
Multibooter
Everything posted by Multibooter
-
Tenga hasn't come back up to now, after a thorough house-cleaning. Eventually I'll list here all the steps I have taken. With the "Unofficial Windows 98 SE 256 Colors Icons Explorer EXPLORER 4.72.3612.1710 Fix" by mdgx I am having a little problem with the installer under Win98SE: the Uninstall doesn't work for me. Although the installer Explor98.exe by mdgx updates Ok from the explorer.exe version of nusb, no entry is made in the Add/Remove list. I do like the new My Computer icon of the mdgx-installer better than the previous icon, but how could I get the old icons back? Also, the context menu entries for Quick View v10, which seems to be deeply integrated with Windows explorer, have disappeared after the installation of the mdgx-explorer.exe, but this may also have been caused by my test-installation of Internet Explorer 6 SP1. All other context menu entries, like that of Kaspersky Anti-Virus, are Ok. Previously I had installed the mdgx-explorer.exe by just replacing explorer.exe while in another operating system. CORRECTION: The context menu entries of Quick View did not disappear because of a different explorer.exe or IE SP1. See posting #79
-
Windows 98SE (with 98SE2ME) and a recent USB composite device
Multibooter replied to RetroOS's topic in Windows 9x/ME
I assume that a "recent" USB Composite Device is a device for which there is no manufacturer-provided Win98 driver. BTW, could you explain very briefly what a Composite Device is? I am not quite sure. I thought it was kind of an internal USB hub, built into the box, under the hood. I am using an HP2605dn Color LaserJet printer, which has a USB connector and an Ethernet connector. On both my laptop and desktop I have installed first the OrangeWare driver, then NUSB 3.3, without uninstalling the OrangeWare driver, so both drivers co-exist. When I installed the HP2605dn printer under Win98SE, it first detected a USB Composite Device and the location of the USB 2.0 driver was \INF\OEM0.INF [=the OrangeWare driver, ousb2.INF]. \INF\USB.INF was used only when I installed the printer at the USB 1.1 connector of my old laptop. The HP2605dn is the only Composite Device I use (except for a special foreign language USB keyboard). It works fine, but it was a big can of worms to install under Win98SE. The HP2605dn has manufacturer-provided drivers for Win98SE, your KVM switch probably doesn't. Congratulations that you got it to work under 98SE2ME anyway. I use NUSB as a driver for USB mass storage devices, not as a driver for a USB hub. Expanding the functionality of nusb to more USB devices would be a great next step.
-
IE4.01 SP2 can be downloaded here http://browsers.evolt.org/download.php?/ie/win32/4.01-sp2/ie401sp2.exe The explorer.exe in it has the same header time stamp as mdgx-explorer.exe, 2/8/1999. I made a little test with this special build of explorer.exe for IE4, and as I had suspected, it has a perceptibly less severe sluggish-file-delete problem than the other versions of explorer.exe for Win98SE. This is a very interesting finding.
-
I've tried the MiTeC EXE Explorer http://www.mitec.cz/Downloads/EXE.zip you mentioned there, it is an excellent tool for finding header time stamps. I have tried to find where the explorer.exe build 1710 of mdgx comes from, it has a header time stamp of 2/8/99, in contrast to explorer.exe in IE55SP2 and nusb, which have a header time stamp of 1/30/99. I found some info here http://www.msfn.org/board/beta-t61749-pid-686070.html/page__view__findpost__p__686070: "I modded this one, Gape. explorer.exe build 1710 is no different from 1700 except for very minor tweaks that I'll keep quiet about." But when I looked into the installation source of IE6 SP1, I couldn't find an explorer.exe in it. The MyComputer icon in mdgx-explorer.exe looks like from Win2k. Any idea where erpdude8 got this version of build 1700 from, with the later header time stamp 2/8/99? BTW, finding a full installation source of IE6 SP1 isn't that easy, I found one on my Tenga-infected 1TB USB HDD, as a backup iso image of the original Norton SystemWorks 2005 CD. I have on my main laptop IE6 6.00.2600.0000 of 20-Aug-2001, and have test-installed IE6 SP1. msfn.org seems to load under SP1 substantially slower than under the initial release of IE6. "The 2 byte difference is the system tray bit-depth fix. That's also why the safely remove hardware tray icon is darker for you since you reverted." Thanks Queue. BTW, I was only checking on explorer.exe because StartUp Organizer had identified a vulnerability on my system: I had in the startup info just "explorer.exe", without a path to its location in \Windows\. One of the many precautionary measures I have taken against Tenga was to have StartUp Organizer check every 10 seconds for modifications to my startup entries. This nagged me a little during the test-installation of IE6 SP1, but that's Ok.
-
No, I wasn't lucky and I probably didn't identify the cause. Ten minutes after I posted the previous posting (5 days ago), Tenga was back. This was my 3rd infection with Tenga. Since then I have restored the HDD from a .gho forensic backup, and taken all safety precautions I could think of. Tenga hasn't come back since. I cannot exclude the possibility that the 3rd infection was caused by a handling error while I had the 2 HDDs with still-Tenga-infected stuff connected to my laptop. It's still an unresolved puzzle how binder.exe and findfast.exe were infected in July 2009, and why Tenga was sleeping for half a year. The clean findfast.exe cannot have contributed to this infection #3 because I had it renamed on the restored .gho image, just in case. But I think that the most likely cause of the 3rd infection was unidentified malware on the supposedly clean .gho backup. I have the feeling that there is an invisible tank somewhere doing target practice at my laptop, with Tenga being the shell. I have installed a 2nd virus checker, Avast, on another operating system, but no major findings, probably all false positives. When I searched the Internet for experiences with Tenga, I didn't find any useful recipe for recovering from a Tenga infection, except for formatting the HDD and re-installing everything from original installation CDs. I assume the anti-virus people don't know yet how the infection really starts, because people having a Tenga infection reformat their HDDs, thereby wiping its origin. I am not posting all the measures I have taken, it would take just too long, I have probably been just barking up the wrong tree in most cases. I am only posting measures where I have open questions. Question 1: Does nusb install a more vulnerable version of explorer.exe? The software and setup of my dedicated eMule computer is very similar to that of my main laptop; both laptops are identical models, Inspiron 7500.
The dedicated eMule computer, however, contains an earlier version of the stuff on my main laptop and uses manufacturer-provided USB drivers, while my main laptop contains nusb v3.3. I had installed nusb3e on my main laptop on 20-Jun-2010. The unnoticed infection of binder.exe and findfast.exe on my main laptop occurred on 21-Jul-2010. Again, binder.exe and findfast.exe on my non-nusb laptop were not infected. BTW the dedicated eMule laptop is used only very rarely for browsing the Internet, it is used nearly exclusively for eMule, as a print server and for transferring downloaded files in a peer-to-peer network. The reason for using a dedicated computer for eMule is to obtain a long uptime (e.g. 7+ days under full load), without system hangs caused by other applications. Given that the dedicated eMule computer was not Tenga-infected, I would exclude the possibility that the Tenga-infection is related to a vulnerability of the eMule software. When I checked the files installed by nusb3e, I noticed 2 puzzling things: a) 2 bytes of explorer.exe installed by nusb3e differ from explorer.exe in the digitally signed ie4shl95.cab in MS Internet Explorer v5.5 SP1 and SP2. Why? b) Why does nusb3e replace Explorer.exe v4.72.3110.1 of 4/23/99, which came with Win98SE, with an older and smaller Explorer.exe v4.72.3612.1700 of 1/29/99? There is an apparent inconsistency between the build numbers and the modification dates of explorer.exe. I suspect (please correct me if I am wrong) that the more current version in this case is indicated by the later modification date, NOT by the higher build number. Explorer.exe of Win98FE [version of 24-Nov-1998], for example, has the same size and build number as that of Win98SE, but is different, only the modification date of 5/11/98 indicates that it is an earlier version. Did MS release different versions of IE5.5 for different operating systems, with Explorer.exe v4.72.3612.1900 possibly intended for Win95 systems, not for Win98 systems?
One version of IE5.5 in my archive, apparently for WinME, does not include ie4shl95.cab. See also http://www.msfn.org/board/maximus-decim-native-drivers-t43605-pid-787828.html/page__view__findpost__p__787828 Could it be that MS has removed vulnerabilities from the Explorer.exe of Win98SE, which still exist in the Explorer.exe released with IE4 and which is used by nusb, assuming the 2-byte-difference is not important? Could this explain why the nusb-system was infected, but not the non-nusb system? BTW, the name "ie4shl95.cab" of the archive containing explorer.exe used by nusb, implies that this version of explorer.exe was originally made for Win95. I have currently replaced on my main laptop the 3 instances of nusb-explorer.exe with Win98SE-explorer.exe in the locations \Windows\Explorer.exe, \Windows\Options\Cabs\explorer.exe and \Windows\Explorer.sav. But I am not sure whether this precautionary measure is useful, or whether I am barking up the wrong tree. My main laptop has been running nusb with the Win98SE-explorer.exe for the past 24 hours, the Safely-remove icon in the system tray is of a slightly darker green, and Windows Explorer seems to be slightly slower. I have not encountered any problems yet with Win98SE-explorer.exe under nusb3 when connecting and re-connecting USB devices. ADDENDUM: I have just tried out mdgx's modification of Explorer.exe http://www.mdgx.com/files/EXPLORER.EXE (displays "Windows 98 Second Edition" when pressing the Start button, also the My Computer icon looks different, more info at http://www.mdgx.com/files/explor9x.php, installer at http://www.mdgx.com/files/EXPLOR98.EXE ). On the first look it seems to work fine with nusb, also with WinBoost v4.60. BTW, after I had replaced the nusb-explorer.exe with the Win98SE-explorer.exe, WinBoost wouldn't come up anymore, it gave an error msg when loading, strange, but no major problem, I haven't used it for a long time and might uninstall it.
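A way to check the two things compared in this post, the PE header time stamp of an explorer.exe build and the exact bytes in which two builds differ, as an added example in Python (not code from the original posts; the sample images it builds are constructed stand-ins, not real explorer.exe files):

```python
"""Read the PE header time stamp of two explorer.exe-style binaries and list
the byte offsets where they differ. Constructed example; the sample images
are minimal stand-ins, not real Windows binaries."""
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime.

    Layout (PE/COFF specification): the DOS header starts with 'MZ' and stores
    the offset of the PE signature at 0x3C (e_lfanew); the COFF header follows
    the 4-byte 'PE\\0\\0' signature, with TimeDateStamp 4 bytes into it
    (after the 2-byte Machine and 2-byte NumberOfSections fields).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Truncated or corrupt files (the thread mentions Tenga-truncated .exes)
    # must not cause an out-of-range read.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def byte_diff(a: bytes, b: bytes, limit: int = 64) -> list:
    """Return (offset, byte_in_a, byte_in_b) for every differing offset.

    A length mismatch shows up as a difference at the first offset past the
    shorter file, with None on the shorter side. At most `limit` entries are
    returned so a wildly different pair does not flood the output.
    """
    diffs = []
    for off in range(max(len(a), len(b))):
        x = a[off] if off < len(a) else None
        y = b[off] if off < len(b) else None
        if x != y:
            diffs.append((off, x, y))
            if len(diffs) >= limit:
                break
    return diffs


def build_sample_pe(stamp: int, patch=None) -> bytes:
    """Construct a minimal, non-executable PE-like image for demonstration.

    `patch` maps offsets within the section body to byte values, so two
    samples can be made that differ in a handful of bytes, like the two
    explorer.exe builds discussed above. Constructed stand-in, not a real file.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=0x014C (i386), 1 section, TimeDateStamp, remaining fields zeroed.
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0, 0)
    body = bytearray(256)  # stand-in for section data
    for off, val in (patch or {}).items():
        body[off] = val
    return bytes(dos) + coff + bytes(body)


def compare_builds(a: bytes, b: bytes) -> dict:
    """Summarise two binaries: header stamps, size match and differing bytes."""
    return {
        "stamp_a": pe_timestamp(a).date().isoformat(),
        "stamp_b": pe_timestamp(b).date().isoformat(),
        "same_size": len(a) == len(b),
        "diffs": byte_diff(a, b),
    }


if __name__ == "__main__":
    # Constructed stamps matching the dates quoted in the thread.
    jan30 = int(datetime(1999, 1, 30, tzinfo=timezone.utc).timestamp())
    feb08 = int(datetime(1999, 2, 8, tzinfo=timezone.utc).timestamp())
    nusb_like = build_sample_pe(jan30)
    mdgx_like = build_sample_pe(feb08, patch={0x10: 0x08, 0x11: 0x20})
    print(compare_builds(nusb_like, mdgx_like))
```

On real files, read them with `open(path, "rb").read()` and pass the two byte strings to `compare_builds`; the stamp is a build-time marker, not a file modification date, so it survives copying.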
-
I'd like to keep the swap files, but with zeroed out content. BTW, when you have multiple operating systems on your computer, you can delete index.dat etc of the other non-active operating systems (if the current opsys can access the files of those other operating systems).
-
Is there a utility which zeroes out Win98 and WinXP swapfiles, similar to sdelete, leaving zeroed out but functioning swapfiles? This could reduce the size of compressed disk/partition images containing swapfiles, besides deleting bad stuff, such as spyware or infected files. No idea whether a computer could get infected via the content of a swapfile.
-
\WINDOWS\UserData\ contains an index.dat file, so you are trying to interfere with stuff put there by Microsoft for some purpose. Could it have something to do with US agencies? "Remember earlier we talked briefly about a computer forensics expert being able to retrieve data regarding everywhere a computer has been on the Internet? The key to this is the index.dat files. These files are mini-databases cataloging the contents of directories relating to your Internet behavior. Your search queries, cookies, web history and other peculiar items are recorded in these files. You can easily delete the contents of Internet Explorer directories (history, cookies, temporary files), but you cannot easily delete the index.dat files that record their contents. Interestingly enough, it seems that Microsoft does not want you to play with these index files, so if you attempt to access or display them, access will be denied" http://www.5starsupport.com/tutorial/windows-data-security.htm Maybe this helps: http://support.it-mate.co.uk/?mode=Products&p=index.datsuite
-
Hi herbalist, I guess I was lucky. I am making this posting now from the formerly Tenga-infected laptop, after having restored my system from a backup of 25-Jan-2010. I most likely have identified the cause of the system-wide infection with Tenga, without using a default-deny tool. When I re-checked the system restored from the backup of 25-Jan-2010, Kaspersky detected 2 infected files on it:
- H:\MSOffice\Office\Binder.exe, infected with Tenga.a, modification date 21-Jul-2009 8:43AM
- H:\MSOffice\Office\Findfast.exe, infected with "new threat type_Win32 (modification)", Kaspersky didn't have a name for it, modification date also 21-Jul-2009 8:43AM
No other .exe file besides Binder.exe was infected with Tenga.a in the backup of 25-Jan-2010. So the original infection with Tenga started on 21-Jul-2009, not on 28-Feb-2010, with the infection of 2 files of MS Office 2000, installed under Win98. Tenga apparently was just sleeping for a while because I had previously de-activated Findfast.exe from startup, I don't like unneeded startup processes. Restoring from an already infected backup is not a smart thing to do. The blazing speed with which Tenga can infect .exe files is probably explained by its use of Microsoft's Findfast.exe. I have restored clean versions of Binder.exe and Findfast.exe from an uninfected backup of 5-Jun-2009. To reduce the risk of re-infection with Tenga (I have on my 1TB USB HDD still 10.000+ Tenga-infected .exe files to be dealt with), I have disabled the clean Binder.exe and Findfast.exe by renaming them. MS Office/Word 2000 seem to run fine without Binder.exe and Findfast.exe. What does puzzle me is that after the 2nd infection with Tenga the file binder.exe, already Tenga-infected on 21-Jul-2009, had a changed modification date of 27-Mar-2010; Tenga supposedly doesn't modify already Tenga-infected files, that's what the "V" marker (=virus) in byte 51 is for.
Maybe the virus writer allowed this exception, to make the search for the source of the infection more difficult. After the 2nd infection with Tenga, binder.exe has a later modification date (27-Mar-2010 11:18) than the first newly-infected .exe file BC2.exe (27-Mar-2010 11:13). It looks like the infection with tenga.a on my system has been solved. I will eventually post here what I have done to improve the security of my system.
-
Before doing anything else I have backed up most of the infected HDD into .rar files, in contrast to my 1st Tenga infection. I have also backed up the infected E: partition, which contained the infected Win98, as a .gho image. Maybe these snapshots of the infected HDD help me later identify how the 2nd infection started. In my posting #24 I quoted Panda "Tenga.A shows a very complex infection routine" http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=82383&sind=0&sitepanda=particulares Usually things look quite simple once you fully understand them. This 2nd infection with Tenga.a is different from the 1st infection: .exe files in \Windows\ and \Program Files\ of the infected Win98 WERE infected, in contrast to the 1st infection. Also, the FAT32-based WinXP and the NTFS-based WinXP were not infected, maybe because I was fast enough to detect an ongoing re-infection. All .exe files in the test-Win98, which I had not used for a while, were infected, as during my 1st infection. There is a slight possibility that I may have triggered the 2nd Tenga-infection inadvertently myself, when I was dragging Tenga-infected .exes to separate folders, maybe I double-clicked on one instead of selecting it. On the internal HDD there was no file "C:\DL.exe" after the 2nd infection with Tenga, in contrast to the 1st infection.
-
Hi herbalist, This Tenga infection has hit me just at the wrong time: I am travelling in Europe, away from my desktop in the US, until about June. I don't have all my resources, they are back in the US. What I miss most is my fast dual-core desktop. Using a 10-year-old 700-Mhz laptop for virus-scanning, burning DVDs, raring up stuff, creating and restoring backups is really slow. On the positive side, my computer stuff back in the US is most likely not Tenga-infected (yet).
-
This may be Panda's name for the trojan downloader I mentioned in posting #49. I had noticed about 2 days ago that the registry files were about 400kB larger than on the restored backup of 25-Jan. Thanks. BTW, I am right now raring up all relevant stuff on the HDD, to help me trace later the cause of the infection. WinRAR just gave me an err msg "Cannot open F:\W98DIAG\MSNMGSR1.EXE and SIGVERIF.EXE. The file or directory is corrupted and unreadable". When I had noticed the 2nd infection (again unusual flashing disk activity light), I had pulled the plug. Maybe Tenga was at that moment in the process of infecting these 2 files when I pulled the plug. F:\W98DIAG\ is the name of the \Windows\ directory of my test-Win98. I haven't repaired the lost clusters yet. That's one more possibility... Another possibility is that I got re-infected by comparing with Beyond Compare and its Hex Viewer infected vs. clean files. Time-wise, the 1st .exe file to get infected/modified on the system was BC2.exe (Beyond Compare) at 11:13:38. H:\Beyond Compare\ is, alphabetically, not the 1st folder on my H: partition. Beyond Compare triggering the infection????
-
Thanks for helping. In my earlier posting, now corrected, I had gotten the time mixed up, it was not AM that the infection occurred (when I was running the overnight AV scan-job), but around 1:42PM, I got confused with the time displayed on my NTFS-based WinXP, which is an idiosyncratic Middle Eastern version. It will be a challenge to fix this infection, without knowing what caused it. Yes. For now I'll use my clean backup of 25-Jan. But in contrast to my first infection with Tenga, I am now backing up everything conceivable accessed under Win98 as .rar before having Kaspersky run as virus checker, so that will keep me busy for a little while. Kaspersky changes the modification dates of files it detects as infected with Tenga. If I later need to, I will have all files, including registry backups, as they were very shortly after the 2nd infection.
-
Thanks dencorso, but it's not that important, I am much more concerned with the 2nd infection by Tenga.
-
My laptop is infected AGAIN with Tenga, but on the first look the infection hasn't spread to other operating systems yet, only my main-Win98 (and new downloads and recovered stuff) seems to be affected. Many .exe files on the laptop got infected at 1:42 PM (about 45 minutes ago), while others got infected while I was making my earlier postings at msfn.org, around 11:50 AM. Persfw.conf (the file with the rules) of the Tiny Personal Firewall was modified at 1:41 PM, PFWADMIN.EXE got infected at 01:43, but the actual firewall engine PERSFW.EXE did not get infected. Any suggestions as to what stuff I should save as a .rar, before restoring a clean Win98, so that I may find the cause/culprit of this 2nd infection? I am posting from my 2nd uninfected laptop. I guess there goes my weekend.
-
ADDENDUM - CORRECTION: The content of this posting is not correct, it seemed to be correct during my 1st infection with Tenga, but during my 2nd infection with Tenga, Tenga infected \Windows\ and \Program Files\ of the currently active Win98. See my posting #62. Multibooter 28-March-2010 Tenga.a does NOT infect .exe files in \Windows\ and in \Program Files\ of the currently active Win98/XP. This characteristic of Tenga.a does not seem to be mentioned in the Internet, and has permitted me to retrace chronologically the infection by Tenga: 1) \Windows\ and \Program Files\ of my main Win98 on the infected internal HDD were NOT infected by Tenga. Since I install nearly all of my software to specially-named folders outside of \Program Files\, e.g. to H:\eMule\, the existence of Tenga under Win98 was noticed immediately, because my apps were infected and wouldn't work anymore, or would not behave as usual. 2) All .exes in the \Windows\ directory of my test-Win98 (exact directory name: F:\W98DIAG\) were infected with Tenga on the infected internal HDD, i.e. the infection must have started under another operating system, NOT under the test-Win98. Tenga, not recognizing that F:\W98DIAG\ was the \Windows\ directory of my test-Win98, infected all .exes in F:\W98DIAG\. I can therefore exclude the possibility that I got the Tenga infection during my experimenting with possibly-infected stuff under my test-Win98. I never experiment with unknown stuff on my main Win98. 3) After the infection with Tenga I had trouble booting into FAT32-based WinXP and shortly afterwards FAT32-based WinXP wouldn't work anymore. Unfortunately I had then restored a clean FAT32-WinXP partition from backup onto the infected internal HDD, so that I don't have a direct proof anymore that the WinXP \Windows\ folder was infected (only possible if WinXP was infected while I was running another operating system, i.e. my main Win98). 
But here is an indirect proof, answering a very good point raised by Queue in posting #21: Tenga under my main Win98 had infected the .exes in the \Windows\ folder of the FAT32-WinXP partition. When WinXP came up, using infected .exes, it didn't work properly anymore and Tenga, which uses some WinXP APIs, didn't work properly anymore either and couldn't infect files on the NTFS partition of the NTFS-based WinXP. The original infection with Tenga was probably caused on my main Win98 by an undetected trojan downloader, which then downloaded Tenga from somewhere, similar to Trojan-Downloader.Win32.Small.bdc: "When launched, the Trojan checks whether the victim machine is connected to the Internet. If a connection is detected, the Trojan will download the following files from u***ti.lycos.it/vx9: cback.exe – will be detected by Kaspersky Anti-Virus as Backdoor.Win32.Small.gl gaelicum.exe - will be detected by Kaspersky Anti-Virus as Virus.Win32.Tenga.a These files will be saved to the same file that the original Trojan file was saved to. They will be registered in the system registry, and launched for execution." http://www.viruslist.com/en/viruses/encyclopedia?virusid=87572 Whether in my case the trojan also downloaded a backdoor is unknown. If so, the backdoor most likely was ineffective or didn't work under Win98 since my Tiny Personal Firewall didn't report anything and with the subsequent system restore it must have gotten wiped out. In case I get this undetected trojan downloader again, I will probably get Tenga again. I am still pondering how to improve my defenses, with as little effort as possible. The downloader+virus combo seems to be very hard to stop in my current multi-booting setup, unless I spend a lot of time. I probably will focus on improving my backups, especially of the external USB HDD, and just HOPE not to get infected again by something like Tenga.
BTW, I have been using Firefox quite a lot over the past few months, and Firefox has been reported to have a lot of security problems recently. Maybe I should use Opera most of the time.
-
Estimated averages per week: Adding 2 new applications, replacing 1 existing application with a more current version, deleting 1 application which I don't expect to use anymore, testing 3 new applications, most of them installed, not standalone. The installations/uninstalls may occur in different operating systems and in multiple instances of an operating system. About once a month I restore the last clean opsys backup (of about a month ago) and repeat very carefully all the recent installations/uninstalls of what I want to make permanent and then create another clean backup. Usually I restore the last clean backup 5-10 times a month, after having created a new clean backup and before creating the next clean backup, wiping out with the restores malware which Kaspersky may not have detected. Undetected malware could stay 3-5 days on my system, but then it gets wiped out with the next restore. Tenga, unfortunately, just needed a few minutes to infect all operating systems installed on my laptop, except for the NTFS-based WinXP. If I had given internet access to WinXP during my trip, just as WinXP has internet access when I am in the US, the infection with Tenga could have started just as well under WinXP and then spread to Win98. So a tool to allow only permitted processes would have to be active also under WinXP and on all my installed operating systems, which is just too time-consuming. A default-deny tool looks useful to protect a computer which has only a single operating system (or to protect a Win98 installed on a hidden partition, invisible to other operating systems), but less so on a computer with various operating systems, because of possible infections across operating systems, as with Tenga. If I remember right, on the WinXP FAT32 partition even the file avp.exe (= the virus scanning engine of Kaspersky) was infected by Tenga under Win98, but WinXP was killed already at that time. Yes. But my dedicated eMule laptop was not infected.
My main laptop, on which I process downloads (virus checks), browse the internet, etc was infected with Tenga. This not-infected dedicated eMule laptop was connected in a peer-to-peer network under Win98 to the infected laptop, and completed downloads were transferred via WLAN from the eMule laptop to the main laptop. The eMule laptop was running normally, it even posted a record uptime then of 7 days 11 hours. I don't know how credible rumors are that some chips have built-in backdoors for the US agencies. But my 10-year-old laptops, built before 11-Sept-2001, are unlikely to contain such chips.
-
@dencorso: By mistake I just wiped out my posting #22 here, is it possible to restore it? (wiped out, not because I was running without JavaScript/Java, it was just a mistake ). It looks like the posting is NOT cached by Google or Bing either!!!! The following quote was a quote from my posting #22. From my previous posting #22 here: I have made this current posting with Firefox v2.0.0.20 under Win98, with JavaScript and Java off. So the simplest way may be to turn off JavaScript and Java, which is also a safer way to use the internet. Again, msfn.org does seem to work currently with JavaScript and Java OFF. Since some sites do require Java and JavaScript (e.g. for the posting of comments at www.nzz.ch), maybe a practical workaround would be to have the main browser set with JavaScript/Java OFF (e.g. Opera), and another browser (e.g. Firefox, or the other way around) set with JavaScript/Java ON, for sites which require JavaScript/Java, plus marking the desktop shortcut, e.g. "Java ON" or "Java OFF".
-
I am a little paranoid when it comes to the security of my personal computer, but most likely I will not use real-time scanners on my own computer, there are arguments pro and con regarding real-time scanning. On the computer of my young son, however, who uses only WinXP, I may set continuous virus checking when I am back in the US in June, depending on the size of the zoo on his computer. Before I went on my trip, I made a backup of a clean instance of his WinXP and showed him how to use the WinXP restore feature, WinXP restore is really an excellent virus recovery tool. In any case, I made a forensic .gho image of his HDD before I went on my trip, so restarting shouldn't be difficult, most likely he has installed a lot of stuff in the meantime, which he wasn't supposed to. The damage by Tenga to my computer was not that serious because I make a LOT of backups. The Tenga infection is interesting to me because it was the first time in a long while that I got hit, and it took me less time to recover from Tenga than to write about it in this forum. The Tenga infection, however, has caught me at the wrong time, while I am away from home for a while. I didn't take a backup of the 1TB USB HDD on my trip, although I had the same stuff backed up to another partition on this 1TB USB HDD. BTW, using partitions on the USB HDD seems to have limited the damage done by Tenga: apparently only 1 partition plus a small part of a 2nd partition (out of 4 partitions) on the USB HDD was infected by Tenga, but I am still checking, 1TB is a lot of stuff to be virus-checked with an old 700Mhz laptop.
-
In theory I would agree with you. But here is a posting of a person who had the following experience with Tenga: "Even if an antivirus program is active, one can only watch how one file after the other gets infected (and then disinfected)." Posting #7 http://www.trojaner-board.de/40187-virus-win32-tenga-sehr-hartnaeckig.html The people at that site did not use your objection, http://www.trojaner-board.de/ is a 10-year-old anti-malware site. Possibly the cause of the infection is not properly identified by AV-software, only the output of the infection, the infected .exe files. "Also Sophos and Kaspersky have not found more than the infected .exe files", posting #1. I was just reporting in posting #34 the experience of another person with Tenga, because it sounded interesting. In my posting #16 here I listed the content of DL.exe, which is part of Tenga and was NOT deleted, flagged or disinfected by Kaspersky, i.e. at least one component of Tenga was left by Kaspersky. To have a definite answer, one would have to infect the system with Tenga, then activate the AV-software, and then see whether the experience described on the German site is repeated, i.e. whether the active AV-software is just running behind the infecting Tenga.
-
The CD in the box of the Vantec eSATA PCCard UGT-ST350CB contained a newer Vista/XP driver, but no Win98 driver, even if Win98 was printed on the box. The older driver, which I used also under WinXP, was on their web site at http://www.vantecusa.com/front/product/view_detail/8 the exact download location of the drivers with Win98 is http://www.vantecusa.com/system/application/media/data_file/ugt-st350.zip Very good card, my 10-year-old laptop, with onboard USB 1.1, now can connect via eSATA. My only gripes are that the e-SATA PCCard is too big, I can't fit both the USB 2.0 and the eSATA card into my 2 PCCard slots at the same time, maybe I have to get a smaller USB 2.0 card. The Vantec eSATA PCCard can also be used to determine whether some problems are caused by USB or by the USB driver. I did have some issues with the Vantec eSATA card when I was experimenting with a 500GB UDF-formatted HDD connected via eSATA, but this is not important, and may have been due to the UDF-formatting software. Again, a fine card.
-
Yes, the severe truncation of installation source files is not the rule. I checked the recovered/repaired/re-downloaded stuff, which I burnt to a DVD, against the stuff on the Tenga-infected USB HDD: about 15% of the Tenga-infected .exe files are severely truncated, the infected installation source on the infected USB HDD is about 30% smaller (in MBs) than the source on the clean (recovered/repaired/re-downloaded) DVD. The largest file cut down by Tenga on my infected 1TB USB HDD was ie60.exe (MS Internet Explorer v6.00.2600): on the clean DVD it has its original 80MB, but on the infected USB HDD it was cut down to 100kB. Two other large files (143MB and 316MB) were not infected by Tenga. Maybe 5-year-old Tenga cannot infect large .exes (> 128MB???), or the RAM on my old laptop (512MB) was not large enough. Tenga-infected files disinfected by Kaspersky are still tainted, differ from their original, and still contain remnants of the attack by Tenga, although their dangerousness has been removed.
-
Infection by just visiting a website? On the German webpage http://www.trojaner-board.de/40187-virus-win32-tenga-sehr-hartnaeckig-2.html somebody registered as Dracon123 on 30-Jan-2010, posted a link to a web page probably containing the Tenga virus (posting #12) and then disappeared into thin air. 90 minutes later the following warning was published in posting #13 there: "Under no circumstances click the link above, the id*** really did put a link to an infected file in here. You risk having to format and reinstall." and 1 hour later the site administrator removed the link (posting #14). There may be a good possibility that one can get somehow infected with Tenga by just visiting a web page, even under Win98. The postings on the German page also state that a continuously running virus scanner doesn't help much because Tenga infects faster than Kaspersky can disinfect, also: "in the 20 years that PCs have been annoying me, this Tenga.a is truly the most brutal troublemaker that has ever crossed my path." Maybe the best defense is a forensic backup. With my clean backup I had no re-infection (yet), on the German website they report re-infections and that they can't get rid of the virus, after a while it comes back. Maybe I should turn Java and JavaScript off for a while.
-
I had bought in Feb. 2009 an eSATA-PATA-USB combo card VIA VT6421A for my dual-core desktop with an Asus P5PE-VM motherboard, mainly to be able to connect my eSATA/USB Thermaltake HDD enclosures via eSATA. The Asus P5PE-VM has onboard SATA; its onboard USB requires a special version of the Orangeware driver. I fiddled around with the eSATA combo card, but was never able to get it going properly, after inserting the card the onboard USB became really slow. Maybe it was a conflict with my specific motherboard, maybe the USB of the combo card didn't get along with the special driver for the onboard USB, I don't know. The card is now sitting in a box and I had no time to try another card. Whenever I'll get another eSATA card, it probably won't be a combo card with USB. I was looking briefly for a Win98-compatible eSATA/Firewire card but couldn't find one. Again, my experience was specific to my motherboard, maybe there is no such problem with your motherboard. About 6 months ago I bought for my 10-year-old 700Mhz laptop a "Silicon Image Sil 3512 SATALink Controller" PCCard (Vantec UGT-ST350CB). This eSATA PCCard works great with my laptop. Now my slow laptop has a fast eSATA connection, while my fast Desktop doesn't.
-
Here is a report (in French) of somebody who got infected with Tenga under WinXP SP3 http://forum.malekal.com/infection-par-win32-stanit-t13162.html In posting #30 I had a link to a person with a Tenga infection under Vista 64-bit. I am not sure whether MS band-aids are of much use. The report of the infection under WinXP SP3 made me a little concerned, the computer there was re-infected a month later. I still have the infected 1TB USB HDD connected to my laptop, with five or ten thousand little Tengas just waiting to jump at my laptop...