Multibooter

@dencorso: By mistake I just wiped out my posting #22 here, is it possible to restore it? (wiped out, not because I was running without JavaScript/Java, it was just a mistake ). It looks like the posting is NOT cached by Google or Bing either!!!! The following quote was a quote from my posting #22 From my previous posting #22 here. I have made this current posting with Firefox v2.0.0.20 under Win98, with JavaScript and Java off. So the simplest way may be to turn off JavaScript and Java, which is also a safer way to use the internet. Again, msfn.org does seem to work currently with JavaScript and Java OFF.Since some sites do require Java and JavaScript (e.g. for the posting of comments at www.nzz.ch), maybe a practical workaround would be to have the main browser set with JavaScript/Java OFF (e.g. Opera), and another browser (e.g. Firefox, or the other way around) set with JavaScript/Java ON, for sites which require JavaScript/Java, plus marking the desktop shortcut, e.g. "Java ON" or "Java OFF"

I am a little paranoid when it comes to the security of my personal computer, but most likely I will not use real-time scanners on my own computer, there are arguments pro and con regarding real-time scanning.On the computer of my young son, however, who uses only WinXP, I may set continuous virus checking when I am back in the US in June, depending on the size of the zoo on his computer. Before I went on my trip, I made a backup of a clean instance of his WinXP and showed him how to use the WinXP restore feature, WinXP restore is really an excellent virus recovery tool. In any case, I made a forensic .gho image of his HDD before I went on my trip, so restarting shouldn't be difficult, most likely he has installed a lot of stuff in the meantime, which he wasn't supposed to. The damage by Tenga to my computer was not that serious because I make a LOT of backups. The Tenga infection is interesting to me because it was the first time in a long while that I got hit, and it took me less time to recover from Tenga than to write about it in this forum. The Tenga infection, however, has caught me at the wrong time, while I am away from home for a while. I didn't take a backup of the 1TB USB HDD on my trip, although I had same stuff backed up to another partition on this 1TB USB HDD. BTW, using partitions on the USB HDD seems to have limited the damage done by Tenga: apparently only 1 partition plus a small part of a 2nd partition (out of 4 partitions) on the USB HDD was infected by Tenga, but I am still checking, 1TB is a lot of stuff to be virus-checked with an old 700Mhz laptop.

In theory I would agree with you. But here is a posting of a person who had the following experience with Tenga: "Selbst wenn ein Antivirusprogramm aktiv ist kann man nur zusehen wie eine Datei nach der anderen infiziert (und desinfiziert wird) wird." [Translated: "Even if an antivirus program is active, one can only watch and see how one file after the other gets infected and then disinfected"] Posting #7 http://www.trojaner-board.de/40187-virus-win32-tenga-sehr-hartnaeckig.html'>http://www.trojaner-board.de/40187-virus-win32-tenga-sehr-hartnaeckig.html The people at that site did not use your objection, http://www.trojaner-board.de/ is a 10-year-old anti-malware site.Possibly the cause of the infection is not properly identified by AV-software, only the output of the infection, the infected .exe files. "Auch Sophos und Kapersky haben nicht mehr als die infizierten *.exe Dateien gefunden", posting #1 [translated: "Also Sophos and Kaspersky have not found more than the infected .exe files"]. I was just reporting in posting #34 the experience of another person with Tenga, because it sounded interesting. In my posting #16 here I listed the content of DL.exe, which is part of Tenga and was NOT deleted, flagged or disinfected by Kaspersky, i.e. at least one component of Tenga was left by Kaspersky. To have a definite answer, one would have to infect the system with Tenga, then activate the AV-software, and then see whether the experience described on the German site is repeated, i.e. whether the active AV-software is just running behind the infecting Tenga.

