A Windows XP help forum. PCbanter


Infection messages?



 
 
  #16  
Old November 24th 09, 05:16 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support
Daave[_8_]
external usenet poster
 
Posts: 2,461
Default Infection messages?

Daave wrote:
Robin Bignall wrote:
On Tue, 24 Nov 2009 14:42:04 +0000, Robin Bignall
wrote:

On Tue, 24 Nov 2009 08:53:29 -0500, "Daave"
wrote:


Robin Bignall wrote:
On Mon, 23 Nov 2009 18:40:34 -0500, "Daave"
wrote:

Robin Bignall wrote:

The message is:
infection:documents and settings\robin bignall\cookies\index.dat
could not be removed. file is no longer existent.

Googling the above didn't turn up many hits, which already points
to malware. I did manage to find a very similar message (with
"available" replacing "existent") here:

http://translate.google.com/translat...tent%26hl%3Den

Another possibly relevant hit:

http://forums.techguy.org/malware-re...lp-please.html

I'm 99.9999999999999% sure you have malware. :-(

This page should help:

http://www.elephantboycomputers.com/...moving_Malware

(also cross-posting to microsoft.public.security.virus )

Thanks for your help. I spent lots of time last night doing
full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2.
Nothing found. Am now starting MBAM...
Will look at your links after breakfast.

Sounds like you're on the right track. MBAM is quite good.

Sometimes, one needs to boot off a rescue CD. Check out these links
for more info:

http://www.free-av.com/en/tools/12/a...ue_system.html

http://www.techmixer.com/free-bootab...download-list/

(This way, the OS is entirely bypassed. Another method is to
physically remove your hard drive and slave it to another PC and
use the uncompromised PC to perform the scan.)

MBAM was clean. I'm now going to run everything in safe mode to
check.


Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing
reported. On reboot all "infection" messages had vanished. Weird,
huh?


Yes.

I still smell something rotten. I would still boot off a rescue CD and
scan or use another PC to scan. An alternative to removing the drive
and slaving it is to use a device like this one:

http://www.newegg.com/Product/Produc...82E16812161002


Also, HijackThis might be necessary...


  #17  
Old November 24th 09, 11:51 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Infection messages?

From: "Daave"


| Also, HijackThis might be necessary...

I have read the original thread (when it first started) and the subsequent parts x-posted
to m.p.s.v and this is curious indeed. However I don't think HJT will help.

The way to fully understand this is to go back to the beginning. And to fully express the
EXACT (to the best as one can) messages and relay the exact moment(s) the messages are
displayed.

To date what I have seen is...
"I get a blue screen with white messages. There are dozens of them, all identical, which
say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed."

From the description, it is happening PRIOR to the Winlogon Process during OS
initialization.

The question then becomes what is generating it?

The message "Infection: docs and settings my name cookies/index.dat..."
Could be indicative of a program of a legitimate program (antimalware) that is installed
that is processing a deletion request that is intended to occur PRIOR to the GUI being
loaded and where most file handles would be in use.

Thus we need to understand what security related software already existed on this platform
PRIOR to the posting of this problem.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #18  
Old November 25th 09, 12:25 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support
NT Canuck[_3_]
external usenet poster
 
Posts: 3
Default Infection messages?

"David H. Lipman" wrote in message
...


Thus we need to understand what security related software
already existed on this platform PRIOR to the posting of this problem.


To check if antimalware/tool running pre-desktop look into
control panel taskmanager and enable view hidden
tasks, then also download autoruns and check the 'run'
section.

Programs recently installed may still have their residue/setup
in documents and settings (logon profile) so look for /temp
folder (may be more than one location).

Also look at restore points (usually a new restore point
setup prior to installing a program).

In control panel system uncheck the auto restart option
that will leave any shutdown message sit on the screen
instead of just blinking over it and rebooting.

Download and install PUI (program uninstall utility) that
will show programs installed in Windows..even the
kb and 'uninstallable' type entries from registry.
http://www.softpedia.com/progDownload/PUI-Download-24439.html

Just some tips, FYI.

--
'Seek and ye shall find'
NT Canuck


  #19  
Old November 25th 09, 02:19 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support
Daave[_8_]
external usenet poster
 
Posts: 2,461
Default Infection messages?

David H. Lipman wrote:
From: "Daave"


Also, HijackThis might be necessary...


I have read the original thread (when it first started) and the
subsequent parts x-posted to m.p.s.v and this is curious indeed.
However I don't think HJT will help.

The way to fully understand this is to go back to the beginning. And
to fully express the EXACT (to the best as one can) messages and
relay the exact moment(s) the messages are displayed.

To date what I have seen is...
"I get a blue screen with white messages. There are dozens of them,
all identical, which say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed."

From the description, it is happening PRIOR to the Winlogon Process
during OS initialization.

The question then becomes what is generating it?

The message "Infection: docs and settings my name
cookies/index.dat..."
Could be indicative of a program of a legitimate program
(antimalware) that is installed that is processing a deletion request
that is intended to occur PRIOR to the GUI being loaded and where
most file handles would be in use.


That is a good point. It could be anything. Unfortunately, I don't speak
French and the best I could come up with is this Google translation:

http://translate.google.com/translat...2522%26hl%3Den

The screen shot:

http://dl.toofiles.com/uc4yon/images...7yj-ziucmm.jpg

I don't have Vista, so I don't know what a BSOD looks like in it, but an
XP BSOD would be *all blue* and not what this French poster submitted.

Thus we need to understand what security related software already
existed on this platform PRIOR to the posting of this problem.



  #20  
Old November 25th 09, 02:39 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support
NT Canuck[_3_]
external usenet poster
 
Posts: 3
Default Infection messages?

"Daave" wrote in message
...


Could be indicative of a program of a legitimate program
(antimalware) that is installed that is processing a deletion request
that is intended to occur PRIOR to the GUI being loaded and where
most file handles would be in use.


That is a good point. It could be anything. Unfortunately, I don't speak
French and the best I could come up with is this Google translation:


I'd suspect something along the lines of Internet track/trace evidence
removal program (adaware or similar), since the index.dat in that
location is a system file (locked/used by Explorer/IE/OutlookExpress
and a few others like the A/V in use etc.) that it has to be (if done)
deleted/moved during boot up before the OS logon and this is
likely the screen shown...boot phase, logging the boot sequence
(like shown on display during safe mode start up) would help.

snip
The screen shot:

http://dl.toofiles.com/uc4yon/images...7yj-ziucmm.jpg

I don't have Vista, so I don't know what a BSOD looks like in it, but an
XP BSOD would be *all blue* and not what this French poster submitted.


My comments earlier, typically it's not a bad file...very seldom a threat.

hth

--
'Seek and ye shall find'
NT Canuck


  #21  
Old November 25th 09, 11:34 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support
Robin Bignall
external usenet poster
 
Posts: 595
Default Infection messages?

On Tue, 24 Nov 2009 17:51:02 -0500, "David H. Lipman"
wrote:

From: "Daave"


| Also, HijackThis might be necessary...

I have read the original thread (when it first started) and the subsequent parts x-posted
to m.p.s.v and this is curious indeed. However I don't think HJT will help.

The way to fully understand this is to go back to the beginning. And to fully express the
EXACT (to the best as one can) messages and relay the exact moment(s) the messages are
displayed.

To date what I have seen is...
"I get a blue screen with white messages. There are dozens of them, all identical, which
say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed."

From the description, it is happening PRIOR to the Winlogon Process during OS
initialization.

The question then becomes what is generating it?

The message "Infection: docs and settings my name cookies/index.dat..."
Could be indicative of a program of a legitimate program (antimalware) that is installed
that is processing a deletion request that is intended to occur PRIOR to the GUI being
loaded and where most file handles would be in use.

Thus we need to understand what security related software already existed on this platform
PRIOR to the posting of this problem.


The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

Needless to say, the file does exist.
As previously stated I have Kaspersky 9, A-squared pro and SAS pro
running in real time with frequent full scans. I also run MBAM weekly
and Panda Activescan 2 monthly.
--
Robin
(BrE)
Herts, England
  #22  
Old November 25th 09, 11:53 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Robin Bignall
external usenet poster
 
Posts: 595
Default Infection messages?

On Tue, 24 Nov 2009 17:25:31 -0600, "NT Canuck"
wrote:


"David H. Lipman" wrote in message
...


Thus we need to understand what security related software
already existed on this platform PRIOR to the posting of this problem.


To check if antimalware/tool running pre-desktop look into
control panel taskmanager and enable view hidden
tasks, then also download autoruns and check the 'run'
section.

A-squared contains "Hijackfree" that has an autoruns section plus a
lot of other stuff. I can't see anything running that shouldn't be
there.

Programs recently installed may still have their residue/setup
in documents and settings (logon profile) so look for /temp
folder (may be more than one location).

Nothing recently installed or uninstalled, except updates to Windows
and running software.

Also look at restore points (usually a new restore point
setup prior to installing a program).

Don't use restore, never have.

In control panel system uncheck the auto restart option
that will leave any shutdown message sit on the screen
instead of just blinking over it and rebooting.

This is already unchecked. Windows does not see these messages as
something to stop/reboot on.

Download and install PUI (program uninstall utility) that
will show programs installed in Windows..even the
kb and 'uninstallable' type entries from registry.
http://www.softpedia.com/progDownload/PUI-Download-24439.html

Just some tips, FYI.


Thanks. I should say two other things:
I ran MRT.EXE /f:y this afternoon. Zero problems reported.
On reboot, sometimes all of these 'infection' messages are simply not
there. Then, on another reboot, they're back again, sometimes a few,
sometimes screens full. Normally I hibernate overnight and only
reboot when something, like critical updates, forces me to.

(alt.privacy.spyware added because this is being discussed there,
too.)
--
Robin
(BrE)
Herts, England
  #23  
Old November 26th 09, 01:09 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Infection messages?

From: "Robin Bignall"

snip

| Thanks. I should say two other things:
| I ran MRT.EXE /f:y this afternoon. Zero problems reported.
| On reboot, sometimes all of these 'infection' messages are simply not
| there. Then, on another reboot, they're back again, sometimes a few,
| sometimes screens full. Normally I hibernate overnight and only
| reboot when something, like critical updates, forces me to.

| (alt.privacy.spyware added because this is being discussed there,
| too.)
| --
| Robin
| (BrE)
| Herts, England


It is definitely a security tool set to delete the file index.dat at system Reboot and
before the Winlogon process.

However, at this time none of my peers have pinpointed exactly what security tool is
generating the process.

However at this point I can/will say "don't worry". We know have done numerous anti
malware scans and the system can be deemed clean so don't get frazzled over this.

I will keep researching this and hopefully we will find what security tool is generating
the display you have seen.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
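
Deletions that Windows defers until reboot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) are queued in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and carried out before logon. The following is an added example, not part of any post in this thread: it decodes that value's raw REG_MULTI_SZ bytes and lists queued deletes of index.dat, assuming the tool in question uses this standard queue; the sample bytes and paths are constructed.

```python
# Added example: decode PendingFileRenameOperations (REG_MULTI_SZ) data.
# SAMPLE below is constructed for illustration; it is not from the thread.

NT_PREFIX = "\\??\\"  # NT object-manager prefix Windows puts on each path


def split_multi_sz(raw):
    """Split UTF-16LE REG_MULTI_SZ bytes into strings, keeping empty ones."""
    text = raw.decode("utf-16-le")
    if not text.strip("\0"):
        return []
    # Drop the last string's terminator and the list terminator, then split.
    # A delete is stored as (source, ""), so an empty string in the middle is
    # data and must not be treated as the end of the list.
    if text.endswith("\0\0"):
        text = text[:-2]
    elif text.endswith("\0"):
        text = text[:-1]
    return text.split("\0")


def _strip_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(raw):
    """Return the queued boot-time operations as a list of dicts."""
    strings = split_multi_sz(raw)
    if len(strings) % 2:          # trailing delete whose "" was trimmed
        strings.append("")
    ops = []
    for source, target in zip(strings[0::2], strings[1::2]):
        replace = target.startswith("!")   # "!" = overwrite existing target
        target = _strip_prefix(target.lstrip("!"))
        ops.append({
            "action": "rename" if target else "delete",
            "source": _strip_prefix(source),
            "target": target or None,
            "replace_existing": replace,
        })
    return ops


def deletes_matching(raw, suffix):
    """Queued deletes whose source path ends with suffix (case-insensitive)."""
    return [op for op in pending_operations(raw)
            if op["action"] == "delete"
            and op["source"].lower().endswith(suffix.lower())]


def _multi_sz(*strings):
    """Build REG_MULTI_SZ bytes the way the registry stores them."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


SAMPLE = _multi_sz(
    r"\??\C:\Documents and Settings\user\Cookies\index.dat", "",
    r"\??\C:\WINDOWS\Temp\setup.tmp",
    r"!\??\C:\Program Files\ExampleApp\app.dll",
)

if __name__ == "__main__":
    for op in pending_operations(SAMPLE):
        print(op)
```

The BootExecute value in the same registry key lists native programs that Session Manager runs at that stage, so it is worth reading alongside the queue.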


  #24  
Old November 26th 09, 01:35 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support
NT Canuck[_3_]
external usenet poster
 
Posts: 3
Default Infection messages?

"Robin Bignall" wrote in message
...

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

Needless to say, the file does exist.
As previously stated I have Kaspersky 9, A-squared pro and SAS pro
running in real time with frequent full scans. I also run MBAM weekly
and Panda Activescan 2 monthly.

Heh, too much by far...
Likely an infection was found by one unit and set for
automatic removal next boot...but before booting one
of the other tools deleted the file or deleted it before
another tool that also found it...could do so at boot.

I'd uninstall (not just de-activate) all of them except
KAV9, and see what happens after a few days.

Last mystery is why that .dat is considered an infection,
it could be a renamed file so install this and have a look
inside... A safe file inspector.
http://users.westnet.gr/~cgian/peek11.zip 17kb
PEEK is a Shell context menu extension which
allows you to extract only the text portion of files.
After installation you are provided with 3 different
setups called: Standard, Unicode, Binary Files.

Otherwise you may be visiting some odd site and
picking up a poison cookie...then remnants in the
.dat (guessing)...but still...too many programs.

--
'Seek and ye shall find'
NT Canuck


  #25  
Old November 26th 09, 02:24 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support
FromTheRafters[_3_]
external usenet poster
 
Posts: 102
Default Infection messages?

"Robin Bignall" wrote in message
...

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

***
It sounds to me like a conflict between two programs trying to do the
same thing, and one doesn't check for the existence of the file prior to
attempting the delete action.
***


  #26  
Old November 26th 09, 05:34 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Andy Walker
external usenet poster
 
Posts: 7
Default Infection messages?

David H. Lipman wrote:

I will keep researching this and hopefully we will find what security tool is generating
the display you have seen.


It occurred to me that she may be able to find the text of the error
in a log file for the program generating the error. Assuming the
program keeps a log, and the log has a formatted text element, she
should be able to use the search function in Windows to search for the
string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
EXISTENT." or some portion of that. If she can find the log file, she
should be able to identify the program.
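
One way to carry out the log search suggested above, as an added example that is not part of the original post: it walks a folder tree and looks for a fragment of the message as raw bytes, ignoring letter case and checking both single-byte and UTF-16LE text. The function names, file names and log lines are constructed for illustration.

```python
# Added example: find which file under a folder contains a message fragment.
# The sample log files written by demo() are constructed, not real tool logs.
import os
import tempfile


def find_phrase(root, phrase, max_bytes=16 * 1024 * 1024):
    """Return sorted (path, encoding) pairs for files containing phrase."""
    wanted = phrase.lower()
    needles = {
        "ansi": wanted.encode("ascii"),
        "utf-16le": wanted.encode("utf-16-le"),
    }
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    # bytes.lower() only touches ASCII letters, so it is safe
                    # for both encodings of an ASCII phrase.
                    data = fh.read(max_bytes).lower()
            except OSError:
                continue  # locked or unreadable file: skip it
            for label, needle in needles.items():
                if needle in data:
                    hits.append((path, label))
                    break
    return sorted(hits)


def demo():
    """Build three constructed files and search them for the fragment."""
    line = ("Infection: C:\\Documents and Settings\\user\\Cookies\\index.dat "
            "could not be removed. File is no longer existent.\r\n")
    samples = {
        "scanner_a.log": line.encode("ascii"),
        "scanner_b.log": b"\xff\xfe" + line.encode("utf-16-le"),
        "other.txt": b"nothing relevant here\r\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found = find_phrase(root, "FILE IS NO LONGER EXISTENT")
        return [(os.path.basename(path), enc) for path, enc in found]


if __name__ == "__main__":
    for name, enc in demo():
        print(name, enc)
```

A short fragment is used because the on-screen message wraps across lines and a log may break or space it differently.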

  #27  
Old November 26th 09, 02:50 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Infection messages?

From: "Andy Walker"

| David H. Lipman wrote:

I will keep researching this and hopefully we will find what security tool is
generating
the display you have seen.


| It occurred to me that she may be able to find the text of the error
| in a log file for the program generating the error. Assuming the
| program keeps a log, and the log has a formatted text element, she
| should be able to use the search function in Windows to search for the
| string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
| BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
| EXISTENT." or some portion of that. If she can find the log file, she
| should be able to identify the program.


A good approach !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #28  
Old November 26th 09, 10:10 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Robin Bignall
external usenet poster
 
Posts: 595
Default Infection messages?

On Wed, 25 Nov 2009 23:34:09 -0500, Andy Walker
wrote:

David H. Lipman wrote:

I will keep researching this and hopefully we will find what security tool is generating
the display you have seen.


It occurred to me that she may be able to find the text of the error
in a log file for the program generating the error. Assuming the
program keeps a log, and the log has a formatted text element, she
should be able to use the search function in Windows to search for the
string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
EXISTENT." or some portion of that. If she can find the log file, she
should be able to identify the program.


Excellent idea, Andy. I'll try now and report back. Thanks also
David.
--
Robin (who is a he!)
(BrE)
Herts, England
  #29  
Old November 26th 09, 10:32 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Robin Bignall
external usenet poster
 
Posts: 595
Default Infection messages?

On Thu, 26 Nov 2009 21:10:05 +0000, Robin Bignall
wrote:

On Wed, 25 Nov 2009 23:34:09 -0500, Andy Walker
wrote:

David H. Lipman wrote:

I will keep researching this and hopefully we will find what security tool is generating
the display you have seen.


It occurred to me that she may be able to find the text of the error
in a log file for the program generating the error. Assuming the
program keeps a log, and the log has a formatted text element, she
should be able to use the search function in Windows to search for the
string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
EXISTENT." or some portion of that. If she can find the log file, she
should be able to identify the program.


Excellent idea, Andy. I'll try now and report back. Thanks also
David.


No joy with that. I searched for
FILE IS NO LONGER EXISTENT
but didn't find anything.
--
Robin
(BrE)
Herts, England

ps: do any of you out there live in Herts and use
text.news.virginmedia.com? Access from Herts has been down for nearly
a week.
--
Robin
(BrE)
Herts, England
  #30  
Old November 27th 09, 12:15 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support
Robin Bignall
external usenet poster
 
Posts: 595
Default Infection messages?

On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" erratic
@nomail.afraid.org wrote:

"Robin Bignall" wrote in message
.. .

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

***
It sounds to me like a conflict between two programs trying to do the
same thing, and one doesn't check for the existence of the file prior to
attempting the delete action.
***

What, other than malware, would want to delete the cookie index?
Incidentally, I've run iecv, and there are no cookies in any of the
user's cookie folders.
--
Robin
(BrE)
Herts, England
 




All times are GMT +1.