If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#31
|
|||
|
|||
Infection messages?
"Robin Bignall" wrote in message
... On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" erratic @nomail.afraid.org wrote: "Robin Bignall" wrote in message .. . The precise message is: INFECTIONOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT. *** It sounds to me like a conflict between two programs trying to do the same thing, and one doesn't check for the existence of the file prior to attempting the delete action. *** What, other than malware, would want to delete the cookie index? Incidentally, I've run iecv, and there are no cookies in any of the user's cookie folders. *** People who have issues with privacy and spyware (in the form of cookies) sometimes download programs that "protect" them from data leakage (or from their own OS's hidden data stores or pagefile.sys). Malware (spyware specifically) is more likely to want that file to remain existent. *** |
Ads |
#32
|
|||
|
|||
Infection messages?
On Wed, 25 Nov 2009 18:35:21 -0600, "NT Canuck"
wrote: "Robin Bignall" wrote in message .. . The precise message is: INFECTIONOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT. Needless to say, the file does exist. As previously stated I have Kaspersky 9, A-squared pro and SAS pro running in real time with frequent full scans. I also run MBAM weekly and Panda Activescan 2 monthly. Heh, too much by far... Likely an infection was found by one unit and set for automatic removal next boot...but before booting one of the other tools deleted the file or deleted it before another tool that also found it...could do so at boot. OK. If they're just arguing with each other, I can live with that. I am married! I'd uninstall (not just de-activate) all of them except KAV9, and see what happens after a few days. Last mystery is why that .dat is considered an infection, it could be a renamed file so install this and have a look inside... A safe file inspector. http://users.westnet.gr/~cgian/peek11.zip 17kb PEEK is a Shell context menu extension which allows you to extract only the text portion of files. After installation you are provided with 3 different setups called: Standard, Unicode, Binary Files. I have a hex editor. I took a look inside cookie\index.dat for administrator and me. They both lead off with "URL Cache", and the rest is mostly hex 00. Otherwise you may be visiting some odd site and picking up a poison cookie...then remnants in the .dat (guessing)...but still...too many programs. -- Robin (BrE) Herts, England |
#33
|
|||
|
|||
Infection messages?
On Thu, 26 Nov 2009 19:04:55 -0500, "FromTheRafters" erratic
@nomail.afraid.org wrote: "Robin Bignall" wrote in message .. . On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" erratic wrote: "Robin Bignall" wrote in message . .. The precise message is: INFECTIONOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT. Just another piece of data. I just logged on as "administrator" (with several screens full of these infection messages) to see if, when I rebooted, I might have some "administrator\cookies\index.dat" messages. When I rebooted back as myself all the infection messages had vanished. But this has happened before on reboot. -- Robin (BrE) Herts, England |
#34
|
|||
|
|||
Infection messages?
On Wed, 25 Nov 2009 19:09:56 -0500, "David H. Lipman"
wrote: From: "Robin Bignall" snip | Thanks. I should say two other things: | I ran MRT.EXE /f:y this afternoon. Zero problems reported. | On reboot, sometimes all of these 'infection' messages are simply not | there. Then, on another reboot, they're back again, sometimes a few, | sometimes screens full. Normally I hibernate overnight and only | reboot when something, like critical updates, forces me to. | (alt.privacy.spyware added because this is being discussed there, | too.) | -- | Robin | (BrE) | Herts, England It is definitly a security tool set to delete the file index.dat at system Reboot and before the Winlogon process. However, at this time none of my peers have pinpointed exactly what security tool is generating the process. However at this point I can/will say "don't worry". We know have done numerous anti malware scans and the system can be deemed clean so don't get frazzled over this. I will keep researching this and hopefully we will find what security tool is generating the display you have seen. Just another word on this, for it's still happening. I created a text file on c: containing the word "infection" only. I then used Windows 'search within files' to check all files -- including hidden and system -- on the system disk. I found seven instances of 'infection' in various places, mostly text or pdf files, including the made-up one, but none relating in any way to the system, the virus checker or any malware. I find it baffling to know what is generating this message, and how. -- Robin (BrE) Herts, England |
#35
|
|||
|
|||
Infection messages?
