Infection messages?

Robin Bignall

From: "Daave" <[email protected]>


| Also, HijackThis might be necessary...

I have read the original thread (when it first started) and the subsequent parts x-posted
to m.p.s.v and this is curious indeed. However I don't think HJT will help.

The way to fully understand this is to go back to the beginning. And to fully express the
EXACT (to the best as one can) messages and relay the exact moment(s) the messages are
displayed.

To date what I have seen is...
"I get a blue screen with white messages. There are dozens of them, all identical, which
say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed."

From the description, it is happening PRIOR to the Winlogon Process during OS
initialization.

The question then becomes: what is generating it?

The message "Infection: docs and settings my name cookies/index.dat..."
Could be indicative of a legitimate program (antimalware) that is installed
that is processing a deletion request that is intended to occur PRIOR to the GUI being
loaded and where most file handles would be in use.

Thus we need to understand what security related software already existed on this platform
PRIOR to the posting of this problem.

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

Needless to say, the file does exist.
As previously stated I have Kaspersky 9, A-squared pro and SAS pro
running in real time with frequent full scans. I also run MBAM weekly
and Panda Activescan 2 monthly.
 
Robin Bignall

To check if an antimalware tool is running pre-desktop, look into
Control Panel > Task Manager and enable 'view hidden
tasks', then also download Autoruns and check the 'run'
section.
A-squared contains "Hijackfree" that has an autoruns section plus a
lot of other stuff. I can't see anything running that shouldn't be
there.
Programs recently installed may still have their residue/setup
in documents and settings (logon profile) so look for /temp
folder (may be more than one location).
Nothing recently installed or uninstalled, except updates to Windows
and running software.
Also look at restore points (usually a new restore point
setup prior to installing a program).
Don't use restore, never have.
In control panel > system > uncheck the auto restart option
that will leave any shutdown message sit on the screen
instead of just blinking over it and rebooting.
This is already unchecked. Windows does not see these messages as
something to stop/reboot on.
Download and install PUI (program uninstall utility), which
will show programs installed in Windows, even the
KB and 'uninstallable' type entries from the registry.
<http://www.softpedia.com/progDownload/PUI-Download-24439.html>

Just some tips, FYI.

Thanks. I should say two other things:
I ran MRT.EXE /f:y this afternoon. Zero problems reported.
On reboot, sometimes all of these 'infection' messages are simply not
there. Then, on another reboot, they're back again, sometimes a few,
sometimes screens full. Normally I hibernate overnight and only
reboot when something, like critical updates, forces me to.

(alt.privacy.spyware added because this is being discussed there,
too.)
 
David H. Lipman

From: "Robin Bignall" <[email protected]>

< snip >

| Thanks. I should say two other things:
| I ran MRT.EXE /f:y this afternoon. Zero problems reported.
| On reboot, sometimes all of these 'infection' messages are simply not
| there. Then, on another reboot, they're back again, sometimes a few,
| sometimes screens full. Normally I hibernate overnight and only
| reboot when something, like critical updates, forces me to.

| (alt.privacy.spyware added because this is being discussed there,
| too.)
| --
| Robin
| (BrE)
| Herts, England


It is definitely a security tool set to delete the file index.dat at system reboot and
before the Winlogon process.

However, at this time none of my peers have pinpointed exactly what security tool is
generating the process.

However at this point I can/will say "don't worry". We have now done numerous anti-malware
scans and the system can be deemed clean, so don't get frazzled over this.

I will keep researching this and hopefully we will find what security tool is generating
the display you have seen.
 
NT Canuck

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

Needless to say, the file does exist.
As previously stated I have Kaspersky 9, A-squared pro and SAS pro
running in real time with frequent full scans. I also run MBAM weekly
and Panda Activescan 2 monthly.

Heh, too much by far...
Likely an infection was found by one unit and set for
automatic removal next boot...but before booting one
of the other tools deleted the file or deleted it before
another tool that also found it...could do so at boot. ;)

I'd uninstall (not just de-activate) all of them except
KAV9, and see what happens after a few days.

Last mystery is why that .dat is considered an infection,
it could be a renamed file so install this and have a look
inside... A safe file inspector.
http://users.westnet.gr/~cgian/peek11.zip 17kb
PEEK is a Shell context menu extension which
allows you to extract only the text portion of files.
After installation you are provided with 3 different
setups called: Standard, Unicode, Binary Files.

Otherwise you may be visiting some odd site and
picking up a poison cookie... then remnants in the
.dat (guessing)... but still... too many programs.
 
FromTheRafters

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

***
It sounds to me like a conflict between two programs trying to do the
same thing, and one doesn't check for the existence of the file prior to
attempting the delete action.
***
 
Andy Walker

David said:
I will keep researching this and hopefully we will find what security tool is generating
the display you have seen.

It occurred to me that she may be able to find the text of the error
in a log file for the program generating the error. Assuming the
program keeps a log, and the log has a formatted text element, she
should be able to use the search function in Windows to search for the
string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
EXISTENT." or some portion of that. If she can find the log file, she
should be able to identify the program.
 
David H. Lipman

From: "Andy Walker" <[email protected]>


| It occurred to me that she may be able to find the text of the error
| in a log file for the program generating the error. Assuming the
| program keeps a log, and the log has a formatted text element, she
| should be able to use the search function in Windows to search for the
| string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
| BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
| EXISTENT." or some portion of that. If she can find the log file, she
| should be able to identify the program.


A good approach !
 
Robin Bignall

It occurred to me that she may be able to find the text of the error
in a log file for the program generating the error. Assuming the
program keeps a log, and the log has a formatted text element, she
should be able to use the search function in Windows to search for the
string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
EXISTENT." or some portion of that. If she can find the log file, she
should be able to identify the program.

Excellent idea, Andy. I'll try now and report back. Thanks also
David.
 
Robin Bignall

Excellent idea, Andy. I'll try now and report back. Thanks also
David.

No joy with that. I searched for
FILE IS NO LONGER EXISTENT
but didn't find anything.
--
Robin
(BrE)
Herts, England

ps: do any of you out there live in Herts and use
text.news.virginmedia.com? Access from Herts has been down for nearly
a week.
 
Robin Bignall

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

***
It sounds to me like a conflict between two programs trying to do the
same thing, and one doesn't check for the existence of the file prior to
attempting the delete action.
***
What, other than malware, would want to delete the cookie index?
Incidentally, I've run iecv, and there are no cookies in any of the
user's cookie folders.
 
FromTheRafters

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

***
It sounds to me like a conflict between two programs trying to do the
same thing, and one doesn't check for the existence of the file prior
to
attempting the delete action.
***
What, other than malware, would want to delete the cookie index?
Incidentally, I've run iecv, and there are no cookies in any of the
user's cookie folders.

***
People who have issues with privacy and spyware (in the form of cookies)
sometimes download programs that "protect" them from data leakage (or
from their own OS's hidden data stores or pagefile.sys).

Malware (spyware specifically) is more likely to want that file to
remain existent.
***
 
Robin Bignall

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

Needless to say, the file does exist.
As previously stated I have Kaspersky 9, A-squared pro and SAS pro
running in real time with frequent full scans. I also run MBAM weekly
and Panda Activescan 2 monthly.

Heh, too much by far...
Likely an infection was found by one unit and set for
automatic removal next boot...but before booting one
of the other tools deleted the file or deleted it before
another tool that also found it...could do so at boot. ;)
OK. If they're just arguing with each other, I can live with that. I
am married!
I'd uninstall (not just de-activate) all of them except
KAV9, and see what happens after a few days.

Last mystery is why that .dat is considered an infection,
it could be a renamed file so install this and have a look
inside... A safe file inspector.
http://users.westnet.gr/~cgian/peek11.zip 17kb
PEEK is a Shell context menu extension which
allows you to extract only the text portion of files.
After installation you are provided with 3 different
setups called: Standard, Unicode, Binary Files.
I have a hex editor. I took a look inside cookie\index.dat for
administrator and me. They both lead off with "URL Cache", and the
rest is mostly hex 00.
 
Robin Bignall

Just another piece of data. I just logged on as "administrator" (with
several screens full of these infection messages) to see if, when I
rebooted, I might have some "administrator\cookies\index.dat"
messages.
When I rebooted back as myself all the infection messages had
vanished. But this has happened before on reboot.
 
Robin Bignall

From: "Robin Bignall" <[email protected]>

< snip >

| Thanks. I should say two other things:
| I ran MRT.EXE /f:y this afternoon. Zero problems reported.
| On reboot, sometimes all of these 'infection' messages are simply not
| there. Then, on another reboot, they're back again, sometimes a few,
| sometimes screens full. Normally I hibernate overnight and only
| reboot when something, like critical updates, forces me to.

| (alt.privacy.spyware added because this is being discussed there,
| too.)
| --
| Robin
| (BrE)
| Herts, England


It is definitely a security tool set to delete the file index.dat at system reboot and
before the Winlogon process.

However, at this time none of my peers have pinpointed exactly what security tool is
generating the process.

However at this point I can/will say "don't worry". We have now done numerous anti-malware
scans and the system can be deemed clean, so don't get frazzled over this.

I will keep researching this and hopefully we will find what security tool is generating
the display you have seen.

Just another word on this, for it's still happening. I created a text
file on c: containing the word "infection" only. I then used Windows
'search within files' to check all files -- including hidden and
system -- on the system disk. I found seven instances of 'infection'
in various places, mostly text or pdf files, including the made-up
one, but none relating in any way to the system, the virus checker or
any malware. I find it baffling to know what is generating this
message, and how.
 
David H. Lipman

From: "Robin Bignall" <[email protected]>

| Just another word on this, for it's still happening. I created a text
| file on c: containing the word "infection" only. I then used Windows
| 'search within files' to check all files -- including hidden and
| system -- on the system disk. I found seven instances of 'infection'
| in various places, mostly text or pdf files, including the made-up
| one, but none relating in any way to the system, the virus checker or
| any malware. I find it baffling to know what is generating this
| message, and how.
| --
| Robin
| (BrE)
| Herts, England

To date, NOTHING has been pin-pointed yet as the source :-(
 
Andy Walker

Robin said:
Just another word on this, for it's still happening. I created a text
file on c: containing the word "infection" only. I then used Windows
'search within files' to check all files -- including hidden and
system -- on the system disk. I found seven instances of 'infection'
in various places, mostly text or pdf files, including the made-up
one, but none relating in any way to the system, the virus checker or
any malware. I find it baffling to know what is generating this
message, and how.

Have you tried looking through your registry for startup programs?

If you are familiar with regedit, you can look at the keys in the
following article to identify programs that could potentially be
giving you the error. Just be mindful that regedit is a dangerous
tool for the inexperienced user:

http://www.bleepingcomputer.com/tutorials/tutorial44.html

Using Regedit
http://www.microsoft.com/resources/...proddocs/en-us/tools_regeditors.mspx?mfr=true
or
http://preview.tinyurl.com/yhph8yt


Another possibility is to use autoruns to look for startup programs.
Autoruns has some useful features that allow you to *not* display
normal Microsoft startup programs, which may help zero in on the
source of the problem.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
 
John Mason Jr

Andy said:
Have you tried looking through your registry for startup programs?

If you are familiar with regedit, you can look at the keys in the
following article to identify programs that could potentially be
giving you the error. Just be mindful that regedit is a dangerous
tool for the inexperienced user:

http://www.bleepingcomputer.com/tutorials/tutorial44.html

Using Regedit
http://www.microsoft.com/resources/...proddocs/en-us/tools_regeditors.mspx?mfr=true
or
http://preview.tinyurl.com/yhph8yt


Another possibility is to use autoruns to look for startup programs.
Autoruns has some useful features that allow you to *not* display
normal Microsoft startup programs, which may help zero in on the
source of the problem.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx


Process Monitor

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

and
PendMoves might help as well

http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx


John
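The Sysinternals pointers above cover the pre-logon stage the whole thread keeps coming back to. On a machine where those tools cannot be run, the same data is available from a registry export. What follows is an added example, written for this thread rather than taken from it or from any tool it names: it parses the output of `reg export` for the Session Manager key and lists the two REG_MULTI_SZ values that smss.exe acts on before winlogon.exe starts. PendingFileRenameOperations is what PendMoves displays (source/target pairs, an empty target meaning delete); BootExecute is the list of native programs run at the same point, which Autoruns shows on its Boot Execute tab. The sample export, the `cleanup.exe` entry and the queued index.dat deletion are constructed for the demonstration and are not a claim about Robin's machine.

```python
import re
from typing import Dict, List, Tuple

# Values smss.exe processes before winlogon.exe starts.  PendMoves reads
# PendingFileRenameOperations; BootExecute is the neighbouring list of native
# programs run at the same stage.  ASSUMPTION: the export was produced with
#   reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" sm.reg
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUES = ("BootExecute", "PendingFileRenameOperations")
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}   # the stock entry on XP

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_HEX7_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<hex>[0-9a-fA-F,]*)$')

def _unwrap(text: str) -> List[str]:
    """Join the trailing-backslash continuation lines reg.exe emits for long values."""
    lines, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines

def parse_multi_sz(hex_csv: str) -> List[str]:
    """Decode hex(7) (REG_MULTI_SZ): UTF-16LE strings, each NUL-terminated, then one
    extra NUL.  Empty strings inside the list are kept; PendingFileRenameOperations
    uses an empty target string to mean 'delete the source'."""
    raw = bytes(int(h, 16) for h in hex_csv.split(",") if h)
    text = raw.decode("utf-16-le", errors="replace")
    if text.endswith("\x00"):
        text = text[:-1]              # list terminator
    return text.split("\x00")[:-1]    # drop the empty tail after the last string's NUL

def parse_reg_export(text: str, key: str = KEY) -> Dict[str, List[str]]:
    """Return the target multi-string values found under `key` in a .reg export."""
    found, current = {}, None
    for line in _unwrap(text):
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        if current is None or current.lower() != key.lower():
            continue
        m = _HEX7_RE.match(line)
        if m and m.group("name") in VALUES:
            found[m.group("name")] = parse_multi_sz(m.group("hex"))
    return found

def pre_logon_findings(parsed: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Everything that would run, or be renamed/deleted, before Winlogon and is not stock."""
    findings = []
    stock = {d.lower() for d in DEFAULT_BOOTEXECUTE}
    for entry in parsed.get("BootExecute", []):
        if entry.strip().lower() not in stock:
            findings.append(("BootExecute", entry))
    ops = parsed.get("PendingFileRenameOperations", [])
    for src, dst in zip(ops[0::2], ops[1::2]):          # stored as source/target pairs
        findings.append(("PendingFileRenameOperations", f"{src} -> {dst or '<delete>'}"))
    return findings

def load_reg_export(path: str) -> str:
    """reg.exe writes UTF-16LE with a BOM; fall back to UTF-8 for hand-made files."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("utf-8", "replace")

def _hex7(strings: List[str]) -> str:
    """Encode strings as reg.exe does, including its wrapped continuation lines."""
    body = ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")
    octets = [f"{b:02x}" for b in body]
    rows = [",".join(octets[i:i + 24]) for i in range(0, len(octets), 24)]
    return "hex(7):" + ",\\\n  ".join(rows)

def sample_export() -> str:
    """Constructed .reg text, not from the thread; 'cleanup.exe' is hypothetical."""
    boot = _hex7(["autocheck autochk *", "cleanup.exe /purge"])
    pending = _hex7([r"\??\C:\Documents and Settings\user\Cookies\index.dat", ""])
    return ("Windows Registry Editor Version 5.00\n\n"
            f"[{KEY}]\n"
            f'"BootExecute"={boot}\n'
            f'"PendingFileRenameOperations"={pending}\n')

if __name__ == "__main__":
    # Real use: pre_logon_findings(parse_reg_export(load_reg_export("sm.reg")))
    for where, what in pre_logon_findings(parse_reg_export(sample_export())):
        print(f"{where}: {what}")
```

A BootExecute entry beyond `autocheck autochk *` names a program that runs with no desktop and no user context, which is exactly when a message like the one in this thread could be painted on a blue text-mode screen; a PendingFileRenameOperations pair with an empty target is a deletion queued for the next boot, which is the case the "could not be removed" wording suggests. Both values are rewritten as the tools that use them see fit, so the export is worth taking right after a boot that showed the messages.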
 
Robin Bignall

John, Andy, thanks for the suggestions. I have checked autoruns. In
fact, A-squared contains a very useful feature called Hijackfree which
gives detailed information on what's present in 5 categories:
processes, ports, autoruns, services and others. I don't see anything
amiss. PCButts emailed me to make the sensible suggestion of checking
the runonce registry entries. They're empty. The weird thing is
where the message is coming from, since no executable on my system
disk contains the string "infection".
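Windows' own content search matches the bytes it can read from the file types it understands. Text inside a program binary is often stored as UTF-16 (a NUL byte between each letter), so a search for the plain ASCII word can walk straight past it, and a program may also assemble the sentence at run time from smaller pieces. The scanner below is an added example written for this thread, not code from it or from any tool it names: it walks a directory tree, looks for a needle in both the narrow and the wide encoding, case-insensitively, and reports file and byte offset. The three sample files it creates are constructed for the demonstration; on a real machine the call would be `scan_tree(r"C:\")`, run as an administrator so locked or protected files are at least attempted, and a hit only shows that a file carries the text, which then needs to be tied to an autostart entry.

```python
import os
import re
import shutil
import tempfile
from typing import Dict, List, Tuple

# Leading token of the boot-time message quoted in the thread.  Only this part is
# searched for, since a program may build the rest of the sentence at run time.
NEEDLE = "INFECTION:"

def byte_patterns(text: str) -> List[Tuple[str, bytes]]:
    """Byte forms a Windows program is likely to embed: narrow (ANSI) and wide (UTF-16LE)."""
    return [("ascii", text.encode("ascii")), ("utf-16le", text.encode("utf-16-le"))]

def scan_file(path: str, needle: str = NEEDLE, chunk: int = 1 << 20) -> List[Tuple[str, int]]:
    """Return (encoding, byte offset) for each case-insensitive hit of `needle` in `path`.
    The file is read in chunks with an overlap so a hit straddling a boundary is kept;
    hits found twice because of the overlap are collapsed by the set."""
    pats = [(name, re.compile(re.escape(b), re.IGNORECASE)) for name, b in byte_patterns(needle)]
    overlap = max(len(b) for _, b in byte_patterns(needle)) - 1
    hits, base, data = set(), 0, b""          # base = file offset of data[0]
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            data += block
            for name, rx in pats:
                for m in rx.finditer(data):
                    hits.add((name, base + m.start()))
            if overlap and len(data) > overlap:
                base += len(data) - overlap
                data = data[-overlap:]
            elif not overlap:
                base += len(data)
                data = b""
    return sorted(hits, key=lambda h: h[1])

def scan_tree(root: str, needle: str = NEEDLE, chunk: int = 1 << 20) -> Dict[str, List[Tuple[str, int]]]:
    """Map relative path -> hits for every readable file under `root` that contains `needle`."""
    out: Dict[str, List[Tuple[str, int]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                hits = scan_file(full, needle, chunk)
            except OSError:                   # locked or unreadable file: skip, don't abort
                continue
            if hits:
                out[os.path.relpath(full, root)] = hits
    return out

def build_sample_tree() -> str:
    """Constructed files (not from Robin's machine) so the scanner can run offline:
    a fake binary carrying the text as UTF-16LE, a text file with the ASCII word,
    and a file with no hit."""
    root = tempfile.mkdtemp(prefix="infscan_")
    samples = {
        "tool.exe": b"MZ" + b"\x00" * 64
                    + "Infection:%s could not be removed".encode("utf-16-le") + b"\x00" * 16,
        "notes.txt": b"Some prose that mentions an infection: here\n",
        "random.bin": bytes(range(256)) * 4,
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root

def demo(chunk: int = 1 << 20) -> Dict[str, List[Tuple[str, int]]]:
    """Build the sample tree, scan it, clean up, and return what was found."""
    root = build_sample_tree()
    try:
        return scan_tree(root, chunk=chunk)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

In the sample, `tool.exe` is reported with a `utf-16le` hit at offset 66 and `notes.txt` with an `ascii` hit at offset 28, while `random.bin` is silent; a search limited to the ASCII spelling would have found only the text file, which is the gap this example is meant to close.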
 
Beauregard T. Shagnasty

PCButts emailed me to make the sensible suggestion of checking
the runonce registry entries.

What?

Buttface is now emailing direct to posters? How cheeky is that!! Must
be a new way to get around having others respond to warn about his
stolen software...
 
David H. Lipman

From: "Beauregard T. Shagnasty" <[email protected]>


| What?

| Buttface is now emailing direct to posters? How cheeky is that!! Must
| be a new way to get around having others respond to warn about his
| stolen software...

And it isn't even really a "sensible" suggestion, as the RunOnce key is just that: it runs
only once, then the contents of that Registry key are removed. Therefore if it did run, by
the time the person examined it, it would be an empty key. Plus RunOnce is interpreted
AFTER the Winlogon process. Robin's problem occurs before the Winlogon process.
 
