Re: Infection messages?

Discussion in 'Virus Information' started by Daave, Nov 23, 2009.

  1. What, other than malware, would want to delete the cookie index?
    Incidentally, I've run iecv, and there are no cookies in any of the
    user's cookie folders.
     
    Robin Bignall, Nov 26, 2009
    #21

  2. What, other than malware, would want to delete the cookie index?
    Incidentally, I've run iecv, and there are no cookies in any of the
    user's cookie folders.

    ***
    People who have issues with privacy and spyware (in the form of cookies)
    sometimes download programs that "protect" them from data leakage (or
    from their own OS's hidden data stores or pagefile.sys).

    Malware (spyware specifically) is more likely to want that file to
    remain existent.
    ***
     
    FromTheRafters, Nov 27, 2009
    #22

  3. OK. If they're just arguing with each other, I can live with that. I
    am married!
    I have a hex editor. I took a look inside cookie\index.dat for
    administrator and me. They both lead off with "URL Cache", and the
    rest is mostly hex 00.
     
    Robin Bignall, Nov 27, 2009
    #23
  4. Just another piece of data. I just logged on as "administrator" (with
    several screens full of these infection messages) to see if, when I
    rebooted, I might have some "administrator\cookies\index.dat"
    messages.
    When I rebooted back as myself all the infection messages had
    vanished. But this has happened before on reboot.
     
    Robin Bignall, Nov 27, 2009
    #24
  5. Just another word on this, for it's still happening. I created a text
    file on c: containing the word "infection" only. I then used Windows
    'search within files' to check all files -- including hidden and
    system -- on the system disk. I found seven instances of 'infection'
    in various places, mostly text or pdf files, including the made-up
    one, but none relating in any way to the system, the virus checker or
    any malware. I find it baffling to know what is generating this
    message, and how.
     
    Robin Bignall, Dec 7, 2009
    #25
  6. From: "Robin Bignall" <>

    | Just another word on this, for it's still happening. I created a text
    | file on c: containing the word "infection" only. I then used Windows
    | 'search within files' to check all files -- including hidden and
    | system -- on the system disk. I found seven instances of 'infection'
    | in various places, mostly text or pdf files, including the made-up
    | one, but none relating in any way to the system, the virus checker or
    | any malware. I find it baffling to know what is generating this
    | message, and how.
    | --
    | Robin
    | (BrE)
    | Herts, England

    To date, NOTHING has been pin-pointed yet as the source :-(
     
    David H. Lipman, Dec 7, 2009
    #26
  7. Have you tried looking through your registry for startup programs?

    If you are familiar with regedit, you can look at the keys in the
    following article to identify programs that could potentially be
    giving you the error. Just be mindful that regedit is a dangerous
    tool for the inexperienced user:

    http://www.bleepingcomputer.com/tutorials/tutorial44.html

    Using Regedit
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/tools_regeditors.mspx?mfr=true
    or
    http://preview.tinyurl.com/yhph8yt


    Another possibility is to use autoruns to look for startup programs.
    Autoruns has some useful features that allow you to *not* display
    normal Microsoft startup programs, which may help zero in on the
    source of the problem.

    http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
     
    Andy Walker, Dec 7, 2009
    #27

  8. Process Monitor

    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    and
    PendMoves might help as well

    http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx


    John
     
    John Mason Jr, Dec 8, 2009
    #28
  9. John, Andy, thanks for the suggestions. I have checked autoruns. In
    fact, A-squared contains a very useful feature called Hijackfree which
    gives detailed information on what's present in 5 categories:
    processes, ports, autoruns, services and others. I don't see anything
    amiss. PCButts emailed me to make the sensible suggestion of checking
    the runonce registry entries. They're empty. The weird thing is
    where the message is coming from, since no executable on my system
    disk contains the string "infection".
     
    Robin Bignall, Dec 8, 2009
    #29
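Two things can make a content search like the one Robin describes miss a message string, and an added example (not code from the thread) shows how to search for it anyway. Strings inside Windows executables and DLLs (resource tables and most compiled string literals) are stored as UTF-16LE rather than ANSI, and the message on screen is upper-case while the search term was lower-case, so an ANSI, case-sensitive search can skip the file that carries it. The script below looks for both byte forms, ignoring case, across a directory tree; the three files it scans are constructed in a temporary directory for the demonstration and are not files from Robin's machine. It still cannot find a message that is assembled at run time or lives on a disk that was not scanned.

```python
"""Search a directory tree for a string in the byte forms Windows uses.

Added example, not code from the thread. Strings inside Windows executables
and DLLs are usually UTF-16LE, and the on-screen message was upper-case, so
an ANSI, case-sensitive content search can miss them. This looks for both
byte forms, ignoring case.
"""
import os
import shutil
import tempfile

ENCODINGS = ("ascii", "utf-16-le")


def needle_variants(needle):
    """Lower-cased byte patterns for each encoding; the haystack is
    lower-cased too (bytes.lower() only touches ASCII letters, so the NUL
    bytes of UTF-16LE are unaffected)."""
    return [(enc, needle.lower().encode(enc)) for enc in ENCODINGS]


def scan_file(path, needle, chunk=1 << 20):
    """Return [(encoding, byte_offset), ...] for every match in `path`.
    Reads in chunks and carries an overlap so a match spanning a chunk
    boundary is still found, and found only once."""
    variants = needle_variants(needle)
    overlap = max(len(pat) for _, pat in variants) - 1
    hits = []
    tail = b""      # last `overlap` raw bytes of the previous window
    base = 0        # file offset of the current chunk's first byte
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            window = tail + block
            start = base - len(tail)
            low = window.lower()
            for enc, pat in variants:
                pos = low.find(pat)
                while pos != -1:
                    off = start + pos
                    # A match ending before `base` lay wholly inside the
                    # previous window and was reported then.
                    if off + len(pat) > base:
                        hits.append((enc, off))
                    pos = low.find(pat, pos + 1)
            base += len(block)
            tail = window[-overlap:] if overlap else b""
    hits.sort(key=lambda h: h[1])
    return hits


def scan_tree(root, needle, chunk=1 << 20):
    """Map relative path -> hits for every readable file under `root`.
    Unreadable files (locked, e.g. pagefile.sys on a live system) are skipped."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path, needle, chunk)
            except OSError:
                continue
            if hits:
                found[os.path.relpath(path, root)] = hits
    return found


def build_sample_tree():
    """Constructed sample files (not from Robin's machine): plain ANSI text,
    a fake executable carrying the message in upper-case UTF-16LE, and a
    file that only starts with the index.dat cache signature."""
    root = tempfile.mkdtemp(prefix="infection_demo_")
    samples = {
        "notes.txt": b"this text file mentions an infection in plain ascii\n",
        "fakescanner.exe": b"MZ\x90\x00" + b"\x00" * 16
        + "INFECTION: %s COULD NOT BE REMOVED".encode("utf-16-le") + b"\x00\x00",
        "clean.dat": b"Client UrlCache MMF Ver 5.2\x00" + b"\x00" * 64,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def demo(needle="infection", chunk=1 << 20):
    """Build the sample tree, scan it, and clean up; returns the hit map."""
    root = build_sample_tree()
    try:
        return scan_tree(root, needle, chunk)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(rel, hits)
```

Point `scan_tree` at the root of the system disk to reproduce the search; the UTF-16LE hit in the fake executable is the one an ANSI search would not report.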
  10. What?

    Buttface is now emailing direct to posters? How cheeky is that!! Must
    be a new way to get around having others respond to warn about his
    stolen software...
     
    Beauregard T. Shagnasty, Dec 8, 2009
    #30
  11. From: "Beauregard T. Shagnasty" <>


    | What?

    | Buttface is now emailing direct to posters? How cheeky is that!! Must
    | be a new way to get around having others respond to warn about his
    | stolen software...

    And it is even really a "sensible" suggestion as the RunOnce key is just that, it runs
    only once then the contents of that Registry key are removed. Therefore if it did run, by
    the time the person examined it, it would be an empty key. Plus RunOnce is interpreted
    AFTER the Winlogon process. Robin's problem occurs before the Winlogon process.
     
    David H. Lipman, Dec 8, 2009
    #31
  12. You should ALWAYS check the reputation and online history of a person
    before taking their advice - there are many people that would give you
    bad advice that could damage your system.

    In the case of PCBUTTS, I don't know of anyone that would consider
    trusting him.
     
    Leythos, Dec 8, 2009
    #32
  13. When is wininit.ini processed?
     
    Rick, Dec 8, 2009
    #33
  14. From: "Rick" <>

    | When is wininit.ini processed?

    What OS are you referring to, because NT-based OS' don't use INI files.
    Everything is pretty much stored in the Registry and evaluated there.

    Since this was x-posted to a WinXP group, the answer is NEVER.
     
    David H. Lipman, Dec 9, 2009
    #34
  15. Please, David, your ignorance and lack of knowledge is showing. You of all
    people should know that malware writes to that key and, since the issue is
    there on EVERY boot, if it gets deleted when run it gets put back in there,
    and you are WRONG about when that key gets read.


    --
    The Real Truth http://pcbutts1-therealtruth.blogspot.com/
    *WARNING* Do NOT follow any advice given by the people listed below.
    They do NOT have the expertise or knowledge to fix your issue. Do not waste
    your time.
    David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
     
    The Real Truth MVP, Dec 9, 2009
    #35
  16. Not true, Dave. XP still uses INI files.

    boot.ini
    win.ini
    system.ini

    to name a few...
     
    Andy Walker, Dec 9, 2009
    #36
  17. From: "Andy Walker" <>


    | Not true, Dave. XP still uses INI files.

    | boot.ini
    | win.ini
    | system.ini

    | to name a few...

    OK. BOOT.INI is only used to launch the OS or a different OS. It is interpreted before
    the WinGUI.

    WIN.INI and SYSTEM.INI are NOT really interpreted anymore. They ONLY exist for backwards
    compatibility purposes for Win9x/ME, and maybe Win3.1x programs that weren't written to
    use a registry.
     
    David H. Lipman, Dec 9, 2009
    #37
  18. Not to be argumentative, but you're saying these folks are incorrect?

    http://www.aumha.org/a/loads.php
    http://support.microsoft.com/kb/140570

    While I don't run into it as much as I used to, I still do find XP systems
    that appear to be using wininit.ini for file deletions/renames on occasion.
     
    Rick, Dec 9, 2009
    #38
  19. From: "Rick" <>

    | Not to be argumentative, but you're saying these folks are incorrect?

    | http://www.aumha.org/a/loads.php
    | http://support.microsoft.com/kb/140570

    | While I don't run into it as much as I used to, I still do find XP systems
    | that appear to be using wininit.ini for file deletions/renames on occasion.


    Well the aumha article is for mostly Win9x/ME and the MS KB140570 is more for NT4 and
    Win9x/ME and you'll note mention of "Wininit.exe" which is NOT present in WinXP.

    So let me modify my NEVER answer to practically NEVER. Interpreting .INI files is an old
    construct that was used in Win9x/ME and to a lesser degree in NT v3.5x and NT4 and
    thus *may* have some left over functionality in subsequent OS'. However for the most
    part, .INI files are no longer interpreted by the OS.

    Notice in the aumha article it states...
    "In Windows 2000 and XP, the WININIT.INI file, if existing, will be executed. However it
    is usually replaced by the “PendingFileRenameOperations” sub-key in the Registry key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager."

    This shows that for backwards compatibility Win2k and WinXP may interpret WININIT.INI but
    has been really replaced by Registry functionality.

    This will not affect Robin's problem as the message "INFECTION: DOCUMENTS AND
    SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
    COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT" occurs "before the logon screen" and
    would not be generated by such a process. This is presumed to be a security tool/utility
    in action.
     
    David H. Lipman, Dec 9, 2009
    #39
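The two mechanisms contrasted in the aumha quotation above, the PendingFileRenameOperations registry value and the WININIT.INI [rename] section, decoded by an added example that is not code from the thread. Both formats schedule file deletions and renames for the next boot, and a practitioner checking a machine that reports a file "could not be removed" would read them rather than rely on a startup-program list, because the registry value is applied by the Session Manager during boot, before Winlogon runs. The REG_MULTI_SZ blob here is constructed in the script instead of being read from a live registry, so the example runs on any platform; on a real XP system the value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The paths are invented apart from the cookie index path taken from Robin's message, and nothing below says whether XP itself acts on WININIT.INI; the parser only decodes the file.

```python
"""Decode the two 'finish at next boot' mechanisms discussed in the thread.

Added example, not code from the thread. The registry blob and the
WININIT.INI text below are constructed, not taken from Robin's machine.
"""

NT_PREFIX = "\\??\\"     # NT object-manager prefix on PendingFileRenameOperations paths


def reg_multi_sz(*strings):
    """Build REG_MULTI_SZ raw bytes: UTF-16LE, each string NUL-terminated,
    plus a final NUL. Empty strings are kept; that is how a delete is encoded."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def parse_multi_sz(blob):
    """REG_MULTI_SZ raw bytes -> list of strings, preserving empty entries."""
    text = blob.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ must end with a NUL list terminator")
    text = text[:-1]              # drop the list terminator
    if not text:
        return []
    if not text.endswith("\x00"):
        raise ValueError("every REG_MULTI_SZ string must be NUL-terminated")
    return text[:-1].split("\x00")


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_file_rename_operations(blob):
    """Alternating source/destination strings: an empty destination means
    delete the source, a leading '!' means replace an existing destination.
    Applied by the Session Manager early in boot, before Winlogon."""
    strings = parse_multi_sz(blob)
    if len(strings) % 2:          # a trailing source without a slot is a delete
        strings.append("")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append({
            "source": strip_nt_prefix(src),
            "target": strip_nt_prefix(dst) if dst else None,
            "action": "rename" if dst else "delete",
            "replace_existing": replace,
        })
    return ops


def parse_wininit_ini(text):
    """[rename] section: 'destination=source' per line, NUL as destination
    meaning 'delete source'. The Win9x-era format the thread calls a
    backwards-compatibility leftover; this only decodes it."""
    ops = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "rename" or "=" not in line:
            continue
        dst, src = (part.strip() for part in line.split("=", 1))
        delete = dst.upper() == "NUL"
        ops.append({"source": src, "target": None if delete else dst,
                    "action": "delete" if delete else "rename"})
    return ops


def pending_deletes(ops):
    """Paths a parsed operation list would delete at the next boot."""
    return [op["source"] for op in ops if op["action"] == "delete"]


# Constructed samples. The cookie index path mirrors the one in Robin's
# message; the other file names are invented to show a rename-with-replace.
SAMPLE_REGISTRY_BLOB = reg_multi_sz(
    r"\??\C:\Documents and Settings\Robin Bignall\Cookies\index.dat", "",
    r"\??\C:\WINDOWS\Temp\scanner.new", r"!\??\C:\Program Files\Scanner\scanner.dll",
)

SAMPLE_WININIT_INI = """\
; constructed example
[rename]
NUL=C:\\TEMP\\OLDDRV.VXD
C:\\WINDOWS\\SYSTEM\\NEW.DLL=C:\\TEMP\\NEW.DLL
"""


def demo_registry():
    return parse_pending_file_rename_operations(SAMPLE_REGISTRY_BLOB)


def demo_wininit():
    return parse_wininit_ini(SAMPLE_WININIT_INI)


if __name__ == "__main__":
    for op in demo_registry() + demo_wininit():
        print(op)
```

On a live Windows system the blob would come from `winreg.QueryValueEx` on the Session Manager key (with REG_MULTI_SZ already split into a list, so only the pairing logic applies); reading the raw bytes as above matters when the value is extracted from an offline SYSTEM hive.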
  20. Yes, I'm aware of how .ini files have been used going back through Win3.x.


    I'm also aware of how wininit.ini is just a hangover and there are other,
    preferred methods of doing the same thing. According to the aumha article
    however, even though it is not the preferred method, Win XP will execute
    the instructions in a wininit.ini file if one is found.


    And this is where my original question comes in. Just where in the boot
    process does wininit.ini get processed? Since the aumha article points out
    that:

    a) "WININIT.INI is used to complete Windows and program installation steps
    that cannot be completed while Windows is running"

    b) "During the boot process, Windows checks to see if there is a
    WININIT.INI file and, if it finds one, executes its instructions."

    c) and specifies that Windows XP will execute such a file, if it exists
    (assumedly to maintain backwards compatibility)


    I was just curious if anyone happened to know where in the boot process
    that execution was performed. Whether it was before or after the logon
    process.
     
    Rick, Dec 9, 2009
    #40