Everything posted by Multibooter

  1. In my infected files the 51st, not the 50th, byte is modified to 56hex. 10 other bytes near the beginning are also modified, e.g. bytes 265-267, but with varying values. Since the URL in DL.exe which I have ("hxxp://utenti.multimania.it/vx9/dl.exe") also differs from the URL stated on all anti-virus sites, I assume that I've got an updated version of Tenga.
Tenga-infected .exe files are severely compromised. A good file, for example, install_flash_player_9.exe, was reduced from 1.502.808 bytes to just 68.808 bytes. I have a 4.4 GB DVD full of good installation sources (recovered and from clean backup), and on the infected USB HDD still their Tenga-infected counterparts, exactly 527 good exes and 527 infected ones. I don't know why Avira rates the damage potential of Tenga as "medium"; Tenga is a real vicious one, once infected you can wipe your HDD. Avira also states that Tenga does not occur in the wild, which I would doubt. The old stuff I have been fiddling around with was pre-2002, so no chance that it contained Tenga, which came out in 2005. http://www.avira.com/en/threats/section/fulldetails/id_vir/2661/w32_stanit.html
Here is another observation: In posting #16 I wrote that just before I noticed the infection I had trouble booting into WinXP. This may be related to what is mentioned by Panda: "It [Tenga] disables Windows File Protection, in order to be able to infect files belonging to the operating system. It does this by using an undocumented API function and injecting itself in the process winlogon.exe." http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A
  2. Doesn't seem to be for Win98.
An interesting question may be: How does Tenga identify the next file to be infected? Panda states: "It creates another thread to search for executable files to infect. It looks in all the system drives, excepting A:, which is usually the floppy drive." http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A
Tenga in any case also found the removable USB HDD and did its work there. The infection of the USB HDD took place most likely under WinXP, not under Win98, since I do file copying etc. with the external 1TB USB HDD usually under WinXP, not under Win98. So most likely the infection had the following chronology: infection of Win98 -> infection of WinXP -> infection of USB HDD attached under WinXP.
It would be interesting to know whether Tenga could have infected an attached USB HDD directly under Win98. Also, whether the infection of the USB HDD would have occurred under Win98 with a manufacturer-provided USB 2.0 driver (I am using nusb 3.3 under Win98).
P.S.: Here is another story of somebody's Vista 64-bit getting hit by Tenga: http://www.bleepingcomputer.com/forums/topic172167.html This person wound up with 3871 infected .exe files.
  3. Hi dencorso,
Once I knew that I had a Tenga infection, it was very easy to identify the thousands of infected .exe files, just by searching with Find for all .exe files with a very recent modification date, e.g. between Feb-28 and Mar-3. Unfortunately when Kaspersky finds a Tenga-infected file, Kaspersky sets the modification date of the infected file to the current date, even if I select to "Skip" the infected file. Any .exe file on the USB HDD with a modification date of Feb-28 and later is most likely Tenga-infected. The difficulty with Tenga is not that it is hard to find, but that it can infect so many .exe files so fast.
If a responsible member of this forum wants to analyze Tenga in a controlled environment, send me a PM. This virus with its 3,666 bytes does look interesting. I've been wading in dark waters for a long time, and this was the first time I got hit since Jan-2004, when I got Trojan.Win32.Spooner.c (sp.exe).
  4. My estimate somewhere above was that Tenga infects about 1.700 .exe files per minute. Panda writes: "Due to that technique, Tenga.A achieves a large number of infections in a very small time without users noticing". http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A
I had noticed the infection by the unusual blinking of the disk activity light. If I remember right I even pulled the plug of the computer to stop this unusual disk activity, instead of shutting down. This also shows the advantage of a laptop over a desktop: a desktop is usually under the desk and one doesn't look at the disk activity light very often, while with a laptop the disk activity light is perfectly visible. This blinking disk activity light may have contributed to Tenga not being able to complete its destructive path on my 1TB USB HDD. A less sophisticated user, with no good backup and with no 2nd computer, probably might just as well have thrown his infected computer against the wall. Tenga is really a mean little thing; eventually I will re-use the infected internal HDD, but only after a complete wipe. Also, as I noted somewhere above, huge .exe files don't seem to get infected by Tenga.
  5. Here is Panda's opinion:
"Affected platforms: Windows XP/2000/NT/ME/98/95 [NOTE: WinME is specifically included here!] First detected on: July 14, 2005"
"Tenga.A shows a very complex infection routine, which it uses in order to infect all the executable files on the computer, excepting NTOSKRNL.EXE. It is even capable of infecting files belonging to the operating system, as it disables the characteristic known as Windows File Protection. Tenga.A spreads by attacking IP addresses, in which it tries to exploit the vulnerability RPC DCOM. Additionally, as Tenga.A infects files, it could also reach computers when the infected files are distributed through any of the typical means of transmission, which include, among others, floppy disks, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer file sharing programs (P2P), etc." http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=82383&sind=0&sitepanda=particulares
Tenga.a seems indeed an interesting little program, but I haven't found info yet on how exactly it picks the files to be infected. Panda is wrong here because Tenga did not infect all the .exe files on my computer, only some of them.
P.S.: excellent info here on how Tenga infects files (the best I found so far): http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A Also, Panda updated their info page about Tenga.a yesterday, so this virus seems to be still of current interest.
  6. Note by dencorso: The contents of this post have been lost. The two snippets of text below are all we have left at the moment, from its original content.
[...] I am using Firefox v2.0.0.20 and Opera v9.64... If you turn off Java + JavaScript, msfn.org comes up really fast, without ads, though I am not sure whether you can post when they are off. [...]
[...] Are there any files created by Windows which contain lists of recently accessed files? It might be useful to delete such files, for preventing the spread of potential infections with other malware. I would doubt that Tenga can search the registry or index.dat. [...]
  7. Huh, what a typo, I surely didn't want to allude to Mao's "the imperialists and their running dogs" http://www.marxists.org/reference/archive/mao/works/red-book/ch05.htm
I just came by chance across this news from the BBC: "Google provided US intelligence agencies with a record of its search engine results, the state-run news agency Xinhua said." http://news.bbc.co.uk/2/hi/business/8581393.stm
"On Sunday, state media in China attacked Google for what they described as the company's "intricate ties" with the US government." http://news.bbc.co.uk/2/hi/asia-pacific/8582233.stm
  8. I had an ATI TV Wonder Pro Tuner (Philips 1236 MK3) running so-so on my Win98 dual-core desktop, but discarded it; the Sabrent Philips 713x PCI TV Tuner Card was better. I only tested the ATI TV Wonder card for a short time, it came with a desktop I had bought at ebay. The Sabrent card I liked and used in the US, connected to a cable TV outlet, for maybe 6 months. I have since then set up my Win98 dual core desktop again and have not gotten around to re-installing the Sabrent card, I don't watch much TV.
Getting the Sabrent card to work properly was tricky. The Win98 software on the CD didn't work properly under Win98; the honestech TVR 2.5 video software, obtained elsewhere, worked eventually OK under Win98. I had to fiddle around for some time with the remote control driver and the FM tuner. If I remember right the Sabrent TV card had to be connected with a cable to the BFG 7800 GS OC video card and a whole bunch of Win98 drivers had to be installed. It was a time-consuming project. honestech TVR v2.5, for example, worked under Win98 with the ATI TV Wonder card also, but when recording TV, no sound was recorded with the ATI card. Basically you have to have the Win98 drivers for the TV card, the remote control and the TV tuner plus Win98 video display and recording software which works with these drivers and the hardware, a lot of fiddling. I originally got the Sabrent card to convert video tapes PAL <==> NTSC, but never got around to doing it.
  9. Definitely, nothing is gained by keeping Norton Antivirus. But Symantec stuff in general is hard to get rid of, the uninstall usually leaves a lot of trash.
Make sure to uninstall Norton Antivirus before installing another anti-virus package; having 2 different anti-virus programs on the system is asking for trouble.
  10. This is exactly my view too. On rare exceptions I do use the internet under WinXP, like for downloading with eMule a file >4GB.
My young son, however, only wants to use WinXP:
  • he needs wireless access to the shared printer on the home network, so the home network is mixed Win98/WinXP
  • he wants to access the Internet with his Nintendo DS, which works only with WEP, so I am not using WPA
  • he needs to connect his Asus school-netbook to the home network, so the network has to be set for file sharing
  • his Asus netbook has locked up with virus infections already twice
  • his friends come over and hook up their infected notebooks to the router
Life consists of compromises, it's hard to avoid WinXP and other risks in life. I am quite sure that eventually malware which infects hidden partitions will become common, given the increased use of hidden partitions. Does such malware exist already?
  11. http://www.mondoraro.org/2010/03/03/google-irani-il-motore-di-ricerca-targato-regime/
Maybe the Iranian and Chinese governments are not only for censorship, but also want to stop Poodle's data gathering. Paranoid concerns with national sovereignty, seeing data-gathering arms of the NFA everywhere?
BTW, http://news.cnet.com/Security-firms-on-police-spyware is 404.
Although I don't think it's likely, I have also been considering whether the Tenga infection was a targeted installation. ISPs seem to be able to access connected computers with relative ease; I assume a connected computer is just a client in the ISP's network. I am not sure how much Win98 protects against a snooping ISP.
  12. I beg to disagree. My feeling is that by updating with new patches I mainly update spyware and spyware-vulnerabilities to the newest state. My feeling is that not just a search engine, but many big corporations cooperate with the NSA. I view infections with NSA-induced spyware as dangerous, and infections with a virus like Tenga as an entertaining nuisance. I am just choosing between the lesser of two evils, and am fully aware of the risks, which I try to reduce by very intensive backups, by using ex-Soviet malware detectors, by having the WLAN-card removed when using WinXP, by using WinXP as little as possible and by installing a minimum of closed-source US-software created after 11-Sept-2001. The router had always NAT on. Tiny Personal Firewall v2.0.14 is always on under Win98 and WinXP and did not report any calling out.
I have checked the still-infected 1TB USB HDD. Tenga.a seems to be a very efficient little program: Tenga infected on one partition of the USB HDD 5329 .exe files on Feb-28 between 9:04 PM and 9:07 PM, i.e. about 1700 files per minute, with my old 700MHz laptop.
On the infected internal HDD, now disinfected, I have found on C:\ a file DL.exe with the modification date of Mar-1 9:18AM. It was not an exe file, just a renamed ASCII file with the following content:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://utenti.multimania.it/vx9/dl.exe">here</a>.</p>
</body></html>
The URL in my DL.exe differs from the URLs listed in http://quickheal.co.in/alerts/archives/alerts-tenga-a.asp:
[http://]utenti.lycos.it/[REMOVED]/dl.exe
[http://]utenti.lycos.it/[REMOVED]/CBACK.EXE
[http://]utenti.lycos.it/[REMOVED]/GAELICUM.EXE
When I tried to manually download dl.exe from multimania.it, I got a 404; multimania.it had the page title "Lycos Tripod". I did not find cback.exe or gaelicum.exe on the formerly infected HDD.
Maybe Tenga was unable to execute all its work on my laptop. Here is another observation: Just around the time the USB HDD was infected, I was in Win98 and then tried to boot into WinXP, but somehow couldn't, or WinXP didn't come up properly, I don't remember anymore. In any case, I modified boot.ini, and after the 2nd or 3rd attempt WinXP came up OK again, no idea why. During my attempts to boot into WinXP I most likely had the infected USB HDD connected (but the old BIOS of my laptop does not see USB devices connected at boot time). Most likely Tenga had started under Win98 and had then infected, under Win98, some critical system files on the FAT32 WinXP partition, so that WinXP had trouble starting up.
On my laptop the various operating systems have common access to standalone programs, i.e. there is a single instance of standalone programs, which are accessed under the various operating systems by creating a desktop shortcut there. For example, I am using uptime.exe. I run it under Win98 and under WinXP via a desktop shortcut to C:\MiscUtil\uptime.exe. So if C:\MiscUtil\uptime.exe is infected, the infection will spread to other operating systems whenever I click on the shortcut to Uptime under that operating system. The original idea was to avoid duplicate copies of standalone programs, but this may actually be an unsafe practice in a multibooting environment. One of my interests in this topic is to explore "How to prevent cross-operating system infections in a multibooting environment".
A virus which could encrypt modern HDDs, similar to ancient One-Half http://www.csie.ntu.edu.tw/~wcchen/asm98/asm/proj/b85506050/ORIGIN/ONEHAL~1.HTM , which I mentioned in the introduction to this topic, could be just as much of a nuisance as Tenga. BTW, it would be interesting to know whether ancient One-Half can infect modern 1TB HDDs.
This is also what I suspect, that I must have double-clicked on an infected file. But this is absolutely against my practices, to which I strictly adhere: I ALWAYS check downloads or stuff from my archive with Kaspersky before running it, and Kaspersky does detect Tenga. It is still a puzzle how I got this virus, under which operating system Tenga started and how it spread from one operating system to the next.
  13. What's happening? http://www.xosl.org/ says "Domain for sale". System Commander has already died, RIP.
  14. I have been thinking about hidden partitions ever since you described your setup several months ago.
Hiding all operating systems from one another may be useful in preventing virus infections from spreading to other operating systems, as I have just recently experienced. Luckily I was able to recreate the whole HDD quickly, so the infection across operating systems was not a major problem. The major pain of the infection was the infected 1TB USB HDD, which probably would have happened even if my operating systems had been hidden from one another. So I still prefer operating systems which can see each other's partitions.
@LoneCrusader: How easy was it to convert from System Commander to BootIT NG? Do you use BootIT NG on your main system?
  15. I was lucky to have started with v3.05, when System Commander came without wizards. Afterwards I installed newer versions using my experience with the earlier version, without a wizard. Maybe the subject matter is too complicated to have a one-size-fits-all wizard. I considered their wizards to be marketing gimmicks.
The guys at V-COM were excessively concerned with protecting their intellectual property rights. Knowing that copy-protected stuff doesn't sell, they created a whole bunch of snares, in Spanish you would call it "trampas". The original floppy disk of old v3, for example, got written to/modified after entering the serial number during installation. The boot code of the computer where System Commander was installed originally was somehow stored on the system floppy; when trying to install/uninstall System Commander with a floppy already used on another computer, the boot code of computer 1 would be transferred to computer 2, with unpleasant consequences. Those guys knew a whole bunch of tricks; they were the authors of Sourcer, which 15 years ago was considered to be the best disassembler. Not using a sealed original floppy of System Commander could lead to surprises.
I still like System Commander. It took me, for example, just 2-3 hours to install Vista (uninstalled now, I didn't need it) on a 2nd HDD as another opsys selection, besides DOS, Win98SE, WinXP, keeping my FAT-16 boot partition on the 1st HDD.
  16. Win98 was not immune to infection. At Win98 startup 2 files infected with tenga were run via the Win98 registry. By infecting most .exe files, and thereby also by chance those which are run thru the Win98 registry at startup, Tenga was active every time Win98 was loaded. I assume the same happened under WinXP and Win2k.
Yes. It may also have come from my old software archive on CDs, DVD, HDDs on which I was working around that time. Maybe I had archived stuff years ago, at a time when Kaspersky didn't detect Tenga yet. Eventually I will find out. It may also have come out of some old infected email boxes, which I had tried to clean before archiving, around Feb-28, see my posting
My WinXP is SP2, without any patches added. WinXP was definitely not connected to the Internet, nor was the infected laptop connected to the WLAN router via cable. I am currently away from the US, where most of my computer tools and resources are located, so I always eject the USB 2.0 WLAN card before running WinXP (my old laptop has no built-in WLAN card), to make sure that there is no Internet or network connection under WinXP which could infect WinXP.
The Tenga infection cannot have occurred earlier under WinXP in the US, where the laptop does have internet access under WinXP, because the system backup I made just before leaving was clean.
  17. No, I only make occasional on-demand scans, I don't have a virus checker running all the time.
No, I had not booted into DOS around Feb-28. On Feb-28 I had moved downloaded files via WLAN under Win98 from the eMule laptop (it's a dedicated laptop running only eMule under Win98, WinXP is hardly ever used there) to the later infected laptop (Win98).
  18. I didn't know that, but multibooting is a very difficult subject matter. I have been using System Commander for the past 15 years, and System Commander has protected me from all these intricacies.
The choice of a boot manager is probably the least reversible computer decision. LoneCrusader probably will not change his working setup with System Commander; jaclaz will probably not change his boot manager, except for a newer version, maybe. It's also nearly impossible to try out boot manager Y if you have already a working setup with boot manager X. In 1997, when I had System Commander v3.05 installed, I dared to test-install another boot manager, I believe it was from Paragon, at that time still software from Russia. As a result, the laptop became completely corrupted. When I selected one operating system selection, it came up fine, but after rebooting, that previously selected operating system had disappeared from the OS selection menu. Every time I changed the operating system, the OS selection menu became smaller, one OS after the other was gone. I eventually did recover. This experience was no incentive to try out other boot managers.
  19. @dencorso, [off topic] I had built myself a similar device a year and a half ago, as an "eMule download station", using a multi-card reader cum hub + 3 SDHC cards. I had used it for about 6 months, then rejected it, because eMule took about 10 minutes to start up and 10 minutes to shut down with it; my download list had between 1000-1500 files, and my SDHC cards were just slow (fine during download, even at 200kB/s, but slow during startup and shut down of eMule). A 2nd HDD in the right-bay module of my laptop is much superior, also the regular internal HDD. [/off topic]
BTW, not that far away off topic, since files damaged by tenga on the USB HDD were on such a device. In the back of my mind I have been pondering whether tenga may have been planted recently onto eMule, to destroy extracted downloads. Some people may have been loading eMule with malware; about 90% of the downloads are now infected, especially shareware stuff, maybe intentionally as a misguided defensive measure.
  20. Vulnerable to old viruses like Tenga, but Win98 has probably a very low vulnerability to new malware.
I am still puzzled on how I got this Tenga infection. It's quite unlikely that such an old virus still exists in the wild. The last WildList I have seen which mentions Tenga.a is of March 2007 http://www.wildlist.org/WildList/200703.htm , with a stated date of Feb-2006. I have been fiddling around during the past year with my old software archives, stuff from many years ago. Maybe I got the infection from old stuff in my archives, maybe some Jurassic-Park-type self-inflicted pain. Maybe I was not aware of the danger lurking in old software archives. In any case this tenga infection shows that an old virus can still be a pain years later. I wonder whether Tenga runs under Vista/Win7. Because of its ability to infect USB HDDs and across operating systems it's still a very dangerous little program.
This will take a lot of time, and may be good on a system to which few new applications are added. My Win98 may eventually become such a system, but currently I am still installing a lot of new stuff under Win98.
I have budgeted about 5% of my time on the computer for virus-checking and virus-problems, so I view the Tenga infection just as an eventual use of previously budgeted time, and as an interesting intellectual exercise. The time lost getting the laptop back up again was not serious, in contrast to the time lost recovering data on the infected USB HDD. I am not yet sure how my experience with Tenga will change my precautionary measures against future malware infections; maybe I'll just have to make more frequent backups of new, not-yet-processed downloads stored on my USB HDDs.
  21. I just don't know under which operating system I got infected. I am switching quite frequently between operating systems, but 90% of the time I am using Win98, 10% WinXP. I can definitely exclude that I got the tenga virus via a network under WinXP since I am currently outside of the US and have changed IP settings, passwords, etc. only under Win98, not under WinXP; I have currently no network/internet access under WinXP. I have not installed any new software under WinXP since I made the last clean backup and in general don't test-install software under WinXP, only under a special test-Win98. So everything points in the direction of Win98 as the first infected operating system.
Also, a 2nd WinXP on an NTFS partition did not get infected at all, which is kind of a puzzle, maybe because I use this specific operating system selection only very rarely, or because the infection started under Win98 and tenga.a could not see the NTFS partition under Win98, or because I detected the infection early on, before the infected WinXP on the FAT32 partition could infect the not-yet infected WinXP on the NTFS partition. This tenga.a seems to be an interesting little program. If you want to investigate whether or how Tenga.a infects under Win98, send me a PM, I have enough copies.
I did have, and still have, Kaspersky AV v6 with a current signature on Win98. Tenga.a was specifically detected when I ran under Win98 an on-demand scan with Kaspersky of the whole computer (except for the WinXP on the NTFS partition, invisible under Win98).
Unfortunately I initially selected maybe the first 30 infected files to be deleted, instead of having them disinfected or skipping them, so the original culprit may have been deleted. After I got aware of the extent of the infection I selected disinfection, and after a while I just stopped. When I tried to reboot, none of my Win9x/Win2k/WinXP operating system selections worked anymore, too many critical .exe files had been deleted/disinfected, only the NTFS-based WinXP still worked. I still have the infected internal HDD, now completely disinfected by Kaspersky, and the still-infected external USB HDD (1TB), where I did not let Kaspersky delete or disinfect files. It is very easy to know, without Kaspersky, which files on the external USB HDD are infected, by just looking at the modification date: all .exe files with a modification date between Feb-28 and Mar-3 on the USB HDD are infected with tenga. There must be more than a thousand infected .exe files on the infected internal HDD and on the infected USB HDD, so it's quite time consuming to find out which .exe file got infected first. What also complicates matters is that when Kaspersky AV identifies an instance of tenga.a, it changes the modification date of the infected .exe to the current date, even if I selected "skip".
It was very easy to identify with Beyond Compare which .exe files were infected; they all had modification dates between Feb-28 and Mar-3 (Mar-3 was the last time I ran Kaspersky on the infected internal HDD and the external USB HDD, Feb-28 was probably the date of infection). In order to repair the infected installation sources on the USB HDD I first made a copy of them, then replaced on the copy the infected .exe files, as identified with their modification date, with the corresponding .exes from other backups/rars/isos. For about 90% of the infected installation sources I had on the USB HDD also an untainted .rar file containing the whole good installation source rared up as a 2nd instance, so recreating a good installation source from the rars was not a problem. About 10% of the infected installation sources, where I had no 2nd .rar instance, I had to download again from the Internet. This was relatively fast with FlashGet because I usually document the exact download URL (not just the html download page) of files downloaded. Maybe 10 installation sources, however, did not exist anymore under their original download URL, including software purchased from Digital River, and were lost for good, unless I can find backups when I am back in the US. BTW, I was very careful and did not get re-infected when I worked with the clean restored internal HDD on the attached infected USB HDD and on the infected internal HDD inserted into the right-bay HDD module of my laptop.
Since tenga.a is an old virus, I would assume that all AV packages detect it. When was Tenga detected for the first time? In 2003 or in 2005? I don't know. I usually only double-click on an unknown file after having checked it with Kaspersky, and only in a test-win98 which then gets wiped out + restored from a clean backup. I never use any MS patches, my gut feeling is that the cure is worse than the disease.
I remember having manually deleted a file dl.exe from \Win98\, possibly days before I noticed the tenga infection, because I hadn't seen it before in \Win98\. dl.exe is actually a part of tenga.a. Could it be that tenga.a contains a timer which starts to activate at the end of the month (Feb-28 = end of month), and that the actual infection occurred much earlier? The infected laptop was connected via a peer-to-peer Win98 wireless network to another identical laptop running eMule under Win98. The eMule laptop was not infected, so the infection could not have come from the WLAN network or the eMule computer. I am using the Tiny Personal Firewall v2.0.14 on both laptops, and Tiny did not inform of any calling out from the infected laptop.
I checked with Beyond Compare Hex Viewer; Tenga also makes minor changes in the initial part of the file. Kaspersky can disinfect a tenga-infected file, but the disinfected files always differed somewhere from the original uninfected files. Usually the infected files were about 3kb bigger, with stuff mainly added at the end. Some infected .exe files, however, were really damaged (e.g. reduced from 2MB to 30kb), a few infected files were even a little smaller than the original uninfected file.
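The triage described in post 3 and post 21, as an added example that is not Multibooter's own tooling or anything from the thread: list the .exe files whose modification date falls in the Feb-28 to Mar-3 window, then confirm each one against its counterpart from a clean backup by hash, because the AV scan re-dated files it merely looked at, so the date alone is not conclusive. The year 2010, the suspect/clean directory layout and the sample files (including the 51st byte set to 56hex and the roughly 3.6 KB appended, as observed in post 1 and post 21) are assumptions constructed here.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Suspected infection window from the posts (Feb-28 to Mar-3); the year is assumed.
WINDOW_START = datetime(2010, 2, 28, tzinfo=timezone.utc)
WINDOW_END = datetime(2010, 3, 3, 23, 59, 59, tzinfo=timezone.utc)


def sha256_of(path):
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_in_window(root, start=WINDOW_START, end=WINDOW_END):
    """Step 1 (post 3): .exe files whose modification time lies in the window."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            if start <= mtime <= end:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def first_diff_offsets(suspect, clean, limit=8):
    """0-based offsets where the files differ over their common length (the
    hex-viewer comparison from post 21); whole files are read, fine for a demo."""
    with open(suspect, "rb") as a, open(clean, "rb") as b:
        da, db = a.read(), b.read()
    n = min(len(da), len(db))
    return [i for i in range(n) if da[i] != db[i]][:limit]


def compare_with_clean(suspect_root, clean_root, rel_paths):
    """Step 2 (post 21): confirm each candidate against its clean counterpart.

    Returns {rel_path: (verdict, size_delta, diff_offsets)}. A candidate whose
    hash matches the clean copy was only re-dated (e.g. by the AV scan).
    """
    report = {}
    for rel in rel_paths:
        s = os.path.join(suspect_root, rel)
        c = os.path.join(clean_root, rel)
        if not os.path.exists(c):
            report[rel] = ("no-clean-copy", None, [])
            continue
        if sha256_of(s) == sha256_of(c):
            report[rel] = ("unchanged", 0, [])
            continue
        delta = os.path.getsize(s) - os.path.getsize(c)
        verdict = "truncated" if delta < 0 else "grown" if delta > 0 else "same-size"
        report[rel] = (verdict, delta, first_diff_offsets(s, c))
    return report


def build_demo():
    """Construct a tiny suspect/clean tree (sample data, not real files).

    a.exe: clean copy with the 51st byte set to 0x56 and 3,666 bytes appended
    b.exe: cut down to 200 bytes (a 'really damaged' installer)
    c.exe: identical content, only the date was touched
    d.exe: untouched, modification date outside the window
    """
    base = tempfile.mkdtemp(prefix="tenga-triage-")
    suspect, clean = os.path.join(base, "suspect"), os.path.join(base, "clean")
    os.makedirs(suspect)
    os.makedirs(clean)
    original = bytes(range(256)) * 4  # 1,024-byte stand-in for a clean .exe
    in_window = datetime(2010, 3, 1, 12, 0, tzinfo=timezone.utc).timestamp()
    outside = datetime(2010, 1, 15, 12, 0, tzinfo=timezone.utc).timestamp()
    infected_a = bytearray(original)
    infected_a[50] = 0x56
    infected_a += b"\x90" * 3666
    samples = {
        "a.exe": (bytes(infected_a), in_window),
        "b.exe": (original[:200], in_window),
        "c.exe": (original, in_window),
        "d.exe": (original, outside),
    }
    for name, (data, ts) in samples.items():
        for root, content, stamp in ((clean, original, outside), (suspect, data, ts)):
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(content)
            os.utime(path, (stamp, stamp))
    return suspect, clean


def triage(suspect_root, clean_root):
    """Run both steps; returns (candidates, verdicts)."""
    hits = find_in_window(suspect_root)
    return hits, compare_with_clean(suspect_root, clean_root, hits)


if __name__ == "__main__":
    s_root, c_root = build_demo()
    candidates, verdicts = triage(s_root, c_root)
    for rel in candidates:
        verdict, delta, offs = verdicts[rel]
        print(f"{rel}: {verdict} size_delta={delta} first_diffs={offs}")
```

On a real disk, point `triage` at the suspect partition and the clean backup tree; files reported as "unchanged" are the ones the AV merely re-dated and need no replacement.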
  22. If your computer doesn't boot, boot from a DOS 6 or DOS 7 floppy, then run Setup.exe in the Win9x folder. If your computer can boot without a boot floppy, it already contains an operating system.
  23. Getting all operating systems back to work as before took about 5 hours, from a 4-week-old backup. I am away from the US currently, so I will be able to know for sure whether I lost data on the 1 TB USB HDD when I am back in the US in June. I may have made a backup of the 192GB work partition there, before my trip, but I am not sure; I usually make backups before leaving/entering the US, there are horror stories about confiscated laptops etc.
Yes, a forensic .gho image would be excellent, but storing it onto a USB HDD might be good enough, viruses probably don't infect .gho image files on re-writable media. The tenga.a virus did not infect .iso, .rar, only executable 32-bit .exe files. I have a good .gho image of my desktop in the US, but unfortunately not of my old Inspiron laptop, which got infected, so restoring the internal HDD took quite some time. Creating a .gho image of the recovered laptop is on the top of my list now.
I have up-to-date Kaspersky AVP v6.0.2.621 under both Win98 and WinXP, but I only scan new downloads. The infection happened very quickly, maybe 5 hours before I noticed it and ran Kaspersky, so a daily scan might not have been timely enough. Also, it was a 5-year-old virus, so a current virus signature update was not needed to detect tenga.a. I just don't know how I got tenga.a, and I suspect that only a continuously running virus-scanner could have prevented the infection.
Kaspersky is actually able to disinfect tenga-infected files. Unfortunately, the disinfected files are not identical to the original files. Some .exe files are completely destroyed by tenga, e.g. reduced from 2MB to 30kB, so the disinfected file is of no use. Other disinfected .exe files/archives differ from the original .exe, but extract the identical files as the original .exe.
Yes. I had a 2nd identical Inspiron laptop with me, but only with a HDD which had older software on it, of about 2 years ago. I recovered the infected laptop with the help of this 2nd laptop: I partitioned a blank HDD in a USB enclosure connected to laptop #2, inserted the freshly partitioned HDD into laptop #1, installed DOS from a boot floppy, put the HDD back into the USB enclosure, extracted .rar partition backups (from the infected USB HDD, but the .rars were not infected!) onto the HDD, put the HDD back into laptop #1, and re-installed System Commander (from a CD burnt on laptop #2 from a .iso on the infected USB HDD!). Without the 2nd laptop, recovery of laptop #1 would have been much more difficult.
  24. If you installed WinXP to the G: FAT32 partition, you probably don't have to worry about your drive letters. Simply split the 105GB partition into e.g. an 80 GB FAT32 partition and a 25GB NTFS partition for huge data files. WinXP installed under FAT32 can handle huge files on the NTFS partition.

I prefer WinXP under FAT32. But I have a more complicated setup, with 2 instances of WinXP installed, one on a FAT32 partition, the other on an NTFS partition. By having 2 instances of WinXP, I can easily delete and restore the other WinXP by simply extracting a backup .rar file. BTW, I am using System Commander, like LoneCrusader, and am quite happy with it; jaclaz prefers another boot manager.

P.S.: I am not sure whether splitting the 105GB partition will work, because of the limitation of 4 primary partitions per HDD. I had assumed C: was primary and D-G were logical.
  25. About 3 weeks ago my laptop got the worst virus infection ever, with the tenga.a virus http://forum.kaspersky.com/lofiversion/index.php/t7172.html and http://www.f-secure.com/v-descs/tenga_a.shtml It was much worse than the infection I had 14 years ago with One-Half, which slowly but steadily encrypted cylinders of my HDD. The tenga.a infection has shattered my mistaken belief that Win98 is not vulnerable to infection anymore, in 2010. Tenga.a came out around 2005 http://www.viruslist.com/en/weblog/167434325/Classical_viruses_ITW_never_say_die

Tenga.a infects most .exe files it can find. It has infected all FAT32-based Win98/2k/XP operating systems on my multi-booting laptop. Only one operating system/partition, an NTFS-WinXP rarely accessed, was not infected. The most serious damage was the infection of one 192GB partition of an external 1TB USB HDD, which contained about 100GB of software downloads + installable programs, many not backed up because it was a work disk.

I became aware of the tenga.a infection maybe after 5 hours, when I noticed that the disk access light kept showing activity, even when I was doing nothing on the laptop. But then it was too late; the infection had spread across operating systems/partitions, also to the attached USB HDD. I still have no idea how I got the virus, with maybe a thousand .exe files infected. Maybe it was my bad habit of double-clicking even on suspicious files in a special test Windows, and then restoring a clean test Windows. Double-clicking on an infected file may have initiated the infection of a .exe on another partition, of another operating system, and started in this way an infection across operating systems.

Getting the laptop clean again was relatively easy: I had to restore all partitions/operating systems/directories from backup onto a clean virgin HDD. The major problem was to recover the infected installation sources on the USB HDD; some of them may have been lost for good.

Here are some lessons I learnt from this infection:
1) Virus infection is still a real danger under Windows 98.
2) The only defense against viruses like Tenga.a, if using only occasional on-demand scanning, is a very good backup and recovery procedure.
3) Don't rely on USB HDDs as a backup storage medium for software, because of their vulnerability to virus infections.
4) Backing up installation sources onto write-once media (CD-R, DVD-R) is still an absolute must.
5) Installation sources should always be backed up also into an additional .rar or .iso file, which are not as easily infected as .exe files.
6) It is very important to document the actual download locations of software, in case it has to be downloaded again.
7) About 10% of my time with the computer is spent creating, archiving and deleting backups. This is time well spent and has saved my neck already a couple of times.
8) A spare blank HDD, of the same size as the one in the computer, also comes in very handy if a complete HDD has to be restored from backup.
9) Maybe I should look again into UDF-formatted HDDs, as supplementary backup devices which can be set to read-only and are therefore not vulnerable to virus infection.
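Lessons 2, 4 and 5 above amount to: keep a known-clean copy of your installation sources and be able to tell, later, which .exe files have been touched. One cheap way to make that check concrete is a hash manifest: record size and SHA-256 of every file while the tree is known clean (e.g. right after burning it to write-once media), and compare the live copy against that record after a scare. The script below is an added example, not code from the original posts or from any of the products mentioned; the manifest file name `manifest.json`, the directory layout and all sample files in `demo()` are constructed for illustration. It reports files whose hash changed (with old and new size, so a 2 MB to 30 kB shrink stands out), files that vanished, and files that appeared and were never in the manifest.

```python
"""Hash-manifest integrity check for an installation-source tree.

Added example, not code from the original posts. Records SHA-256 and size
for every file under a directory while the tree is known clean, then reports
modified, missing and new files on a later run. demo() builds a constructed
sample tree in a temporary directory; no real installers are involved.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name, not taken from the original posts


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so multi-GB installers do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, suffixes=None) -> dict:
    """Map relative POSIX path -> {"size": bytes, "sha256": hex} for files under root.

    suffixes: optional set of lowercase extensions to restrict to, e.g. {".exe"}.
    The manifest file itself is always skipped."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name == MANIFEST_NAME:
            continue
        if suffixes and path.suffix.lower() not in suffixes:
            continue
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def save_manifest(root: Path, manifest: dict) -> Path:
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def load_manifest(root: Path) -> dict:
    return json.loads((root / MANIFEST_NAME).read_text())


def verify_manifest(root: Path, manifest: dict, suffixes=None) -> dict:
    """Compare the live tree with a stored manifest.

    Returns {"modified": {rel: (old_size, new_size)}, "missing": [...], "new": [...]}.
    Size is reported next to the hash mismatch so truncation by a file
    infector (e.g. 2 MB -> 30 kB) is visible without opening the file."""
    current = build_manifest(root, suffixes)
    modified, missing, new = {}, [], []
    for rel, old in manifest.items():
        cur = current.get(rel)
        if cur is None:
            missing.append(rel)
        elif cur["sha256"] != old["sha256"]:
            modified[rel] = (old["size"], cur["size"])
    for rel in current:
        if rel not in manifest:
            new.append(rel)
    return {"modified": modified, "missing": sorted(missing), "new": sorted(new)}


def demo() -> dict:
    """Constructed scenario: two .exe files and one .rar recorded clean; then one
    .exe is rewritten to a fraction of its size, one has a byte patched near the
    start, the .rar is left alone, and an unknown .exe appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup").mkdir()
        (root / "setup" / "install_a.exe").write_bytes(b"MZ" + b"\x00" * 2_000_000)
        (root / "setup" / "tool_b.exe").write_bytes(b"MZ" + bytes(range(256)) * 100)
        (root / "backup.rar").write_bytes(b"Rar!\x1a\x07\x00" + b"\xab" * 1000)

        save_manifest(root, build_manifest(root))  # the "known clean" snapshot

        # Simulated infector damage (constructed): truncate one executable ...
        (root / "setup" / "install_a.exe").write_bytes(b"MZ" + b"\x00" * 30_000)
        # ... patch a single byte early in another, same size, different hash ...
        p = root / "setup" / "tool_b.exe"
        data = bytearray(p.read_bytes())
        data[50] ^= 0xFF
        p.write_bytes(bytes(data))
        # ... and drop a file that was never in the manifest.
        (root / "setup" / "dropped.exe").write_bytes(b"MZ" + b"\x90" * 100)

        return verify_manifest(root, load_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest with the write-once copy (or off the machine entirely), not only on the re-writable disk it describes: a manifest that lives beside the files it protects can be rewritten by whatever rewrites the files. The check tells you which copies changed, not which copy is clean; the clean reference is the CD-R/DVD-R or the .rar/.iso archive, which is exactly why lessons 4 and 5 matter.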