From: "Robin Bignall"
| Just another word on this, for it's still happening. I created a text | file on c: containing the word "infection" only. I then used Windows | 'search within files' to check all files -- including hidden and | system -- on the system disk. I found seven instances of 'infection' | in various places, mostly text or pdf files, including the made-up | one, but none relating in any way to the system, the virus checker or | any malware. I find it baffling to know what is generating this | message, and how. | -- | Robin | (BrE) | Herts, England To date, NOTHING has been pin-pointed yet as the source :-( -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
#36
|
|||
|
|||
Infection messages?
Robin Bignall wrote:
Just another word on this, for it's still happening. I created a text file on c: containing the word "infection" only. I then used Windows 'search within files' to check all files -- including hidden and system -- on the system disk. I found seven instances of 'infection' in various places, mostly text or pdf files, including the made-up one, but none relating in any way to the system, the virus checker or any malware. I find it baffling to know what is generating this message, and how. Have you tried looking through your registry for startup programs? If you are familiar with regedit, you can look at the keys in the following article to identify programs that could potentially be giving you the error. Just be mindful that regedit is a dangerous tool for the inexperienced user: http://www.bleepingcomputer.com/tuto...utorial44.html Using Regedit http://www.microsoft.com/resources/d....mspx?mfr=true or http://preview.tinyurl.com/yhph8yt Another possibility is to use autoruns to look for startup programs. Autoruns has some useful features that allow you to *not* display normal Microsoft startup programs, which may help zero in on the source of the problem. http://technet.microsoft.com/en-us/s.../bb963902.aspx |
#37
|
|||
|
|||
Infection messages?
Andy Walker wrote:
Robin Bignall wrote: Just another word on this, for it's still happening. I created a text file on c: containing the word "infection" only. I then used Windows 'search within files' to check all files -- including hidden and system -- on the system disk. I found seven instances of 'infection' in various places, mostly text or pdf files, including the made-up one, but none relating in any way to the system, the virus checker or any malware. I find it baffling to know what is generating this message, and how. Have you tried looking through your registry for startup programs? If you are familiar with regedit, you can look at the keys in the following article to identify programs that could potentially be giving you the error. Just be mindful that regedit is a dangerous tool for the inexperienced user: http://www.bleepingcomputer.com/tuto...utorial44.html Using Regedit http://www.microsoft.com/resources/d....mspx?mfr=true or http://preview.tinyurl.com/yhph8yt Another possibility is to use autoruns to look for startup programs. Autoruns has some useful features that allow you to *not* display normal Microsoft startup programs, which may help zero in on the source of the problem. http://technet.microsoft.com/en-us/s.../bb963902.aspx Process Monitor http://technet.microsoft.com/en-us/s.../bb896645.aspx and PendMoves might help as well http://technet.microsoft.com/en-us/s.../bb897556.aspx John |
#38
|
|||
|
|||
Infection messages?
On Tue, 08 Dec 2009 11:43:58 -0500, John Mason Jr
wrote: Andy Walker wrote: Robin Bignall wrote: Just another word on this, for it's still happening. I created a text file on c: containing the word "infection" only. I then used Windows 'search within files' to check all files -- including hidden and system -- on the system disk. I found seven instances of 'infection' in various places, mostly text or pdf files, including the made-up one, but none relating in any way to the system, the virus checker or any malware. I find it baffling to know what is generating this message, and how. Have you tried looking through your registry for startup programs? If you are familiar with regedit, you can look at the keys in the following article to identify programs that could potentially be giving you the error. Just be mindful that regedit is a dangerous tool for the inexperienced user: http://www.bleepingcomputer.com/tuto...utorial44.html Using Regedit http://www.microsoft.com/resources/d....mspx?mfr=true or http://preview.tinyurl.com/yhph8yt Another possibility is to use autoruns to look for startup programs. Autoruns has some useful features that allow you to *not* display normal Microsoft startup programs, which may help zero in on the source of the problem. http://technet.microsoft.com/en-us/s.../bb963902.aspx Process Monitor http://technet.microsoft.com/en-us/s.../bb896645.aspx and PendMoves might help as well http://technet.microsoft.com/en-us/s.../bb897556.aspx John, Andy, thanks for the suggestions. I have checked autoruns. In fact, A-squared contains a very useful feature called Hijackfree which gives detailed information on what's present in 5 categories: processes, ports, autoruns, services and others. I don't see anything amiss. PCButts emailed me to make the sensible suggestion of checking the runonce registry entries. They're empty. The weird thing is where the message is coming from, since no executable on my system disk contains the string "infection". -- Robin (BrE) Herts, England |
#39
|
|||
|
|||
Infection messages?