The CD in the box of the Vantec eSATA PCCard UGT-ST350CB contained a newer Vista/XP driver, but no Win98 driver, even if Win98 was printed on the box. The older driver, which I used also under WinXP, was on their web site at http://www.vantecusa.com/front/product/view_detail/8 the exact download location of the drivers with Win98 is http://www.vantecusa.com/system/application/media/data_file/ugt-st350.zipVery good card, my 10-year-old laptop, with onboard USB 1.1, now can connect via eSATA. My only gripes are that the e-SATA PCCard is too big, I can't fit both the USB 2.0 and the eSATA card into my 2 PCCard slots at the same time, maybe I have to get a smaller USB 2.0 card. The Vantec eSATA PCCard can also be used to determine whether some problems are caused by USB or by the USB driver. I did have some issues with the Vantec eSATA card when I was experimenting with a 500GB UDF-formatted HDD connected via eSATA, but this is not important, and may have been due to the UDF-formatting software. Again, a fine card.

Yes, the severe truncation of installation source files is not the rule. I checked the recovered/repaired/re-downloaded stuff, which I burnt to a DVD, against the stuff on the Tenga-infected USB HDD: about 15% of the Tenga-infected .exe files are severely truncated, the infected installation source on the infected USB HDD is about 30% smaller (in MBs) than the source on the clean (recovered/repaired/re-downloaded) DVD.The largest file cut down by Tenga on my infected 1TB USB HDD was ie60.exe (MS Internet Explorer v6.00.2600): on the clean DVD it has its original 80MB, but on the infected USB HDD it was cut down to 100kB. Two other large files (143MB and 316MB) were not infected by Tenga. Maybe 5-year-old Tenga cannot infect large .exes (> 128MB???), or the RAM on my old laptop (512MB) was not large enough. Tenga-infected files disinfected by Kaspersky are still tainted, differ from their original, and still contain remnants of the attack by Tenga, although their dangerousness has been removed.

Infection by just visiting a website? On the German webpage http://www.trojaner-board.de/40187-virus-win32-tenga-sehr-hartnaeckig-2.html somebody registered as Dracon123 on 30-Jan-2010, posted a link to a web page probably containing the Tenga virus (posting #12) and then disappeared into thin air. 90 minutes later the following warning was published in posting #13 there "Auf gar keinen Fall den Link oben anklicken, der id*** hat hier wirklich einen Link auf eine infizierte Datei reingesetzt. Es droht formatieren und neuinstallieren." and 1 hour later the site administrator removed the link (posting #14). There may be a good possibility that one can get somehow infected with Tenga by just visiting a web page, even under Win98. The postings on the German page also state that a continuously running virus scanner doesn't help much because Tenga infects faster than Kaspersky can disinfect, also: "in den 20 Jahren in denen mich PC´s nerven, ist dieser Tenga.a der wirklich brutalste Störenfried der mir über den Weg lief." Maybe the best defense is a forensic backup. With my clean backup I had no re-infection (yet), on the German website they report re-infections and that they can't get rid of the virus, after a while it comes back. Maybe I should turn Java and JavaScript off for a while.

I had bought in Feb.2009 an eSATA-PATA-USB combo card VIA VT6421A for my dual-core desktop with an Asus P5PE-VM motherboard, mainly to be able to connect my eSATA/USB Thermaltake HDD enclosures via eSATA. The Asus P5PE-VM has onboard SATA; its onboard USB requires a special version of the Orangeware driver. I fiddled around with the eSATA combo card, but was never able to get it going properly, after inserting the card the onboard USB became really slow. Maybe it was a conflict with my specific motherboard, maybe the USB of the combo card didn't get along with the special driver for the onboard USB, I don't know. The card is now sitting in a box and I had no time to try another card. Whenever I'll get another eSATA card, it probably won't be a combo card with USB. I was looking briefly for a Win98-compatible eSATA/Firewire card but couldn't find one. Again, my experience was specific to my motherboard, maybe there is no such problem with your motherboard.About 6 months ago I bought for my 10-year-old 700Mhz laptop a "Silicon Image Sil 3512 SATALink Controller" PCCard (Vantec UGT-ST350CB). This eSATA PCCard works great with my laptop. Now my slow laptop has a fast eSATA connection, while my fast Desktop doesn't

Here is a report (in French) of somebody who got infected with Tenga under WinXP SP3 http://forum.malekal.com/infection-par-win32-stanit-t13162.html In posting #30 I had a link to a person with a Tenga infection under Vista 64-bit. I am not sure whether MS band-aids are of much use.The report of the infection under WinXP SP3 made me a little concerned, the computer there was re-infected a month later. I still have the infected 1TB USB HDD connected to my laptop, with five or ten thousand little Tengas just waiting to jump at my laptop...

In my infected files the 51st, not the 50th, byte is modified to 56hex. 10 other bytes near the beginning are also modified, e.g. bytes 265-267, but with varying values. Since the URL in DL.exe which I have ("hxxp://utenti.multimania.it/vx9/dl.exe") also differs from the URL stated on all anti-virus sites, I assume that I've got an updated version of Tenga.Tenga-infected .exe files are severely compromised. A good file, for example, install_flash_player_9.exe, was reduced from 1.502.808 bytes to just 68.808 bytes. I have a 4.4 GB DVD full with good installation source (recovered and from clean backup), and on the infected USB HDD still their Tenga-infected counterparts, exactly 527 good exes and 527 infected ones. I don't know why Avira rates the damage potential of Tenga as "medium", Tenga is a real vicious one, once infected you can wipe your HDD. Avira also states that Tenga does not occur in the wild, which I would doubt. The old stuff I have been fiddling around with was pre-2002, so no chance that it contained Tenga, which came out in 2005. http://www.avira.com/en/threats/section/fulldetails/id_vir/2661/w32_stanit.html Here another observation: In posting #16 I wrote that just before I noticed the infection I had trouble booting into WinXP. This may be related to what is mentioned by Panda: "It [Tenga] disables Windows File Protection, in order to be able to infect files belonging to the operating system. It does this by using an undocumented API function and injecting itself in the process winlogon.exe." http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A

Doesn't seem to be for Win98.An interesting question may be: How does Tenga identify the next file to be infected? Panda states: "It creates another thread to search for executable files to infect. It looks in all the system drives, excepting A:, which is usually the floppy drive." http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A Tenga in any case also found the removable USB HDD and did its work there. The infection of the USB HDD took place most likely under WinXP, not under Win98, since I do file copying etc with the external 1TB USB HDD usually under WinXP, not under Win98. So most likely the infection had the following chronology: infection of Win98 -> infection of WinXP -> infection of USB HDD attached under WinXP It would be interesting to know whether Tenga could have infected an attached USB HDD directly under Win98. Also, whether the infection of the USB HDD would have occurred under Win98 with a manufacturer-provided USB 2.0 driver (I am using nusb 3.3 under Win98). P.S.: Here is another story of somebody's Vista 64-bit getting hit by Tenga: http://www.bleepingcomputer.com/forums/topic172167.html This person wound up with 3871 infected .exe files

Hi dencorso,Once I knew that I had a Tenga infection, it was very easy to identify the thousands of infected .exe files, just by searching with Find for all .exe files with a very recent modification date, e.g. between Feb-28 and Mar-3. Unfortunately when Kasperksy finds a Tenga-infected file, Kaspersky sets the modification date of the infected file to the current date, even if I select to "Skip" the infected file. Any .exe file on the USB HDD with a modification date of Feb-28 and later is most likely Tenga-infected. The difficulty with Tenga is not that it is hard to find, but that it can infect so many .exe files so fast. If a responsible member of this forum wants to analyze Tenga in a controlled environment, send me a PM. This virus with its 3,666 bytes does look interesting, I've been wading in dark waters for a long time, and this was the first time I got hit since Jan-2004, when I got Trojan.Win32.Spooner.c (sp.exe).

My estimate somewhere above was that Tenga infects about 1.700 .exe files per minute. Panda writes: "Due to that technique, Tenga.A achieves a large number of infections in a very small time without users noticing". http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A I had noticed the infection by the unusual blinking of the disk activity light. If I remember right I even pulled the plug of the computer to stop this unusual disk activity, instead of shutting down. This also shows the advantage of a laptop over a desktop: a desktop is usually under the desk and one doesn't look at the disk activity light very often, while with a laptop the disk activity light is perfectly visible. This blinking disk activity light may have contributed to Tenga not being able to complete its destructive path on my 1TB USB HDD. A less sophisticated user, with no good back up and with no 2nd computer, probably might just as well have thrown his infected computer against the wall. Tenga is really a mean little thing, eventually I re-use the infected internal HDD, but only after a complete wipe. Also, as I noted somewhere above, huge .exe files don't seem to get infected by Tenga.

