Definitions update.
> ======================================================================
>
> - Franc Zabkar

 

[Franc Zabkar]

On Fri, 24 Oct 2008 19:54:53 -0400, "PA Bear [MS MVP]"
<PABearMVP@gmail.com> put finger to keyboard and composed:

>Did you tell them you're running Win98??

No.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

 

[Franc Zabkar]

On Fri, 24 Oct 2008 17:16:59 +1100, Franc Zabkar
<fzabkar@iinternode.on.net> put finger to keyboard and composed:

>I've been using Paolo Monti's "GDI32 / WMF Patch" for nearly a year
>now but it was only recently that AVG told me that the gdihook.dll
>component file was infected with the BackDoor.Hupigon4.ADUA trojan. A
>scan at Virustotal resulted in 18 out 36 antivirus software detecting
>the same malware. Symantec and TrendMicro were two that didn't detect
>it.
>
>I'm wondering whether this is a false positive.
>
>Here are the results:
>
>http://www.users.on.net/~fzabkar/gdihook_dll_scan.htm
>
>The package is delivered as a single install.exe file. When this file
>is scanned by Virustotal, Sophos identifies "Sus/Madcode-A" malware.
>All other antivirus products detect nothing.

Hmm, this suggests that the compression method used to deliver the
constituent files is recognised by only a few antivirus products. I
wonder how many other viruses are lurking inside executable archives
just waiting to be unpacked.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

 

[Franc Zabkar]

On Fri, 24 Oct 2008 17:16:59 +1100, Franc Zabkar
<fzabkar@iinternode.on.net> put finger to keyboard and composed:

>BTW, the subject patch is available here:
>http://web.archive.org/web/20070203164123/http://d1.nod32.ch/download/wmfpatch11.zip

I should say that the Wayback Machine still has a downloading bug
which was evident way back in 2005. For example, I know that at least
some ZIP files, and possibly EXEs, will be corrupted. This is because
the last byte is not downloaded.

In the above case, Opera told me that the file size was 966,583 bytes,
but it only managed to retrieve 966,582 bytes. I had to add a null
byte (0x00) to the end of the file before Winzip would open it.

You can use DOS Debug to create a file named "zero" containing just
one 0x00 byte, as follows.

C:\your_folder>debug
-e 100
12E9:0100 5D.00
-rcx
CX 0000
:1
-n zero
-w
Writing 00001 bytes
-q

Then use the Copy command to append it to the end of the bad download,
as follows.

ren wmfpatch11.zip bad_ZIP
copy /b bad_ZIP + zero wmfpatch11.zip
del bad_ZIP
del zero

Use double quotation marks if your filename has spaces.

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

 

[thanatoid]

Franc Zabkar <fzabkar@iinternode.on.net> wrote in
news:ara4g4deumsl74jijqec8ough4mna4kd2c@4ax.com:

>><SNIP>
>>
>>Hi again, Franc. Hope you've been well.
>>
>>I am entering WAY above my head here, but no one else to
>>reply to
>>
>>I thought just replacing the gdiplus.dll with the fixed
>>version was enough.
>
> I guess I haven't been paying attention to the updates.
>
I pay NO attention to the updates, but this one just happened to
"pass my screen" several times.

<SNIP>

>>I found this page just baffling, but you may find it
>>interesting:
>>http://www.tuts4you.com/forum/index.php?showtopic=14624
>
> I only understand it superficially, but not enough to
> answer the question in the subject.

I thought you might find the complete Madhook collection (+)
link interesting for research purposes.
The page seems like it's frequented by "reverse engineers" and
hackers and crackers and virus writers - but that's what Google
gave me.

>>I /know/ I should not have gotten into this subject. I
>>don't even know what a hook is!
>
> I don't really know either, except to say that a program
> that hooks (or intercepts) an interrupt gets the first
> chance to service it before passing it on to the original
> interrupt service routine. If, for example, a running
> program has a special hotkey such as Ctrl-Alt-Del, then it
> will hook the keyboard API (Application Program Interface)
> or driver and inspect the input before allowing the API or
> driver to handle it, or not. AIUI, a key logger trojan such
> as BackDoor.Hupigon4.ADUA may hook an API or keyboard
> driver.

I think I understand a little better now - but I know I will
never be a programmer -)


Regards
t.



--
Those who cast the votes decide nothing. Those who count the
votes decide everything.
- Josef Stalin

NB: Not only is my KF over 4 KB and growing, I am also filtering
everything from discussions.microsoft and google groups, so no
offense if you don't get a reply/comment unless I see you quoted
in another post.

