From: Daave
Robin Bignall wrote:
> On Tue, 24 Nov 2009 14:42:04 +0000, Robin Bignall
> <docrobin(a)ntlworld.com> wrote:
>
>> On Tue, 24 Nov 2009 08:53:29 -0500, "Daave" <daave(a)example.com>
>> wrote:
>>
>>>
>>> Robin Bignall wrote:
>>>> On Mon, 23 Nov 2009 18:40:34 -0500, "Daave" <daave(a)example.com>
>>>> wrote:
>>>>
>>>>> Robin Bignall wrote:
>>>
>>>>>> The message is:
>>>>>> infection:documents and settings\robin bignall\cookies\index.dat
>>>>>> could not be removed. file is no longer existent.
>>>>>
>>>>> Googling the above didn't turn up many hits, which already points
>>>>> to malware. I did manage to find a very similar message (with
>>>>> "available" replacing "existent") here:
>>>>>
>>>>> http://translate.google.com/translate?hl=en&sl=fr&u=http://forum.pcastuces.com/infection_indexdat_au_demarrage_xp-f25s51034.htm%3Fpage%3D2&ei=rRsLS5mONc7GlAeuhbGFBA&sa=X&oi=translate&ct=result&resnum=1&ved=0CAgQ7gEwAA&prev=/search%3Fq%3D%2522cookies%255Cindex.dat%2Bcould%2Bnot%2Bbe%2Bremoved%2522%2Bfile%2Bis%2Bno%2Blonger%2Bexistent%26hl%3Den
>>>>>
>>>>> Another possibly relevant hit:
>>>>>
>>>>> http://forums.techguy.org/malware-removal-hijackthis-logs/618659-my-first-virus-help-please.html
>>>>>
>>>>> I'm 99.9999999999999% sure you have malware. :-(
>>>>>
>>>>> This page should help:
>>>>>
>>>>> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>>>>>
>>>>> (also cross-posting to microsoft.public.security.virus )
>>>>>
>>>> Thanks for your help. I spent lots of time last night doing
>>>> full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2.
>>>> Nothing found. Am now starting MBAM...
>>>> Will look at your links after breakfast.
>>>
>>> Sounds like you're on the right track. MBAM is quite good.
>>>
>>> Sometimes, one needs to boot off a rescue CD. Check out these links
>>> for more info:
>>>
>>> http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
>>>
>>> http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
>>>
>>> (This way, the OS is entirely bypassed. Another method is to
>>> physically remove your hard drive and slave it to another PC and
>>> use the uncompromised PC to perform the scan.)
>>>
>> MBAM was clean. I'm now going to run everything in safe mode to
>> check.
>
> Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing
> reported. On reboot all "infection" messages had vanished. Weird,
> huh?

Yes.

I still smell something rotten. I would still boot off a rescue CD and
scan or use another PC to scan. An alternative to removing the drive and
slaving it is to use a device like this one:

http://www.newegg.com/Product/Product.aspx?Item=N82E16812161002


From: Daave
Daave wrote:
> Robin Bignall wrote:
>> On Tue, 24 Nov 2009 14:42:04 +0000, Robin Bignall
>> <docrobin(a)ntlworld.com> wrote:
>>
>>> On Tue, 24 Nov 2009 08:53:29 -0500, "Daave" <daave(a)example.com>
>>> wrote:
>>>
>>>>
>>>> Robin Bignall wrote:
>>>>> On Mon, 23 Nov 2009 18:40:34 -0500, "Daave" <daave(a)example.com>
>>>>> wrote:
>>>>>
>>>>>> Robin Bignall wrote:
>>>>
>>>>>>> The message is:
>>>>>>> infection:documents and settings\robin bignall\cookies\index.dat
>>>>>>> could not be removed. file is no longer existent.
>>>>>>
>>>>>> Googling the above didn't turn up many hits, which already points
>>>>>> to malware. I did manage to find a very similar message (with
>>>>>> "available" replacing "existent") here:
>>>>>>
>>>>>> http://translate.google.com/translate?hl=en&sl=fr&u=http://forum.pcastuces.com/infection_indexdat_au_demarrage_xp-f25s51034.htm%3Fpage%3D2&ei=rRsLS5mONc7GlAeuhbGFBA&sa=X&oi=translate&ct=result&resnum=1&ved=0CAgQ7gEwAA&prev=/search%3Fq%3D%2522cookies%255Cindex.dat%2Bcould%2Bnot%2Bbe%2Bremoved%2522%2Bfile%2Bis%2Bno%2Blonger%2Bexistent%26hl%3Den
>>>>>>
>>>>>> Another possibly relevant hit:
>>>>>>
>>>>>> http://forums.techguy.org/malware-removal-hijackthis-logs/618659-my-first-virus-help-please.html
>>>>>>
>>>>>> I'm 99.9999999999999% sure you have malware. :-(
>>>>>>
>>>>>> This page should help:
>>>>>>
>>>>>> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>>>>>>
>>>>>> (also cross-posting to microsoft.public.security.virus )
>>>>>>
>>>>> Thanks for your help. I spent lots of time last night doing
>>>>> full/deep scans using Kaspersky 9, SAS, Asquared and Activescan2.
>>>>> Nothing found. Am now starting MBAM...
>>>>> Will look at your links after breakfast.
>>>>
>>>> Sounds like you're on the right track. MBAM is quite good.
>>>>
>>>> Sometimes, one needs to boot off a rescue CD. Check out these links
>>>> for more info:
>>>>
>>>> http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
>>>>
>>>> http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
>>>>
>>>> (This way, the OS is entirely bypassed. Another method is to
>>>> physically remove your hard drive and slave it to another PC and
>>>> use the uncompromised PC to perform the scan.)
>>>>
>>> MBAM was clean. I'm now going to run everything in safe mode to
>>> check.
>>
>> Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing
>> reported. On reboot all "infection" messages had vanished. Weird,
>> huh?
>
> Yes.
>
> I still smell something rotten. I would still boot off a rescue CD and
> scan or use another PC to scan. An alternative to removing the drive
> and slaving it is to use a device like this one:
>
> http://www.newegg.com/Product/Product.aspx?Item=N82E16812161002

Also, HijackThis might be necessary...


From: David H. Lipman
From: "Daave" <daave(a)example.com>


| Also, HijackThis might be necessary...

I have read the original thread (when it first started) and the subsequent parts x-posted
to m.p.s.v and this is curious indeed. However I don't think HJT will help.

The way to fully understand this is to go back to the beginning. And to fully express the
EXACT (to the best as one can) messages and relay the exact moment(s) the messages are
displayed.

To date what I have seen is...
"I get a blue screen with white messages. There are dozens of them, all identical, which
say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed."

From the description, it is happening PRIOR to the Winlogon Process during OS
initialization.

The question then becomes what is generating it?

The message "Infection: docs and settings my name cookies/index.dat..."
could be indicative of a legitimate program (antimalware) that is installed
that is processing a deletion request that is intended to occur PRIOR to the GUI being
loaded and where most file handles would be in use.

Thus we need to understand what security related software already existed on this platform
PRIOR to the posting of this problem.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
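As an added example (not code from the thread, and not something the posters ran), the following PowerShell lists the two Session Manager values Windows processes before Winlogon, which is where a deferred "delete this file at boot" request from installed security software would normally live; that this is the source of the poster's message is an assumption, not something the thread confirms.

```powershell
# Added example: enumerate pre-Winlogon file operations on Windows XP/Vista+.
# BootExecute: native programs smss.exe runs before Winlogon (default is only
#   "autocheck autochk *"); a security product that cleans locked files at boot
#   adds its own entry here.
# PendingFileRenameOperations: source/target pairs the kernel processes at boot;
#   an empty target means "delete the source" (the classic way to remove a file
#   such as cookies\index.dat that is in use once the GUI is up).
# Assumption (mine): the thread's "infection: ... could not be removed" message
# comes from one of these mechanisms. Read-only; no elevation needed.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$props = Get-ItemProperty -Path $key

Write-Host 'BootExecute entries:'
foreach ($entry in @($props.BootExecute | Where-Object { $_ })) {
    $flag = if ($entry -match '^autocheck autochk \*$') { 'Windows default' }
            else { 'NON-DEFAULT: identify which installed product owns this' }
    Write-Host ('  {0}  [{1}]' -f $entry, $flag)
}

Write-Host 'PendingFileRenameOperations (source -> action):'
$pfro = @($props.PendingFileRenameOperations | Where-Object { $_ -ne $null })
for ($i = 0; $i -lt $pfro.Count; $i += 2) {
    $src = $pfro[$i]
    $dst = if ($i + 1 -lt $pfro.Count) { $pfro[$i + 1] } else { '' }
    $action = if ([string]::IsNullOrEmpty($dst)) { 'DELETE' } else { "RENAME -> $dst" }
    # Flag the specific file named in the boot-time message from this thread.
    $note = if ($src -like '*\Cookies\index.dat') { '  <-- matches the message in this thread' } else { '' }
    Write-Host ('  {0}  {1}{2}' -f $src, $action, $note)
}
if ($pfro.Count -eq 0) { Write-Host '  (none pending)' }
```

A non-default BootExecute entry, or a pending delete of cookies\index.dat, points at the installed product that scheduled it rather than at malware; an empty listing means the message is being generated some other way and the search has to move elsewhere.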


From: Daave
David H. Lipman wrote:
> From: "Daave" <daave(a)example.com>
>
>
>> Also, HijackThis might be necessary...
>
> I have read the original thread (when it first started) and the
> subsequent parts x-posted to m.p.s.v and this is curious indeed.
> However I don't think HJT will help.
>
> The way to fully understand this is to go back to the beginning. And
> to fully express the EXACT (to the best as one can) messages and
> relay the exact moment(s) the messages are displayed.
>
> To date what I have seen is...
> "I get a blue screen with white messages. There are dozens of them,
> all identical, which say something like:
> Infection: docs and settings my name cookies/index.dat does not exist
> and cannot be removed."
>
> From the description, it is happening PRIOR to the Winlogon Process
> during OS initialization.
>
> The question then becomes what is generating it?
>
> The message "Infection: docs and settings my name
> cookies/index.dat..."
> could be indicative of a legitimate program
> (antimalware) that is installed that is processing a deletion request
> that is intended to occur PRIOR to the GUI being loaded and where
> most file handles would be in use.

That is a good point. It could be anything. Unfortunately, I don't speak
French and the best I could come up with is this Google translation:

http://translate.google.com/translate?hl=en&sl=fr&u=http://www.commentcamarche.net/forum/affich-14935176-infection-index-dat-au-demarrage-d-xp&ei=IoIMS9nZKpDT8QbGrJ20BA&sa=X&oi=translate&ct=result&resnum=1&ved=0CAgQ7gEwAA&prev=/search%3Fq%3Dinfection%2B%2522documents%2Band%2Bsettings%2522%2B%2522cookies%255Cindex.dat%2Bcould%2Bnot%2Bbe%2Bremoved%2522%26hl%3Den

The screen shot:

http://dl.toofiles.com/uc4yon/images/e1rwa0-fsz7yj-ziucmm.jpg

I don't have Vista, so I don't know what a BSOD looks like in it, but an
XP BSOD would be *all blue* and not what this French poster submitted.

> Thus we need to understand what security related software already
> existed on this platform PRIOR to the posting of this problem.


From: Robin Bignall
On Tue, 24 Nov 2009 17:51:02 -0500, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Daave" <daave(a)example.com>
>
>
>| Also, HijackThis might be necessary...
>
>I have read the original thread (when it first started) and the subsequent parts x-posted
>to m.p.s.v and this is curious indeed. However I don't think HJT will help.
>
>The way to fully understand this is to go back to the beginning. And to fully express the
>EXACT (to the best as one can) messages and relay the exact moment(s) the messages are
>displayed.
>
>To date what I have seen is...
>"I get a blue screen with white messages. There are dozens of them, all identical, which
>say something like:
>Infection: docs and settings my name cookies/index.dat does not exist
>and cannot be removed."
>
>From the description, it is happening PRIOR to the Winlogon Process during OS
>initialization.
>
>The question then becomes what is generating it?
>
>The message "Infection: docs and settings my name cookies/index.dat..."
>could be indicative of a legitimate program (antimalware) that is installed
>that is processing a deletion request that is intended to occur PRIOR to the GUI being
>loaded and where most file handles would be in use.
>
>Thus we need to understand what security related software already existed on this platform
>PRIOR to the posting of this problem.

The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.

Needless to say, the file does exist.
As previously stated I have Kaspersky 9, A-squared pro and SAS pro
running in real time with frequent full scans. I also run MBAM weekly
and Panda Activescan 2 monthly.
--
Robin
(BrE)
Herts, England