Here is Panda's opinion:"Affected platforms: Windows XP/2000/NT/ME/98/95 [NOTE: WinME is specifically included here!] First detected on: July 14, 2005" "Tenga.A shows a very a complex infection routine, which it uses in order to infect all the executable files on the computer, excepting NTOSKRNL.EXE. It is even capable of infecting files belonging to the operating system, as it disables the characteristic known as Windows File Protection. Tenga.A spreads by attacking IP addresses, in which it tries to exploit the vulnerability RPC DCOM. Additionally, as Tenga.A infects files, it could also reach computers when the infected files are distributed through any of the typical means of tranmission, which include, among others, floppy disks, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer file sharing programs (P2P), etc." http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=82383&sind=0&sitepanda=particulares Tenga.a seems indeed an interesting little program, but I haven't found info yet on how exactly it picks the files to be infected. Panda is wrong here because Tenga did not infect all the .exe files on my computer, only some of them. P.S.: excellent info here on how Tenga infects files (the best I found so far): http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A Also, panda updated their info page about Tenga.a yesterday, so this virus seems to be still of current interest.

Note by dencorso: The contents of this post have been lost. The two snippets of text below are all we have left at the moment, from its original content. [...]I am using Firefox v2.0.0.20 and Opera v9.64... If you turn off Java + JavaScript, msfn.org comes up really fast, without ads, though I am not sure whether you can post when they are off.[...] [...]Are there any files created by Windows which contain lists of recently accessed files? It might be useful to delete such files, for preventing the spread of potential infections with other malware. I would doubt that Tenga can search the registry or index.dat.[...]

Huh, what a typo , I surely didn't want to allude to Mao's "the imperialists and their running dogs" http://www.marxists.org/reference/archive/mao/works/red-book/ch05.htm. I just came by chance across this news from the bbc: "Google provided US intelligence agencies with a record of its search engine results, the state-run news agency Xinhua said." http://news.bbc.co.uk/2/hi/business/8581393.stm"On Sunday, state media in China attacked Google for what they described as the company's "intricate ties" with the US government." http://news.bbc.co.uk/2/hi/asia-pacific/8582233.stm

I had an ATI TV Wonder Pro Tuner (Philips 1236 MK3) running so-so on my Win98 dual-core desktop, but discarded it, the Sabrent Philips 713x PCI TV Tuner Card card was better. I only tested the ATI TV Wonder card for a short time, it came with a desktop I had bought at ebay. The Sabrent card I liked and used in the US, connected to a cable TV outlet, for maybe 6 months. I have since then set up my Win98 dual core desktop again and have not gotten around to re-install the Sabrent card, I don't watch much TV.Getting the Sabrent card to work properly was tricky, the Win98 software on the CD didn't work properly under Win98, the honestech TVR 2.5 video software, obtained elsewhere, worked eventually Ok under Win98, I had to fiddle around for some time with the remote control driver and the FM tuner. If I remember right the Sabrent TV card had to be connected with a cable to the bfg 7800 GS OC video card and a whole bunch of Win98 drivers had to be installed. It was a time-consuming project. honestech TVR v2.5, for example, worked under Win98 with the ATI TV Wonder card also, but when recording TV, no sound was recorded with the ATI card. Basically you have to have the Win98 drivers for the TV card, the remote control and the TV tuner plus Win98 video display and recording software which works with these drivers and the hardware, a lot of fiddling. I originally got the Sabrent card to convert video tapes PAL <==> NTSC, but never got around doing it.

Definitely, nothing is gained by keeping Norton Antivirus. But Symantec stuff in general is hard to get rid of, the uninstall usually leaves a lot of trash.Make sure to uninstall Norton Antivirus before installing another anti-virus package, having 2 different anti-virus programs on the system is asking for trouble.

