#16
Infection messages?
Daave wrote:
> Robin Bignall wrote:
>> On Tue, 24 Nov 2009 14:42:04 +0000, Robin Bignall wrote:
>>> On Tue, 24 Nov 2009 08:53:29 -0500, "Daave" wrote:
>>>> Robin Bignall wrote:
>>>>> On Mon, 23 Nov 2009 18:40:34 -0500, "Daave" wrote:
>>>>>> Robin Bignall wrote:
>>>>>>> The message is: infection:documents and settings\robin bignall\cookies\index.dat could not be removed. file is no longer existent.
>>>>>> Googling the above didn't turn up many hits, which already points to malware. I did manage to find a very similar message (with "available" replacing "existent") here:
>>>>>> http://translate.google.com/translat...tent%26hl%3Den
>>>>>> Another possibly relevant hit:
>>>>>> http://forums.techguy.org/malware-re...lp-please.html
>>>>>> I'm 99.9999999999999% sure you have malware. :-(
>>>>>> This page should help:
>>>>>> http://www.elephantboycomputers.com/...moving_Malware
>>>>>> (also cross-posting to microsoft.public.security.virus)
>>>>> Thanks for your help. I spent lots of time last night doing full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing found. Am now starting MBAM... Will look at your links after breakfast.
>>>> Sounds like you're on the right track. MBAM is quite good. Sometimes, one needs to boot off a rescue CD. Check out these links for more info:
>>>> http://www.free-av.com/en/tools/12/a...ue_system.html
>>>> http://www.techmixer.com/free-bootab...download-list/
>>>> (This way, the OS is entirely bypassed. Another method is to physically remove your hard drive and slave it to another PC and use the uncompromised PC to perform the scan.)
>>> MBAM was clean. I'm now going to run everything in safe mode to check.
>> Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing reported. On reboot all "infection" messages had vanished. Weird, huh?

Yes. I still smell something rotten. I would still boot off a rescue CD and scan, or use another PC to scan. An alternative to removing the drive and slaving it is to use a device like this one:
http://www.newegg.com/Product/Produc...82E16812161002

Also, HijackThis might be necessary...
#17
Infection messages?
From: "Daave"

| Also, HijackThis might be necessary...

I have read the original thread (when it first started) and the subsequent parts x-posted to m.p.s.v and this is curious indeed. However I don't think HJT will help.

The way to fully understand this is to go back to the beginning. And to fully express the EXACT (to the best as one can) messages and relay the exact moment(s) the messages are displayed.

To date what I have seen is...

"I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed."

From the description, it is happening PRIOR to the Winlogon Process during OS initialization. The question then becomes what is generating it?

The message "Infection: docs and settings my name cookies/index.dat..." could be indicative of a legitimate program (antimalware) that is installed that is processing a deletion request that is intended to occur PRIOR to the GUI being loaded and where most file handles would be in use.

Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
#18
Infection messages?
"David H. Lipman" wrote in message ...

> Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem.

To check if an antimalware tool is running pre-desktop, look into Control Panel / Task Manager and enable view hidden tasks, then also download Autoruns and check the 'run' section.

Programs recently installed may still have their residue/setup in Documents and Settings (logon profile), so look for the /temp folder (may be more than one location). Also look at restore points (usually a new restore point is set up prior to installing a program).

In Control Panel / System, uncheck the auto restart option; that will leave any shutdown message sitting on the screen instead of just blinking over it and rebooting.

Download and install PUI (program uninstall utility), which will show programs installed in Windows, even the KB and 'uninstallable' type entries from the registry.
http://www.softpedia.com/progDownload/PUI-Download-24439.html

Just some tips, FYI.

--
'Seek and ye shall find'
NT Canuck
#19
Infection messages?
David H. Lipman wrote:
> From: "Daave"
>
> | Also, HijackThis might be necessary...
>
> I have read the original thread (when it first started) and the subsequent parts x-posted to m.p.s.v and this is curious indeed. However I don't think HJT will help.
>
> The way to fully understand this is to go back to the beginning. And to fully express the EXACT (to the best as one can) messages and relay the exact moment(s) the messages are displayed.
>
> To date what I have seen is...
>
> "I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed."
>
> From the description, it is happening PRIOR to the Winlogon Process during OS initialization. The question then becomes what is generating it?
>
> The message "Infection: docs and settings my name cookies/index.dat..." could be indicative of a legitimate program (antimalware) that is installed that is processing a deletion request that is intended to occur PRIOR to the GUI being loaded and where most file handles would be in use.

That is a good point. It could be anything. Unfortunately, I don't speak French and the best I could come up with is this Google translation:
http://translate.google.com/translat...2522%26hl%3Den

The screen shot:
http://dl.toofiles.com/uc4yon/images...7yj-ziucmm.jpg

I don't have Vista, so I don't know what a BSOD looks like in it, but an XP BSOD would be *all blue* and not what this French poster submitted.

> Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem.
#20
Infection messages?
"Daave" wrote in message ...

>> Could be indicative of a legitimate program (antimalware) that is installed that is processing a deletion request that is intended to occur PRIOR to the GUI being loaded and where most file handles would be in use.
>
> That is a good point. It could be anything. Unfortunately, I don't speak French and the best I could come up with is this Google translation:

I'd suspect something along the lines of an Internet track/trace evidence removal program (adaware or similar), since the index.dat in that location is a system file (locked/used by Explorer/IE/Outlook Express and a few others like the A/V in use etc.) that has to be (if done) deleted/moved during boot up before the OS logon, and this is likely the screen shown... boot phase. Logging the boot sequence (like shown on display during safe mode start up) would help.

snip

> The screen shot:
> http://dl.toofiles.com/uc4yon/images...7yj-ziucmm.jpg
>
> I don't have Vista, so I don't know what a BSOD looks like in it, but an XP BSOD would be *all blue* and not what this French poster submitted.

My comments earlier: typically it's not a bad file... very seldom a threat.

hth

--
'Seek and ye shall find'
NT Canuck
#21
Infection messages?
On Tue, 24 Nov 2009 17:51:02 -0500, "David H. Lipman" wrote:

> From: "Daave"
>
> | Also, HijackThis might be necessary...
>
> I have read the original thread (when it first started) and the subsequent parts x-posted to m.p.s.v and this is curious indeed. However I don't think HJT will help.
>
> The way to fully understand this is to go back to the beginning. And to fully express the EXACT (to the best as one can) messages and relay the exact moment(s) the messages are displayed.
>
> To date what I have seen is...
>
> "I get a blue screen with white messages. There are dozens of them, all identical, which say something like: Infection: docs and settings my name cookies/index.dat does not exist and cannot be removed."
>
> From the description, it is happening PRIOR to the Winlogon Process during OS initialization. The question then becomes what is generating it?
>
> The message "Infection: docs and settings my name cookies/index.dat..." could be indicative of a legitimate program (antimalware) that is installed that is processing a deletion request that is intended to occur PRIOR to the GUI being loaded and where most file handles would be in use.
>
> Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem.

The precise message is:

INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

Needless to say, the file does exist. As previously stated I have Kaspersky 9, A-squared Pro and SAS Pro running in real time with frequent full scans. I also run MBAM weekly and Panda Activescan 2 monthly.

--
Robin
(BrE)
Herts, England
#22
Infection messages?
On Tue, 24 Nov 2009 17:25:31 -0600, "NT Canuck" wrote:

> "David H. Lipman" wrote in message ...
>
>> Thus we need to understand what security related software already existed on this platform PRIOR to the posting of this problem.
>
> To check if an antimalware tool is running pre-desktop, look into Control Panel / Task Manager and enable view hidden tasks, then also download Autoruns and check the 'run' section.

A-squared contains "Hijackfree", which has an autoruns section plus a lot of other stuff. I can't see anything running that shouldn't be there.

> Programs recently installed may still have their residue/setup in Documents and Settings (logon profile), so look for the /temp folder (may be more than one location).

Nothing recently installed or uninstalled, except updates to Windows and running software.

> Also look at restore points (usually a new restore point is set up prior to installing a program).

Don't use restore, never have.

> In Control Panel / System, uncheck the auto restart option; that will leave any shutdown message sitting on the screen instead of just blinking over it and rebooting.

This is already unchecked. Windows does not see these messages as something to stop/reboot on.

> Download and install PUI (program uninstall utility), which will show programs installed in Windows, even the KB and 'uninstallable' type entries from the registry.
> http://www.softpedia.com/progDownload/PUI-Download-24439.html
>
> Just some tips, FYI.

Thanks. I should say two other things:

I ran MRT.EXE /f:y this afternoon. Zero problems reported.

On reboot, sometimes all of these 'infection' messages are simply not there. Then, on another reboot, they're back again, sometimes a few, sometimes screens full. Normally I hibernate overnight and only reboot when something, like critical updates, forces me to.

(alt.privacy.spyware added because this is being discussed there, too.)

--
Robin
(BrE)
Herts, England
#23
Infection messages?
From: "Robin Bignall"

snip

| Thanks. I should say two other things:
| I ran MRT.EXE /f:y this afternoon. Zero problems reported.
| On reboot, sometimes all of these 'infection' messages are simply not
| there. Then, on another reboot, they're back again, sometimes a few,
| sometimes screens full. Normally I hibernate overnight and only
| reboot when something, like critical updates, forces me to.
| (alt.privacy.spyware added because this is being discussed there,
| too.)
| --
| Robin
| (BrE)
| Herts, England

It is definitely a security tool set to delete the file index.dat at system reboot and before the Winlogon process. However, at this time none of my peers have pinpointed exactly what security tool is generating the process.

However, at this point I can/will say "don't worry". We have now done numerous anti-malware scans and the system can be deemed clean, so don't get frazzled over this.

I will keep researching this and hopefully we will find what security tool is generating the display you have seen.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
#24
Infection messages?
"Robin Bignall" wrote in message ...

> The precise message is:
> INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
>
> Needless to say, the file does exist. As previously stated I have Kaspersky 9, A-squared Pro and SAS Pro running in real time with frequent full scans. I also run MBAM weekly and Panda Activescan 2 monthly.

Heh, too much by far... Likely an infection was found by one unit and set for automatic removal at next boot... but before booting, one of the other tools deleted the file, or deleted it before another tool that also found it could do so at boot.

I'd uninstall (not just de-activate) all of them except KAV9, and see what happens after a few days.

Last mystery is why that .dat is considered an infection; it could be a renamed file, so install this and have a look inside... A safe file inspector.
http://users.westnet.gr/~cgian/peek11.zip 17kb
PEEK is a Shell context menu extension which allows you to extract only the text portion of files. After installation you are provided with 3 different setups called: Standard, Unicode, Binary Files.

Otherwise you may be visiting some odd site and picking up a poison cookie... then remnants in the .dat (guessing)... but still... too many programs.

--
'Seek and ye shall find'
NT Canuck
#25
Infection messages?
"Robin Bignall" wrote in message ...

> The precise message is:
> INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

*** It sounds to me like a conflict between two programs trying to do the same thing, and one doesn't check for the existence of the file prior to attempting the delete action. ***
#26
Infection messages?
David H. Lipman wrote:
> I will keep researching this and hopefully we will find what security tool is generating the display you have seen.

It occurred to me that she may be able to find the text of the error in a log file for the program generating the error. Assuming the program keeps a log, and the log has a formatted text element, she should be able to use the search function in Windows to search for the string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT." or some portion of that. If she can find the log file, she should be able to identify the program.
#27
Infection messages?
From: "Andy Walker"

| David H. Lipman wrote:
|| I will keep researching this and hopefully we will find what security tool is generating the display you have seen.
|
| It occurred to me that she may be able to find the text of the error
| in a log file for the program generating the error. Assuming the
| program keeps a log, and the log has a formatted text element, she
| should be able to use the search function in Windows to search for the
| string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
| BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
| EXISTENT." or some portion of that. If she can find the log file, she
| should be able to identify the program.

A good approach!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
#28
Infection messages?
On Wed, 25 Nov 2009 23:34:09 -0500, Andy Walker wrote:

> David H. Lipman wrote:
>> I will keep researching this and hopefully we will find what security tool is generating the display you have seen.
>
> It occurred to me that she may be able to find the text of the error in a log file for the program generating the error. Assuming the program keeps a log, and the log has a formatted text element, she should be able to use the search function in Windows to search for the string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT." or some portion of that. If she can find the log file, she should be able to identify the program.

Excellent idea, Andy. I'll try now and report back. Thanks also David.

--
Robin (who is a he!)
(BrE)
Herts, England
#29
Infection messages?
On Thu, 26 Nov 2009 21:10:05 +0000, Robin Bignall wrote:

> On Wed, 25 Nov 2009 23:34:09 -0500, Andy Walker wrote:
>
>> David H. Lipman wrote:
>>> I will keep researching this and hopefully we will find what security tool is generating the display you have seen.
>>
>> It occurred to me that she may be able to find the text of the error in a log file for the program generating the error. Assuming the program keeps a log, and the log has a formatted text element, she should be able to use the search function in Windows to search for the string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT." or some portion of that. If she can find the log file, she should be able to identify the program.
>
> Excellent idea, Andy. I'll try now and report back. Thanks also David.

No joy with that. I searched for FILE IS NO LONGER EXISTENT but didn't find anything.

--
Robin
(BrE)
Herts, England

ps: do any of you out there live in Herts and use text.news.virginmedia.com? Access from Herts has been down for nearly a week.

--
Robin
(BrE)
Herts, England
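The log search Andy suggested, as an added example that is not any poster's code: it walks a directory tree and decodes each file as UTF-8, UTF-16 and cp1252 before comparing, because a UTF-16 log does not contain the ANSI string as plain bytes and a byte-level search reports nothing on it. The sample log tree it builds is constructed for the demonstration.

```python
"""Encoding-aware search for a log line (added example, not any poster's code)."""
import os
import tempfile
from typing import List, Optional, Tuple

NEEDLE = "FILE IS NO LONGER EXISTENT"
# A UTF-16 log never holds the needle as plain ASCII bytes, so a byte-level or
# ANSI-only search reports "no hits" on it; decode under each candidate first.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "cp1252")
MAX_BYTES = 8 * 1024 * 1024  # skip large binaries such as index.dat itself


def find_in_bytes(raw: bytes, needle: str = NEEDLE) -> Optional[Tuple[str, str]]:
    """Return (encoding, matching line) if needle occurs in raw, case-insensitively."""
    target = needle.casefold()
    for enc in ENCODINGS:
        # errors="replace": a file in the wrong encoding decodes to noise, never the needle
        text = raw.decode(enc, errors="replace")
        if target in text.casefold():
            line = next(l for l in text.splitlines() if target in l.casefold())
            return enc, line.strip("\ufeff ")
    return None


def search_logs(root: str, needle: str = NEEDLE) -> List[Tuple[str, str, str]]:
    """Walk root; return sorted (path, encoding, line) for each file holding needle."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            found = find_in_bytes(raw, needle)
            if found:
                hits.append((path, found[0], found[1]))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample logs (not real product output) in a temp directory."""
    root = tempfile.mkdtemp(prefix="logsearch_")
    msg = ("INFECTION:DOCUMENTS AND SETTINGS\\ROBIN BIGNALL\\COOKIES\\INDEX.DAT "
           "COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.")
    os.makedirs(os.path.join(root, "ToolA"))
    os.makedirs(os.path.join(root, "ToolB"))
    with open(os.path.join(root, "ToolA", "cleanup.log"), "wb") as fh:
        fh.write(("boot cleanup\n" + msg + "\n").encode("utf-8"))
    with open(os.path.join(root, "ToolB", "trace.log"), "wb") as fh:
        fh.write(("\ufeffboot phase\n" + msg.lower() + "\n").encode("utf-16-le"))
    return root
```

Run `search_logs(build_sample_tree())` to see both constructed logs reported, the UTF-16 one included; point `search_logs` at the program-data and profile folders of each installed tool to use it for real.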
#30
Infection messages?
On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" erratic @nomail.afraid.org wrote:

> "Robin Bignall" wrote in message ...
>
>> The precise message is:
>> INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
>
> *** It sounds to me like a conflict between two programs trying to do the same thing, and one doesn't check for the existence of the file prior to attempting the delete action. ***

What, other than malware, would want to delete the cookie index?

Incidentally, I've run iecv, and there are no cookies in any of the user's cookie folders.

--
Robin
(BrE)
Herts, England