Need help with Win98/Cekar-4 trojan

9xer

Honorable
Dec 27, 2012
27
0
10,580
First of all, I apologize if this is not posted in the right section, I didn't know where else to post it (if there's a better place please let me know).

Lately my ancient Win98 comp has been running even slower than usual, and it was doing something else crazy; I had both Opera and Firefox installed on that computer--sometimes when I opened Firefox it would take me to Opera instead!

I had ClamWin antivirus installed, and ran a scan...I got the resulting message; c:\WINDOWS\CLSPACK.EXE; Win.Trojan.Cekar-4 found. Being as I'm not very computer-literate, I don't even know what CLSPACK is, so I reinstalled 98; still there. Undaunted, I pressed on....this time I wiped the drive clean and did a complete reformat and install; still there.

The programs I had installed on the new install (as well as the old one); ClamWin, Firefox 8, KernelEx. Would I be correct in thinking that it came from one of those three programs?

So....what is this virus/trojan, and how do I get rid of it? Please keep in mind that I'm not very computer-savvy, so running a regedit operation is kinda risky for me.

Any help is much appreciated!
 
You can try a free scan from Norton: http://us.norton.com/support/DIY/ or
http://us.norton.com/downloads-trial-norton-internet-security
or Malwarebytes: http://www.malwarebytes.org/lp/malware_lp/?gclid=CLfijJTsjLUCFQ3nnAod0hkADw
You may need to see if any of those work on Win98.

"What is CLSPACK?
Clspack is a tool that is used to create a new Classes.zip file in the \%Windir%\Java\Classes directory. This tool converts packages that are currently installed via the package manager and writes their contents into a ZIP file. You can find this tool in <sdk-dir>\Bin directory and in the \%Windir%\ directory."
Source: http://support.microsoft.com/kb/183712

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FCekar.gen!A
 

9xer



Thanks, Ken. So today I installed the Win98 version of Avast antivirus, updated virus definitions and ran it. It picked up/quarantined something, but it wasn't related to the trojan that ClamWin found. After I ran Avast, I ran ClamWin; virus still there, so apparently Avast can't detect it.

How many viruses have you heard of that a complete reformat/install wouldn't get rid of? I know it hasn't infected the BIOS, as I temporarily installed another hard drive on that computer, installed Win98 and ClamWin; no viruses.

Am I going to have to write off that hard drive because I can't get the trojan off of it? I hope not....the drive itself is good.
 
The following is the available information on clspack.exe:
Product name: Microsoft® Windows® Operating System
Company name: Microsoft Corporation
File description: Class Package Export Tool
Internal name: ClsPack
Original filename: ClsPack.EXE
Legal copyright: Copyright © Microsoft Corp. 1997-1998
Product version: 5.00.2752
File version: 5.00.2752
 


One suggestion I have read is to boot with the Win98 disk and get to a command prompt. Then run fdisk with the /mbr switch; this will allow you to rewrite the Master Boot Record (where the virus may be hiding). Read the instructions on the following links for more information.
http://support.microsoft.com/kb/255867
http://www.computerhope.com/fdiskhlp.htm
http://www.computerhope.com/issues/ch000175.htm
You will want to delete the current partition and then create a new partition. During the Win98 install you will format the drive.
 

9xer

Ken, I think you are onto something! When I reinstalled 98, I did NOT use the mbr command (didn't even know it existed). I've been reading up on that, and it looks like this trojan affects the master boot record, which would explain why it keeps coming back.

I'm going to do another reformat/reinstall, but this time I'll reformat the MBR. Thanks for the info!
 

Glad to help, let me know if that works.
 

9xer

Well, I did a complete reformat and reinstall, this time using the fdisk /mbr command to clear the master boot record; the trojan is still there. How is that possible?