This is exactly my view too. On rare exceptions I do use the internet under WinXP, like for downloading with eMule a file >4GB.My young son, however, only wants to use WinXP he needs wireless access to the shared printer on the home network, so the home network is mixed Win98/WinXP , he wants to access the Internet with his Nintendo DS, which works only with WEP , so I am not using WPA. he needs to connect his Asus school-netbook to the home network, so the network has to be set for file sharing his Asus netbook has locked up with virus infections already twice his friends come over and hook up their infected notebooks to the router Life consists of compromises, it's hard to avoid WinXP and other risks in life. I am quite sure that eventually malware which infects hidden partitions will become common, given the increased use of hidden partitions. Does such malware exist already?

http://www.mondoraro.org/2010/03/03/google-irani-il-motore-di-ricerca-targato-regime/Maybe the Iranian and Chinese governments are not only for censorship, but also want to stop Poodle's data gathering. Paranoid concerns with national sovereignty, seeing data-gathering arms of the NFA everywhere? BTW, http://news.cnet.com/Security-firms-on-police-spyware is 404 Although I don't think it's likely, I have also been considering whether the Tenga infection was a targeted installation. ISPs seem to be able to access connected computers with relative ease, I assume a connected computer is just a client in the ISP's network. I am not sure how much Win98 protects against a snooping ISP.

I beg to disagree. My feeling is that by updating with new patches I mainly update spyware and spyware-vulnerabilities to the newest state. My feeling is that not just a search engine, but many big corporations cooperate with the NSA. I view infections with NSA-induced spyware as dangerous, and infections with a virus like Tenga as an entertaining nuisance. I am just choosing between the lesser of two evils, and am fully aware of the risks, which I try to reduce by very intensive backups, by using ex-Soviet malware detectors, by having the WLAN-card removed when using WinXP, by using WinXP as little as possible and by installing a minimum of closed-source US-software created after 11-Sept-2001. The router had always NAT on. Tiny Personal Firewall v2.0.14 is always on under Win98 and WinXP and did not report any calling out.I have checked the still-infected 1TB USB HDD, Tenga.a seems to be a very efficient little program: Tenga infected on one partition 5329 .exe files on the USB HDD on Feb-28 between 9:04 PM and 9:07 PM, i.e. about 1700 files per minutes, with my old 700MHz laptop. On the infected internal HDD, now disinfected, I have found on C:\ a file DL.exe with the modification date of Mar-1 9:18AM. It was not an exe file, just a renamed ASCII file with the following content: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://utenti.multimania.it/vx9/dl.exe">here</a>.</p> </body></html> The URL in my DL.exe differs from the URL listed in http://quickheal.co.in/alerts/archives/alerts-tenga-a.asp [http://]utenti.lycos.it/[REMOVED]/dl.exe [http://]utenti.lycos.it/[REMOVED]/CBACK.EXE [http://]utenti.lycos.it/[REMOVED]/GAELICUM.EXE When I tried to manually download dl.exe from multimania.it, I got a 404; multimania.it had the page title "Lycos Tripod". I did not find cback.exe or gaelicum.exe on the formerly infected HDD. Maybe Tenga was unable to execute all its work on my laptop. Here another observation: Just around the time the USB HDD was infected, I was in Win98 and then tried to boot into WinXP, but somehow couldn't, or WinXP didn't come up properly, I don't remember anymore. In any case, I modified boot.ini, and after the 2nd or 3rd attempt WinXP came up Ok again, no idea why. During my attempts to boot into WinXP I most likely had the infected USB HDD connected (but the old BIOS of my laptop does not see USB devices connected at boot time). Most likely Tenga had started under Win98 and had then infected, under Win98, some critical system files on the FAT32 WinXP partition, so that WinXP had trouble starting up. On my laptop the various operating systems have common access to standalone programs, i.e. there is a single instance of standalone programs, which are accessed under the various operating systems by creating a destop shortcut there. For example, I am using uptime.exe. I run it under Win98 and under WinXP via a desktop shortcut to C:\MiscUtil\uptime.exe. So if C:\MiscUtil\uptime.exe is infected, the infection will spread to other operating systems whenever I click on the shortcut to Uptime under that operating system. The original idea was to avoid duplicate copies of standalone programs, but this may actually be an unsafe practice in a multibooting environment. One of my interests in this topic is to explore "How to prevent cross-operating system infections in a multibooting environment". A virus which could encrypt modern HDDs, similar to ancient One-Half http://www.csie.ntu.edu.tw/~wcchen/asm98/asm/proj/b85506050/ORIGIN/ONEHAL~1.HTM , which I mentioned in the introduction to this topic, could be just as much of a nuisance as Tenga. BTW, it would be interesting to know whether ancient One-Half can infect modern 1TB HDDs. This is also what I suspect, that I must have double-clicked on an infected file. But this is absolutely against my practices, to which I strictly adhere: I ALWAYS check downloads or stuff from my archive with Kaspersky before running it, and Kaspersky does detect Tenga. It is still a puzzle how I got this virus, under which operating system Tenga started and how it spread from one operating system to the next.