 

[MEB]

"Franc Zabkar" <fzabkar@iinternode.on.net> wrote in message
news:ufr4g41l8gifvb2d4t1no6kru1e22f4u16@4ax.com...
| On Fri, 24 Oct 2008 17:16:59 +1100, Franc Zabkar
| <fzabkar@iinternode.on.net> put finger to keyboard and composed:
|
| >I've been using Paolo Monti's "GDI32 / WMF Patch" for nearly a year
| >now but it was only recently that AVG told me that the gdihook.dll
| >component file was infected with the BackDoor.Hupigon4.ADUA trojan. A
| >scan at Virustotal resulted in 18 out 36 antivirus software detecting
| >the same malware. Symantec and TrendMicro were two that didn't detect
| >it.
| >
| >I'm wondering whether this is a false positive.
| >
| >Here are the results:
| >
| >http://www.users.on.net/~fzabkar/gdihook_dll_scan.htm
| >
| >The package is delivered as a single install.exe file. When this file
| >is scanned by Virustotal, Sophos identifies "Sus/Madcode-A" malware.
| >All other antivirus products detect nothing.
|
| Hmm, this suggests that the compression method used to deliver the
| constituent files is recognised by only a few antivirus products. I
| wonder how many other viruses are lurking inside executable archives
| just waiting to be unpacked.
|
| - Franc Zabkar
| --
| Please remove one 'i' from my address when replying by email.

I would say lots, but then merely using a program like Universal Extractor
[which doesn't do them all but does supply a number of the individual
utilities {51 in 1.5}] or another multipurpose extractor should give a hint.
The vast number of compressors and executives creators increases the
likelihood that a download was compressed/encoded with something untoward
within...

If the Anti-Virus program can't enter the archive or recognize the
compressed or encoded executive, then there is know way to detect any
malicious activity or inclusion until its run or opened. Even then, an
unknown executive or DLL format may go undetected.

Add that to the obvious conclusion that most people never even check what
they've downloaded NOR monitor their running systems {relying upon what
applications they have installed to supposedly protect them}, and the hack
and delivery method may never be discovered until someone finally notices a
problem and reports it to one of the services and works through a diagnostic
routine..... [hence my recent bot farm post]

It appear to me {to get back to the WMF/gdi issue} that the other suggested
work-arounds MAY have been of more long term value. ALL of the fancy stuff
found on the Internet brings its own vulnerabilities, and they ARE being
exploited.

--
MEB
http://peoplescounsel.org
a Peoples' counsel
_ _
~~

 

[PA Bear [MS MVP]]

Franc Zabkar wrote:
>
>> Did you tell them you're running Win98??
>
> No.

And are you aware that AVG Free v7.5 is no longer supported in Win98 or any
other Windows version?

 

[Franc Zabkar]

On Sat, 25 Oct 2008 17:13:39 -0400, "PA Bear [MS MVP]"
<PABearMVP@gmail.com> put finger to keyboard and composed:

>Franc Zabkar wrote:
>>
>>> Did you tell them you're running Win98??
>>
>> No.
>
>And are you aware that AVG Free v7.5 is no longer supported in Win98 or any
>other Windows version?

Yes, but I'm still using a lot of other unsupported software,
including this OS. I have other antivirus products, including Avast,
to fall back on. I can still use PC-cillin, if I manually download the
virus patterns, but the scan engine is not being updated so there may
be cases where malware will not be detected by the older scan engine.
Then there's always Virustotal for an online scan ...

- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.

 

[Sunny]

"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
news:eIKf3guNJHA.1144@TK2MSFTNGP05.phx.gbl...
> Franc Zabkar wrote:
>>
>>> Did you tell them you're running Win98??
>>
>> No.
>
> And are you aware that AVG Free v7.5 is no longer supported in Win98 or
> any other Windows version?

I am still getting updates for AVG 7.5 on my Win98 PC.
(Got another update today)

 

[98 Guy]

Sunny wrote:

> > And are you aware that AVG Free v7.5 is no longer supported in
> > Win98 or any other Windows version?
>
> I am still getting updates for AVG 7.5 on my Win98 PC.
> (Got another update today)

Symantec Intelligent Updater will still update the scan engine and virus
definition files for NAV 2002.

