Re: Infection messages?

Robin Bignall

Nov 25, 2009, 5:53:23 PM
On Tue, 24 Nov 2009 17:25:31 -0600, "NT Canuck" <ntca...@hotmail.com>
wrote:

>
>"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
>news:uIpMdiVb...@TK2MSFTNGP05.phx.gbl...
>
>
>> Thus we need to understand what security related software
>> already existed on this platform PRIOR to the posting of this problem.
>
>To check if antimalware/tool running pre-desktop look into
>control panel > taskmanager > and enable view hidden
>tasks, then also download autoruns and check the 'run'
>section.
>
A-squared contains "Hijackfree" that has an autoruns section plus a
lot of other stuff. I can't see anything running that shouldn't be
there.

>Programs recently installed may still have their residue/setup
>in documents and settings (logon profile) so look for /temp
>folder (may be more than one location).
>
Nothing recently installed or uninstalled, except updates to Windows
and running software.

>Also look at restore points (usually a new restore point
>setup prior to installing a program).
>
Don't use restore, never have.

>In control panel > system > uncheck the auto restart option
>that will leave any shutdown message sit on the screen
>instead of just blinking over it and rebooting.
>
This is already unchecked. Windows does not see these messages as
something to stop/reboot on.

>Download and install PUI (program uninstall utility) that
>will show programs installed in Windows..even the
>kb and 'uninstallable' type entries from registry.
><http://www.softpedia.com/progDownload/PUI-Download-24439.html>
>
>Just some tips, FYI.

Thanks. I should say two other things:
I ran MRT.EXE /f:y this afternoon. Zero problems reported.
On reboot, sometimes all of these 'infection' messages are simply not
there. Then, on another reboot, they're back again, sometimes a few,
sometimes screens full. Normally I hibernate overnight and only
reboot when something, like critical updates, forces me to.

(alt.privacy.spyware added because this is being discussed there,
too.)
--
Robin
(BrE)
Herts, England

David H. Lipman

Nov 25, 2009, 7:09:56 PM
From: "Robin Bignall" <docr...@ntlworld.com>

< snip >

| Thanks. I should say two other things:
| I ran MRT.EXE /f:y this afternoon. Zero problems reported.
| On reboot, sometimes all of these 'infection' messages are simply not
| there. Then, on another reboot, they're back again, sometimes a few,
| sometimes screens full. Normally I hibernate overnight and only
| reboot when something, like critical updates, forces me to.

| (alt.privacy.spyware added because this is being discussed there,
| too.)
| --
| Robin
| (BrE)
| Herts, England


It is definitely a security tool set to delete the file index.dat at system Reboot and
before the Winlogon process.

However, at this time none of my peers have pinpointed exactly what security tool is
generating the process.

However at this point I can/will say "don't worry". We know have done numerous anti
malware scans and the system can be deemed clean so don't get frazzled over this.

I will keep researching this and hopefully we will find what security tool is generating
the display you have seen.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Andy Walker

Nov 25, 2009, 11:34:09 PM
David H. Lipman wrote:

>I will keep researching this and hopefully we will find what security tool is generating
>the display you have seen.

It occurred to me that she may be able to find the text of the error
in a log file for the program generating the error. Assuming the
program keeps a log, and the log has a formatted text element, she
should be able to use the search function in Windows to search for the
string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
EXISTENT." or some portion of that. If she can find the log file, she
should be able to identify the program.

David H. Lipman

Nov 26, 2009, 8:50:02 AM
From: "Andy Walker" <awa...@nspank.invalid>

| David H. Lipman wrote:


A good approach !

Robin Bignall

Nov 26, 2009, 4:10:05 PM

Excellent idea, Andy. I'll try now and report back. Thanks also
David.
--
Robin (who is a he!)
(BrE)
Herts, England

Robin Bignall

Nov 26, 2009, 4:32:08 PM

No joy with that. I searched for
FILE IS NO LONGER EXISTENT
but didn't find anything.


--
Robin
(BrE)
Herts, England

ps: do any of you out there live in Herts and use
text.news.virginmedia.com? Access from Herts has been down for nearly
a week.

Robin Bignall

Dec 7, 2009, 11:08:19 AM
On Wed, 25 Nov 2009 19:09:56 -0500, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: "Robin Bignall" <docr...@ntlworld.com>
>
>< snip >
>
>| Thanks. I should say two other things:
>| I ran MRT.EXE /f:y this afternoon. Zero problems reported.
>| On reboot, sometimes all of these 'infection' messages are simply not
>| there. Then, on another reboot, they're back again, sometimes a few,
>| sometimes screens full. Normally I hibernate overnight and only
>| reboot when something, like critical updates, forces me to.
>
>| (alt.privacy.spyware added because this is being discussed there,
>| too.)
>| --
>| Robin
>| (BrE)
>| Herts, England
>
>
>It is definitely a security tool set to delete the file index.dat at system Reboot and
>before the Winlogon process.
>
>However, at this time none of my peers have pinpointed exactly what security tool is
>generating the process.
>
>However at this point I can/will say "don't worry". We know have done numerous anti
>malware scans and the system can be deemed clean so don't get frazzled over this.
>
>I will keep researching this and hopefully we will find what security tool is generating
>the display you have seen.

Just another word on this, for it's still happening. I created a text
file on c: containing the word "infection" only. I then used Windows
'search within files' to check all files -- including hidden and
system -- on the system disk. I found seven instances of 'infection'
in various places, mostly text or pdf files, including the made-up
one, but none relating in any way to the system, the virus checker or
any malware. I find it baffling to know what is generating this
message, and how.

David H. Lipman

Dec 7, 2009, 4:08:00 PM
From: "Robin Bignall" <docr...@ntlworld.com>

| Just another word on this, for it's still happening. I created a text
| file on c: containing the word "infection" only. I then used Windows
| 'search within files' to check all files -- including hidden and
| system -- on the system disk. I found seven instances of 'infection'
| in various places, mostly text or pdf files, including the made-up
| one, but none relating in any way to the system, the virus checker or
| any malware. I find it baffling to know what is generating this
| message, and how.
| --
| Robin
| (BrE)
| Herts, England

To date, NOTHING has been pin-pointed yet as the source :-(

Andy Walker

Dec 7, 2009, 6:54:56 PM
Robin Bignall wrote:

>Just another word on this, for it's still happening. I created a text
>file on c: containing the word "infection" only. I then used Windows
>'search within files' to check all files -- including hidden and
>system -- on the system disk. I found seven instances of 'infection'
>in various places, mostly text or pdf files, including the made-up
>one, but none relating in any way to the system, the virus checker or
>any malware. I find it baffling to know what is generating this
>message, and how.

Have you tried looking through your registry for startup programs?

If you are familiar with regedit, you can look at the keys in the
following article to identify programs that could potentially be
giving you the error. Just be mindful that regedit is a dangerous
tool for the inexperienced user:

http://www.bleepingcomputer.com/tutorials/tutorial44.html

Using Regedit
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/tools_regeditors.mspx?mfr=true
or
http://preview.tinyurl.com/yhph8yt


Another possibility is to use autoruns to look for startup programs.
Autoruns has some useful features that allow you to *not* display
normal Microsoft startup programs, which may help zero in on the
source of the problem.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

John Mason Jr

Dec 8, 2009, 11:43:58 AM

Robin Bignall

Dec 8, 2009, 4:36:35 PM

John, Andy, thanks for the suggestions. I have checked autoruns. In
fact, A-squared contains a very useful feature called Hijackfree which
gives detailed information on what's present in 5 categories:
processes, ports, autoruns, services and others. I don't see anything
amiss. PCButts emailed me to make the sensible suggestion of checking
the runonce registry entries. They're empty. The weird thing is
where the message is coming from, since no executable on my system
disk contains the string "infection".

Beauregard T. Shagnasty

Dec 8, 2009, 5:12:44 PM
In alt.privacy.spyware, Robin Bignall wrote:

> PCButts emailed me to make the sensible suggestion of checking
> the runonce registry entries.

What?

Buttface is now emailing direct to posters? How cheeky is that!! Must
be a new way to get around having others respond to warn about his
stolen software...

--
-bts
-Friends don't let friends drive Windows

David H. Lipman

Dec 8, 2009, 5:48:53 PM
From: "Beauregard T. Shagnasty" <a.non...@example.invalid>

| In alt.privacy.spyware, Robin Bignall wrote:

>> PCButts emailed me to make the sensible suggestion of checking
>> the runonce registry entries.

| What?

| Buttface is now emailing direct to posters? How cheeky is that!! Must
| be a new way to get around having others respond to warn about his
| stolen software...

And it is even really a "sensible" suggestion as the RunOnce key is just that, it runs
only once then the contents of that Registry key is removed. Therefore if it did run, by
the time the person examined it, it would be an empty key. Plus RunOnce is interpreted
AFTER the Winlogon process. Robin's problem occurs before the Winlogon process.

Leythos

Dec 8, 2009, 6:04:05 PM
In article <l7hth5ph28bh1a2vi...@4ax.com>,
docr...@ntlworld.com says...

> PCButts emailed me to make the sensible suggestion of checking
> the runonce registry entries. They're empty. The weird thing is
> where the message is coming from, since no executable on my system
> disk contains the string "infection".

You should ALWAYS check the reputation and online history of a person
before taking their advice - there are many people that would give you
bad advice that could damage your system.

In the case of PCBUTTS, I don't know of anyone that would consider
trusting him.

--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam9...@rrohio.com (remove 999 for proper email address)

Rick

Dec 8, 2009, 6:54:12 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:hfml4...@news3.newsguy.com:
>
> And it is even really a "sensible" suggestion as the RunOnce key is
> just that, it runs only once then the contents of that Registry key is
> removed. Therefore if it did run, by the time the person examined it,
> it would be an empty key. Plus RunOnce is interpreted AFTER the
> Winlogon process. Robin's problem occurs before the Winlogon process.


When is wininit.ini processed?


--
Rick Simon rsi...@cris.com

Include "spam(trap)key" somewhere in the
body of any email to avoid spam filters.

David H. Lipman

Dec 8, 2009, 7:04:28 PM
From: "Rick" <rsi...@cris.com>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:hfml4...@news3.newsguy.com:

>> And it is even really a "sensible" suggestion as the RunOnce key is
>> just that, it runs only once then the contents of that Registry key is
>> removed. Therefore if it did run, by the time the person examined it,
>> it would be an empty key. Plus RunOnce is interpreted AFTER the
>> Winlogon process. Robin's problem occurs before the Winlogon process.


| When is wininit.ini processed?

What OS are you referring to because NT based OS' don't use INI files.
Everything is pretty much stored in the Registry and evaluated there.

Since this was x-posted to a WinXP group, the answer is NEVER.

The Real Truth MVP

Dec 8, 2009, 8:21:36 PM
Please David your ignorance and lack of knowledge is showing. You of all
people should know that malware writes to that key and since the issue is
there on EVERY boot if it gets deleted when run it gets put back in there
and you are WRONG about when that key gets read.


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:hfml4...@news3.newsguy.com...

Andy Walker

Dec 8, 2009, 9:04:33 PM
David H. Lipman wrote:

>What OS are you referring to because NT based OS' don't use INI files.
>Everything is pretty much stored in the Registry and evaluated there.
>
>Since this was x-posted to a WinXP group, the answer is NEVER.

Not true, Dave. XP still uses INI files.

boot.ini
win.ini
system.ini

to name a few...

David H. Lipman

Dec 8, 2009, 9:08:56 PM
From: "Andy Walker" <awa...@nspank.invalid>

| David H. Lipman wrote:

| boot.ini
| win.ini
| system.ini

| to name a few...

OK. BOOT.INI is only used to launch the OS or a different OS. It is interpreted before
the WinGUI.

WIN.INI and SYSTEM.INI are NOT really interpreted anymore. They ONLY exist for backwards
compatibility purposes for Win9x/ME, and maybe Win3.1x programs that weren't written to
use a registry.

JD

Dec 8, 2009, 9:33:30 PM
The Real Truth MVP wrote:
> Please David your ignorance and lack of knowledge is showing. You of all
> people should know that malware writes to that key and since the issue
> is there on EVERY boot if it gets deleted when run it gets put back in
> there and you are WRONG about when that key gets read.
>
>

Oh My god..

Don't you have software to fix this? Go away. Nobody needs your help. 8-)

--
JD..

Rick

Dec 9, 2009, 6:05:12 AM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:hfmpi...@news3.newsguy.com:

>
>| When is wininit.ini processed?
>
>
>
> What OS are you referring to because NT based OS' don't use INI files.
> Everything is pretty much stored in the Registry and evaluated there.
>
> Since this was x-posted to a WinXP group, the answer is NEVER.


Not to be argumentative, but you're saying these folks are incorrect?

http://www.aumha.org/a/loads.php
http://support.microsoft.com/kb/140570

While I don't run into it as much as I used to, I still do find XP systems
that appear to be using wininit.ini for file deletions/renames on occasion.

David H. Lipman

Dec 9, 2009, 6:50:18 AM
From: "Rick" <rsi...@cris.com>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:hfmpi...@news3.newsguy.com:

>>| When is wininit.ini processed?

>> What OS are you referring to because NT based OS' don't use INI files.
>> Everything is pretty much stored in the Registry and evaluated there.

>> Since this was x-posted to a WinXP group, the answer is NEVER.


| Not to be argumentative, but you're saying these folks are incorrect?

| http://www.aumha.org/a/loads.php
| http://support.microsoft.com/kb/140570

| While I don't run into it as much as I used to, I still do find XP systems
| that appear to be using wininit.ini for file deletions/renames on occasion.


Well the aumha article is for mostly Win9x/ME and the MS KB140570 is more for NT4 and
Win9x/ME and you'll note mention of "Wininit.exe" which is NOT present in WinXP.

So let me modify my NEVER answer to practically NEVER. Interpreting .INI files is an old
construct that was used in Win9x/ME and to a lesser degree in NT v3.5x and NT4 and
thus *may* have some left over functionality in subsequent OS'. However for the most
part, .INI files are no longer interpreted by the OS.

Notice in the aumha article it states...
"In Windows 2000 and XP, the WININIT.INI file, if existing, will be executed. However it
is usually replaced by the "PendingFileRenameOperations" sub-key in the Registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager."

This shows that for backwards compatibility Win2k and WinXP may interpret WININIT.INI but
has been really replaced by Registry functionality.

This will not affect Robin's problem as the message "INFECTION: DOCUMENTS AND
SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT" occurs "before the logon screen" and
would not be generated by such a process. This is presumed to be a security tool/utility
in action.
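
An added example, not part of any post in this thread: a decoder for the PendingFileRenameOperations value quoted above, to see which deletes and renames are queued for the next boot. The value is a REG_MULTI_SZ of source/destination pairs where an empty destination means "delete" and a leading "!" means "replace existing"; the function names and the sample data are constructed for illustration.

```python
import ntpath

NT_PREFIX = "\\??\\"  # NT object-namespace prefix stored in front of each path


def bytes_from_reg_hex(value):
    """Turn the 'hex(7):5c,00,...' text of a .reg export into raw bytes."""
    body = value.split(":", 1)[1]
    # Exports wrap long values with a trailing backslash and indented lines.
    body = "".join(body.replace("\\", "").split())
    return bytes(int(tok, 16) for tok in body.split(",") if tok)


def decode_pending_renames(raw):
    """Decode raw REG_MULTI_SZ bytes into (action, source, dest, replace) tuples."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]              # drop the list terminator
    parts = text.split("\0")
    if len(parts) % 2 == 1 and parts[-1] == "":
        parts.pop()                   # left over from the last string's own NUL
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        source = src[len(NT_PREFIX):] if src.startswith(NT_PREFIX) else src
        if dst == "":
            # Empty destination: the source is deleted at boot.
            ops.append(("delete", source, None, False))
            continue
        replace = dst.startswith("!")  # "!" = overwrite an existing target
        if replace:
            dst = dst[1:]
        if dst.startswith(NT_PREFIX):
            dst = dst[len(NT_PREFIX):]
        ops.append(("rename", source, dst, replace))
    return ops


def queued_for(ops, filename):
    """Operations whose source file name matches, ignoring case."""
    wanted = filename.lower()
    return [op for op in ops if ntpath.basename(op[1]).lower() == wanted]


# Constructed sample: one queued delete and one queued replace.
_SAMPLE_STRINGS = [
    "\\??\\C:\\Documents and Settings\\Example User\\Cookies\\index.dat", "",
    "\\??\\C:\\WINDOWS\\Temp\\upd1.tmp", "!\\??\\C:\\WINDOWS\\system32\\example.dll",
]
SAMPLE_RAW = ("".join(s + "\0" for s in _SAMPLE_STRINGS) + "\0").encode("utf-16-le")
SAMPLE_REG_HEX = "hex(7):" + ",".join(f"{b:02x}" for b in SAMPLE_RAW)

if __name__ == "__main__":
    for op in decode_pending_renames(bytes_from_reg_hex(SAMPLE_REG_HEX)):
        print(op)
```

An entry only shows that an operation is queued; it does not say which program queued it.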

Rick

Dec 9, 2009, 10:51:45 AM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:hfo2t...@news3.newsguy.com:
>
> So let me modify my NEVER answer to practically NEVER. Interpreting
> .INI files is an old construct that was used in Win9x/ME and to a
> lesser degree in NT v3.5x and NT4 and thus *may* have some left over
> functionality in subsequent OS'. However for the most part, .INI
> files are no longer interpreted by the OS.


Yes, I'm aware of how .ini files have been used going back through Win3.x.


> Notice in the aumha article it states...
> "In Windows 2000 and XP, the WININIT.INI file, if existing, will be
> executed. However it is usually replaced by the
> "PendingFileRenameOperations" sub-key in the Registry key
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager."
>
> This shows that for backwards compatibility Win2k and WinXP may
> interpret WININIT.INI but has been really replaced by Registry
> functionality.


I'm also aware of how wininit.ini is just a hangover and there are other,
preferred methods of doing the same thing. According to the aumha article
however, even though it is not the preferred method, Win XP will execute
the instructions in a wininit.ini file if one is found.


> This will not affect Robin's problem as the message "INFECTION:
> DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
> COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT" occurs "before the
> logon screen" and would not be generated by such a process. This is
> presumed to be a security tool/utility in action.


And this is where my original question comes in. Just where in the boot
process does wininit.ini get processed? Since the aumha article points out
that:

a) "WININIT.INI is used to complete Windows and program installation steps
that cannot be completed while Windows is running"

b) "During the boot process, Windows checks to see if there is a
WININIT.INI file and, if it finds one, executes its instructions."

c) and specifies that Windows XP will execute such a file, if it exists
(assumedly to maintain backwards compatibility)


I was just curious if anyone happened to know where in the boot process
that execution was performed. Whether it was before or after the logon
process.

David H. Lipman

Dec 9, 2009, 4:45:25 PM
From: "Rick" <rsi...@cris.com>


Rick I think you have a good point in that if the WININIT.INI file is found by the OS it
will do a file move/delete function "before the logon screen" which is 100% relevant to
Robin's problem.

However, this is a silent function. No screen displays and certainly not "INFECTION:...".

Since you know this INI file and its directives, maybe you could create a test and see
what it does.

Buffalo

Dec 9, 2009, 8:19:40 PM

Robin Bignall wrote:
[snip]


> John, Andy, thanks for the suggestions. I have checked autoruns. In
> fact, A-squared contains a very useful feature called Hijackfree which
> gives detailed information on what's present in 5 categories:
> processes, ports, autoruns, services and others. I don't see anything
> amiss. PCButts emailed me to make the sensible suggestion of checking
> the runonce registry entries. They're empty. The weird thing is
> where the message is coming from, since no executable on my system
> disk contains the string "infection".

Dl and install a free anti-virus program like Avira AntiVir and install it.
Disable or uninstall your present anti-virus program (A-squared)
Uninstall your anti-malware programs and install the free version of
MalwareBytes AntiMalware.
Use it to scan frequently.
See if you have the same problem. If not, install each of the programs you
uninstalled or disabled one at a time to see if you can find out which one
causes the problem.
I don't think you ever said you installed and ran the free version of MBAM
(MalwareBytes Anti-Malware) and the free version of SAS (SuperAntiSpyware).
If you didn't (this is a damn long thread) please do it.
Buffalo


Beauregard T. Shagnasty

Dec 9, 2009, 10:05:29 PM
In alt.privacy.spyware, Buffalo wrote:

> Disable or uninstall your present anti-virus program (A-squared)

A² (A-Squared) is an anti-spyware program, not an anti-virus program.
There should be no conflict with anything, assuming of course you don't
set full-time scanners in action.

http://www.emsisoft.com/en/ (pay)
http://www.emsisoft.com/en/software/free/ (free)

Buffalo

Dec 9, 2009, 10:53:03 PM

Beauregard T. Shagnasty wrote:
> In alt.privacy.spyware, Buffalo wrote:
>
>> Disable or uninstall your present anti-virus program (A-squared)
>
> A² (A-Squared) is an anti-spyware program, not an anti-virus program.
> There should be no conflict with anything, assuming of course you
> don't set full-time scanners in action.
>
> http://www.emsisoft.com/en/ (pay)
> http://www.emsisoft.com/en/software/free/ (free)

Right you are. Sorry.
I now realize that Robin uses Kaspersky.
Ok, Robin, disable or uninstall Kaspersky and use the free version of Avira
AntiVir temporarily.
Since even Lipman can't nail it, please post back on what program is causing
the message.
Thanks,
Buffalo


David H. Lipman

Dec 9, 2009, 11:35:37 PM
From: "Buffalo" <Er...@nada.com.invalid>

| Right you are. Sorry.
| I now realize that Robin uses Kaspersky.
| Ok, Robin, disable or uninstall Kaspersky and use the free version of Avira
| AntiVir temporarily.
| Since even Lipman can't nail it, please post back on what program is causing
| the message.
| Thanks,
| Buffalo

Robin has already indicated NUMEROUS anti malware scans have been performed with nothing
being found.

We do NOT know what security program is generating this message. That is the problem.

Buffalo

Dec 9, 2009, 11:59:57 PM

David H. Lipman wrote:
> From: "Buffalo" <Er...@nada.com.invalid>
>
>> Right you are. Sorry.
>> I now realize that Robin uses Kaspersky.
>> Ok, Robin, disable or uninstall Kaspersky and use the free version
>> of Avira AntiVir temporarily.
>> Since even Lipman can't nail it, please post back on what program is
>> causing the message.
>> Thanks,
>> Buffalo
>
> Robin has already indicated NUMEROUS anti malware scans have been
> performed with nothing being found.
>
> We do NOT know what security program is generating this message.
> That is the problem.

That is why I recommended that he disable or uninstall his anti-virus and
anti-malware programs and install Avira AntiVir and free MBAM and hopefully
the free SAS. ( I don't think he ever said that he tried them both)
If the above doesn't change things, then that would indicate a different
security program causing the problem.
Buffalo


Robin Bignall

Dec 10, 2009, 4:17:36 PM
On Wed, 9 Dec 2009 21:59:57 -0700, "Buffalo" <Er...@nada.com.invalid>
wrote:

Just to save you reading back in the thread, I have SAS Pro, which is
not free, and MBAM, which is. I also run ActiveScan 2, which was
recommended, together with Kaspersky, by AumHa. I don't intend to
go through the process of uninstalling Kaspersky.

Buffalo

Dec 10, 2009, 4:27:55 PM

Robin Bignall wrote:
[snip]


>>
>> That is why I recommended that he disable or uninstall his
>> anti-virus and anti-malware programs and install Avira AntiVir and
>> free MBAM and hopefully the free SAS. ( I don't think he ever said
>> that he tried them both)
>> If the above doesn't change things, then that would indicate a
>> different security program causing the problem.
>> Buffalo
>>
> Just to save you reading back in the thread, I have SAS Pro, which is
> not free, and MBAM, which is. I also run ActiveScan 2, which was
> recommended, together with Kaspersky, by AumHa. I don't intend to
> go through the process of uninstalling Kaspersky.

OK, missed that point. If you disable Kaspersky and just use the free Avira
AntiVir and no message comes up, perhaps it is Kaspersky doing it.
Doesn't really seem like it's worth the trouble overall.
Buffalo
PS: If you ever find out what it is, please post back.


Robin Bignall

Dec 10, 2009, 5:13:51 PM
On Thu, 10 Dec 2009 14:27:55 -0700, "Buffalo" <Er...@nada.com.invalid>
wrote:

I certainly will.

Robin Bignall

Dec 10, 2009, 5:15:22 PM
On Thu, 10 Dec 2009 13:25:44 -0800, ASCII <m...@privacy.net> wrote:

>Robin Bignall wrote:
>
>Was looking for source of text within a file;
>
>Have you tried Agent Ransack,
>a free search engine that can look for embedded text?
>
>http://www.mythicsoft.com/agentransack/

I don't mind trying, but is there any reason to believe that Windows
search won't find embedded text?
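
An added example, not part of any post in this thread: text inside Windows programs is often stored as UTF-16LE rather than ASCII, so this sketch looks for a message in both encodings, case-insensitively, in every file under a folder. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile


def needle_variants(text):
    """Upper-cased byte patterns for the two encodings to look for."""
    upper = text.upper()
    return {"ascii": upper.encode("ascii"), "utf-16-le": upper.encode("utf-16-le")}


def scan_file(path, needles, chunk_size=1 << 20):
    """Return the sorted encoding names whose pattern occurs in the file."""
    overlap = max(len(p) for p in needles.values()) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            # bytes.upper() folds ASCII letters only, which is all the
            # patterns contain; other bytes are left unchanged.
            window = tail + chunk.upper()
            found.update(n for n, p in needles.items() if p in window)
            # Keep the end of this window so a match that straddles
            # two chunks is still seen.
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def scan_tree(root, text):
    """Map each file under root that contains the text to its encodings."""
    needles = needle_variants(text)
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                found = scan_file(path, needles)
            except OSError:
                continue  # locked or unreadable file: skip it
            if found:
                hits[path] = found
    return hits


def demo():
    """Scan three constructed files and return {file name: encodings}."""
    samples = {
        "note.txt": b"infection\r\n",
        "tool.bin": b"MZ\x90\x00"
        + "Infection: %s could not be removed".encode("utf-16-le")
        + b"\x00\x00\xff",
        "clean.dll": b"MZ" + bytes(range(256)),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        hits = scan_tree(root, "infection")
        return {os.path.basename(p): enc for p, enc in hits.items()}


if __name__ == "__main__":
    print(demo())
```

A message held in a compressed or packed executable, or assembled at run time from smaller pieces, will not match either pattern.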

Robin Bignall

Dec 10, 2009, 5:41:55 PM

I'm running Avira now.

Robin Bignall

Dec 10, 2009, 6:02:55 PM
On Thu, 10 Dec 2009 22:41:55 +0000, Robin Bignall
<docr...@ntlworld.com> wrote:

And it found nothing.

Buffalo

Dec 10, 2009, 6:12:08 PM

Perhaps just let Avira run for several days while Kaspersky is disabled, if
you wish.
Buffalo


Robin Bignall

Dec 11, 2009, 4:52:13 PM
On Thu, 10 Dec 2009 16:12:08 -0700, "Buffalo" <Er...@nada.com.invalid>
wrote:

>
>
["infected" messages before logon screen]

>>> I'm running Avira now.
>>
>> And it found nothing.
>
>Perhaps just let Avira run for several days while Kaspersky is disabled, if
>you wish.
>Buffalo
>

I don't think it'll find anything.
There appears to be no rhyme or reason behind these messages. For
example, when I rebooted last night, there were hundreds of these
messages, in bunches. I can't tell how many are in a bunch, maybe 32
or 64. A bunch scrolls for about five seconds, there's a two second
gap, then another bunch scrolls, and so on. Last night there were four
of these bunches, plus half a screen of bunch five. Tonight when I
booted there were just two of these messages (not two bunches). I
booted again and there were none. I've found this behaviour before.
These messages seem to come and go.

I just again checked the contents of all files on c: and d:, and the
registry, for the string "infection", without finding anything
associated in any way with an executable. Weird.

Buffalo

Dec 11, 2009, 5:16:39 PM

I was just suggesting that possibly Kaspersky could be the culprit and
disabling it and only running Avira to see if the messages stop.
However, I really doubt Kaspersky would react that way.
We know 'something' is generating the messages and hopefully there is
someone in this ng that would have a good suggestion for a program that
could monitor all the startups.
Buffalo
PS: It will be interesting to see what caused it. :)
And, do you have more than one (1) antivirus program running in real time,
such as Windows Defender?

