From: Robin Bignall on
On Thu, 26 Nov 2009 21:10:05 +0000, Robin Bignall
<docrobin(a)ntlworld.com> wrote:

>On Wed, 25 Nov 2009 23:34:09 -0500, Andy Walker
><awalker(a)nspank.invalid> wrote:
>
>>David H. Lipman wrote:
>>
>>>I will keep researching this and hopefully we will find what security tool is generating
>>>the display you have seen.
>>
>>It occurred to me that she may be able to find the text of the error
>>in a log file for the program generating the error. Assuming the
>>program keeps a log, and the log has a formatted text element, she
>>should be able to use the search function in Windows to search for the
>>string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
>>BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
>>EXISTENT." or some portion of that. If she can find the log file, she
>>should be able to identify the program.
>
>Excellent idea, Andy. I'll try now and report back. Thanks also
>David.

No joy with that. I searched for
FILE IS NO LONGER EXISTENT
but didn't find anything.
--
Robin
(BrE)
Herts, England

ps: do any of you out there live in Herts and use
text.news.virginmedia.com? Access from Herts has been down for nearly
a week.
--
Robin
(BrE)
Herts, England
From: Robin Bignall on
On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" <erratic
@nomail.afraid.org> wrote:

>"Robin Bignall" <docrobin(a)ntlworld.com> wrote in message
>news:bubrg555vcle0jo5kj0ioouhg90djmtlsg(a)4ax.com...
>
>The precise message is:
>INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
>NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
>
>***
>It sounds to me like a conflict between two programs trying to do the
>same thing, and one doesn't check for the existence of the file prior to
>attempting the delete action.
>***
>
What, other than malware, would want to delete the cookie index?
Incidentally, I've run iecv, and there are no cookies in any of the
user's cookie folders.
--
Robin
(BrE)
Herts, England
From: "FromTheRafters" erratic on
"Robin Bignall" <docrobin(a)ntlworld.com> wrote in message
news:kt2ug5163h2js36ir46ndbci7ogvkhd6dq(a)4ax.com...
On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" <erratic
@nomail.afraid.org> wrote:

>"Robin Bignall" <docrobin(a)ntlworld.com> wrote in message
>news:bubrg555vcle0jo5kj0ioouhg90djmtlsg(a)4ax.com...
>
>The precise message is:
>INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
>NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
>
>***
>It sounds to me like a conflict between two programs trying to do the
>same thing, and one doesn't check for the existence of the file prior
>to
>attempting the delete action.
>***
>
What, other than malware, would want to delete the cookie index?
Incidentally, I've run iecv, and there are no cookies in any of the
user's cookie folders.

***
People who have issues with privacy and spyware (in the form of cookies)
sometimes download programs that "protect" them from data leakage (or
from their own OS's hidden data stores or pagefile.sys).

Malware (spyware specifically) is more likely to want that file to
remain existent.
***


From: Robin Bignall on
On Thu, 26 Nov 2009 19:04:55 -0500, "FromTheRafters" <erratic
@nomail.afraid.org> wrote:

>
>"Robin Bignall" <docrobin(a)ntlworld.com> wrote in message
>news:kt2ug5163h2js36ir46ndbci7ogvkhd6dq(a)4ax.com...
>On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" <erratic
>@nomail.afraid.org> wrote:
>
>>"Robin Bignall" <docrobin(a)ntlworld.com> wrote in message
>>news:bubrg555vcle0jo5kj0ioouhg90djmtlsg(a)4ax.com...
>>
>>The precise message is:
>>INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
>>NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
>>
Just another piece of data. I just logged on as "administrator" (with
several screens full of these infection messages) to see if, when I
rebooted, I might have some "administrator\cookies\index.dat"
messages.
When I rebooted back as myself all the infection messages had
vanished. But this has happened before on reboot.
--
Robin
(BrE)
Herts, England
From: Robin Bignall on
On Wed, 25 Nov 2009 19:09:56 -0500, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Robin Bignall" <docrobin(a)ntlworld.com>
>
>< snip >
>
>| Thanks. I should say two other things:
>| I ran MRT.EXE /f:y this afternoon. Zero problems reported.
>| On reboot, sometimes all of these 'infection' messages are simply not
>| there. Then, on another reboot, they're back again, sometimes a few,
>| sometimes screens full. Normally I hibernate overnight and only
>| reboot when something, like critical updates, forces me to.
>
>| (alt.privacy.spyware added because this is being discussed there,
>| too.)
>| --
>| Robin
>| (BrE)
>| Herts, England
>
>
>It is definitly a security tool set to delete the file index.dat at system Reboot and
>before the Winlogon process.
>
>However, at this time none of my peers have pinpointed exactly what security tool is
>generating the process.
>
>However at this point I can/will say "don't worry". We know have done numerous anti
>malware scans and the system can be deemed clean so don't get frazzled over this.
>
>I will keep researching this and hopefully we will find what security tool is generating
>the display you have seen.

Just another word on this, for it's still happening. I created a text
file on c: containing the word "infection" only. I then used Windows
'search within files' to check all files -- including hidden and
system -- on the system disk. I found seven instances of 'infection'
in various places, mostly text or pdf files, including the made-up
one, but none relating in any way to the system, the virus checker or
any malware. I find it baffling to know what is generating this
message, and how.
--
Robin
(BrE)
Herts, England