Re: Infection messages?

Discussion in 'Virus Information' started by Daave, Nov 23, 2009.

  1. Daave

    Daave Guest

    Googling the above didn't turn up many hits, which already points to
    malware. I did manage to find a very similar message (with "available"
    replacing "existent") here:

    http://translate.google.com/translate?hl=en&sl=fr&u=http://forum.pcastuces.com/infection_indexdat_au_demarrage_xp-f25s51034.htm%3Fpage%3D2&ei=rRsLS5mONc7GlAeuhbGFBA&sa=X&oi=translate&ct=result&resnum=1&ved=0CAgQ7gEwAA&prev=/search%3Fq%3D%2522cookies%255Cindex.dat%2Bcould%2Bnot%2Bbe%2Bremoved%2522%2Bfile%2Bis%2Bno%2Blonger%2Bexistent%26hl%3Den

    Another possibly relevant hit:

    http://forums.techguy.org/malware-removal-hijackthis-logs/618659-my-first-virus-help-please.html

    I'm 99.9999999999999% sure you have malware. :-(

    This page should help:

    http://www.elephantboycomputers.com/page2.html#Removing_Malware

    (also cross-posting to microsoft.public.security.virus )
     
    Daave, Nov 23, 2009
    #1

  2. Thanks for your help. I spent lots of time last night doing full/deep
    scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing
    found. Am now starting MBAM...
    Will look at your links after breakfast.
     
    Robin Bignall, Nov 24, 2009
    #2

  3. Daave

    Daave Guest

    Sounds like you're on the right track. MBAM is quite good.

    Sometimes, one needs to boot off a rescue CD. Check out these links for
    more info:

    http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

    http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

    (This way, the OS is entirely bypassed. Another method is to physically
    remove your hard drive and slave it to another PC and use the
    uncompromised PC to perform the scan.)
     
    Daave, Nov 24, 2009
    #3
  4. MBAM was clean. I'm now going to run everything in safe mode to
    check.
     
    Robin Bignall, Nov 24, 2009
    #4
  5. Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing
    reported. On reboot all "infection" messages had vanished. Weird,
    huh?
     
    Robin Bignall, Nov 24, 2009
    #5
  6. Daave

    Daave Guest

    Yes.

    I still smell something rotten. I would still boot off a rescue CD and
    scan or use another PC to scan. An alternative to removing the drive and
    slaving it is to use a device like this one:

    http://www.newegg.com/Product/Product.aspx?Item=N82E16812161002
     
    Daave, Nov 24, 2009
    #6
  7. Daave

    Daave Guest

    Also, HijackThis might be necessary...
     
    Daave, Nov 24, 2009
    #7
  8. From: "Daave" <>


    | Also, HijackThis might be necessary...

    I have read the original thread (when it first started) and the subsequent parts x-posted
    to m.p.s.v and this is curious indeed. However I don't think HJT will help.

    The way to fully understand this is to go back to the beginning. And to fully express the
    EXACT (to the best as one can) messages and relay the exact moment(s) the messages are
    displayed.

    To date what I have seen is...
    "I get a blue screen with white messages. There are dozens of them, all identical, which
    say something like:
    Infection: docs and settings my name cookies/index.dat does not exist
    and cannot be removed."

    From the description, it is happening PRIOR to the Winlogon Process during OS
    initialization.

    The question then becomes what is generating it?

    The message "Infection: docs and settings my name cookies/index.dat..."
    could be indicative of a legitimate program (antimalware) that is installed
    and that is processing a deletion request that is intended to occur PRIOR to the GUI being
    loaded and where most file handles would be in use.

    Thus we need to understand what security related software already existed on this platform
    PRIOR to the posting of this problem.
     
    David H. Lipman, Nov 24, 2009
    #8
  9. Daave

    NT Canuck Guest

    To check if antimalware/tool running pre-desktop look into
    control panel > taskmanager > and enable view hidden
    tasks, then also download autoruns and check the 'run'
    section.

    Programs recently installed may still have their residue/setup
    in documents and settings (logon profile) so look for /temp
    folder (may be more than one location).

    Also look at restore points (usually a new restore point
    setup prior to installing a program).

    In control panel > system > uncheck the auto restart option
    that will leave any shutdown message sit on the screen
    instead of just blinking over it and rebooting.

    Download and install PUI (program uninstall utility) that
    will show programs installed in Windows..even the
    kb and 'uninstallable' type entries from registry.
    <http://www.softpedia.com/progDownload/PUI-Download-24439.html>

    Just some tips, FYI.
     
    NT Canuck, Nov 24, 2009
    #9
  10. Daave

    Daave Guest

    That is a good point. It could be anything. Unfortunately, I don't speak
    French and the best I could come up with is this Google translation:

    http://translate.google.com/translate?hl=en&sl=fr&u=http://www.commentcamarche.net/forum/affich-14935176-infection-index-dat-au-demarrage-d-xp&ei=IoIMS9nZKpDT8QbGrJ20BA&sa=X&oi=translate&ct=result&resnum=1&ved=0CAgQ7gEwAA&prev=/search%3Fq%3Dinfection%2B%2522documents%2Band%2Bsettings%2522%2B%2522cookies%255Cindex.dat%2Bcould%2Bnot%2Bbe%2Bremoved%2522%26hl%3Den

    The screen shot:

    http://dl.toofiles.com/uc4yon/images/e1rwa0-fsz7yj-ziucmm.jpg

    I don't have Vista, so I don't know what a BSOD looks like in it, but an
    XP BSOD would be *all blue* and not what this French poster submitted.
     
    Daave, Nov 25, 2009
    #10
  11. Daave

    NT Canuck Guest

    I'd suspect something along the lines of Internet track/trace evidence
    removal program (adaware or similar), since the index.dat in that
    location is a system file (locked/used by Explorer/IE/OutlookExpress
    and a few others like the A/V in use etc.) that it has to be (if done)
    deleted/moved during boot up before the OS logon and this is
    likely the screen shown...boot phase, logging the boot sequence
    (like shown on display during safe mode start up) would help.

    snip
    My comments earlier, typically it's not a bad file...very seldom a threat.

    hth
     
    NT Canuck, Nov 25, 2009
    #11
  12. The precise message is:
    INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
    NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

    Needless to say, the file does exist.
    As previously stated I have Kaspersky 9, A-squared pro and SAS pro
    running in real time with frequent full scans. I also run MBAM weekly
    and Panda Activescan 2 monthly.
     
    Robin Bignall, Nov 25, 2009
    #12
  13. A-squared contains "Hijackfree" that has an autoruns section plus a
    lot of other stuff. I can't see anything running that shouldn't be
    there.
    Nothing recently installed or uninstalled, except updates to Windows
    and running software.
    Don't use restore, never have.
    This is already unchecked. Windows does not see these messages as
    something to stop/reboot on.
    Thanks. I should say two other things:
    I ran MRT.EXE /f:y this afternoon. Zero problems reported.
    On reboot, sometimes all of these 'infection' messages are simply not
    there. Then, on another reboot, they're back again, sometimes a few,
    sometimes screens full. Normally I hibernate overnight and only
    reboot when something, like critical updates, forces me to.

    (alt.privacy.spyware added because this is being discussed there,
    too.)
     
    Robin Bignall, Nov 25, 2009
    #13
  14. From: "Robin Bignall" <>

    < snip >

    | Thanks. I should say two other things:
    | I ran MRT.EXE /f:y this afternoon. Zero problems reported.
    | On reboot, sometimes all of these 'infection' messages are simply not
    | there. Then, on another reboot, they're back again, sometimes a few,
    | sometimes screens full. Normally I hibernate overnight and only
    | reboot when something, like critical updates, forces me to.

    | (alt.privacy.spyware added because this is being discussed there,
    | too.)
    | --
    | Robin
    | (BrE)
    | Herts, England


    It is definitely a security tool set to delete the file index.dat at system Reboot and
    before the Winlogon process.

    However, at this time none of my peers have pinpointed exactly what security tool is
    generating the process.

    However at this point I can/will say "don't worry". We now have done numerous anti
    malware scans and the system can be deemed clean so don't get frazzled over this.

    I will keep researching this and hopefully we will find what security tool is generating
    the display you have seen.
     
    David H. Lipman, Nov 26, 2009
    #14
  15. Daave

    NT Canuck Guest

    The precise message is:
    INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
    NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

    Needless to say, the file does exist.
    As previously stated I have Kaspersky 9, A-squared pro and SAS pro
    running in real time with frequent full scans. I also run MBAM weekly
    and Panda Activescan 2 monthly.

    Heh, too much by far...
    Likely an infection was found by one unit and set for
    automatic removal next boot...but before booting one
    of the other tools deleted the file or deleted it before
    another tool that also found it...could do so at boot. ;)

    I'd uninstall (not just de-activate) all of them except
    KAV9, and see what happens after a few days.

    Last mystery is why that .dat is considered an infection,
    it could be a renamed file so install this and have a look
    inside... A safe file inspector.
    http://users.westnet.gr/~cgian/peek11.zip 17kb
    PEEK is a Shell context menu extension which
    allows you to extract only the text portion of files.
    After installation you are provided with 3 different
    setups called: Standard, Unicode, Binary Files.

    Otherwise you may be visiting some odd site and
    picking up a poison cookie...then remnants in the
    .dat (guessing)...but still...too many programs.
     
    NT Canuck, Nov 26, 2009
    #15
  16. The precise message is:
    INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
    NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

    ***
    It sounds to me like a conflict between two programs trying to do the
    same thing, and one doesn't check for the existence of the file prior to
    attempting the delete action.
    ***
     
    FromTheRafters, Nov 26, 2009
    #16
  17. Daave

    Andy Walker Guest

    It occurred to me that she may be able to find the text of the error
    in a log file for the program generating the error. Assuming the
    program keeps a log, and the log has a formatted text element, she
    should be able to use the search function in Windows to search for the
    string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
    BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
    EXISTENT." or some portion of that. If she can find the log file, she
    should be able to identify the program.
     
    Andy Walker, Nov 26, 2009
    #17
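As an added illustration of Andy Walker's suggestion (this is example code written for this page, not something posted in the thread or shipped by any of the products named in it): a small Python script that walks a directory tree and reports every file containing the message text. It reads each file as raw bytes and tries several encodings before matching, on the assumption that a vendor log might be plain ANSI, UTF-8 or UTF-16; the thread does not say which encoding the log uses, and a UTF-16 log is exactly the kind of file a plain text search can miss. Files that cannot be opened (locked, like index.dat itself, or unreadable) are skipped rather than aborting the scan. The sample logs and their contents are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Encodings a Windows-era log file might plausibly use (assumption: the thread
# never states how the unknown tool writes its log). utf-16-le/-be are tried
# explicitly so that a BOM-less UTF-16 file in either byte order is still found.
CANDIDATE_ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "cp1252")

# The fragment Robin searched for; kept short so partial quotes still match.
NEEDLE = "FILE IS NO LONGER EXISTENT"


def file_contains(path: Path, needle: str):
    """Return the first encoding under which `needle` appears in the file,
    or None if it appears under none of them. Matching is case-insensitive.
    Decoding uses errors='ignore' so that binary junk never raises; a false
    positive would require the whole needle to appear by chance in garbage."""
    data = path.read_bytes()
    needle_cf = needle.casefold()
    for enc in CANDIDATE_ENCODINGS:
        if needle_cf in data.decode(enc, errors="ignore").casefold():
            return enc
    return None


def find_string_in_files(root, needle: str, max_size: int = 50 * 1024 * 1024):
    """Walk `root` and return a sorted list of (path, encoding) for every file
    whose contents contain `needle`. Files larger than `max_size` and files
    that cannot be read (locked or access denied) are skipped silently."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.stat().st_size > max_size:
                    continue
                enc = file_contains(path, needle)
            except OSError:
                continue  # e.g. a file locked by another process
            if enc is not None:
                hits.append((str(path), enc))
    return sorted(hits)


def build_sample_tree() -> Path:
    """Create a constructed sample tree (not real vendor logs) in a temp dir:
    one ANSI/ASCII log with the message, one UTF-16 log with the message in
    lower case, and two files that should not match."""
    root = Path(tempfile.mkdtemp(prefix="logscan_"))
    (root / "ansi.log").write_bytes(
        b"2009-11-25 07:01 INFECTION:DOCUMENTS AND SETTINGS\\ROBIN BIGNALL"
        b"\\COOKIES\\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.\r\n"
    )
    (root / "unicode.log").write_bytes(
        "Cleanup report\r\nfile is no longer existent\r\n".encode("utf-16")
    )
    (root / "sub").mkdir()
    (root / "sub" / "other.txt").write_bytes(b"nothing to see here\r\n")
    (root / "sub" / "binary.bin").write_bytes(bytes(range(256)))
    return root


if __name__ == "__main__":
    # On a real machine you would point this at the drive root, e.g.
    # find_string_in_files(r"C:\", NEEDLE); here we scan the constructed tree.
    sample_root = build_sample_tree()
    try:
        for path, enc in find_string_in_files(sample_root, NEEDLE):
            print(f"{path}  (matched as {enc})")
    finally:
        shutil.rmtree(sample_root, ignore_errors=True)
```

Run against a real drive the scan will be slow, since it opens every file up to the size limit; narrowing `root` to the Program Files, Documents and Settings and Windows directories is usually enough, because that is where installed security tools keep their logs.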
  18. From: "Andy Walker" <>


    | It occurred to me that she may be able to find the text of the error
    | in a log file for the program generating the error. Assuming the
    | program keeps a log, and the log has a formatted text element, she
    | should be able to use the search function in Windows to search for the
    | string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
    | BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
    | EXISTENT." or some portion of that. If she can find the log file, she
    | should be able to identify the program.


    A good approach !
     
    David H. Lipman, Nov 26, 2009
    #18
  19. Excellent idea, Andy. I'll try now and report back. Thanks also
    David.
     
    Robin Bignall, Nov 26, 2009
    #19
  20. No joy with that. I searched for
    FILE IS NO LONGER EXISTENT
    but didn't find anything.
    --
    Robin
    (BrE)
    Herts, England

    ps: do any of you out there live in Herts and use
    text.news.virginmedia.com? Access from Herts has been down for nearly
    a week.
     
    Robin Bignall, Nov 26, 2009
    #20