A Windows XP help forum. PCbanter


Infection messages?



 
 
  #46  
Old December 9th 09, 03:33 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
JD
external usenet poster
 
Posts: 766
Default Infection messages?

The Real Truth MVP wrote:
Please David your ignorance and lack of knowledge is showing. You of all
people should know that malware writes to that key and since the issue
is there on EVERY boot if it gets deleted when run it gets put back in
there and you are WRONG about when that key gets read.



Oh My god..

Don't you have software to fix this? Go away. Nobody needs your help. 8-)

--
JD..
  #47  
Old December 9th 09, 12:05 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Rick
external usenet poster
 
Posts: 3
Default Infection messages?

"David H. Lipman" wrote:

| When is wininit.ini processed?



What OS are you referring to because NT based OS' don't use INI files.
Everything is pretty much stored in the Registry and evaluated there.

Since this was x-posted to a WinXP group, the answer is NEVER.



Not to be argumentative, but you're saying these folks are incorrect?

http://www.aumha.org/a/loads.php
http://support.microsoft.com/kb/140570

While I don't run into it as much as I used to, I still do find XP systems
that appear to be using wininit.ini for file deletions/renames on occasion.



--
Rick Simon

Include "spam(trap)key" somewhere in the
body of any email to avoid spam filters.
  #48  
Old December 9th 09, 12:50 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Infection messages?

From: "Rick"

| "David H. Lipman" wrote:

| When is wininit.ini processed?




What OS are you referring to because NT based OS' don't use INI files.
Everything is pretty much stored in the Registry and evaluated there.


Since this was x-posted to a WinXP group, the answer is NEVER.



| Not to be argumentative, but you're saying these folks are incorrect?

| http://www.aumha.org/a/loads.php
| http://support.microsoft.com/kb/140570

| While I don't run into it as much as I used to, I still do find XP systems
| that appear to be using wininit.ini for file deletions/renames on occasion.


Well the aumha article is for mostly Win9x/ME and the MS KB140570 is more for NT4 and
Win9x/ME and you'll note mention of "Wininit.exe" which is NOT present in WinXP.

So let me modify my NEVER answer to practically NEVER. Interpreting .INI files is an old
construct that was used in Win9x/ME and to a lesser degree in NT v3.5x and NT4 and
thus *may* have some left over functionality in subsequent OS'. However for the most
part, .INI files are no longer interpreted by the OS.

Notice in the aumha article it states...
"In Windows 2000 and XP, the WININIT.INI file, if existing, will be executed. However it
is usually replaced by the “PendingFileRenameOperations” sub-key in the Registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager."

This shows that for backwards compatibility Win2k and WinXP may interpret WININIT.INI but
has been really replaced by Registry functionality.

This will not affect Robin's problem as the message "INFECTION: DOCUMENTS AND
SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT" occurs "before the logon screen" and
would not be generated by such a process. This is presumed to be a security tool/utility
in action.




--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #49  
Old December 9th 09, 04:51 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Rick
external usenet poster
 
Posts: 3
Default Infection messages?

"David H. Lipman" wrote:

So let me modify my NEVER answer to practically NEVER. Interpreting
.INI files is an old construct that was used in Win9x/ME and to a
lesser degree in NT v3.5x and NT4 and thus *may* have some left over
functionality in subsequent OS'. However for the most part, .INI
files are no longer interpreted by the OS.



Yes, I'm aware of how .ini files have been used going back through Win3.x.


Notice in the aumha article it states...
"In Windows 2000 and XP, the WININIT.INI file, if existing, will be
executed. However it is usually replaced by the
“PendingFileRenameOperations” sub-key in the Registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager."

This shows that for backwards compatibility Win2k and WinXP may
interpret WININIT.INI but has been really replaced by Registry
functionality.



I'm also aware of how wininit.ini is just a hangover and there are other,
preferred methods of doing the same thing. According to the aumha article
however, even though it is not the preferred method, Win XP will execute
the instructions in a wininit.ini file if one is found.


This will not affect Robin's problem as the message "INFECTION:
DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT" occurs "before the
logon screen" and would not be generated by such a process. This is
presumed to be a security tool/utility in action.



And this is where my original question comes in. Just where in the boot
process does wininit.ini get processed? Since the aumha article points out
that:

a) "WININIT.INI is used to complete Windows and program installation steps
that cannot be completed while Windows is running"

b) "During the boot process, Windows checks to see if there is a
WININIT.INI file and, if it finds one, executes its instructions."

c) and specifies that Windows XP will execute such a file, if it exists
(assumedly to maintain backwards compatibility)


I was just curious if anyone happened to know where in the boot process
that execution was performed. Whether it was before or after the logon
process.


--
Rick Simon

Include "spam(trap)key" somewhere in the
body of any email to avoid spam filters.
  #50  
Old December 9th 09, 10:45 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Infection messages?

From: "Rick"

| "David H. Lipman" wrote:

So let me modify my NEVER answer to practically NEVER. Interpreting
.INI files is an old construct that was used in Win9x/ME and to a
lesser degree in NT v3.5x and NT4 and thus *may* have some left over
functionality in subsequent OS'. However for the most part, .INI
files are no longer interpreted by the OS.



| Yes, I'm aware of how .ini files have been used going back through Win3.x.


Notice in the aumha article it states...
"In Windows 2000 and XP, the WININIT.INI file, if existing, will be
executed. However it is usually replaced by the
“PendingFileRenameOperations” sub-key in the Registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager."


This shows that for backwards compatibility Win2k and WinXP may
interpret WININIT.INI but has been really replaced by Registry
functionality.



| I'm also aware of how wininit.ini is just a hangover and there are other,
| preferred methods of doing the same thing. According to the aumha article
| however, even though it is not the preferred method, Win XP will execute
| the instructions in a wininit.ini file if one is found.


This will not affect Robin's problem as the message "INFECTION:
DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT" occurs "before the
logon screen" and would not be generated by such a process. This is
presumed to be a security tool/utility in action.



| And this is where my original question comes in. Just where in the boot
| process does wininit.ini get processed? Since the aumha article points out
| that:

| a) "WININIT.INI is used to complete Windows and program installation steps
| that cannot be completed while Windows is running"

| b) "During the boot process, Windows checks to see if there is a
| WININIT.INI file and, if it finds one, executes its instructions."

| c) and specifies that Windows XP will execute such a file, if it exists
| (assumedly to maintain backwards compatibility)


| I was just curious if anyone happened to know where in the boot process
| that execution was performed. Whether it was before or after the logon
| process.


Rick I think you have a good point in that if the WININIT.INI file is found by the OS it
will do a file move/delete function "before the logon screen" which is 100% relevant to
Robin's problem.

However, this is a silent function. No screen displays and certainly not "INFECTION:...".

Since you know this INI file and its directives, maybe you could create a test and see
what it does.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
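
The two boot-time mechanisms discussed in the posts above, as an added example that is not part of any poster's message: a parser that lists the file deletes and renames queued in a wininit.ini `[rename]` section and in raw `PendingFileRenameOperations` (REG_MULTI_SZ) data, so they can be reviewed before a reboot. The sample inputs, the "Example" paths and the function names are constructed for illustration.

```python
# Added example (not from the thread): list the boot-time file operations
# queued by wininit.ini and by PendingFileRenameOperations.
# All sample inputs below are constructed.

def parse_wininit(text):
    """Parse the [rename] section of wininit.ini.

    Lines read destination=source; a destination of NUL means "delete source".
    configparser is avoided because NUL= may legitimately repeat as a key.
    """
    ops, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
        elif in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            if dest.upper() == "NUL":
                ops.append(("delete", src, None))
            else:
                ops.append(("rename", src, dest))
    return ops

def _strip_nt_prefix(path):
    # Registry entries carry the NT object prefix \??\ before the drive path.
    return path[4:] if path.startswith("\\??\\") else path

def parse_pending_renames(data):
    """Parse raw REG_MULTI_SZ bytes of PendingFileRenameOperations.

    Strings come in (source, destination) pairs. An empty destination means
    "delete source"; a leading "!" on the destination means replace-existing.
    """
    strings = data.decode("utf-16-le").split("\x00")
    ops = []
    for i in range(0, len(strings) - 1, 2):
        src, dest = strings[i], strings[i + 1]
        if not src:  # terminator reached
            break
        if dest:
            dest = _strip_nt_prefix(dest.lstrip("!"))
            ops.append(("rename", _strip_nt_prefix(src), dest))
        else:
            ops.append(("delete", _strip_nt_prefix(src), None))
    return ops

def touching(ops, filename):
    """Return the queued operations whose source or destination is filename."""
    name = filename.lower()
    return [op for op in ops
            if any(p and p.lower().endswith("\\" + name) for p in op[1:])]

# Constructed sample inputs.
SAMPLE_WININIT = r"""
[rename]
NUL=C:\DOCUME~1\EXAMPLE\COOKIES\INDEX.DAT
C:\WINDOWS\SYSTEM32\EXAMPLE.DLL=C:\WINDOWS\TEMP\EXAMPLE.TMP
"""
SAMPLE_PFRO = "\x00".join([
    r"\??\C:\Documents and Settings\Example\Cookies\index.dat", "",
    r"\??\C:\WINDOWS\Temp\example.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
    "", "",
]).encode("utf-16-le")

if __name__ == "__main__":
    for op in parse_wininit(SAMPLE_WININIT) + parse_pending_renames(SAMPLE_PFRO):
        print(op)
```
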


  #51  
Old December 10th 09, 02:19 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Buffalo[_2_]
external usenet poster
 
Posts: 329
Default Infection messages?



Robin Bignall wrote:
[snip]
John, Andy, thanks for the suggestions. I have checked autoruns. In
fact, A-squared contains a very useful feature called Hijackfree which
gives detailed information on what's present in 5 categories:
processes, ports, autoruns, services and others. I don't see anything
amiss. PCButts emailed me to make the sensible suggestion of checking
the runonce registry entries. They're empty. The weird thing is
where the message is coming from, since no executable on my system
disk contains the string "infection".

Dl and instal a free anti-virus program like Avira AntiVir and install it.
Disable or uninstall your present anti-virus program (A-squared)
Uninstall your anti-malware programs and install the free version of
MalwareBytes AntiMalware.
Use it to scan frequently.
See if you have the same problem. If not, install each of the programs you
uninstalled or disabled one at a time to see if you can find out which one
causes the problem.
I don't think you ever said you installed and ran the free version of MBAM
(MalwareBytes Anti-Malware) and the free version of SAS (SuperAntiSpyware).
If you didn't (this is a damn long thread) please do it.
Buffalo


  #52  
Old December 10th 09, 04:05 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Beauregard T. Shagnasty
external usenet poster
 
Posts: 206
Default Infection messages?

In alt.privacy.spyware, Buffalo wrote:

Disable or uninstall your present anti-virus program (A-squared)


A² (A-Squared) is an anti-spyware program, not an anti-virus program.
There should be no conflict with anything, assuming of course you don't
set full-time scanners in action.

http://www.emsisoft.com/en/ (pay)
http://www.emsisoft.com/en/software/free/ (free)

--
-bts
-Friends don't let friends drive Windows
  #53  
Old December 10th 09, 04:53 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Buffalo[_2_]
external usenet poster
 
Posts: 329
Default Infection messages?



Beauregard T. Shagnasty wrote:
In alt.privacy.spyware, Buffalo wrote:

Disable or uninstall your present anti-virus program (A-squared)


A² (A-Squared) is an anti-spyware program, not an anti-virus program.
There should be no conflict with anything, assuming of course you
don't set full-time scanners in action.

http://www.emsisoft.com/en/ (pay)
http://www.emsisoft.com/en/software/free/ (free)


Right you are. Sorry.
I now realize that Robin uses Kaspersky.
Ok, Robin, disable or uninstall Kaspersky and use the free version of Avira
AntiVir temporarily.
Since even Lipman can't nail it, please post back on what program is causing
the message.
Thanks,
Buffalo


  #54  
Old December 10th 09, 05:35 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Infection messages?

From: "Buffalo"

| Right you are. Sorry.
| I now realize that Robin uses Kaspersky.
| Ok, Robin, disable or uninstall Kaspersky and use the free version of Avira
| AntiVir temporarily.
| Since even Lipman can't nail it, please post back on what program is causing
| the message.
| Thanks,
| Buffalo

Robin has already indicated NUMEROUS anti malware scans have been performed with nothing
being found.

We do NOT know what security program is generating this message. That is the problem.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #55  
Old December 10th 09, 05:59 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Buffalo[_2_]
external usenet poster
 
Posts: 329
Default Infection messages?



David H. Lipman wrote:
From: "Buffalo"

Right you are. Sorry.
I now realize that Robin uses Kaspersky.
Ok, Robin, disable or uninstall Kaspersky and use the free version
of Avira AntiVir temporarily.
Since even Lipman can't nail it, please post back on what program is
causing the message.
Thanks,
Buffalo


Robin has already indicated NUMEROUS anti malware scans have been
performed with nothing being found.

We do NOT know what security program is generating this message.
That is the problem.


That is why I recommended that he disable or uninstall his anti-virus and
anti-malware programs and install Avira AntiVir and free MBAM and hopefully
the free SAS. ( I don't think he ever said that he tried them both)
If the above doesn't change things, then that would indicate a different
security program causing the problem.
Buffalo


  #56  
Old December 10th 09, 10:17 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Robin Bignall
external usenet poster
 
Posts: 595
Default Infection messages?

On Wed, 9 Dec 2009 21:59:57 -0700, "Buffalo"
wrote:



David H. Lipman wrote:
From: "Buffalo"

Right you are. Sorry.
I now realize that Robin uses Kaspersky.
Ok, Robin, disable or uninstall Kaspersky and use the free version
of Avira AntiVir temporarily.
Since even Lipman can't nail it, please post back on what program is
causing the message.
Thanks,
Buffalo


Robin has already indicated NUMEROUS anti malware scans have been
performed with nothing being found.

We do NOT know what security program is generating this message.
That is the problem.


That is why I recommended that he disable or uninstall his anti-virus and
anti-malware programs and install Avira AntiVir and free MBAM and hopefully
the free SAS. ( I don't think he ever said that he tried them both)
If the above doesn't change things, then that would indicate a different
security program causing the problem.
Buffalo

Just to save you reading back in the thread, I have SAS Pro, which is
not free, and MBAM, which is. I also run ActiveScan 2, which was
recommended, together with Kaspersky, by AumHa. I don't intend to
go through the process of uninstalling Kaspersky.
--
Robin
(BrE)
Herts, England
  #57  
Old December 10th 09, 10:27 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Buffalo[_2_]
external usenet poster
 
Posts: 329
Default Infection messages?



Robin Bignall wrote:
[snip]

That is why I recommended that he disable or uninstall his
anti-virus and anti-malware programs and install Avira AntiVir and
free MBAM and hopefully the free SAS. ( I don't think he ever said
that he tried them both)
If the above doesn't change things, then that would indicate a
different security program causing the problem.
Buffalo

Just to save you reading back in the thread, I have SAS Pro, which is
not free, and MBAM, which is. I also run ActiveScan 2, which was
recommended, together with Kaspersky, by AumHa. I don't intend to
go through the process of uninstalling Kaspersky.


OK, missed that point. If you disable Kaspersky and just use the free Avira
AntiVir and no message comes up, perhaps it is Kaspersky doing it.
Doesn't really seem like it's worth the trouble overall.
Buffalo
PS: If you ever find out what it is, please post back.


  #58  
Old December 10th 09, 11:13 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Robin Bignall
external usenet poster
 
Posts: 595
Default Infection messages?

On Thu, 10 Dec 2009 14:27:55 -0700, "Buffalo"
wrote:



Robin Bignall wrote:
[snip]

That is why I recommended that he disable or uninstall his
anti-virus and anti-malware programs and install Avira AntiVir and
free MBAM and hopefully the free SAS. ( I don't think he ever said
that he tried them both)
If the above doesn't change things, then that would indicate a
different security program causing the problem.
Buffalo

Just to save you reading back in the thread, I have SAS Pro, which is
not free, and MBAM, which is. I also run ActiveScan 2, which was
recommended, together with Kaspersky, by AumHa. I don't intend to
go through the process of uninstalling Kaspersky.


OK, missed that point. If you disable Kaspersky and just use the free Avira
AntiVir and no message comes up, perhaps it is Kaspersky doing it.
Doesn't really seem like it's worth the trouble overall.
Buffalo
PS: If you ever find out what it is, please post back.

I certainly will.
--
Robin
(BrE)
Herts, England
  #59  
Old December 10th 09, 11:41 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Robin Bignall
external usenet poster
 
Posts: 595
Default Infection messages?

On Thu, 10 Dec 2009 22:13:51 +0000, Robin Bignall
wrote:

On Thu, 10 Dec 2009 14:27:55 -0700, "Buffalo"
wrote:



Robin Bignall wrote:
[snip]

That is why I recommended that he disable or uninstall his
anti-virus and anti-malware programs and install Avira AntiVir and
free MBAM and hopefully the free SAS. ( I don't think he ever said
that he tried them both)
If the above doesn't change things, then that would indicate a
different security program causing the problem.
Buffalo

Just to save you reading back in the thread, I have SAS Pro, which is
not free, and MBAM, which is. I also run ActiveScan 2, which was
recommended, together with Kaspersky, by AumHa. I don't intend to
go through the process of uninstalling Kaspersky.


OK, missed that point. If you disable Kaspersky and just use the free Avira
AntiVir and no message comes up, perhaps it is Kaspersky doing it.
Doesn't really seem like it's worth the trouble overall.
Buffalo
PS: If you ever find out what it is, please post back.

I certainly will.


I'm running Avira now.
--
Robin
(BrE)
Herts, England
  #60  
Old December 11th 09, 12:02 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.help_and_support,alt.privacy.spyware
Robin Bignall
external usenet poster
 
Posts: 595
Default Infection messages?

On Thu, 10 Dec 2009 22:41:55 +0000, Robin Bignall
wrote:

On Thu, 10 Dec 2009 22:13:51 +0000, Robin Bignall
wrote:

On Thu, 10 Dec 2009 14:27:55 -0700, "Buffalo"
wrote:



Robin Bignall wrote:
[snip]

That is why I recommended that he disable or uninstall his
anti-virus and anti-malware programs and install Avira AntiVir and
free MBAM and hopefully the free SAS. ( I don't think he ever said
that he tried them both)
If the above doesn't change things, then that would indicate a
different security program causing the problem.
Buffalo

Just to save you reading back in the thread, I have SAS Pro, which is
not free, and MBAM, which is. I also run ActiveScan 2, which was
recommended, together with Kaspersky, by AumHa. I don't intend to
go through the process of uninstalling Kaspersky.

OK, missed that point. If you disable Kaspersky and just use the free Avira
AntiVir and no message comes up, perhaps it is Kaspersky doing it.
Doesn't really seem like it's worth the trouble overall.
Buffalo
PS: If you ever find out what it is, please post back.

I certainly will.


I'm running Avira now.


And it found nothing.
--
Robin
(BrE)
Herts, England
 





All times are GMT +1. The time now is 04:20 PM.


Copyright ©2004-2024 PCbanter.
The comments are property of their posters.