Infection messages?
XP Pro SP3
During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.) If I reboot at the logon screen instead of logging on, they have all disappeared. CHKDSK on system disk shows a healthy disk. I have Kaspersky 9 and have run MBAM SAS Asquared etc., nothing found. What is causing these? (There's no anti-virus in my BIOS, BTW.)

--
Robin
(BrE)
Herts, England
Infection messages?
Robin
They could be orphaned start up items. Perhaps an infection only partly removed.

To identify what loads when you boot use Autoruns (freeware) from Microsoft.
http://www.microsoft.com/technet/sys.../Autoruns.mspx

With Autoruns you can uncheck an item, which disables it from starting, or you can right click an item and then delete it. If you uncheck you can recheck to re-enable the item. It is a much safer approach than editing the Registry and better than using msconfig. Another useful feature of the programme is that you can right click an item and select Search Online to get information about the item selected.

When booting an automatic virus scan can impact significantly on performance. The extent varies according to the anti-virus software, the availability of RAM and the CPU capacity.

Is your system error free? Have a look in the System and Application logs in Event Viewer for Errors and Warnings and post copies here. Don't post any more than 48 hours ago. You can access Event Viewer by selecting Start, Control Panel, Administrative Tools, and Event Viewer. When researching the meaning of the error, information regarding Event ID, Source and Description are important.

A tip for posting copies of Error Reports! Run Event Viewer and double click on the error you want to copy. In the window which appears is a button resembling two pages. Click the button and close Event Viewer. Now start your message (email) and do a paste into the body of the message. Make sure this is the first paste after exiting from Event Viewer.

--
Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

Robin Bignall wrote:
> XP Pro SP3
> During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.) If I reboot at the logon screen instead of logging on, they have all disappeared. CHKDSK on system disk shows a healthy disk. I have Kaspersky 9 and have run MBAM SAS Asquared etc., nothing found. What is causing these? (There's no anti-virus in my BIOS, BTW.)
Infection messages?
Robin Bignall wrote:
> XP Pro SP3
> During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.)

It is very important that you post back with the exact, complete message!

It's hard to tell at this moment, but it's possible you have a variation of what is described here:

http://www.bleepingcomputer.com/viru...irus-1-removal

Please post back with the complete message.
Infection messages?
Robin
What is the exact error message as per verbatim that shows up on the Blue screen? We need that for a proper answer.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Robin Bignall" wrote in message ...
> XP Pro SP3
> During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.) If I reboot at the logon screen instead of logging on, they have all disappeared. CHKDSK on system disk shows a healthy disk. I have Kaspersky 9 and have run MBAM SAS Asquared etc., nothing found. What is causing these? (There's no anti-virus in my BIOS, BTW.)
> --
> Robin
> (BrE)
> Herts, England
Infection messages?
On Sun, 22 Nov 2009 11:36:50 -0500, "Daave" wrote:
> Robin Bignall wrote:
> > XP Pro SP3
> > During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.)
> It is very important that you post back with the exact, complete message! It's hard to tell at this moment, but it's possible you have a variation of what is described here: http://www.bleepingcomputer.com/viru...irus-1-removal Please post back with the complete message.

Difficult. Pause/break stops the screen for a second and then it goes straight to the logon. I just rebooted and all those messages have vanished. None of the virus/malware programs finds anything. I'll post again if those messages reappear. There's nothing in the event log that looks suspicious.

--
Robin
(BrE)
Herts, England
Infection messages?
Robin Bignall wrote:
> On Sun, 22 Nov 2009 11:36:50 -0500, "Daave" wrote:
> > Robin Bignall wrote:
> > > XP Pro SP3
> > > During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.)
> > It is very important that you post back with the exact, complete message! It's hard to tell at this moment, but it's possible you have a variation of what is described here: http://www.bleepingcomputer.com/viru...irus-1-removal Please post back with the complete message.
> Difficult. Pause/break stops the screen for a second and then it goes straight to the logon. I just rebooted and all those messages have vanished. None of the virus/malware programs finds anything. I'll post again if those messages reappear. There's nothing in the event log that looks suspicious.

In the menu you get after hitting F8, do you see an option called "Disable automatic restart on system failure"? If so, choose it.

Another way to do this:

http://pcsupport.about.com/od/tipstr...utorestart.htm

This way, you will be able to write down these messages.
Infection messages?
On Sun, 22 Nov 2009 19:05:42 -0500, "Daave" wrote:
> Robin Bignall wrote:
> > On Sun, 22 Nov 2009 11:36:50 -0500, "Daave" wrote:
> > > Robin Bignall wrote:
> > > > XP Pro SP3
> > > > During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.)
> > > It is very important that you post back with the exact, complete message! It's hard to tell at this moment, but it's possible you have a variation of what is described here: http://www.bleepingcomputer.com/viru...irus-1-removal Please post back with the complete message.
> > Difficult. Pause/break stops the screen for a second and then it goes straight to the logon. I just rebooted and all those messages have vanished. None of the virus/malware programs finds anything. I'll post again if those messages reappear. There's nothing in the event log that looks suspicious.
> In the menu you get after hitting F8, do you see an option called "Disable automatic restart on system failure"? If so, choose it. Another way to do this: http://pcsupport.about.com/od/tipstr...utorestart.htm This way, you will be able to write down these messages.

The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.

--
Robin
(BrE)
Herts, England
Infection messages?
Robin Bignall wrote:
> On Sun, 22 Nov 2009 19:05:42 -0500, "Daave" wrote:
> > Robin Bignall wrote:
> > > On Sun, 22 Nov 2009 11:36:50 -0500, "Daave" wrote:
> > > > Robin Bignall wrote:
> > > > > XP Pro SP3
> > > > > During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.)
> > > > It is very important that you post back with the exact, complete message! It's hard to tell at this moment, but it's possible you have a variation of what is described here: http://www.bleepingcomputer.com/viru...irus-1-removal Please post back with the complete message.
> > > Difficult. Pause/break stops the screen for a second and then it goes straight to the logon. I just rebooted and all those messages have vanished. None of the virus/malware programs finds anything. I'll post again if those messages reappear. There's nothing in the event log that looks suspicious.
> > In the menu you get after hitting F8, do you see an option called "Disable automatic restart on system failure"? If so, choose it. Another way to do this: http://pcsupport.about.com/od/tipstr...utorestart.htm This way, you will be able to write down these messages.
> The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.

Googling the above didn't turn up many hits, which already points to malware. I did manage to find a very similar message (with "available" replacing "existent") here:

http://translate.google.com/translat...tent%26hl%3Den

Another possibly relevant hit:

http://forums.techguy.org/malware-re...lp-please.html

I'm 99.9999999999999% sure you have malware. :-(

This page should help:

http://www.elephantboycomputers.com/...moving_Malware

(also cross-posting to microsoft.public.security.virus )
Infection messages?
On Mon, 23 Nov 2009 18:40:34 -0500, "Daave" wrote:
> Robin Bignall wrote:
> > On Sun, 22 Nov 2009 19:05:42 -0500, "Daave" wrote:
> > > Robin Bignall wrote:
> > > > On Sun, 22 Nov 2009 11:36:50 -0500, "Daave" wrote:
> > > > > Robin Bignall wrote:
> > > > > > XP Pro SP3
> > > > > > During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.)
> > > > > It is very important that you post back with the exact, complete message! It's hard to tell at this moment, but it's possible you have a variation of what is described here: http://www.bleepingcomputer.com/viru...irus-1-removal Please post back with the complete message.
> > > > Difficult. Pause/break stops the screen for a second and then it goes straight to the logon. I just rebooted and all those messages have vanished. None of the virus/malware programs finds anything. I'll post again if those messages reappear. There's nothing in the event log that looks suspicious.
> > > In the menu you get after hitting F8, do you see an option called "Disable automatic restart on system failure"? If so, choose it. Another way to do this: http://pcsupport.about.com/od/tipstr...utorestart.htm This way, you will be able to write down these messages.
> > The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.
> Googling the above didn't turn up many hits, which already points to malware. I did manage to find a very similar message (with "available" replacing "existent") here: http://translate.google.com/translat...tent%26hl%3Den Another possibly relevant hit: http://forums.techguy.org/malware-re...lp-please.html I'm 99.9999999999999% sure you have malware. :-( This page should help: http://www.elephantboycomputers.com/...moving_Malware (also cross-posting to microsoft.public.security.virus )

Thanks for your help. I spent lots of time last night doing full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing found. Am now starting MBAM... Will look at your links after breakfast.

--
Robin
(BrE)
Herts, England
Infection messages?
Robin Bignall wrote:
> On Mon, 23 Nov 2009 18:40:34 -0500, "Daave" wrote:
> > Robin Bignall wrote:
> > > The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.
> > Googling the above didn't turn up many hits, which already points to malware. I did manage to find a very similar message (with "available" replacing "existent") here: http://translate.google.com/translat...tent%26hl%3Den Another possibly relevant hit: http://forums.techguy.org/malware-re...lp-please.html I'm 99.9999999999999% sure you have malware. :-( This page should help: http://www.elephantboycomputers.com/...moving_Malware (also cross-posting to microsoft.public.security.virus )
> Thanks for your help. I spent lots of time last night doing full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing found. Am now starting MBAM... Will look at your links after breakfast.

Sounds like you're on the right track. MBAM is quite good.

Sometimes, one needs to boot off a rescue CD. Check out these links for more info:

http://www.free-av.com/en/tools/12/a...ue_system.html

http://www.techmixer.com/free-bootab...download-list/

(This way, the OS is entirely bypassed. Another method is to physically remove your hard drive and slave it to another PC and use the uncompromised PC to perform the scan.)
Infection messages?
On Tue, 24 Nov 2009 08:53:29 -0500, "Daave" wrote:
> Robin Bignall wrote:
> > On Mon, 23 Nov 2009 18:40:34 -0500, "Daave" wrote:
> > > Robin Bignall wrote:
> > > > The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.
> > > Googling the above didn't turn up many hits, which already points to malware. I did manage to find a very similar message (with "available" replacing "existent") here: http://translate.google.com/translat...tent%26hl%3Den Another possibly relevant hit: http://forums.techguy.org/malware-re...lp-please.html I'm 99.9999999999999% sure you have malware. :-( This page should help: http://www.elephantboycomputers.com/...moving_Malware (also cross-posting to microsoft.public.security.virus )
> > Thanks for your help. I spent lots of time last night doing full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing found. Am now starting MBAM... Will look at your links after breakfast.
> Sounds like you're on the right track. MBAM is quite good. Sometimes, one needs to boot off a rescue CD. Check out these links for more info: http://www.free-av.com/en/tools/12/a...ue_system.html http://www.techmixer.com/free-bootab...download-list/ (This way, the OS is entirely bypassed. Another method is to physically remove your hard drive and slave it to another PC and use the uncompromised PC to perform the scan.)

MBAM was clean. I'm now going to run everything in safe mode to check.

--
Robin
(BrE)
Herts, England
Infection messages?
Robin Bignall wrote:
> On Sun, 22 Nov 2009 19:05:42 -0500, "Daave" wrote:
> > Robin Bignall wrote:
> > > On Sun, 22 Nov 2009 11:36:50 -0500, "Daave" wrote:
> > > > Robin Bignall wrote:
> > > > > XP Pro SP3
> > > > > During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.)
> > > > It is very important that you post back with the exact, complete message! It's hard to tell at this moment, but it's possible you have a variation of what is described here: http://www.bleepingcomputer.com/viru...irus-1-removal Please post back with the complete message.
> > > Difficult. Pause/break stops the screen for a second and then it goes straight to the logon. I just rebooted and all those messages have vanished. None of the virus/malware programs finds anything. I'll post again if those messages reappear. There's nothing in the event log that looks suspicious.
> > In the menu you get after hitting F8, do you see an option called "Disable automatic restart on system failure"? If so, choose it. Another way to do this: http://pcsupport.about.com/od/tipstr...utorestart.htm This way, you will be able to write down these messages.
> The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.

Try posting this in: alt.privacy.spyware

There are some very sharp people in there who could probably help you quickly. Just include the exact message, your OS and what you already tried and the whole story.

Buffalo
Infection messages?
On Tue, 24 Nov 2009 14:42:04 +0000, Robin Bignall wrote:

> On Tue, 24 Nov 2009 08:53:29 -0500, "Daave" wrote:
> > Robin Bignall wrote:
> > > On Mon, 23 Nov 2009 18:40:34 -0500, "Daave" wrote:
> > > > Robin Bignall wrote:
> > > > > The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.
> > > > Googling the above didn't turn up many hits, which already points to malware. I did manage to find a very similar message (with "available" replacing "existent") here: http://translate.google.com/translat...tent%26hl%3Den Another possibly relevant hit: http://forums.techguy.org/malware-re...lp-please.html I'm 99.9999999999999% sure you have malware. :-( This page should help: http://www.elephantboycomputers.com/...moving_Malware (also cross-posting to microsoft.public.security.virus )
> > > Thanks for your help. I spent lots of time last night doing full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing found. Am now starting MBAM... Will look at your links after breakfast.
> > Sounds like you're on the right track. MBAM is quite good. Sometimes, one needs to boot off a rescue CD. Check out these links for more info: http://www.free-av.com/en/tools/12/a...ue_system.html http://www.techmixer.com/free-bootab...download-list/ (This way, the OS is entirely bypassed. Another method is to physically remove your hard drive and slave it to another PC and use the uncompromised PC to perform the scan.)
> MBAM was clean. I'm now going to run everything in safe mode to check.

Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing reported. On reboot all "infection" messages had vanished. Weird, huh?

--
Robin
(BrE)
Herts, England
Infection messages?
On Tue, 24 Nov 2009 08:42:03 -0700, "Buffalo" wrote:

> Robin Bignall wrote:
> > On Sun, 22 Nov 2009 19:05:42 -0500, "Daave" wrote:
> > > Robin Bignall wrote:
> > > > On Sun, 22 Nov 2009 11:36:50 -0500, "Daave" wrote:
> > > > > Robin Bignall wrote:
> > > > > > XP Pro SP3
> > > > > > During the past few weeks, immediately after the initial Windows screen with the blue bar running left right, and before the logon screen, I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed. (Pause is inoperative and the normal logon screen appears immediately after.)
> > > > > It is very important that you post back with the exact, complete message! It's hard to tell at this moment, but it's possible you have a variation of what is described here: http://www.bleepingcomputer.com/viru...irus-1-removal Please post back with the complete message.
> > > > Difficult. Pause/break stops the screen for a second and then it goes straight to the logon. I just rebooted and all those messages have vanished. None of the virus/malware programs finds anything. I'll post again if those messages reappear. There's nothing in the event log that looks suspicious.
> > > In the menu you get after hitting F8, do you see an option called "Disable automatic restart on system failure"? If so, choose it. Another way to do this: http://pcsupport.about.com/od/tipstr...utorestart.htm This way, you will be able to write down these messages.
> > The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.
> Try posting this in: alt.privacy.spyware There are some very sharp people in there who could probably help you quickly. Just include the exact message, your OS and what you already tried and the whole story. Buffalo

I'll give that a try later.

--
Robin
(BrE)
Herts, England
Infection messages?
Robin Bignall wrote:
> On Tue, 24 Nov 2009 14:42:04 +0000, Robin Bignall wrote:
> > On Tue, 24 Nov 2009 08:53:29 -0500, "Daave" wrote:
> > > Robin Bignall wrote:
> > > > On Mon, 23 Nov 2009 18:40:34 -0500, "Daave" wrote:
> > > > > Robin Bignall wrote:
> > > > > > The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.
> > > > > Googling the above didn't turn up many hits, which already points to malware. I did manage to find a very similar message (with "available" replacing "existent") here: http://translate.google.com/translat...tent%26hl%3Den Another possibly relevant hit: http://forums.techguy.org/malware-re...lp-please.html I'm 99.9999999999999% sure you have malware. :-( This page should help: http://www.elephantboycomputers.com/...moving_Malware (also cross-posting to microsoft.public.security.virus )
> > > > Thanks for your help. I spent lots of time last night doing full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing found. Am now starting MBAM... Will look at your links after breakfast.
> > > Sounds like you're on the right track. MBAM is quite good. Sometimes, one needs to boot off a rescue CD. Check out these links for more info: http://www.free-av.com/en/tools/12/a...ue_system.html http://www.techmixer.com/free-bootab...download-list/ (This way, the OS is entirely bypassed. Another method is to physically remove your hard drive and slave it to another PC and use the uncompromised PC to perform the scan.)
> > MBAM was clean. I'm now going to run everything in safe mode to check.
> Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing reported. On reboot all "infection" messages had vanished. Weird, huh?

Yes. I still smell something rotten. I would still boot off a rescue CD and scan or use another PC to scan.

An alternative to removing the drive and slaving it is to use a device like this one:

http://www.newegg.com/Product/Produc...82E16812161002
Infection messages?
Daave wrote:
> Robin Bignall wrote:
> > On Tue, 24 Nov 2009 14:42:04 +0000, Robin Bignall wrote:
> > > On Tue, 24 Nov 2009 08:53:29 -0500, "Daave" wrote:
> > > > Robin Bignall wrote:
> > > > > On Mon, 23 Nov 2009 18:40:34 -0500, "Daave" wrote:
> > > > > > Robin Bignall wrote:
> > > > > > > The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.
> > > > > > Googling the above didn't turn up many hits, which already points to malware. I did manage to find a very similar message (with "available" replacing "existent") here: http://translate.google.com/translat...tent%26hl%3Den Another possibly relevant hit: http://forums.techguy.org/malware-re...lp-please.html I'm 99.9999999999999% sure you have malware. :-( This page should help: http://www.elephantboycomputers.com/...moving_Malware (also cross-posting to microsoft.public.security.virus )
> > > > > Thanks for your help. I spent lots of time last night doing full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing found. Am now starting MBAM... Will look at your links after breakfast.
> > > > Sounds like you're on the right track. MBAM is quite good. Sometimes, one needs to boot off a rescue CD. Check out these links for more info: http://www.free-av.com/en/tools/12/a...ue_system.html http://www.techmixer.com/free-bootab...download-list/ (This way, the OS is entirely bypassed. Another method is to physically remove your hard drive and slave it to another PC and use the uncompromised PC to perform the scan.)
> > > MBAM was clean. I'm now going to run everything in safe mode to check.
> > Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing reported. On reboot all "infection" messages had vanished. Weird, huh?
> Yes. I still smell something rotten. I would still boot off a rescue CD and scan or use another PC to scan. An alternative to removing the drive and slaving it is to use a device like this one: http://www.newegg.com/Product/Produc...82E16812161002

Also, HijackThis might be necessary...
Infection messages?
From: "Daave"
| Also, HijackThis might be necessary...

I have read the original thread (when it first started) and the subsequent parts x-posted to m.p.s.v and this is curious indeed. However I don't think HJT will help.

The way to fully understand this is to go back to the beginning. And to fully express the EXACT (to the best as one can) messages and relay the exact moment(s) the messages are displayed.

To date what I have seen is...
"I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed."

From the description, it is happening PRIOR to the Winlogon Process during OS initialization. The question then becomes what is generating it?

The message "Infection: docs and settings my name cookies/index.dat..." could be indicative of a legitimate program (antimalware) that is installed that is processing a deletion request that is intended to occur PRIOR to the GUI being loaded and where most file handles would be in use.

Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Infection messages?
"David H. Lipman" wrote in message
...
> Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem.

To check if antimalware/tool running pre-desktop look into control panel taskmanager and enable view hidden tasks, then also download autoruns and check the 'run' section.

Programs recently installed may still have their residue/setup in documents and settings (logon profile) so look for /temp folder (may be more than one location).

Also look at restore points (usually a new restore point setup prior to installing a program).

In control panel system uncheck the auto restart option that will leave any shutdown message sit on the screen instead of just blinking over it and rebooting.

Download and install PUI (program uninstall utility) that will show programs installed in Windows..even the kb and 'uninstallable' type entries from registry.
http://www.softpedia.com/progDownload/PUI-Download-24439.html

Just some tips, FYI.

--
'Seek and ye shall find'
NT Canuck
Infection messages?
David H. Lipman wrote:
> From: "Daave"
> | Also, HijackThis might be necessary...
> I have read the original thread (when it first started) and the subsequent parts x-posted to m.p.s.v and this is curious indeed. However I don't think HJT will help. The way to fully understand this is to go back to the beginning. And to fully express the EXACT (to the best as one can) messages and relay the exact moment(s) the messages are displayed. To date what I have seen is... "I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed." From the description, it is happening PRIOR to the Winlogon Process during OS initialization. The question then becomes what is generating it? The message "Infection: docs and settings my name cookies/index.dat..." could be indicative of a legitimate program (antimalware) that is installed that is processing a deletion request that is intended to occur PRIOR to the GUI being loaded and where most file handles would be in use.

That is a good point. It could be anything. Unfortunately, I don't speak French and the best I could come up with is this Google translation:

http://translate.google.com/translat...2522%26hl%3Den

The screen shot:

http://dl.toofiles.com/uc4yon/images...7yj-ziucmm.jpg

I don't have Vista, so I don't know what a BSOD looks like in it, but an XP BSOD would be *all blue* and not what this French poster submitted.

> Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem.
Infection messages?
"Daave" wrote in message
...
> > Could be indicative of a legitimate program (antimalware) that is installed that is processing a deletion request that is intended to occur PRIOR to the GUI being loaded and where most file handles would be in use.
> That is a good point. It could be anything. Unfortunately, I don't speak French and the best I could come up with is this Google translation:

I'd suspect something along the lines of Internet track/trace evidence removal program (adaware or similar), since the index.dat in that location is a system file (locked/used by Explorer/IE/OutlookExpress and a few others like the A/V in use etc.) that it has to be (if done) deleted/moved during boot up before the OS logon and this is likely the screen shown...boot phase, logging the boot sequence (like shown on display during safe mode start up) would help.

snip

> The screen shot: http://dl.toofiles.com/uc4yon/images...7yj-ziucmm.jpg I don't have Vista, so I don't know what a BSOD looks like in it, but an XP BSOD would be *all blue* and not what this French poster submitted.

My comments earlier, typically it's not a bad file...very seldom a threat.

hth

--
'Seek and ye shall find'
NT Canuck
Infection messages?
On Tue, 24 Nov 2009 17:51:02 -0500, "David H. Lipman" wrote:

> From: "Daave"
> | Also, HijackThis might be necessary...
> I have read the original thread (when it first started) and the subsequent parts x-posted to m.p.s.v and this is curious indeed. However I don't think HJT will help. The way to fully understand this is to go back to the beginning. And to fully express the EXACT (to the best as one can) messages and relay the exact moment(s) the messages are displayed. To date what I have seen is... "I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed." From the description, it is happening PRIOR to the Winlogon Process during OS initialization. The question then becomes what is generating it? The message "Infection: docs and settings my name cookies/index.dat..." could be indicative of a legitimate program (antimalware) that is installed that is processing a deletion request that is intended to occur PRIOR to the GUI being loaded and where most file handles would be in use. Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem.

The precise message is:

INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

Needless to say, the file does exist. As previously stated I have Kaspersky 9, A-squared pro and SAS pro running in real time with frequent full scans. I also run MBAM weekly and Panda Activescan 2 monthly.

--
Robin
(BrE)
Herts, England
Infection messages?
On Tue, 24 Nov 2009 17:25:31 -0600, "NT Canuck"
wrote: "David H. Lipman" wrote in message ... Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem. To check if antimalware/tool running pre-desktop look into control panel taskmanager and enable view hidden tasks, then also download autoruns and check the 'run' section. A-squared contains "Hijackfree" that has an autoruns section plus a lot of other stuff. I can't see anything running that shouldn't be there. Programs recently installed may still have their residue/setup in documents and settings (logon profile) so look for /temp folder (may be more than one location). Nothing recently installed or uninstalled, except updates to Windows and running software. Also look at restore points (usually a new restore point setup prior to installing a program). Don't use restore, never have. In control panel system uncheck the auto restart option that will leave any shutdown message sit on the screen instead of just blinking over it and rebooting. This is already unchecked. Windows does not see these messages as something to stop/reboot on. Download and install PUI (program uninstall utility) that will show programs installed in Windows..even the kb and 'uninstallable' type entries from registry. http://www.softpedia.com/progDownload/PUI-Download-24439.html Just some tips, FYI. Thanks. I should say two other things: I ran MRT.EXE /f:y this afternoon. Zero problems reported. On reboot, sometimes all of these 'infection' messages are simply not there. Then, on another reboot, they're back again, sometimes a few, sometimes screens full. Normally I hibernate overnight and only reboot when something, like critical updates, forces me to. (alt.privacy.spyware added because this is being discussed there, too.) -- Robin (BrE) Herts, England |
Infection messages?
From: "Robin Bignall"
snip | Thanks. I should say two other things: | I ran MRT.EXE /f:y this afternoon. Zero problems reported. | On reboot, sometimes all of these 'infection' messages are simply not | there. Then, on another reboot, they're back again, sometimes a few, | sometimes screens full. Normally I hibernate overnight and only | reboot when something, like critical updates, forces me to. | (alt.privacy.spyware added because this is being discussed there, | too.) | -- | Robin | (BrE) | Herts, England It is definitely a security tool set to delete the file index.dat at system Reboot and before the Winlogon process. However, at this time none of my peers have pinpointed exactly what security tool is generating the process. However at this point I can/will say "don't worry". We know have done numerous anti malware scans and the system can be deemed clean so don't get frazzled over this. I will keep researching this and hopefully we will find what security tool is generating the display you have seen. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
Infection messages?
"Robin Bignall" wrote in message
... The precise message is: INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT. Needless to say, the file does exist. As previously stated I have Kaspersky 9, A-squared pro and SAS pro running in real time with frequent full scans. I also run MBAM weekly and Panda Activescan 2 monthly. Heh, too much by far... Likely an infection was found by one unit and set for automatic removal next boot...but before booting one of the other tools deleted the file or deleted it before another tool that also found it...could do so at boot. ;) I'd uninstall (not just de-activate) all of them except KAV9, and see what happens after a few days. Last mystery is why that .dat is considered an infection, it could be a renamed file so install this and have a look inside... A safe file inspector. http://users.westnet.gr/~cgian/peek11.zip 17kb PEEK is a Shell context menu extension which allows you to extract only the text portion of files. After installation you are provided with 3 different setups called: Standard, Unicode, Binary Files. Otherwise you may be visiting some odd site and picking up a poison cookie...then remnants in the .dat (guessing)...but still...too many programs. -- 'Seek and ye shall find' NT Canuck |
Infection messages?
"Robin Bignall" wrote in message
... The precise message is: INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT. *** It sounds to me like a conflict between two programs trying to do the same thing, and one doesn't check for the existence of the file prior to attempting the delete action. *** |
Infection messages?
David H. Lipman wrote:
I will keep researching this and hopefully we will find what security tool is generating the display you have seen. It occurred to me that she may be able to find the text of the error in a log file for the program generating the error. Assuming the program keeps a log, and the log has a formatted text element, she should be able to use the search function in Windows to search for the string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT." or some portion of that. If she can find the log file, she should be able to identify the program. |
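The search suggested in the post above, as an added example that is not part of any post in the thread: a Python scan for a portion of the message in both ASCII and UTF-16LE, because programs on Windows often store their strings as UTF-16LE, which a byte-for-byte ASCII match does not find. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# A distinctive portion of the message quoted in the thread.
NEEDLE = "FILE IS NO LONGER EXISTENT"


def build_patterns(text):
    """Byte patterns for one string in the two encodings worth checking."""
    upper = text.upper()
    return {"ascii": upper.encode("ascii"), "utf-16le": upper.encode("utf-16-le")}


def scan_file(path, patterns, chunk_size=1 << 20):
    """Return the sorted encoding names whose pattern occurs in the file.

    The file is read in chunks; a tail of the previous chunk is kept so a
    match that straddles a chunk boundary is still found. bytes.upper()
    only touches ASCII letters, so the match is case-insensitive in both
    encodings (the NUL bytes of UTF-16LE are left alone).
    """
    overlap = max(len(p) for p in patterns.values()) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk.upper()
            for name, pattern in patterns.items():
                if pattern in window:
                    found.add(name)
            tail = window[-overlap:]
    return sorted(found)


def scan_tree(root, text=NEEDLE):
    """Walk a directory tree and map each matching file to its encodings."""
    patterns = build_patterns(text)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                encodings = scan_file(path, patterns)
            except OSError:
                continue  # locked or unreadable file, common on a live system
            if encodings:
                hits[path] = encodings
    return hits


def demo():
    """Scan three constructed files: a text log, a binary with a UTF-16LE string, a miss."""
    samples = {
        "tool.log": b"INFECTION: sample entry could not be removed. File is no longer existent.\r\n",
        "native.bin": b"MZ\x00\x00" + "File is no longer existent".encode("utf-16-le") + b"\x00\x00",
        "notes.txt": b"nothing relevant here",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): e for p, e in scan_tree(root).items()}


if __name__ == "__main__":
    for name, encodings in sorted(demo().items()):
        print(name, encodings)
```

On a real system, point `scan_tree` at the program and log directories of the installed security tools rather than at the whole disk.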
Infection messages?
From: "Andy Walker"
| David H. Lipman wrote: I will keep researching this and hopefully we will find what security tool is generating the display you have seen. | It occurred to me that she may be able to find the text of the error | in a log file for the program generating the error. Assuming the | program keeps a log, and the log has a formatted text element, she | should be able to use the search function in Windows to search for the | string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN | BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER | EXISTENT." or some portion of that. If she can find the log file, she | should be able to identify the program. A good approach ! -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
Infection messages?
On Wed, 25 Nov 2009 23:34:09 -0500, Andy Walker
wrote: David H. Lipman wrote: I will keep researching this and hopefully we will find what security tool is generating the display you have seen. It occurred to me that she may be able to find the text of the error in a log file for the program generating the error. Assuming the program keeps a log, and the log has a formatted text element, she should be able to use the search function in Windows to search for the string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT." or some portion of that. If she can find the log file, she should be able to identify the program. Excellent idea, Andy. I'll try now and report back. Thanks also David. -- Robin (who is a he!) (BrE) Herts, England |
Infection messages?
On Thu, 26 Nov 2009 21:10:05 +0000, Robin Bignall
wrote: On Wed, 25 Nov 2009 23:34:09 -0500, Andy Walker wrote: David H. Lipman wrote: I will keep researching this and hopefully we will find what security tool is generating the display you have seen. It occurred to me that she may be able to find the text of the error in a log file for the program generating the error. Assuming the program keeps a log, and the log has a formatted text element, she should be able to use the search function in Windows to search for the string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT." or some portion of that. If she can find the log file, she should be able to identify the program. Excellent idea, Andy. I'll try now and report back. Thanks also David. No joy with that. I searched for FILE IS NO LONGER EXISTENT but didn't find anything. -- Robin (BrE) Herts, England ps: do any of you out there live in Herts and use text.news.virginmedia.com? Access from Herts has been down for nearly a week. -- Robin (BrE) Herts, England |
Infection messages?
On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" erratic
@nomail.afraid.org wrote: "Robin Bignall" wrote in message .. . The precise message is: INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT. *** It sounds to me like a conflict between two programs trying to do the same thing, and one doesn't check for the existence of the file prior to attempting the delete action. *** What, other than malware, would want to delete the cookie index? Incidentally, I've run iecv, and there are no cookies in any of the user's cookie folders. -- Robin (BrE) Herts, England |
Infection messages?
"Robin Bignall" wrote in message
... On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" erratic @nomail.afraid.org wrote: "Robin Bignall" wrote in message .. . The precise message is: INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT. *** It sounds to me like a conflict between two programs trying to do the same thing, and one doesn't check for the existence of the file prior to attempting the delete action. *** What, other than malware, would want to delete the cookie index? Incidentally, I've run iecv, and there are no cookies in any of the user's cookie folders. *** People who have issues with privacy and spyware (in the form of cookies) sometimes download programs that "protect" them from data leakage (or from their own OS's hidden data stores or pagefile.sys). Malware (spyware specifically) is more likely to want that file to remain existent. *** |
Infection messages?
On Wed, 25 Nov 2009 18:35:21 -0600, "NT Canuck"
wrote: "Robin Bignall" wrote in message .. . The precise message is: INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT. Needless to say, the file does exist. As previously stated I have Kaspersky 9, A-squared pro and SAS pro running in real time with frequent full scans. I also run MBAM weekly and Panda Activescan 2 monthly. Heh, too much by far... Likely an infection was found by one unit and set for automatic removal next boot...but before booting one of the other tools deleted the file or deleted it before another tool that also found it...could do so at boot. ;) OK. If they're just arguing with each other, I can live with that. I am married! I'd uninstall (not just de-activate) all of them except KAV9, and see what happens after a few days. Last mystery is why that .dat is considered an infection, it could be a renamed file so install this and have a look inside... A safe file inspector. http://users.westnet.gr/~cgian/peek11.zip 17kb PEEK is a Shell context menu extension which allows you to extract only the text portion of files. After installation you are provided with 3 different setups called: Standard, Unicode, Binary Files. I have a hex editor. I took a look inside cookie\index.dat for administrator and me. They both lead off with "URL Cache", and the rest is mostly hex 00. Otherwise you may be visiting some odd site and picking up a poison cookie...then remnants in the .dat (guessing)...but still...too many programs. -- Robin (BrE) Herts, England |
Infection messages?
On Thu, 26 Nov 2009 19:04:55 -0500, "FromTheRafters" erratic
@nomail.afraid.org wrote: "Robin Bignall" wrote in message .. . On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" erratic wrote: "Robin Bignall" wrote in message . .. The precise message is: INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT. Just another piece of data. I just logged on as "administrator" (with several screens full of these infection messages) to see if, when I rebooted, I might have some "administrator\cookies\index.dat" messages. When I rebooted back as myself all the infection messages had vanished. But this has happened before on reboot. -- Robin (BrE) Herts, England |
Infection messages?
On Wed, 25 Nov 2009 19:09:56 -0500, "David H. Lipman"
wrote: From: "Robin Bignall" snip | Thanks. I should say two other things: | I ran MRT.EXE /f:y this afternoon. Zero problems reported. | On reboot, sometimes all of these 'infection' messages are simply not | there. Then, on another reboot, they're back again, sometimes a few, | sometimes screens full. Normally I hibernate overnight and only | reboot when something, like critical updates, forces me to. | (alt.privacy.spyware added because this is being discussed there, | too.) | -- | Robin | (BrE) | Herts, England It is definitely a security tool set to delete the file index.dat at system Reboot and before the Winlogon process. However, at this time none of my peers have pinpointed exactly what security tool is generating the process. However at this point I can/will say "don't worry". We know have done numerous anti malware scans and the system can be deemed clean so don't get frazzled over this. I will keep researching this and hopefully we will find what security tool is generating the display you have seen. Just another word on this, for it's still happening. I created a text file on c: containing the word "infection" only. I then used Windows 'search within files' to check all files -- including hidden and system -- on the system disk. I found seven instances of 'infection' in various places, mostly text or pdf files, including the made-up one, but none relating in any way to the system, the virus checker or any malware. I find it baffling to know what is generating this message, and how. -- Robin (BrE) Herts, England |
Infection messages?
From: "Robin Bignall"
| Just another word on this, for it's still happening. I created a text | file on c: containing the word "infection" only. I then used Windows | 'search within files' to check all files -- including hidden and | system -- on the system disk. I found seven instances of 'infection' | in various places, mostly text or pdf files, including the made-up | one, but none relating in any way to the system, the virus checker or | any malware. I find it baffling to know what is generating this | message, and how. | -- | Robin | (BrE) | Herts, England To date, NOTHING has been pin-pointed yet as the source :-( -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
Infection messages?
Robin Bignall wrote:
Just another word on this, for it's still happening. I created a text file on c: containing the word "infection" only. I then used Windows 'search within files' to check all files -- including hidden and system -- on the system disk. I found seven instances of 'infection' in various places, mostly text or pdf files, including the made-up one, but none relating in any way to the system, the virus checker or any malware. I find it baffling to know what is generating this message, and how. Have you tried looking through your registry for startup programs? If you are familiar with regedit, you can look at the keys in the following article to identify programs that could potentially be giving you the error. Just be mindful that regedit is a dangerous tool for the inexperienced user: http://www.bleepingcomputer.com/tuto...utorial44.html Using Regedit http://www.microsoft.com/resources/d....mspx?mfr=true or http://preview.tinyurl.com/yhph8yt Another possibility is to use autoruns to look for startup programs. Autoruns has some useful features that allow you to *not* display normal Microsoft startup programs, which may help zero in on the source of the problem. http://technet.microsoft.com/en-us/s.../bb963902.aspx |
Infection messages?
Andy Walker wrote:
Robin Bignall wrote: Just another word on this, for it's still happening. I created a text file on c: containing the word "infection" only. I then used Windows 'search within files' to check all files -- including hidden and system -- on the system disk. I found seven instances of 'infection' in various places, mostly text or pdf files, including the made-up one, but none relating in any way to the system, the virus checker or any malware. I find it baffling to know what is generating this message, and how. Have you tried looking through your registry for startup programs? If you are familiar with regedit, you can look at the keys in the following article to identify programs that could potentially be giving you the error. Just be mindful that regedit is a dangerous tool for the inexperienced user: http://www.bleepingcomputer.com/tuto...utorial44.html Using Regedit http://www.microsoft.com/resources/d....mspx?mfr=true or http://preview.tinyurl.com/yhph8yt Another possibility is to use autoruns to look for startup programs. Autoruns has some useful features that allow you to *not* display normal Microsoft startup programs, which may help zero in on the source of the problem. http://technet.microsoft.com/en-us/s.../bb963902.aspx Process Monitor http://technet.microsoft.com/en-us/s.../bb896645.aspx and PendMoves might help as well http://technet.microsoft.com/en-us/s.../bb897556.aspx John |
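PendMoves, mentioned in the post above, lists the file moves and deletions queued for the next boot. As an added example (not from the thread and not Sysinternals code), this Python parser reads a raw `PendingFileRenameOperations` value in its REG_MULTI_SZ layout and picks out queued deletions of `index.dat`; the registry location is stated from general Windows knowledge, and the sample data, user name and function names are constructed.

```python
from collections import namedtuple

# Value that holds the queue (general Windows knowledge, not quoted in the thread):
#   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
#   PendingFileRenameOperations  (REG_MULTI_SZ, UTF-16LE)
# Layout: source, destination, source, destination, ... then an empty string.
# An empty destination means "delete source at boot"; a destination that
# starts with "!" means "replace the existing destination".

PendingOp = namedtuple("PendingOp", "action source destination")


def strip_nt_prefix(path):
    r"""Turn an NT-style path such as \??\C:\x into C:\x for display."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_ops(raw):
    """Parse raw REG_MULTI_SZ bytes into a list of PendingOp tuples."""
    strings = raw.decode("utf-16-le").split("\x00")
    ops = []
    for i in range(0, len(strings) - 1, 2):
        source, dest = strings[i], strings[i + 1]
        if not source:
            break  # reached the terminating empty string
        replace = dest.startswith("!")
        if replace:
            dest = dest[1:]
        if not dest:
            action = "delete"
        else:
            action = "replace" if replace else "rename"
        ops.append(PendingOp(action, strip_nt_prefix(source), strip_nt_prefix(dest)))
    return ops


def deletions_matching(ops, filename):
    """Sources queued for deletion whose file name equals filename (case-insensitive)."""
    suffix = "\\" + filename.lower()
    return [op.source for op in ops
            if op.action == "delete" and op.source.lower().endswith(suffix)]


def make_sample():
    """Constructed value: one queued delete of a cookie index, one queued replace."""
    entries = [
        ("\\??\\C:\\Documents and Settings\\Example User\\Cookies\\index.dat", ""),
        ("\\??\\C:\\WINDOWS\\Temp\\update.tmp",
         "!\\??\\C:\\WINDOWS\\system32\\example.dll"),
    ]
    text = "".join(src + "\x00" + dst + "\x00" for src, dst in entries) + "\x00"
    return text.encode("utf-16-le")


if __name__ == "__main__":
    operations = parse_pending_ops(make_sample())
    for op in operations:
        print(op.action, op.source, "->", op.destination or "(none)")
    print("index.dat deletions:", deletions_matching(operations, "index.dat"))
```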
Infection messages?
On Tue, 08 Dec 2009 11:43:58 -0500, John Mason Jr
wrote: Andy Walker wrote: Robin Bignall wrote: Just another word on this, for it's still happening. I created a text file on c: containing the word "infection" only. I then used Windows 'search within files' to check all files -- including hidden and system -- on the system disk. I found seven instances of 'infection' in various places, mostly text or pdf files, including the made-up one, but none relating in any way to the system, the virus checker or any malware. I find it baffling to know what is generating this message, and how. Have you tried looking through your registry for startup programs? If you are familiar with regedit, you can look at the keys in the following article to identify programs that could potentially be giving you the error. Just be mindful that regedit is a dangerous tool for the inexperienced user: http://www.bleepingcomputer.com/tuto...utorial44.html Using Regedit http://www.microsoft.com/resources/d....mspx?mfr=true or http://preview.tinyurl.com/yhph8yt Another possibility is to use autoruns to look for startup programs. Autoruns has some useful features that allow you to *not* display normal Microsoft startup programs, which may help zero in on the source of the problem. http://technet.microsoft.com/en-us/s.../bb963902.aspx Process Monitor http://technet.microsoft.com/en-us/s.../bb896645.aspx and PendMoves might help as well http://technet.microsoft.com/en-us/s.../bb897556.aspx John, Andy, thanks for the suggestions. I have checked autoruns. In fact, A-squared contains a very useful feature called Hijackfree which gives detailed information on what's present in 5 categories: processes, ports, autoruns, services and others. I don't see anything amiss. PCButts emailed me to make the sensible suggestion of checking the runonce registry entries. They're empty. The weird thing is where the message is coming from, since no executable on my system disk contains the string "infection". -- Robin (BrE) Herts, England |
Infection messages?
In alt.privacy.spyware, Robin Bignall wrote:
PCButts emailed me to make the sensible suggestion of checking the runonce registry entries. What? Buttface is now emailing direct to posters? How cheeky is that!! Must be a new way to get around having others respond to warn about his stolen software... -- -bts -Friends don't let friends drive Windows |
Infection messages?
From: "Beauregard T. Shagnasty"
| In alt.privacy.spyware, Robin Bignall wrote: PCButts emailed me to make the sensible suggestion of checking the runonce registry entries. | What? | Buttface is now emailing direct to posters? How cheeky is that!! Must | be a new way to get around having others respond to warn about his | stolen software... And it is even really a "sensible" suggestion as the RunOnce key is just that, it runs only once then the contents of that Registry key is removed. Therefore if it did run, by the time the person examined it, it would be an empty key. Plus RunOnce is interpreted AFTER the Winlogon process. Robin's problem occurs before the Winlogon process. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |