Infection messages
Robin Bignall
writing on blue background, just after the first boot screen of
Windows (the one with the blue bar going left to right) and before the
logon screen.
INFECTION: DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
I have scanned with Kaspersky 9, asquared, MBAM and SAS prof, all set
to full scan, and with Activescan2, both in full windows mode and safe
mode. No infections reported by any of those.
Occasionally, when I reboot, there are dozens of these messages, other
times none at all. CHKDSK gives a clear reading on a newish
velociraptor. Windows XP Pro SP3, all latest critical updates. No
new soft/hardware added in recent months. System seems to be running
fine, and I'm not prone to clicking on anything that's unknown.
Any suggestions as to what might be happening?
--
Robin
(BrE)
Herts, England
Buffalo
It sounds like a leftover and I would think one of the folks here will be
along shortly to give you some good advice on what to do to resolve your
problem.
Buffalo
David H. Lipman
As I noted in the orginal thread that was susequently x-posted to m.p.s.v. ...
From the description, it is happening PRIOR to the Winlogon Process during OS
initialization.
The question the becomes what is generating it ?
The message "Infection: docs and settings my name cookies/index.dat..."
Could be indicative of a legitimate program (antimalware) that is installed
that is processing a deletion request that is intended to occur PRIOR to the GUI being
loaded and where most file handles would not be in use.
Thus we need to understand what security related software already existed on this platform
PRIOR to the initial posting of this problem in; m.w.h_a_s
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Andy Walker
You could check the Microsoft Windows Malicious Software Removal Tool
log to see if the error is being generated by that program.
%windir%\debug\mrt.log
You could also run it from a command prompt
Start/Run
CMD <enter>
Mrt.exe <enter>
Andy Walker
>You could also run it from a command prompt
>
>Start/Run
>CMD <enter>
>Mrt.exe <enter>
Actually, you don't need the DOS window since it's a GUI program...
Start/Run
Mrt.exe
OK
Andy Walker
>Thus we need to understand what security related software already existed on this platform
>PRIOR to the initial posting of this problem in; m.w.h_a_s
Good point, Dave.
There are a number of programs that remove DAT,MRU,LOG, etc.. files on
startup or logoff. I think you can configure CrapCleaner to run on
startup to perform cleanup... there are many more that do the same
thing.
David H. Lipman
| Andy Walker wrote:
| Start/Run
| Mrt.exe
| OK
If one is to run it manually I suggest...
MRT.EXE /f:y
That will cause a Forced Full Scan and automatically clean infected files.
To get all command line switches...
MRT.EXE /?
Robin Bignall
<DLipman~nospam~@Verizon.Net> wrote:
>From: "Andy Walker" <awa...@nspank.invalid>
>
>| Andy Walker wrote:
>
>>>You could also run it from a command prompt
>
>>>Start/Run
>>>CMD <enter>
>>>Mrt.exe <enter>
>
>| Actually, you don't need the DOS window since it's a GUI program...
>
>| Start/Run
>| Mrt.exe
>| OK
>
>If one is to run it manually I suggest...
>
>MRT.EXE /f:y
>
>That will cause a Forced Full Scan and automatically clean infected files.
>
Thanks for your help. I just ran MRT (nearly 2 hours!) and got zero
files infected. As I've said, system is XP Pro SP3 IE8. Protection is
Kaspersky 9, A-squared pro and SAS pro, all running in real time with
frequent full/deep scans. MBAM weekly, Panda Activescan 2 monthly. No
product has anything in quarantine.
I'll shut down now for dinner and reboot later to see if infection
messages have gone. But sometimes they all do vanish, only to
reappear on the next reboot. Weird. TTFN.
Robin Bignall
As Sod's Law suggests, on booting there were no infection messages.
I'm going to reboot after this...
Maximus the Mad
wrote:
Are you using a hosts file? Do you use a router? Do you use an alternate
browser like Opera? No amount of protection can protect you from yourself.
I use MBAM(Paid),AntiVir(free),HostsXpert(free)with HpHosts
file(free),router with built in firewll,Opera@USB(MSN can kiss off)
--
Max Wachtel
This post was created using Opera@USB: http://www.opera-usb.com
Virus Removal Instructions
http://sites.google.com/site/keepingwindowsclean/home
Max's Favorite Freeware
http://sites.google.com/site/keepingwindowsclean/freeware
Robin Bignall
No.
>Do you use a router?
Yes. (Hardware)
>Do you use an alternate
>browser like Opera?
No.
>No amount of protection can protect you from yourself.
Gee whiz.
>I use MBAM(Paid),AntiVir(free),HostsXpert(free)with HpHosts
>file(free),router with built in firewll,Opera@USB(MSN can kiss off)
--
Robin
(BrE)
Herts, England
Beauregard T. Shagnasty
> "Maximus the Mad" wrote:
>> Are you using a hosts file?
>
> No.
[followed by]
> I use ... HostsXpert(free)with HpHosts file(free) ...
Seems to be somewhat of a contradiction there, Robin. ;-)
--
-bts
-Friends don't let friends drive Windows
Robin Bignall
<a.non...@example.invalid> wrote:
>Robin Bignall wrote:
>
>> "Maximus the Mad" wrote:
>>> Are you using a hosts file?
>>
>> No.
>[followed by]
>> I use ... HostsXpert(free)with HpHosts file(free) ...
>
>Seems to be somewhat of a contradiction there, Robin. ;-)
I don't think so. It's Maximus who uses software that uses the hosts
file. I don't.
Buffalo
Beauregard T. Shagnasty is just being 'itself'.
Buffalo :)
David H. Lipman
| Beauregard T. Shagnasty is just being 'itself'.
| Buffalo :)
No, BTS is usually on spot. I think he had too much Turkey with JD sauce ;-)
Beauregard T. Shagnasty
> "Beauregard T. Shagnasty" wrote:
>> Robin Bignall wrote:
>>> "Maximus the Mad" wrote:
>>>> Are you using a hosts file?
>>>
>>> No.
>> [followed by]
>>> I use ... HostsXpert(free)with HpHosts file(free) ...
>>
>> Seems to be somewhat of a contradiction there, Robin. ;-)
>
> I don't think so. It's Maximus who uses software that uses the hosts
> file.
Oh! Somehow I had missed receiving the Maximus post. I see now...
> I don't.
Perhaps you should. ;-)
Beauregard T. Shagnasty
> From: "Buffalo" <Er...@nada.com.invalid>
>
>| Beauregard T. Shagnasty is just being 'itself'.
>| Buffalo :)
>
> No, BTS is usually on spot. I think he had too much Turkey with JD
> sauce ;-)
Cranberry sauce! Honest!
--
-bts
-(Burp!)
Buffalo
David H. Lipman wrote:
> From: "Buffalo" <Er...@nada.com.invalid>
>
>
>> Beauregard T. Shagnasty is just being 'itself'.
>> Buffalo :)
>
> No, BTS is usually on spot. I think he had too much Turkey with JD
> sauce ;-)
More than likely.
Buffalo
Robin Bignall
Why? One of the malware products (Adaware?) uses or used to use the
hosts file for inoculation, AFAIK. I stopped using it long ago for
some reason.
On a slightly different note, what exactly does quarantining a file
do? I know it makes it inactive, but once something is quarantined,
what does one do with it? Leave it there?
David H. Lipman
<snip>
| On a slightly different note, what exactly does quarantining a file
| do? I know it makes it inactive, but once something is quarantined,
| what does one do with it? Leave it there?
| --
| Robin
| (BrE)
| Herts, England
It is a methodolgy for removing the file from the operating system and
storing it in a safe, encrypted, place where it can do no harm.
Since the file(s) are not actually deleted they can be restored to their
original, operational, locations IFF the file(s) are deemed to be falsely
identified as malware.
The Real Truth MVP
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"Robin Bignall" <docr...@ntlworld.com> wrote in message
news:vju5h55j9plrviic4...@4ax.com...
Robin Bignall
>Robin Bignall wrote:
>>
>>On a slightly different note, what exactly does quarantining a file
>>do? I know it makes it inactive,
>
>usually done by renaming the extension and then perhaps
>even moving it to a holding pen (quarantine folder).
>
>>but once something is quarantined,
>>what does one do with it? Leave it there?
>
>If you can't disassemble*¹ the workings of it, maybe submit it to some scanner
>site*² for additional opinions, then restore or delete based on your
>conclusions.
>
>*¹ http://tinyurl.com/57dfj
>*² http://tinyurl.com/rd9l3f
Thanks to you and David. That's what I thought. The days when I
would willingly try to disassemble Intel machine code are long past
me.