
Multibooter

Member
  • Posts

    1,071
  • Joined

  • Last visited

  • Donations

    0.00 USD 

Everything posted by Multibooter

  1. My laptop is infected AGAIN with Tenga, but on the first look the infection hasn't spread to other operating systems yet, only my main Win98 (and new downloads and recovered stuff) seems to be affected. Many .exe files on the laptop got infected at 1:42 PM (about 45 minutes ago), while others got infected while I was making my earlier postings at msfn.org, around 11:50 AM. Persfw.conf (the file with the rules) of the Tiny Personal Firewall was modified at 1:41 PM, PFWADMIN.EXE got infected at 01:43, but the actual firewall engine PERSFW.EXE did not get infected. Any suggestions as to what stuff I should save as a .rar, before restoring a clean Win98, so that I may find the cause/culprit of this 2nd infection? I am posting from my 2nd uninfected laptop. I guess there goes my weekend.
  2. ADDENDUM - CORRECTION: The content of this posting is not correct. It seemed to be correct during my 1st infection with Tenga, but during my 2nd infection with Tenga, Tenga infected \Windows\ and \Program Files\ of the currently active Win98. See my posting #62. Multibooter 28-March-2010
Tenga.a does NOT infect .exe files in \Windows\ and in \Program Files\ of the currently active Win98/XP. This characteristic of Tenga.a does not seem to be mentioned on the Internet, and has permitted me to retrace chronologically the infection by Tenga:
1) \Windows\ and \Program Files\ of my main Win98 on the infected internal HDD were NOT infected by Tenga. Since I install nearly all of my software to specially-named folders outside of \Program Files\, e.g. to H:\eMule\, the existence of Tenga under Win98 was noticed immediately, because my apps were infected and wouldn't work anymore, or would not behave as usual.
2) All .exes in the \Windows\ directory of my test-Win98 (exact directory name: F:\W98DIAG\) were infected with Tenga on the infected internal HDD, i.e. the infection must have started under another operating system, NOT under the test-Win98. Tenga, not recognizing that F:\W98DIAG\ was the \Windows\ directory of my test-Win98, infected all .exes in F:\W98DIAG\. I can therefore exclude the possibility that I got the Tenga infection during my experimenting with possibly-infected stuff under my test-Win98. I never experiment with unknown stuff on my main Win98.
3) After the infection with Tenga I had trouble booting into FAT32-based WinXP and shortly afterwards FAT32-based WinXP wouldn't work anymore. Unfortunately I had then restored a clean FAT32-WinXP partition from backup onto the infected internal HDD, so that I don't have a direct proof anymore that the WinXP \Windows\ folder was infected (only possible if WinXP was infected while I was running another operating system, i.e. my main Win98).
But here is an indirect proof, answering a very good point raised by Queue in posting #21: Tenga under my main Win98 had infected the .exes in the \Windows\ folder of the FAT32-WinXP partition. When WinXP came up, using infected .exes, it didn't work properly anymore and Tenga, which uses some WinXP APIs, didn't work properly anymore either and couldn't infect files on the NTFS partition of the NTFS-based WinXP. The original infection with Tenga was probably caused on my main Win98 by an undetected trojan downloader, which then downloaded Tenga from somewhere, similar to Trojan-Downloader.Win32.Small.bdc: "When launched, the Trojan checks whether the victim machine is connected to the Internet. If a connection is detected, the Trojan will download the following files from u***ti.lycos.it/vx9: cback.exe – will be detected by Kaspersky Anti-Virus as Backdoor.Win32.Small.gl; gaelicum.exe – will be detected by Kaspersky Anti-Virus as Virus.Win32.Tenga.a. These files will be saved to the same file that the original Trojan file was saved to. They will be registered in the system registry, and launched for execution." http://www.viruslist.com/en/viruses/encyclopedia?virusid=87572 Whether in my case the trojan also downloaded a backdoor is unknown. If so, the backdoor most likely was ineffective or didn't work under Win98, since my Tiny Personal Firewall didn't report anything, and with the subsequent system restore it must have gotten wiped out. In case I get this undetected trojan downloader again, I will probably get Tenga again. I am still pondering how to improve my defenses, with as little effort as possible. The downloader+virus combo seems to be very hard to stop in my current multi-booting setup, unless I spend a lot of time. I probably will focus on improving my backups, especially of the external USB HDD, and just HOPE not to get infected again by something like Tenga.
BTW, I have been using Firefox quite a lot over the past few months, and Firefox has been reported to have a lot of security problems recently. Maybe I should use Opera most of the time.
  3. Estimated averages per week: adding 2 new applications, replacing 1 existing application with a more current version, deleting 1 application which I don't expect to use anymore, testing 3 new applications, most of them installed, not standalone. The installations/uninstalls may occur in different operating systems and in multiple instances of an operating system. About once a month I restore the last clean opsys backup (of about a month ago) and repeat very carefully all the recent installations/uninstalls of what I want to make permanent and then create another clean backup. Usually I restore the last clean backup 5-10 times a month, after having created a new clean backup and before creating the next clean backup, wiping out with the restores malware which Kaspersky may not have detected. Undetected malware could stay 3-5 days on my system, but then it gets wiped out with the next restore. Tenga, unfortunately, just needed a few minutes to infect all operating systems installed on my laptop, except for the NTFS-based WinXP. If I had given internet access to WinXP during my trip, just as WinXP has internet access when I am in the US, the infection with Tenga could have started just as well under WinXP and then spread to Win98. So a tool to allow only permitted processes would have to be active also under WinXP and on all my installed operating systems, which is just too time-consuming. A default-deny tool looks useful to protect a computer which has only a single operating system (or to protect a Win98 installed on a hidden partition, invisible to other operating systems), but less so on a computer with various operating systems, because of possible infections across operating systems, as with Tenga. If I remember right, on the WinXP FAT32 partition even the file avp.exe (= the virus scanning engine of Kaspersky) was infected by Tenga under Win98, but WinXP was killed already at that time. Yes. But my dedicated eMule laptop was not infected.
My main laptop, on which I process downloads (virus checks), browse the internet, etc. was infected with Tenga. This not-infected dedicated eMule laptop was connected in a peer-to-peer network under Win98 to the infected laptop, and completed downloads were transferred via WLAN from the eMule laptop to the main laptop. The eMule laptop was running normally, it even posted a record uptime then of 7 days 11 hours. I don't know how credible rumors are that some chips have built-in backdoors for the US agencies. But my 10-year-old laptops, built before 11-Sept-2001, are unlikely to contain such chips.
  4. @dencorso: By mistake I just wiped out my posting #22 here, is it possible to restore it? (Wiped out, not because I was running without JavaScript/Java, it was just a mistake.) It looks like the posting is NOT cached by Google or Bing either!!!! The following quote was a quote from my posting #22: From my previous posting #22 here. I have made this current posting with Firefox v2.0.0.20 under Win98, with JavaScript and Java off. So the simplest way may be to turn off JavaScript and Java, which is also a safer way to use the internet. Again, msfn.org does seem to work currently with JavaScript and Java OFF. Since some sites do require Java and JavaScript (e.g. for the posting of comments at www.nzz.ch), maybe a practical workaround would be to have the main browser set with JavaScript/Java OFF (e.g. Opera), and another browser (e.g. Firefox, or the other way around) set with JavaScript/Java ON, for sites which require JavaScript/Java, plus marking the desktop shortcut, e.g. "Java ON" or "Java OFF".
  5. I am a little paranoid when it comes to the security of my personal computer, but most likely I will not use real-time scanners on my own computer, there are arguments pro and con regarding real-time scanning. On the computer of my young son, however, who uses only WinXP, I may set continuous virus checking when I am back in the US in June, depending on the size of the zoo on his computer. Before I went on my trip, I made a backup of a clean instance of his WinXP and showed him how to use the WinXP restore feature; WinXP restore is really an excellent virus recovery tool. In any case, I made a forensic .gho image of his HDD before I went on my trip, so restarting shouldn't be difficult; most likely he has installed a lot of stuff in the meantime, which he wasn't supposed to. The damage by Tenga to my computer was not that serious because I make a LOT of backups. The Tenga infection is interesting to me because it was the first time in a long while that I got hit, and it took me less time to recover from Tenga than to write about it in this forum. The Tenga infection, however, has caught me at the wrong time, while I am away from home for a while. I didn't take a backup of the 1TB USB HDD on my trip, although I had the same stuff backed up to another partition on this 1TB USB HDD. BTW, using partitions on the USB HDD seems to have limited the damage done by Tenga: apparently only 1 partition plus a small part of a 2nd partition (out of 4 partitions) on the USB HDD was infected by Tenga, but I am still checking, 1TB is a lot of stuff to be virus-checked with an old 700 MHz laptop.
  6. In theory I would agree with you. But here is a posting of a person who had the following experience with Tenga: "Selbst wenn ein Antivirusprogramm aktiv ist kann man nur zusehen wie eine Datei nach der anderen infiziert (und desinfiziert wird) wird." [Translated: "Even if an antivirus program is active, one can only watch and see how one file after the other gets infected and then disinfected"] Posting #7 at http://www.trojaner-board.de/40187-virus-win32-tenga-sehr-hartnaeckig.html The people at that site did not use your objection; http://www.trojaner-board.de/ is a 10-year-old anti-malware site. Possibly the cause of the infection is not properly identified by AV software, only the output of the infection, the infected .exe files. "Auch Sophos und Kapersky haben nicht mehr als die infizierten *.exe Dateien gefunden", posting #1 [translated: "Also Sophos and Kaspersky have not found more than the infected .exe files"]. I was just reporting in posting #34 the experience of another person with Tenga, because it sounded interesting. In my posting #16 here I listed the content of DL.exe, which is part of Tenga and was NOT deleted, flagged or disinfected by Kaspersky, i.e. at least one component of Tenga was left by Kaspersky. To have a definite answer, one would have to infect the system with Tenga, then activate the AV software, and then see whether the experience described on the German site is repeated, i.e. whether the active AV software is just running behind the infecting Tenga.
  7. The CD in the box of the Vantec eSATA PCCard UGT-ST350CB contained a newer Vista/XP driver, but no Win98 driver, even if Win98 was printed on the box. The older driver, which I used also under WinXP, was on their web site at http://www.vantecusa.com/front/product/view_detail/8 ; the exact download location of the drivers with Win98 is http://www.vantecusa.com/system/application/media/data_file/ugt-st350.zip Very good card, my 10-year-old laptop, with onboard USB 1.1, now can connect via eSATA. My only gripes are that the eSATA PCCard is too big, I can't fit both the USB 2.0 and the eSATA card into my 2 PCCard slots at the same time, maybe I have to get a smaller USB 2.0 card. The Vantec eSATA PCCard can also be used to determine whether some problems are caused by USB or by the USB driver. I did have some issues with the Vantec eSATA card when I was experimenting with a 500GB UDF-formatted HDD connected via eSATA, but this is not important, and may have been due to the UDF-formatting software. Again, a fine card.
  8. Yes, the severe truncation of installation source files is not the rule. I checked the recovered/repaired/re-downloaded stuff, which I burnt to a DVD, against the stuff on the Tenga-infected USB HDD: about 15% of the Tenga-infected .exe files are severely truncated, the infected installation source on the infected USB HDD is about 30% smaller (in MBs) than the source on the clean (recovered/repaired/re-downloaded) DVD. The largest file cut down by Tenga on my infected 1TB USB HDD was ie60.exe (MS Internet Explorer v6.00.2600): on the clean DVD it has its original 80MB, but on the infected USB HDD it was cut down to 100kB. Two other large files (143MB and 316MB) were not infected by Tenga. Maybe 5-year-old Tenga cannot infect large .exes (> 128MB???), or the RAM on my old laptop (512MB) was not large enough. Tenga-infected files disinfected by Kaspersky are still tainted, differ from their original, and still contain remnants of the attack by Tenga, although their dangerousness has been removed.
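The check described in the post above, a clean DVD held against the infected USB HDD, can be automated. The script below is an example added here for this page; it is not Multibooter's tool or any vendor's, and the two sample trees it builds are constructed files, not files from the thread. It walks the clean reference tree and, for each executable, reports whether the counterpart on the suspect tree is identical, truncated, modified (same or larger size but a different SHA-256) or missing. Size is compared before hashing, so a file cut down the way ie60.exe was is flagged without reading it in full.

```python
"""Compare a clean reference tree (the burnt DVD) against a suspect tree
(the infected USB HDD) and classify each executable. Example code added for
this page; the sample trees are constructed, not files from the thread."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large installers need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(clean_root, suspect_root, suffixes=(".exe",)) -> dict:
    """Return {relative_path: verdict} for every file under clean_root whose
    suffix is in `suffixes`. Verdicts: identical, truncated, modified, missing."""
    clean_root, suspect_root = Path(clean_root), Path(suspect_root)
    report = {}
    for clean in sorted(clean_root.rglob("*")):
        if not clean.is_file() or clean.suffix.lower() not in suffixes:
            continue
        rel = clean.relative_to(clean_root).as_posix()
        suspect = suspect_root / rel
        if not suspect.is_file():
            report[rel] = "missing"
        elif suspect.stat().st_size < clean.stat().st_size:
            report[rel] = "truncated"       # shrunk, like the 80 MB -> 100 kB case
        elif sha256_of(suspect) != sha256_of(clean):
            report[rel] = "modified"        # same size or larger, content differs
        else:
            report[rel] = "identical"
    return report


def build_sample_trees(base):
    """Write a constructed clean/ and suspect/ pair under `base`.
    The 'executables' are just an MZ signature plus filler, not real programs."""
    clean, suspect = Path(base, "clean"), Path(base, "suspect")
    for d in (clean / "setup", suspect / "setup"):
        d.mkdir(parents=True, exist_ok=True)
    good = b"MZ" + bytes(62) + b"A" * 4096
    (clean / "setup" / "installer.exe").write_bytes(good)
    (suspect / "setup" / "installer.exe").write_bytes(good)              # untouched
    (clean / "big.exe").write_bytes(b"MZ" + bytes(62) + b"B" * 65536)
    (suspect / "big.exe").write_bytes(b"MZ" + bytes(62) + b"B" * 100)    # cut down
    (clean / "tool.exe").write_bytes(b"MZ" + bytes(62) + b"C" * 2048)
    (suspect / "tool.exe").write_bytes(b"MZ" + bytes(62) + b"D" * 2048)  # same size, altered
    (clean / "only_on_dvd.exe").write_bytes(b"MZ" + bytes(62))           # no counterpart
    (clean / "readme.txt").write_text("not an executable, skipped by the scan")
    return clean, suspect


def run_demo() -> dict:
    """Build the sample trees in a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = build_sample_trees(tmp)
        return compare_trees(clean, suspect)


if __name__ == "__main__":
    for rel, verdict in sorted(run_demo().items()):
        print(f"{verdict:10} {rel}")
```

Run against real trees, call compare_trees("D:\\", "H:\\") with the DVD and the suspect partition; anything reported as truncated or modified should be replaced from the clean source rather than merely disinfected, since the post notes that disinfected files still differ from their originals.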
  9. Infection by just visiting a website? On the German webpage http://www.trojaner-board.de/40187-virus-win32-tenga-sehr-hartnaeckig-2.html somebody registered as Dracon123 on 30-Jan-2010, posted a link to a web page probably containing the Tenga virus (posting #12) and then disappeared into thin air. 90 minutes later the following warning was published in posting #13 there: "Auf gar keinen Fall den Link oben anklicken, der id*** hat hier wirklich einen Link auf eine infizierte Datei reingesetzt. Es droht formatieren und neuinstallieren." [Translated: "Under no circumstances click the link above, the id*** really did put a link to an infected file in here. You'd be facing formatting and reinstalling."] and 1 hour later the site administrator removed the link (posting #14). There may be a good possibility that one can get somehow infected with Tenga by just visiting a web page, even under Win98. The postings on the German page also state that a continuously running virus scanner doesn't help much because Tenga infects faster than Kaspersky can disinfect, also: "in den 20 Jahren in denen mich PC´s nerven, ist dieser Tenga.a der wirklich brutalste Störenfried der mir über den Weg lief." [Translated: "in the 20 years that PCs have been annoying me, this Tenga.a is really the most brutal troublemaker I've ever come across."] Maybe the best defense is a forensic backup. With my clean backup I had no re-infection (yet); on the German website they report re-infections and that they can't get rid of the virus, after a while it comes back. Maybe I should turn Java and JavaScript off for a while.
  10. I had bought in Feb. 2009 an eSATA-PATA-USB combo card VIA VT6421A for my dual-core desktop with an Asus P5PE-VM motherboard, mainly to be able to connect my eSATA/USB Thermaltake HDD enclosures via eSATA. The Asus P5PE-VM has onboard SATA; its onboard USB requires a special version of the Orangeware driver. I fiddled around with the eSATA combo card, but was never able to get it going properly; after inserting the card the onboard USB became really slow. Maybe it was a conflict with my specific motherboard, maybe the USB of the combo card didn't get along with the special driver for the onboard USB, I don't know. The card is now sitting in a box and I had no time to try another card. Whenever I'll get another eSATA card, it probably won't be a combo card with USB. I was looking briefly for a Win98-compatible eSATA/Firewire card but couldn't find one. Again, my experience was specific to my motherboard, maybe there is no such problem with your motherboard. About 6 months ago I bought for my 10-year-old 700 MHz laptop a "Silicon Image Sil 3512 SATALink Controller" PCCard (Vantec UGT-ST350CB). This eSATA PCCard works great with my laptop. Now my slow laptop has a fast eSATA connection, while my fast desktop doesn't.
  11. Here is a report (in French) of somebody who got infected with Tenga under WinXP SP3: http://forum.malekal.com/infection-par-win32-stanit-t13162.html In posting #30 I had a link to a person with a Tenga infection under Vista 64-bit. I am not sure whether MS band-aids are of much use. The report of the infection under WinXP SP3 made me a little concerned, the computer there was re-infected a month later. I still have the infected 1TB USB HDD connected to my laptop, with five or ten thousand little Tengas just waiting to jump at my laptop...
  12. In my infected files the 51st, not the 50th, byte is modified to 56hex. 10 other bytes near the beginning are also modified, e.g. bytes 265-267, but with varying values. Since the URL in DL.exe which I have ("hxxp://utenti.multimania.it/vx9/dl.exe") also differs from the URL stated on all anti-virus sites, I assume that I've got an updated version of Tenga. Tenga-infected .exe files are severely compromised. A good file, for example, install_flash_player_9.exe, was reduced from 1,502,808 bytes to just 68,808 bytes. I have a 4.4 GB DVD full with good installation source (recovered and from clean backup), and on the infected USB HDD still their Tenga-infected counterparts, exactly 527 good exes and 527 infected ones. I don't know why Avira rates the damage potential of Tenga as "medium"; Tenga is a real vicious one, once infected you can wipe your HDD. Avira also states that Tenga does not occur in the wild, which I would doubt. The old stuff I have been fiddling around with was pre-2002, so no chance that it contained Tenga, which came out in 2005. http://www.avira.com/en/threats/section/fulldetails/id_vir/2661/w32_stanit.html Here another observation: In posting #16 I wrote that just before I noticed the infection I had trouble booting into WinXP. This may be related to what is mentioned by Panda: "It [Tenga] disables Windows File Protection, in order to be able to infect files belonging to the operating system. It does this by using an undocumented API function and injecting itself in the process winlogon.exe." http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A
  13. Doesn't seem to be for Win98. An interesting question may be: How does Tenga identify the next file to be infected? Panda states: "It creates another thread to search for executable files to infect. It looks in all the system drives, excepting A:, which is usually the floppy drive." http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A Tenga in any case also found the removable USB HDD and did its work there. The infection of the USB HDD took place most likely under WinXP, not under Win98, since I do file copying etc. with the external 1TB USB HDD usually under WinXP, not under Win98. So most likely the infection had the following chronology: infection of Win98 -> infection of WinXP -> infection of USB HDD attached under WinXP. It would be interesting to know whether Tenga could have infected an attached USB HDD directly under Win98. Also, whether the infection of the USB HDD would have occurred under Win98 with a manufacturer-provided USB 2.0 driver (I am using nusb 3.3 under Win98). P.S.: Here is another story of somebody's Vista 64-bit getting hit by Tenga: http://www.bleepingcomputer.com/forums/topic172167.html This person wound up with 3871 infected .exe files.
  14. Hi dencorso, once I knew that I had a Tenga infection, it was very easy to identify the thousands of infected .exe files, just by searching with Find for all .exe files with a very recent modification date, e.g. between Feb-28 and Mar-3. Unfortunately when Kaspersky finds a Tenga-infected file, Kaspersky sets the modification date of the infected file to the current date, even if I select to "Skip" the infected file. Any .exe file on the USB HDD with a modification date of Feb-28 and later is most likely Tenga-infected. The difficulty with Tenga is not that it is hard to find, but that it can infect so many .exe files so fast. If a responsible member of this forum wants to analyze Tenga in a controlled environment, send me a PM. This virus with its 3,666 bytes does look interesting; I've been wading in dark waters for a long time, and this was the first time I got hit since Jan-2004, when I got Trojan.Win32.Spooner.c (sp.exe).
  15. My estimate somewhere above was that Tenga infects about 1,700 .exe files per minute. Panda writes: "Due to that technique, Tenga.A achieves a large number of infections in a very small time without users noticing". http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A I had noticed the infection by the unusual blinking of the disk activity light. If I remember right I even pulled the plug of the computer to stop this unusual disk activity, instead of shutting down. This also shows the advantage of a laptop over a desktop: a desktop is usually under the desk and one doesn't look at the disk activity light very often, while with a laptop the disk activity light is perfectly visible. This blinking disk activity light may have contributed to Tenga not being able to complete its destructive path on my 1TB USB HDD. A less sophisticated user, with no good backup and with no 2nd computer, probably might just as well have thrown his infected computer against the wall. Tenga is really a mean little thing; eventually I'll re-use the infected internal HDD, but only after a complete wipe. Also, as I noted somewhere above, huge .exe files don't seem to get infected by Tenga.
  16. Here is Panda's opinion: "Affected platforms: Windows XP/2000/NT/ME/98/95 [NOTE: WinME is specifically included here!] First detected on: July 14, 2005" "Tenga.A shows a very complex infection routine, which it uses in order to infect all the executable files on the computer, excepting NTOSKRNL.EXE. It is even capable of infecting files belonging to the operating system, as it disables the characteristic known as Windows File Protection. Tenga.A spreads by attacking IP addresses, in which it tries to exploit the vulnerability RPC DCOM. Additionally, as Tenga.A infects files, it could also reach computers when the infected files are distributed through any of the typical means of transmission, which include, among others, floppy disks, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer file sharing programs (P2P), etc." http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=82383&sind=0&sitepanda=particulares Tenga.a seems indeed an interesting little program, but I haven't found info yet on how exactly it picks the files to be infected. Panda is wrong here because Tenga did not infect all the .exe files on my computer, only some of them. P.S.: excellent info here on how Tenga infects files (the best I found so far): http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A Also, Panda updated their info page about Tenga.a yesterday, so this virus seems to be still of current interest.
  17. Note by dencorso: The contents of this post have been lost. The two snippets of text below are all we have left at the moment, from its original content. [...] I am using Firefox v2.0.0.20 and Opera v9.64... If you turn off Java + JavaScript, msfn.org comes up really fast, without ads, though I am not sure whether you can post when they are off. [...] [...] Are there any files created by Windows which contain lists of recently accessed files? It might be useful to delete such files, for preventing the spread of potential infections with other malware. I would doubt that Tenga can search the registry or index.dat. [...]
  18. Huh, what a typo, I surely didn't want to allude to Mao's "the imperialists and their running dogs" http://www.marxists.org/reference/archive/mao/works/red-book/ch05.htm. I just came by chance across this news from the BBC: "Google provided US intelligence agencies with a record of its search engine results, the state-run news agency Xinhua said." http://news.bbc.co.uk/2/hi/business/8581393.stm "On Sunday, state media in China attacked Google for what they described as the company's "intricate ties" with the US government." http://news.bbc.co.uk/2/hi/asia-pacific/8582233.stm
  19. I had an ATI TV Wonder Pro Tuner (Philips 1236 MK3) running so-so on my Win98 dual-core desktop, but discarded it; the Sabrent Philips 713x PCI TV Tuner Card was better. I only tested the ATI TV Wonder card for a short time, it came with a desktop I had bought at ebay. The Sabrent card I liked and used in the US, connected to a cable TV outlet, for maybe 6 months. I have since then set up my Win98 dual-core desktop again and have not gotten around to reinstalling the Sabrent card, I don't watch much TV. Getting the Sabrent card to work properly was tricky: the Win98 software on the CD didn't work properly under Win98; the honestech TVR 2.5 video software, obtained elsewhere, worked eventually OK under Win98; I had to fiddle around for some time with the remote control driver and the FM tuner. If I remember right the Sabrent TV card had to be connected with a cable to the BFG 7800 GS OC video card and a whole bunch of Win98 drivers had to be installed. It was a time-consuming project. honestech TVR v2.5, for example, worked under Win98 with the ATI TV Wonder card also, but when recording TV, no sound was recorded with the ATI card. Basically you have to have the Win98 drivers for the TV card, the remote control and the TV tuner plus Win98 video display and recording software which works with these drivers and the hardware, a lot of fiddling. I originally got the Sabrent card to convert video tapes PAL <==> NTSC, but never got around to doing it.
  20. Definitely, nothing is gained by keeping Norton Antivirus. But Symantec stuff in general is hard to get rid of; the uninstall usually leaves a lot of trash. Make sure to uninstall Norton Antivirus before installing another anti-virus package, having 2 different anti-virus programs on the system is asking for trouble.
  21. This is exactly my view too. On rare exceptions I do use the internet under WinXP, like for downloading with eMule a file >4GB. My young son, however, only wants to use WinXP:
  • he needs wireless access to the shared printer on the home network, so the home network is mixed Win98/WinXP,
  • he wants to access the Internet with his Nintendo DS, which works only with WEP, so I am not using WPA,
  • he needs to connect his Asus school-netbook to the home network, so the network has to be set for file sharing,
  • his Asus netbook has locked up with virus infections already twice,
  • his friends come over and hook up their infected notebooks to the router.
Life consists of compromises, it's hard to avoid WinXP and other risks in life. I am quite sure that eventually malware which infects hidden partitions will become common, given the increased use of hidden partitions. Does such malware exist already?
  22. http://www.mondoraro.org/2010/03/03/google-irani-il-motore-di-ricerca-targato-regime/ Maybe the Iranian and Chinese governments are not only for censorship, but also want to stop Poodle's data gathering. Paranoid concerns with national sovereignty, seeing data-gathering arms of the NFA everywhere? BTW, http://news.cnet.com/Security-firms-on-police-spyware is 404. Although I don't think it's likely, I have also been considering whether the Tenga infection was a targeted installation. ISPs seem to be able to access connected computers with relative ease, I assume a connected computer is just a client in the ISP's network. I am not sure how much Win98 protects against a snooping ISP.
  23. I beg to disagree. My feeling is that by updating with new patches I mainly update spyware and spyware-vulnerabilities to the newest state. My feeling is that not just a search engine, but many big corporations cooperate with the NSA. I view infections with NSA-induced spyware as dangerous, and infections with a virus like Tenga as an entertaining nuisance. I am just choosing between the lesser of two evils, and am fully aware of the risks, which I try to reduce by very intensive backups, by using ex-Soviet malware detectors, by having the WLAN card removed when using WinXP, by using WinXP as little as possible and by installing a minimum of closed-source US software created after 11-Sept-2001. The router had always NAT on. Tiny Personal Firewall v2.0.14 is always on under Win98 and WinXP and did not report any calling out. I have checked the still-infected 1TB USB HDD; Tenga.a seems to be a very efficient little program: Tenga infected on one partition 5329 .exe files on the USB HDD on Feb-28 between 9:04 PM and 9:07 PM, i.e. about 1700 files per minute, with my old 700MHz laptop. On the infected internal HDD, now disinfected, I have found on C:\ a file DL.exe with the modification date of Mar-1 9:18AM. It was not an exe file, just a renamed ASCII file with the following content:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://utenti.multimania.it/vx9/dl.exe">here</a>.</p>
</body></html>
The URL in my DL.exe differs from the URLs listed in http://quickheal.co.in/alerts/archives/alerts-tenga-a.asp :
[http://]utenti.lycos.it/[REMOVED]/dl.exe
[http://]utenti.lycos.it/[REMOVED]/CBACK.EXE
[http://]utenti.lycos.it/[REMOVED]/GAELICUM.EXE
When I tried to manually download dl.exe from multimania.it, I got a 404; multimania.it had the page title "Lycos Tripod". I did not find cback.exe or gaelicum.exe on the formerly infected HDD.
Maybe Tenga was unable to execute all its work on my laptop. Here another observation: Just around the time the USB HDD was infected, I was in Win98 and then tried to boot into WinXP, but somehow couldn't, or WinXP didn't come up properly, I don't remember anymore. In any case, I modified boot.ini, and after the 2nd or 3rd attempt WinXP came up OK again, no idea why. During my attempts to boot into WinXP I most likely had the infected USB HDD connected (but the old BIOS of my laptop does not see USB devices connected at boot time). Most likely Tenga had started under Win98 and had then infected, under Win98, some critical system files on the FAT32 WinXP partition, so that WinXP had trouble starting up. On my laptop the various operating systems have common access to standalone programs, i.e. there is a single instance of standalone programs, which are accessed under the various operating systems by creating a desktop shortcut there. For example, I am using uptime.exe. I run it under Win98 and under WinXP via a desktop shortcut to C:\MiscUtil\uptime.exe. So if C:\MiscUtil\uptime.exe is infected, the infection will spread to other operating systems whenever I click on the shortcut to Uptime under that operating system. The original idea was to avoid duplicate copies of standalone programs, but this may actually be an unsafe practice in a multibooting environment. One of my interests in this topic is to explore "How to prevent cross-operating system infections in a multibooting environment". A virus which could encrypt modern HDDs, similar to ancient One-Half http://www.csie.ntu.edu.tw/~wcchen/asm98/asm/proj/b85506050/ORIGIN/ONEHAL~1.HTM , which I mentioned in the introduction to this topic, could be just as much of a nuisance as Tenga. BTW, it would be interesting to know whether ancient One-Half can infect modern 1TB HDDs. This is also what I suspect, that I must have double-clicked on an infected file.
But this is absolutely against my practices, to which I strictly adhere: I ALWAYS check downloads or stuff from my archive with Kaspersky before running it, and Kaspersky does detect Tenga. It is still a puzzle how I got this virus, under which operating system Tenga started and how it spread from one operating system to the next.
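Three of the observations in the posts above can be turned into a quick triage scan of a drive: the "search with Find for .exe files with a very recent modification date" approach, the DL.exe that was really a renamed HTML redirect page (it does not even start with the MZ signature every DOS/Windows executable carries), and the "51st byte modified to 56hex" seen in the infected files. The script below is an example added here for this page, not Multibooter's tool and not a vendor signature; the marker-byte check is only the poster's observation on his own samples, used as a heuristic, and the sample files it writes are constructed stand-ins (a 64-byte MZ header plus nothing), not real programs. The date window is the Feb-28 to Mar-3 (2010) range named in the thread.

```python
"""Triage .exe files for the signs reported in the thread: modification time
inside the infection window, a file that is not a PE at all (renamed text or
HTML, like DL.exe), and the marker byte the poster saw at his "51st byte".
Example code added for this page; samples below are constructed, not the
poster's files."""
import os
import tempfile
from datetime import datetime
from pathlib import Path

MARKER_OFFSET = 50    # 0-based index of the "51st byte"; it lies inside the DOS header's reserved words
MARKER_VALUE = 0x56   # value reported in the post; a heuristic, not a validated signature
DOS_HEADER_LEN = 64   # reading this much is enough for all three checks

# Infection window from the thread (local time): Feb-28 through Mar-3, 2010
WINDOW = (datetime(2010, 2, 28).timestamp(), datetime(2010, 3, 4).timestamp())


def classify_exe(head: bytes, mtime: float, window=WINDOW) -> list:
    """Return the findings for one file; an empty list means nothing suspicious."""
    findings = []
    if not head.startswith(b"MZ"):
        findings.append("not-a-pe")          # renamed text/HTML file, like DL.exe
    elif len(head) > MARKER_OFFSET and head[MARKER_OFFSET] == MARKER_VALUE:
        findings.append("marker-byte")
    if window[0] <= mtime <= window[1]:
        findings.append("recent-mtime")      # on its own this also catches legitimately new files
    return findings


def scan_tree(root, window=WINDOW) -> dict:
    """Walk `root` and return {relative_path: findings} for every flagged .exe."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".exe":
            continue
        with path.open("rb") as fh:
            head = fh.read(DOS_HEADER_LEN)
        findings = classify_exe(head, path.stat().st_mtime, window)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def _write(path: Path, data: bytes, when: datetime) -> None:
    """Write a sample file and back-date its modification time."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def build_samples(base) -> Path:
    """Constructed samples: minimal MZ headers, not runnable programs."""
    base = Path(base)
    clean = b"MZ" + bytes(DOS_HEADER_LEN - 2)
    marked = bytearray(clean)
    marked[MARKER_OFFSET] = MARKER_VALUE
    html = b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html>constructed</html>\n'
    _write(base / "MiscUtil" / "uptime.exe", clean, datetime(2009, 6, 1))          # old and clean
    _write(base / "Downloads" / "newtool.exe", clean, datetime(2010, 3, 1, 12))     # new but clean
    _write(base / "eMule" / "emule.exe", bytes(marked), datetime(2010, 2, 28, 21, 5))
    _write(base / "DL.exe", html, datetime(2010, 3, 1, 9, 18))
    return base


def run_demo() -> dict:
    """Build the samples in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_samples(tmp))


if __name__ == "__main__":
    for rel, findings in sorted(run_demo().items()):
        print(f"{', '.join(findings):25} {rel}")
```

A file that shows only "recent-mtime" may simply be a fresh download, which is why the scan reports the combination of findings rather than a single yes/no; the post about Kaspersky resetting modification dates on skipped files is a reminder that the mtime check must be run before any scanner touches the drive.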
  24. What's happening? http://www.xosl.org/ "Domain for sale" System Commander has already died, RIP.
  25. I have been thinking about hidden partitions ever since you described your setup several months ago. Hiding all operating systems from one another may be useful in preventing virus infections from spreading to other operating systems, as I have just recently experienced. Luckily I was able to recreate the whole HDD quickly, so the infection across operating systems was not a major problem. The major pain of the infection was the infected 1TB USB HDD, which probably would have happened even if my operating systems had been hidden from one another. So I still prefer operating systems which can see each other's partitions. @LoneCrusader: How easy was it to convert from System Commander to BootIT NG? Do you use BootIT NG on your main system?