What's happening? http://www.xosl.org/ "Domain for sale" System Commander has already died, RIP.

I have been thinking about hidden partitions ever since you described your setup several months ago.Hiding all operating systems from one another may be useful in preventing virus infections from spreading to other operating systems, as I have just recently experienced Luckily I was able to recreate the whole HDD quickly, so the infection across operating systems was not a major problem. The major pain of the infection was the infected 1TB USB HDD, which probably would have happened even if I my operating systems had been hidden from one another. So I still prefer operating systems which can see each other's partitions. @LoneCrusader: How easy was it to convert from System Commander to BootIT NG? Do you use BootIT NG on your main system?

I was lucky to have started with v3.05, when System Commander came without wizards. Afterwards I installed newer versions using my experience with the earlier version, without a wizard. Maybe the subject matter is too complicated to have a one-size-fits-all wizard. I considered their wizards to be marketing gimmicks. The guys a V-COM were excessively concerned with protecting their intellectual property rights. Knowing that copy-protected stuff doesn't sell, they created a whole bunch of snares, in Spanish you would call it "trampas". The original floppy disk of old v3, for example, got written to/modified after entering the serial number during installation. The boot code of the computer where System Commander was installed originally was somehow stored on the system floppy; when trying to install/uninstall System Commander with a floppy already used on another computer, the boot code of computer 1 would be transferred to computer 2, with unpleasant consequences. Those guys knew a whole bunch of tricks, they were the authors of Sourcer, which 15 years ago was considered to be the best disassembler. Not using a sealed original floppy of System Commander could lead to surprises.I still like System Commander, it took me, for example, just 2-3 hours to install Vista (uninstalled now, I didn't need it) on a 2nd HDD as another opsys selection, besides DOS, Win98SE, WinXP, keeping my FAT-16 boot partition on the 1st HDD.

Win98 was not immune to infection. At Win98 startup 2 files infected with tenga were run via the Win98 registry. By infecting most .exe files, and thereby also by chance those which are run thru the Win98 registry at startup, Tenga was active every time Win98 was loaded. I assume the same happened under WinXP and Win2k. Yes. It may also have come from my old software archive on CDs, DVD, HDDs on which I was working around that time. Maybe I had archived stuff years ago, at a time when Kaspersky didn't detect Tenga yet. Eventually I will find out. It may also have come out of some old infected email boxes, which I had tried to clean before archiving, around Feb-28, see my posting My WinXP is SP2, without any patches added. WinXP was definitely not connected to the Internet, nor was the infected laptop connected to the WLAN router via cable. I am currently away from the US, were most of my computer tools and resources are located, so I always eject the USB 2.0 WLAN card before running WinXP (my old laptop has no built-in WLAN card), to make sure that there is no Internet or network connection under WinXP which could infect WinXP.The Tenga infection cannot have occurred earlier under WinXP in the US, where the laptop does have internet access under WinXP, because the system backup I made just before leaving was clean.

No, I only make ooccasional on-demand scans, I don't have a virus checker running all the time. No, I had not booted into DOS around Feb-28. On Feb-28 I had moved downloaded files via WLAN under Win98 from the eMule laptop (it's a dedicated laptop running only eMule under Win98, WinXP is hardly ever used there) to the later infected laptop (Win98)