 

[PA Bear [MS MVP]]

Sunny wrote:
> "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
> news:eIKf3guNJHA.1144@TK2MSFTNGP05.phx.gbl...
>> Franc Zabkar wrote:
>>>
>>>> Did you tell them you're running Win98??
>>>
>>> No.
>>
>> And are you aware that AVG Free v7.5 is no longer supported in Win98 or
>> any other Windows version?
>
> I am still getting updates for AVG 7.5 on my Win98 PC.
> (Got another update today)

And another thread is hijacked...

Are you running AVG Free 7.5? (Just because it's working doesn't mean it's
supported by AVG, Sunny, and there WILL come a time when AVG 7.5 will not
auto-update.)

 

[Sunny]

"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
news:uiA737uNJHA.1668@TK2MSFTNGP06.phx.gbl...
> Sunny wrote:
>> "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
>> news:eIKf3guNJHA.1144@TK2MSFTNGP05.phx.gbl...
>>> Franc Zabkar wrote:
>>>>
>>>>> Did you tell them you're running Win98??
>>>>
>>>> No.
>>>
>>> And are you aware that AVG Free v7.5 is no longer supported in Win98
>>> or
>>> any other Windows version?
>>
>> I am still getting updates for AVG 7.5 on my Win98 PC.
>> (Got another update today)
>
> And another thread is hijacked...
>
> Are you running AVG Free 7.5? (Just because it's working doesn't mean
> it's supported by AVG, Sunny, and there WILL come a time when AVG 7.5
> will not auto-update.)

Yep it's AVG 7.5 free. I check for updates twice a week.
The Win98 box is connected to two other WinXP computers, through a
router/4 port switch, and I use NetBEUI for file/printer sharing. Still
need an AV though.
Don't know where to go when AVG Free stops

 

[PA Bear [MS MVP]]

Avast4 is the only free AV app still supported in Win9x, Sunny.

PS: You should check for an install available definition updates at least
once a day!


Sunny wrote:
> "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
> news:uiA737uNJHA.1668@TK2MSFTNGP06.phx.gbl...
>> Sunny wrote:
>>> "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
>>> news:eIKf3guNJHA.1144@TK2MSFTNGP05.phx.gbl...
>>>> Franc Zabkar wrote:
>>>>>
>>>>>> Did you tell them you're running Win98??
>>>>>
>>>>> No.
>>>>
>>>> And are you aware that AVG Free v7.5 is no longer supported in Win98
>>>> or
>>>> any other Windows version?
>>>
>>> I am still getting updates for AVG 7.5 on my Win98 PC.
>>> (Got another update today)
>>
>> And another thread is hijacked...
>>
>> Are you running AVG Free 7.5? (Just because it's working doesn't mean
>> it's supported by AVG, Sunny, and there WILL come a time when AVG 7.5
>> will not auto-update.)
>
> Yep it's AVG 7.5 free. I check for updates twice a week.
> The Win98 box is connected to two other WinXP computers, through a
> router/4 port switch, and I use NetBEUI for file/printer sharing. Still
> need an AV though.
> Don't know where to go when AVG Free stops

 

[Sunny]

Thanks PA Bear, AVG Web Site states that 7.5 support will cease on 31 Dec
2008.
Hope Avast keep Win98 support a bit longer than that.

"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
news:%23MPLvu8NJHA.1896@TK2MSFTNGP02.phx.gbl...
> Avast4 is the only free AV app still supported in Win9x, Sunny.
>
> PS: You should check for an install available definition updates at
> least once a day!
>
>
> Sunny wrote:
>> "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
>> news:uiA737uNJHA.1668@TK2MSFTNGP06.phx.gbl...
>>> Sunny wrote:
>>>> "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
>>>> news:eIKf3guNJHA.1144@TK2MSFTNGP05.phx.gbl...
>>>>> Franc Zabkar wrote:
>>>>>>
>>>>>>> Did you tell them you're running Win98??
>>>>>>
>>>>>> No.
>>>>>
>>>>> And are you aware that AVG Free v7.5 is no longer supported in Win98
>>>>> or
>>>>> any other Windows version?
>>>>
>>>> I am still getting updates for AVG 7.5 on my Win98 PC.
>>>> (Got another update today)
>>>
>>> And another thread is hijacked...
>>>
>>> Are you running AVG Free 7.5? (Just because it's working doesn't mean
>>> it's supported by AVG, Sunny, and there WILL come a time when AVG 7.5
>>> will not auto-update.)
>>
>> Yep it's AVG 7.5 free. I check for updates twice a week.
>> The Win98 box is connected to two other WinXP computers, through a
>> router/4 port switch, and I use NetBEUI for file/printer sharing.
>> Still
>> need an AV though.
>> Don't know where to go when AVG Free stops
>