Infection messages

Discussion in 'Spyware' started by Robin Bignall, Nov 24, 2009.

  1. Recently I've been getting screens full of the same message, white
    writing on blue background, just after the first boot screen of
    Windows (the one with the blue bar going left to right) and before the
    logon screen.
    INFECTION: DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
    COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

    I have scanned with Kaspersky 9, asquared, MBAM and SAS prof, all set
    to full scan, and with Activescan2, both in full windows mode and safe
    mode. No infections reported by any of those.

    Occasionally, when I reboot, there are dozens of these messages, other
    times none at all. CHKDSK gives a clear reading on a newish
    velociraptor. Windows XP Pro SP3, all latest critical updates. No
    new soft/hardware added in recent months. System seems to be running
    fine, and I'm not prone to clicking on anything that's unknown.
    Any suggestions as to what might be happening?
     
    Robin Bignall, Nov 24, 2009
    #1

  2. Robin Bignall

    Buffalo Guest

    It sounds like a leftover and I would think one of the folks here will be
    along shortly to give you some good advice on what to do to resolve your
    problem.
    Buffalo
     
    Buffalo, Nov 24, 2009
    #2

  3. From: "Robin Bignall" <>

    | Recently I've been getting screens full of the same message, white
    | writing on blue background, just after the first boot screen of
    | Windows (the one with the blue bar going left to right) and before the
    | logon screen.
    | INFECTION: DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
    | COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

    | I have scanned with Kaspersky 9, asquared, MBAM and SAS prof, all set
    | to full scan, and with Activescan2, both in full windows mode and safe
    | mode. No infections reported by any of those.

    | Occasionally, when I reboot, there are dozens of these messages, other
    | times none at all. CHKDSK gives a clear reading on a newish
    | velociraptor. Windows XP Pro SP3, all latest critical updates. No
    | new soft/hardware added in recent months. System seems to be running
    | fine, and I'm not prone to clicking on anything that's unknown.
    | Any suggestions as to what might be happening?
    | --
    | Robin
    | (BrE)
    | Herts, England

    As I noted in the original thread that was subsequently x-posted to m.p.s.v. ...

    From the description, it is happening PRIOR to the Winlogon Process during OS
    initialization.

    The question then becomes what is generating it?

    The message "Infection: docs and settings my name cookies/index.dat..."
    Could be indicative of a legitimate program (antimalware) that is installed
    that is processing a deletion request that is intended to occur PRIOR to the GUI being
    loaded and where most file handles would not be in use.

    Thus we need to understand what security related software already existed on this platform
    PRIOR to the initial posting of this problem in; m.w.h_a_s
     
    David H. Lipman, Nov 24, 2009
    #3
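A deletion request that runs before Winlogon, as post #3 describes, is commonly queued through the Session Manager registry values `PendingFileRenameOperations` and `BootExecute`; that the software on this machine uses either one is an assumption. The following is an added example, not part of the thread: a decoder for both values, run on constructed sample data (the `user` profile name and `ExampleBootCleaner` are hypothetical).

```python
# Added example (not from the thread). All sample values are constructed.
# Both values live under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"  # stock Windows entry

def strip_nt(path):
    """Drop the NT object-namespace prefix from a path."""
    return path[4:] if path.startswith("\\??\\") else path

def parse_pending_ops(strings):
    """Decode PendingFileRenameOperations given as a list of strings.

    Entries are (source, destination) pairs. An empty destination means
    "delete source at next boot"; a leading '!' on the destination means
    an existing target may be replaced.
    """
    if len(strings) % 2:  # tolerate a dropped trailing empty string
        strings = list(strings) + [""]
    ops = []
    for i in range(0, len(strings), 2):
        src, dst = strip_nt(strings[i]), strings[i + 1]
        if dst == "":
            ops.append(("delete", src, None))
        else:
            ops.append(("rename", src, strip_nt(dst.lstrip("!"))))
    return ops

def extra_boot_programs(boot_execute):
    """Return BootExecute entries other than the stock autochk line."""
    return [e for e in boot_execute
            if e.strip() and e.strip().lower() != DEFAULT_BOOT_EXECUTE]

def boot_deletes_matching(ops, needle):
    """Sources queued for boot-time deletion whose path contains needle."""
    return [s for kind, s, _ in ops
            if kind == "delete" and needle.lower() in s.lower()]

# Constructed sample data: "user" and "ExampleBootCleaner" are hypothetical.
SAMPLE_PENDING = [
    "\\??\\C:\\Documents and Settings\\user\\Cookies\\index.dat", "",
    "\\??\\C:\\WINDOWS\\Temp\\setup.tmp", "!\\??\\C:\\WINDOWS\\system32\\example.dll",
]
SAMPLE_BOOT_EXECUTE = ["autocheck autochk *", "ExampleBootCleaner"]

if __name__ == "__main__":
    ops = parse_pending_ops(SAMPLE_PENDING)
    print(boot_deletes_matching(ops, "index.dat"))
    print(extra_boot_programs(SAMPLE_BOOT_EXECUTE))
```

A queued delete of `index.dat`, or a `BootExecute` entry beyond the stock autochk line, points to the installed program that is issuing the pre-logon request.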
  4. Robin Bignall

    Andy Walker Guest

    You could check the Microsoft Windows Malicious Software Removal Tool
    log to see if the error is being generated by that program.

    %windir%\debug\mrt.log

    You could also run it from a command prompt

    Start/Run
    CMD <enter>
    Mrt.exe <enter>
     
    Andy Walker, Nov 25, 2009
    #4
  5. Robin Bignall

    Andy Walker Guest

    Actually, you don't need the DOS window since it's a GUI program...

    Start/Run
    Mrt.exe
    OK
     
    Andy Walker, Nov 25, 2009
    #5
  6. Robin Bignall

    Andy Walker Guest

    Good point, Dave.

    There are a number of programs that remove DAT, MRU, LOG, etc. files on
    startup or logoff. I think you can configure CrapCleaner to run on
    startup to perform cleanup... there are many more that do the same
    thing.
     
    Andy Walker, Nov 25, 2009
    #6
  7. From: "Andy Walker" <>


    | Actually, you don't need the DOS window since it's a GUI program...

    | Start/Run
    | Mrt.exe
    | OK

    If one is to run it manually I suggest...

    MRT.EXE /f:y

    That will cause a Forced Full Scan and automatically clean infected files.

    To get all command line switches...

    MRT.EXE /?
     
    David H. Lipman, Nov 25, 2009
    #7
  8. Thanks for your help. I just ran MRT (nearly 2 hours!) and got zero
    files infected. As I've said, system is XP Pro SP3 IE8. Protection is
    Kaspersky 9, A-squared pro and SAS pro, all running in real time with
    frequent full/deep scans. MBAM weekly, Panda Activescan 2 monthly. No
    product has anything in quarantine.
    I'll shut down now for dinner and reboot later to see if infection
    messages have gone. But sometimes they all do vanish, only to
    reappear on the next reboot. Weird. TTFN.
     
    Robin Bignall, Nov 25, 2009
    #8
  9. As Sod's Law suggests, on booting there were no infection messages.
    I'm going to reboot after this...
     
    Robin Bignall, Nov 25, 2009
    #9
  10. Are you using a hosts file? Do you use a router? Do you use an alternate
    browser like Opera? No amount of protection can protect you from yourself.
    I use MBAM (Paid), AntiVir (free), HostsXpert (free) with HpHosts
    file (free), router with built-in firewall, Opera@USB (MSN can kiss off)
    --
    Max Wachtel
    This post was created using Opera@USB: http://www.opera-usb.com
    Virus Removal Instructions
    http://sites.google.com/site/keepingwindowsclean/home
    Max's Favorite Freeware
    http://sites.google.com/site/keepingwindowsclean/freeware
     
    Maximus the Mad, Nov 26, 2009
    #10
  11. Yes. (Hardware)
    Gee whiz.
     
    Robin Bignall, Nov 27, 2009
    #11
  12. Seems to be somewhat of a contradiction there, Robin. ;-)
     
    Beauregard T. Shagnasty, Nov 27, 2009
    #12
  13. I don't think so. It's Maximus who uses software that uses the hosts
    file. I don't.
     
    Robin Bignall, Nov 27, 2009
    #13
  14. Robin Bignall

    Buffalo Guest

    Beauregard T. Shagnasty is just being 'itself'.
    Buffalo :)
     
    Buffalo, Nov 28, 2009
    #14
  15. From: "Buffalo" <>


    | Beauregard T. Shagnasty is just being 'itself'.
    | Buffalo :)

    No, BTS is usually on spot. I think he had too much Turkey with JD sauce ;-)
     
    David H. Lipman, Nov 28, 2009
    #15
  16. Oh! Somehow I had missed receiving the Maximus post. I see now...
    Perhaps you should. ;-)
     
    Beauregard T. Shagnasty, Nov 28, 2009
    #16
  17. Cranberry sauce! Honest!
     
    Beauregard T. Shagnasty, Nov 28, 2009
    #17
  18. Robin Bignall

    Buffalo Guest

    More than likely.
    Buffalo
     
    Buffalo, Nov 28, 2009
    #18
  19. Why? One of the malware products (Adaware?) uses or used to use the
    hosts file for inoculation, AFAIK. I stopped using it long ago for
    some reason.

    On a slightly different note, what exactly does quarantining a file
    do? I know it makes it inactive, but once something is quarantined,
    what does one do with it? Leave it there?
     
    Robin Bignall, Nov 29, 2009
    #19
  20. From: "Robin Bignall" <>

    <snip>

    | On a slightly different note, what exactly does quarantining a file
    | do? I know it makes it inactive, but once something is quarantined,
    | what does one do with it? Leave it there?
    | --
    | Robin
    | (BrE)
    | Herts, England


    It is a methodology for removing the file from the operating system and
    storing it in a safe, encrypted, place where it can do no harm.

    Since the file(s) are not actually deleted they can be restored to their
    original, operational, locations IFF the file(s) are deemed to be falsely
    identified as malware.
     
    David H. Lipman, Nov 29, 2009
    #20