Infection messages?

Robin Bignall

XP Pro SP3
During the past few weeks, immediately after the initial Windows
screen with the blue bar running left right, and before the logon
screen, I get a blue screen with white messages. There are dozens of
them, all identical, which say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed. (Pause is inoperative and the normal logon
screen appears immediately after.)

If I reboot at the logon screen instead of logging on, they have all
disappeared. CHKDSK on system disk shows a healthy disk.

I have Kaspersky 9 and have run MBAM SAS Asquared etc., nothing found.
What is causing these? (There's no anti-virus in my BIOS, BTW.)
 
Gerry

Robin

They could be orphaned start-up items. Perhaps an infection only partly
removed.

To identify what loads when you boot use Autoruns (freeware) from
Microsoft.
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/Autoruns.mspx

With Autoruns you can uncheck an item, which disables it from
starting, or you can right-click an item and then delete it. If you
uncheck, you can recheck to re-enable the item. It is a much safer
approach than editing the Registry and better than using msconfig.
Another useful feature of the programme is that you can right click an
item and select Search Online to get information about the item
selected.

When booting, an automatic virus scan can impact significantly on
performance. The extent varies according to the anti-virus software, the
availability of RAM and the CPU capacity.

Is your system error free?

Have a look in the System and Application logs in Event Viewer for
Errors and Warnings and post copies here. Don't post anything older
than 48 hours.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer. When researching the meaning
of the error, information regarding Event ID, Source and Description
are important.

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window which appears is a
button resembling two pages. Click the button and close Event
Viewer. Now start your message (email) and do a paste into the body of
the message. Make sure this is the first paste after exiting from
Event Viewer.

--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
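Gerry's Event Viewer steps, as an added example that is not part of the thread: the same 48-hour pull of Errors and Warnings from the System and Application logs, done from Windows PowerShell so that Event ID, Source and Description land in one table that can be pasted into a reply rather than copied one event at a time. It assumes Windows PowerShell 2.0 or later is installed (it is available for XP SP3) and that the current user may read the logs; the function name, the 48-hour default and the output file location are my choices.

```powershell
# Added example, not from the thread. Lists Errors and Warnings from the
# System and Application logs for the last N hours (default 48, matching
# Gerry's request), with Event ID, Source and Description per row.
# Assumes Windows PowerShell 2.0+ (available for XP SP3); Get-EventLog reads
# the classic event logs that XP's Event Viewer shows.
function Get-RecentProblemEvents {
    param(
        [int]$Hours = 48,
        [string[]]$LogName = @('System', 'Application')
    )

    $since = (Get-Date).AddHours(-$Hours)

    foreach ($log in $LogName) {
        # -EntryType keeps only Error and Warning; -After does the time cut.
        Get-EventLog -LogName $log -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue |
            Sort-Object TimeGenerated -Descending |
            Select-Object `
                @{ Name = 'Log';         Expression = { $log } },
                @{ Name = 'Time';        Expression = { $_.TimeGenerated } },
                EntryType,
                EventID,
                Source,
                @{ Name = 'Description'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
    }
}

# Usage: an on-screen table, then a text file whose contents can be pasted
# into a reply (file path is my choice).
Get-RecentProblemEvents | Format-Table -AutoSize -Wrap
Get-RecentProblemEvents | Format-List | Out-File "$env:USERPROFILE\Desktop\recent-events.txt"
```

An empty result for both logs is the "system error free" case Gerry asks about; if the boot-time messages come from a program that logs nothing, the event logs will stay empty even though the messages keep appearing, which is itself useful to know before the next step.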
 
Daave

Robin said:
XP Pro SP3
During the past few weeks, immediately after the initial Windows
screen with the blue bar running left right, and before the logon
screen, I get a blue screen with white messages. There are dozens of
them, all identical, which say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed. (Pause is inoperative and the normal logon
screen appears immediately after.)

It is very important that you post back with the exact, complete
message! It's hard to tell at this moment, but it's possible you have a
variation of what is described here:

http://www.bleepingcomputer.com/virus-removal/anti-virus-1-removal

Please post back with the complete message.
 
Peter Foldes

Robin

What is the exact error message, verbatim, that shows up on the blue screen?
We need that for a proper answer.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

XP Pro SP3
During the past few weeks, immediately after the initial Windows
screen with the blue bar running left right, and before the logon
screen, I get a blue screen with white messages. There are dozens of
them, all identical, which say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed. (Pause is inoperative and the normal logon
screen appears immediately after.)

If I reboot at the logon screen instead of logging on, they have all
disappeared. CHKDSK on system disk shows a healthy disk.

I have Kaspersky 9 and have run MBAM SAS Asquared etc., nothing found.
What is causing these? (There's no anti-virus in my BIOS, BTW.)
 
Robin Bignall

It is very important that you post back with the exact, complete
message! It's hard to tell at this moment, but it's possible you have a
variation of what is described here:

http://www.bleepingcomputer.com/virus-removal/anti-virus-1-removal

Please post back with the complete message.

Difficult. Pause/break stops the screen for a second and then it goes
straight to the logon. I just rebooted and all those messages have
vanished. None of the virus/malware programs finds anything.
I'll post again if those messages reappear. There's nothing in the
event log that looks suspicious.
 
Daave

Robin said:
Difficult. Pause/break stops the screen for a second and then it goes
straight to the logon. I just rebooted and all those messages have
vanished. None of the virus/malware programs finds anything.
I'll post again if those messages reappear. There's nothing in the
event log that looks suspicious.

In the menu you get after hitting F8, do you see an option called
"Disable automatic restart on system failure"? If so, choose it. Another
way to do this:

http://pcsupport.about.com/od/tipstricks/ht/disautorestart.htm

This way, you will be able to write down these messages.
 
Daave

Robin said:
The message is:
infection:documents and settings\robin bignall\cookies\index.dat could
not be removed. file is no longer existent.

Googling the above didn't turn up many hits, which already points to
malware. I did manage to find a very similar message (with "available"
replacing "existent") here:

http://translate.google.com/transla...e+removed%22+file+is+no+longer+existent&hl=en

Another possibly relevant hit:

http://forums.techguy.org/malware-removal-hijackthis-logs/618659-my-first-virus-help-please.html

I'm 99.9999999999999% sure you have malware. :-(

This page should help:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

(also cross-posting to microsoft.public.security.virus )
 
Robin Bignall

Googling the above didn't turn up many hits, which already points to
malware. I did manage to find a very similar message (with "available"
replacing "existent") here:

http://translate.google.com/transla...e+removed%22+file+is+no+longer+existent&hl=en

Another possibly relevant hit:

http://forums.techguy.org/malware-removal-hijackthis-logs/618659-my-first-virus-help-please.html

I'm 99.9999999999999% sure you have malware. :-(

This page should help:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

(also cross-posting to microsoft.public.security.virus )

Thanks for your help. I spent lots of time last night doing full/deep
scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing
found. Am now starting MBAM...
Will look at your links after breakfast.
 
Daave

Robin said:
Thanks for your help. I spent lots of time last night doing full/deep
scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing
found. Am now starting MBAM...
Will look at your links after breakfast.

Sounds like you're on the right track. MBAM is quite good.

Sometimes, one needs to boot off a rescue CD. Check out these links for
more info:

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

(This way, the OS is entirely bypassed. Another method is to physically
remove your hard drive and slave it to another PC and use the
uncompromised PC to perform the scan.)
 
Robin Bignall

Sounds like you're on the right track. MBAM is quite good.

Sometimes, one needs to boot off a rescue CD. Check out these links for
more info:

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

(This way, the OS is entirely bypassed. Another method is to physically
remove your hard drive and slave it to another PC and use the
uncompromised PC to perform the scan.)

MBAM was clean. I'm now going to run everything in safe mode to
check.
 
Buffalo

Robin said:
The message is:
infection:documents and settings\robin bignall\cookies\index.dat could
not be removed. file is no longer existent.

Try posting this in :
alt.privacy.spyware



There are some very sharp people in there who could probably help you
quickly.

Just include the exact message, your OS and what you already tried and the
whole story.

Buffalo
 
Robin Bignall

MBAM was clean. I'm now going to run everything in safe mode to
check.

Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing
reported. On reboot all "infection" messages had vanished. Weird,
huh?
 
Robin Bignall

Try posting this in :
alt.privacy.spyware



There are some very sharp people in there who could probably help you
quickly.

Just include the exact message, your OS and what you already tried and the
whole story.

Buffalo

I'll give that a try later.
 
David H. Lipman

From: "Daave" <[email protected]>


| Also, HijackThis might be necessary...

I have read the original thread (when it first started) and the subsequent parts x-posted
to m.p.s.v and this is curious indeed. However I don't think HJT will help.

The way to fully understand this is to go back to the beginning. And to fully express the
EXACT (to the best as one can) messages and relay the exact moment(s) the messages are
displayed.

To date what I have seen is...
"I get a blue screen with white messages. There are dozens of them, all identical, which
say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed."

From the description, it is happening PRIOR to the Winlogon Process during OS
initialization.

The question then becomes: what is generating it?

The message "Infection: docs and settings my name cookies/index.dat..."
could be indicative of a legitimate program (anti-malware) that is installed
and is processing a deletion request that is intended to occur PRIOR to the GUI being
loaded, when most file handles would otherwise be in use.

Thus we need to understand what security related software already existed on this platform
PRIOR to the posting of this problem.
 
NT Canuck

Thus we need to understand what security related software
already existed on this platform PRIOR to the posting of this problem.

To check if antimalware/tool running pre-desktop look into
control panel > taskmanager > and enable view hidden
tasks, then also download autoruns and check the 'run'
section.

Programs recently installed may still have their residue/setup
in documents and settings (logon profile) so look for /temp
folder (may be more than one location).

Also look at restore points (usually a new restore point
setup prior to installing a program).

In control panel > system > uncheck the auto restart option
that will leave any shutdown message sit on the screen
instead of just blinking over it and rebooting.

Download and install PUI (program uninstall utility) that
will show programs installed in Windows..even the
kb and 'uninstallable' type entries from registry.
<http://www.softpedia.com/progDownload/PUI-Download-24439.html>

Just some tips, FYI.
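David's point (a deletion intended to run before the GUI loads) and NT Canuck's suggestion to check the 'run' section in Autoruns, worked as an added example that is not part of the thread: a PowerShell dump of the registry locations Windows itself uses for programs that run before Winlogon and for file deletions deferred to the next boot, plus the logon autostart keys that Autoruns' Logon tab and msconfig's Startup tab show. It assumes Windows PowerShell 2.0 or later on the XP box and read access to HKLM; the XP default values quoted in the comments are facts, while the 'MISSING?' check is a rough heuristic of mine (Autoruns does the equivalent far more reliably, with publisher information and Search Online).

```powershell
# Added example, not from the thread. Dumps the registry locations that
# decide what runs, or gets deleted, before and at logon, so a pre-Winlogon
# "could not be removed" message can be traced to whatever registered it.
# Autoruns (Boot Execute and Logon tabs) shows the same data; this is the
# manual cross-check. Assumes Windows PowerShell 2.0+ and read access to
# HKLM; the expected defaults are XP's.

$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# BootExecute: native programs that smss.exe runs before Winlogon. They write
# to the text-mode boot console, i.e. a blue screen with white text (this is
# how autochk's CHKDSK output appears). XP's default is a single entry.
'--- BootExecute (runs before Winlogon, can print on the boot screen) ---'
foreach ($entry in @($sm.BootExecute | Where-Object { $_ })) {
    $tag = if ($entry -eq 'autocheck autochk *') { 'default    ' } else { 'NON-DEFAULT' }
    "$tag  $entry"
}

# PendingFileRenameOperations: the MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT)
# queue that cleaners and anti-malware use for files that are locked while
# Windows is up, such as index.dat. Stored as pairs: source, destination; an
# empty destination means "delete at boot". smss.exe processes the queue
# silently, so a program that announces the result is doing its own logging.
'--- PendingFileRenameOperations (queued for next boot) ---'
$pending = @($sm.PendingFileRenameOperations | Where-Object { $null -ne $_ })
if ($pending.Count -eq 0) {
    'none'
} else {
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i]
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        if ([string]::IsNullOrEmpty($dst)) { "DELETE  $src" } else { "RENAME  $src -> $dst" }
    }
}

# Winlogon hooks and the Run/RunOnce keys. Shell and Userinit have fixed
# defaults on XP; Run entries are whatever installed software added, and an
# orphaned entry from a half-removed program shows up as a target that no
# longer exists on disk.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
'--- Winlogon ---'
"Shell    = $($wl.Shell)      (XP default: Explorer.exe)"
"Userinit = $($wl.Userinit)   (XP default: C:\WINDOWS\system32\userinit.exe,)"

'--- Run / RunOnce ---'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            # Heuristic (mine): strip quotes and arguments, then test whether the
            # executable still exists. Unquoted paths with spaces defeat it.
            $exe = ($_.Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
            $state = if (Test-Path -LiteralPath $exe) { 'present' } else { 'MISSING?' }
            '{0,-9} {1}\{2} = {3}' -f $state, $key, $_.Name, $_.Value
        }
}
```

Read the output top-down in the order Windows uses it: a non-default BootExecute entry is the only thing in this list that can put text on the screen before the logon prompt, a populated PendingFileRenameOperations shows that something has asked for a locked file to be removed at the next boot, and a 'MISSING?' Run entry is the orphaned start-up item Gerry described. Run it before and after the messages appear, or after a scan that claims to have cleaned something, and compare.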
 
Daave

David said:
I have read the original thread (when it first started) and the
subsequent parts x-posted to m.p.s.v and this is curious indeed.
However I don't think HJT will help.

The way to fully understand this is to go back to the beginning. And
to fully express the EXACT (to the best as one can) messages and
relay the exact moment(s) the messages are displayed.

To date what I have seen is...
"I get a blue screen with white messages. There are dozens of them,
all identical, which say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed."

From the description, it is happening PRIOR to the Winlogon Process
during OS initialization.

The question then becomes: what is generating it?

The message "Infection: docs and settings my name
cookies/index.dat..."
could be indicative of a legitimate program
(anti-malware) that is installed and is processing a deletion request
that is intended to occur PRIOR to the GUI being loaded, when
most file handles would otherwise be in use.

That is a good point. It could be anything. Unfortunately, I don't speak
French and the best I could come up with is this Google translation:

http://translate.google.com/transla...ies%5Cindex.dat+could+not+be+removed%22&hl=en

The screen shot:

http://dl.toofiles.com/uc4yon/images/e1rwa0-fsz7yj-ziucmm.jpg

I don't have Vista, so I don't know what a BSOD looks like in it, but an
XP BSOD would be *all blue* and not what this French poster submitted.
 
NT Canuck

That is a good point. It could be anything. Unfortunately, I don't speak
French and the best I could come up with is this Google translation:

I'd suspect something along the lines of an Internet track/trace evidence
removal program (Ad-Aware or similar), since the index.dat in that
location is a system file (locked/used by Explorer/IE/Outlook Express
and a few others, like the A/V in use, etc.) that has to be (if done at all)
deleted/moved during boot-up before the OS logon, and this is
likely the screen shown: the boot phase. Logging the boot sequence
(like the one shown on the display during safe-mode start-up) would help.

snip
The screen shot:

http://dl.toofiles.com/uc4yon/images/e1rwa0-fsz7yj-ziucmm.jpg

I don't have Vista, so I don't know what a BSOD looks like in it, but an
XP BSOD would be *all blue* and not what this French poster submitted.

As per my comments earlier, typically it's not a bad file... very seldom a threat.

hth
 