In alt.privacy.spyware, Robin Bignall wrote:
PCButts emailed me to make the sensible suggestion of checking the runonce registry entries. What? Buttface is now emailing direct to posters? How cheeky is that!! Must be a new way to get around having others respond to warn about his stolen software... -- -bts -Friends don't let friends drive Windows |
#40
|
|||
|
|||
Infection messages?
From: "Beauregard T. Shagnasty"
| In alt.privacy.spyware, Robin Bignall wrote: PCButts emailed me to make the sensible suggestion of checking the runonce registry entries. | What? | Buttface is now emailing direct to posters? How cheeky is that!! Must | be a new way to get around having others respond to warn about his | stolen software... And it is even really a "sensible" suggestion as the RunOnce key is just that, it runs only once then the contents of that Registry key is removed. Therefore if it did run, by the time the person examined it, it would be an empty key. Plus RunOnce is interpreted AFTER the Winlogon process. Robin's problem occurs before the Winlogon process. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
#42
|
|||
|
|||
Infection messages?
"David H. Lipman" wrote in
: And it is even really a "sensible" suggestion as the RunOnce key is just that, it runs only once then the contents of that Registry key is removed. Therefore if it did run, by the time the person examined it, it would be an empty key. Plus RunOnce is interpreted AFTER the Winlogon process. Robin's problem occurs before the Winlogon process. When is wininit.ini processed? -- Rick Simon Include "spam(trap)key" somewhere in the body of any email to avoid spam filters. |
#43
|
|||
|
|||
Infection messages?
From: "Rick"
| "David H. Lipman" wrote in | : And it is even really a "sensible" suggestion as the RunOnce key is just that, it runs only once then the contents of that Registry key is removed. Therefore if it did run, by the time the person examined it, it would be an empty key. Plus RunOnce is interpreted AFTER the Winlogon process. Robin's problem occurs before the Winlogon process. | When is wininit.ini processed? What OS are you referring to because NT based OS' don't use INI files. Everything is pretty much stored in the Registry and evaluated there. Since this was x-posted to a WinXP group, the answer is NEVER. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
#44
|
|||
|
|||
Infection messages?
David H. Lipman wrote:
What OS are you referring to because NT based OS' don't use INI files. Everything is pretty much stored in the Registry and evaluated there. Since this was x-posted to a WinXP group, the answer is NEVER. Not true, Dave. XP still uses INI files. boot.ini win.ini system.ini to name a few... |
#45
|
|||
|
|||
Infection messages?
From: "Andy Walker"
| David H. Lipman wrote: What OS are you referring to because NT based OS' don't use INI files. Everything is pretty much stored in the Registry and evaluated there. Since this was x-posted to a WinXP group, the answer is NEVER. | Not true, Dave. XP still uses INI files. | boot.ini | win.ini | system.ini | to name a few... OK. BOOT.INI is only used to launch the OS or a different OS. It is interpreted before the WinGUI. WIN.INI and SYSTEM.INI are NOT really interpreted anymore. They ONLY exist for backwards compatibility purposes for Win9x/ME, and maybe Win3.1x programs that weren't written to use a registry. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |
Thread Tools | |
Display Modes | |
|
|