Googling the above didn't turn up many hits, which already points to
malware. I did manage to find a very similar message (with "available"
replacing "existent") here:
Another possibly relevant hit:
http://forums.techguy.org/malware-removal-hijackthis-logs/618659-my-first-virus-help-please.html
I'm 99.9999999999999% sure you have malware. :-(
This page should help:
http://www.elephantboycomputers.com/page2.html#Removing_Malware
(also cross-posting to microsoft.public.security.virus )
Thanks for your help. I spent lots of time last night doing full/deep
scans using Kaspersky 9, SAS, Asquared and Activescan2. Nothing
found. Am now starting MBAM...
Will look at your links after breakfast.
--
Robin
(BrE)
Herts, England
Sounds like you're on the right track. MBAM is quite good.
Sometimes, one needs to boot off a rescue CD. Check out these links for
more info:
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
(This way, the OS is entirely bypassed. Another method is to physically
remove your hard drive and slave it to another PC and use the
uncompromised PC to perform the scan.)
MBAM was clean. I'm now going to run everything in safe mode to
check.
Just ran MBAM, SAS and Kaspersky full scans in safe mode. Nothing
reported. On reboot all "infection" messages had vanished. Weird,
huh?
Yes.
I still smell something rotten. I would still boot off a rescue CD and
scan or use another PC to scan. An alternative to removing the drive and
slaving it is to use a device like this one:
http://www.newegg.com/Product/Product.aspx?Item=N82E16812161002
Also, HijackThis might be necessary...
| Also, HijackThis might be necessary...
I have read the original thread (when it first started) and the subsequent parts x-posted
to m.p.s.v and this is curious indeed. However I don't think HJT will help.
The way to fully understand this is to go back to the beginning. And to fully express the
EXACT (to the best as one can) messages and relay the exact moment(s) the messages are
displayed.
To date what I have seen is...
"I get a blue screen with white messages. There are dozens of them, all identical, which
say something like:
Infection: docs and settings my name cookies/index.dat does not exist
and cannot be removed."
From the description, it is happening PRIOR to the Winlogon Process during OS
initialization.
The question then becomes what is generating it?
The message "Infection: docs and settings my name cookies/index.dat..."
Could be indicative of a legitimate program (antimalware) that is installed
that is processing a deletion request that is intended to occur PRIOR to the GUI being
loaded and where most file handles would be in use.
Thus we need to understand what security related software already existed on this platform
PRIOR to the posting of this problem.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
> Thus we need to understand what security related software
> already existed on this platform PRIOR to the posting of this problem.
To check if antimalware/tool running pre-desktop look into
control panel > taskmanager > and enable view hidden
tasks, then also download autoruns and check the 'run'
section.
Programs recently installed may still have their residue/setup
in documents and settings (logon profile) so look for /temp
folder (may be more than one location).
Also look at restore points (usually a new restore point
setup prior to installing a program).
In control panel > system > uncheck the auto restart option
that will leave any shutdown message sit on the screen
instead of just blinking over it and rebooting.
Download and install PUI (program uninstall utility) that
will show programs installed in Windows..even the
kb and 'uninstallable' type entries from registry.
<http://www.softpedia.com/progDownload/PUI-Download-24439.html>
Just some tips, FYI.
--
'Seek and ye shall find'
NT Canuck
That is a good point. It could be anything. Unfortunately, I don't speak
French and the best I could come up with is this Google translation:
The screen shot:
http://dl.toofiles.com/uc4yon/images/e1rwa0-fsz7yj-ziucmm.jpg
I don't have Vista, so I don't know what a BSOD looks like in it, but an
XP BSOD would be *all blue* and not what this French poster submitted.
>> Could be indicative of a program of a legitimate program
>> (antimalware) that is installed that is processing a deletion request
>> that is intended to occur PRIOR to the GUI being loaded and where
>> most file handles would be in use.
>
> That is a good point. It could be anything. Unfortunately, I don't speak
> French and the best I could come up with is this Google translation:
I'd suspect something along the lines of Internet track/trace evidence
removal program (adaware or similar), since the index.dat in that
location is a system file (locked/used by Explorer/IE/OutlookExpress
and a few others like the A/V in use etc.) that it has to be (if done)
deleted/moved during boot up before the OS logon and this is
likely the screen shown...boot phase, logging the boot sequence
(like shown on display during safe mode start up) would help.
snip
> The screen shot:
>
> http://dl.toofiles.com/uc4yon/images/e1rwa0-fsz7yj-ziucmm.jpg
>
> I don't have Vista, so I don't know what a BSOD looks like in it, but an
> XP BSOD would be *all blue* and not what this French poster submitted.
My comments earlier, typically it's not a bad file...very seldom a threat.
hth
The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
Needless to say, the file does exist.
As previously stated I have Kaspersky 9, A-squared pro and SAS pro
running in real time with frequent full scans. I also run MBAM weekly
and Panda Activescan 2 monthly.
>
>"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
>news:uIpMdiVb...@TK2MSFTNGP05.phx.gbl...
>
>
>> Thus we need to understand what security related software
>> already existed on this platform PRIOR to the posting of this problem.
>
>To check if antimalware/tool running pre-desktop look into
>control panel > taskmanager > and enable view hidden
>tasks, then also download autoruns and check the 'run'
>section.
>
A-squared contains "Hijackfree" that has an autoruns section plus a
lot of other stuff. I can't see anything running that shouldn't be
there.
>Programs recently installed may still have their residue/setup
>in documents and settings (logon profile) so look for /temp
>folder (may be more than one location).
>
Nothing recently installed or uninstalled, except updates to Windows
and running software.
>Also look at restore points (usually a new restore point
>setup prior to installing a program).
>
Don't use restore, never have.
>In control panel > system > uncheck the auto restart option
>that will leave any shutdown message sit on the screen
>instead of just blinking over it and rebooting.
>
This is already unchecked. Windows does not see these messages as
something to stop/reboot on.
>Download and install PUI (program uninstall utility) that
>will show programs installed in Windows..even the
>kb and 'uninstallable' type entries from registry.
><http://www.softpedia.com/progDownload/PUI-Download-24439.html>
>
>Just some tips, FYI.
Thanks. I should say two other things:
I ran MRT.EXE /f:y this afternoon. Zero problems reported.
On reboot, sometimes all of these 'infection' messages are simply not
there. Then, on another reboot, they're back again, sometimes a few,
sometimes screens full. Normally I hibernate overnight and only
reboot when something, like critical updates, forces me to.
(alt.privacy.spyware added because this is being discussed there,
too.)
< snip >
| Thanks. I should say two other things:
| I ran MRT.EXE /f:y this afternoon. Zero problems reported.
| On reboot, sometimes all of these 'infection' messages are simply not
| there. Then, on another reboot, they're back again, sometimes a few,
| sometimes screens full. Normally I hibernate overnight and only
| reboot when something, like critical updates, forces me to.
| (alt.privacy.spyware added because this is being discussed there,
| too.)
| --
| Robin
| (BrE)
| Herts, England
It is definitely a security tool set to delete the file index.dat at system Reboot and
before the Winlogon process.
However, at this time none of my peers have pinpointed exactly what security tool is
generating the process.
However at this point I can/will say "don't worry". We know have done numerous anti
malware scans and the system can be deemed clean so don't get frazzled over this.
I will keep researching this and hopefully we will find what security tool is generating
the display you have seen.
The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
Needless to say, the file does exist.
As previously stated I have Kaspersky 9, A-squared pro and SAS pro
running in real time with frequent full scans. I also run MBAM weekly
and Panda Activescan 2 monthly.
Heh, too much by far...
Likely an infection was found by one unit and set for
automatic removal next boot...but before booting one
of the other tools deleted the file or deleted it before
another tool that also found it...could do so at boot. ;)
I'd uninstall (not just de-activate) all of them except
KAV9, and see what happens after a few days.
Last mystery is why that .dat is considered an infection,
it could be a renamed file so install this and have a look
inside... A safe file inspector.
http://users.westnet.gr/~cgian/peek11.zip 17kb
PEEK is a Shell context menu extension which
allows you to extract only the text portion of files.
After installation you are provided with 3 different
setups called: Standard, Unicode, Binary Files.
Otherwise you may be visiting some odd site and
picking up a poison cookie...then remnants in the
.dat (guessing)...but still...too many programs.
The precise message is:
INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
***
It sounds to me like a conflict between two programs trying to do the
same thing, and one doesn't check for the existence of the file prior to
attempting the delete action.
***
>I will keep researching this and hopefully we will find what security tool is generating
>the display you have seen.
It occurred to me that she may be able to find the text of the error
in a log file for the program generating the error. Assuming the
program keeps a log, and the log has a formatted text element, she
should be able to use the search function in Windows to search for the
string "INFECTION: DOCUMENTS AND SETTINGS\ROBIN
BIGNALL\COOKIES\INDEX.DAT COULD NOT BE REMOVED. FILE IS NO LONGER
EXISTENT." or some portion of that. If she can find the log file, she
should be able to identify the program.
| David H. Lipman wrote:
A good approach !
Excellent idea, Andy. I'll try now and report back. Thanks also
David.
--
Robin (who is a he!)
(BrE)
Herts, England
No joy with that. I searched for
FILE IS NO LONGER EXISTENT
but didn't find anything.
--
Robin
(BrE)
Herts, England
ps: do any of you out there live in Herts and use
text.news.virginmedia.com? Access from Herts has been down for nearly
a week.
What, other than malware, would want to delete the cookie index?
Incidentally, I've run iecv, and there are no cookies in any of the
user's cookie folders.
***
People who have issues with privacy and spyware (in the form of cookies)
sometimes download programs that "protect" them from data leakage (or
from their own OS's hidden data stores or pagefile.sys).
Malware (spyware specifically) is more likely to want that file to
remain existent.
***
>"Robin Bignall" <docr...@ntlworld.com> wrote in message
>news:bubrg555vcle0jo5k...@4ax.com...
>
>The precise message is:
>INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
>NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
>
>Needless to say, the file does exist.
>As previously stated I have Kaspersky 9, A-squared pro and SAS pro
>running in real time with frequent full scans. I also run MBAM weekly
>and Panda Activescan 2 monthly.
>
>Heh, too much by far...
>Likely an infection was found by one unit and set for
>automatic removal next boot...but before booting one
>of the other tools deleted the file or deleted it before
>another tool that also found it...could do so at boot. ;)
>
OK. If they're just arguing with each other, I can live with that. I
am married!
>I'd uninstall (not just de-activate) all of them except
>KAV9, and see what happens after a few days.
>
>Last mystery is why that .dat is considered an infection,
>it could be a renamed file so install this and have a look
>inside... A safe file inspector.
>http://users.westnet.gr/~cgian/peek11.zip 17kb
>PEEK is a Shell context menu extension which
>allows you to extract only the text portion of files.
>After installation you are provided with 3 different
>setups called: Standard, Unicode, Binary Files.
>
I have a hex editor. I took a look inside cookie\index.dat for
administrator and me. They both lead off with "URL Cache", and the
rest is mostly hex 00.
>Otherwise you may be visiting some odd site and
>picking up a poison cookie...then remnants in the
>.dat (guessing)...but still...too many programs.
--
Robin
(BrE)
Herts, England
>
>"Robin Bignall" <docr...@ntlworld.com> wrote in message
>news:kt2ug5163h2js36ir...@4ax.com...
>On Wed, 25 Nov 2009 20:24:12 -0500, "FromTheRafters" <erratic
>@nomail.afraid.org> wrote:
>
>>"Robin Bignall" <docr...@ntlworld.com> wrote in message
>>news:bubrg555vcle0jo5k...@4ax.com...
>>
>>The precise message is:
>>INFECTION:DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT COULD
>>NOT BE REMOVED. FILE IS NO LONGER EXISTENT.
>>
Just another piece of data. I just logged on as "administrator" (with
several screens full of these infection messages) to see if, when I
rebooted, I might have some "administrator\cookies\index.dat"
messages.
When I rebooted back as myself all the infection messages had
vanished. But this has happened before on reboot.
>From: "Robin Bignall" <docr...@ntlworld.com>
>
>< snip >
>
>| Thanks. I should say two other things:
>| I ran MRT.EXE /f:y this afternoon. Zero problems reported.
>| On reboot, sometimes all of these 'infection' messages are simply not
>| there. Then, on another reboot, they're back again, sometimes a few,
>| sometimes screens full. Normally I hibernate overnight and only
>| reboot when something, like critical updates, forces me to.
>
>| (alt.privacy.spyware added because this is being discussed there,
>| too.)
>| --
>| Robin
>| (BrE)
>| Herts, England
>
>
>It is definitely a security tool set to delete the file index.dat at system Reboot and
>before the Winlogon process.
>
>However, at this time none of my peers have pinpointed exactly what security tool is
>generating the process.
>
>However at this point I can/will say "don't worry". We know have done numerous anti
>malware scans and the system can be deemed clean so don't get frazzled over this.
>
>I will keep researching this and hopefully we will find what security tool is generating
>the display you have seen.
Just another word on this, for it's still happening. I created a text
file on c: containing the word "infection" only. I then used Windows
'search within files' to check all files -- including hidden and
system -- on the system disk. I found seven instances of 'infection'
in various places, mostly text or pdf files, including the made-up
one, but none relating in any way to the system, the virus checker or
any malware. I find it baffling to know what is generating this
message, and how.
| Just another word on this, for it's still happening. I created a text
| file on c: containing the word "infection" only. I then used Windows
| 'search within files' to check all files -- including hidden and
| system -- on the system disk. I found seven instances of 'infection'
| in various places, mostly text or pdf files, including the made-up
| one, but none relating in any way to the system, the virus checker or
| any malware. I find it baffling to know what is generating this
| message, and how.
| --
| Robin
| (BrE)
| Herts, England
To date, NOTHING has been pin-pointed yet as the source :-(
>Just another word on this, for it's still happening. I created a text
>file on c: containing the word "infection" only. I then used Windows
>'search within files' to check all files -- including hidden and
>system -- on the system disk. I found seven instances of 'infection'
>in various places, mostly text or pdf files, including the made-up
>one, but none relating in any way to the system, the virus checker or
>any malware. I find it baffling to know what is generating this
>message, and how.
Have you tried looking through your registry for startup programs?
If you are familiar with regedit, you can look at the keys in the
following article to identify programs that could potentially be
giving you the error. Just be mindful that regedit is a dangerous
tool for the inexperienced user:
http://www.bleepingcomputer.com/tutorials/tutorial44.html
Using Regedit
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/tools_regeditors.mspx?mfr=true
or
http://preview.tinyurl.com/yhph8yt
Another possibility is to use autoruns to look for startup programs.
Autoruns has some useful features that allow you to *not* display
normal Microsoft startup programs, which may help zero in on the
source of the problem.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
and
PendMoves might help as well
http://technet.microsoft.com/en-us/sysinternals/bb897556.aspx
John
John, Andy, thanks for the suggestions. I have checked autoruns. In
fact, A-squared contains a very useful feature called Hijackfree which
gives detailed information on what's present in 5 categories:
processes, ports, autoruns, services and others. I don't see anything
amiss. PCButts emailed me to make the sensible suggestion of checking
the runonce registry entries. They're empty. The weird thing is
where the message is coming from, since no executable on my system
disk contains the string "infection".
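An added example, not part of the original thread: a content search only finds the byte pattern it looks for, and Windows executables frequently store their strings as UTF-16LE rather than single-byte text. The Python sketch below searches executables for a fragment of the message in both encodings, ignoring case; the file names and bytes in `demo()` are constructed sample data.

```python
import os
import tempfile

NEEDLE = "FILE IS NO LONGER EXISTENT"          # fragment of the boot-time message
BINARY_EXTENSIONS = (".exe", ".dll", ".sys")   # assumption: where the text would live


def find_in_file(path, needle, chunk_size=1 << 20):
    """Return sorted (encoding, offset) hits for needle, case-insensitively."""
    if not needle:
        raise ValueError("needle must not be empty")
    # bytes.lower() folds ASCII letters only, which also works for UTF-16LE
    # text made of ASCII characters (the interleaved 0x00 bytes are untouched).
    patterns = {
        "ascii": needle.lower().encode("ascii"),
        "utf-16-le": needle.lower().encode("utf-16-le"),
    }
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()
    base = 0      # file offset of the first byte in buf
    tail = b""    # lower-cased bytes carried over so matches can span chunks
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk.lower()
            for label, pattern in patterns.items():
                start = 0
                while True:
                    idx = buf.find(pattern, start)
                    if idx < 0:
                        break
                    hits.add((label, base + idx))
                    start = idx + 1
            tail = buf[-overlap:]
            base += len(buf) - len(tail)
    return sorted(hits)


def scan_tree(root, needle, extensions=BINARY_EXTENSIONS, chunk_size=1 << 20):
    """Walk root and return {path: hits} for binaries that contain needle."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                hits = find_in_file(path, needle, chunk_size)
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
            if hits:
                results[path] = hits
    return results


def demo(chunk_size=1 << 20):
    """Run the scan over constructed files that stand in for real binaries."""
    message = "INFECTION:%s COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT."
    samples = {
        # wide-character string, as many Windows programs store their text
        "boot_tool.exe": b"MZ" + b"\x00" * 64 + message.encode("utf-16-le"),
        # single-byte string in mixed case
        "cleaner.dll": b"MZ" + b"\x90" * 10 + b"File is no longer existent\x00",
        # no match, and a non-binary file that the extension filter skips
        "other.sys": b"MZ" + b"\x00" * 32,
        "notes.txt": b"file is no longer existent",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found = scan_tree(root, NEEDLE, chunk_size=chunk_size)
        return {os.path.basename(p): hits for p, hits in found.items()}


if __name__ == "__main__":
    for name, hits in sorted(demo().items()):
        print(name, hits)
```

Packed or compressed executables can hide strings from any search of this kind, so an empty result narrows the field rather than ruling a program out.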
> PCButts emailed me to make the sensible suggestion of checking
> the runonce registry entries.
What?
Buttface is now emailing direct to posters? How cheeky is that!! Must
be a new way to get around having others respond to warn about his
stolen software...
--
-bts
-Friends don't let friends drive Windows
| In alt.privacy.spyware, Robin Bignall wrote:
>> PCButts emailed me to make the sensible suggestion of checking
>> the runonce registry entries.
| What?
| Buttface is now emailing direct to posters? How cheeky is that!! Must
| be a new way to get around having others respond to warn about his
| stolen software...
And it is even really a "sensible" suggestion as the RunOnce key is just that, it runs
only once then the contents of that Registry key is removed. Therefore if it did run, by
the time the person examined it, it would be an empty key. Plus RunOnce is interpreted
AFTER the Winlogon process. Robin's problem occurs before the Winlogon process.
You should ALWAYS check the reputation and online history of a person
before taking their advice - there are many people that would give you
bad advice that could damage your system.
In the case of PCBUTTS, I don't know of anyone that would consider
trusting him.
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam9...@rrohio.com (remove 999 for proper email address)
When is wininit.ini processed?
--
Rick Simon rsi...@cris.com
Include "spam(trap)key" somewhere in the
body of any email to avoid spam filters.
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:hfml4...@news3.newsguy.com:
>> And it is even really a "sensible" suggestion as the RunOnce key is
>> just that, it runs only once then the contents of that Registry key is
>> removed. Therefore if it did run, by the time the person examined it,
>> it would be an empty key. Plus RunOnce is interpreted AFTER the
>> Winlogon process. Robin's problem occurs before the Winlogon process.
| When is wininit.ini processed?
What OS are you referring to because NT based OS' don't use INI files.
Everything is pretty much stored in the Registry and evaluated there.
Since this was x-posted to a WinXP group, the answer is NEVER.
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:hfml4...@news3.newsguy.com...
>What OS are you referring to because NT based OS' don't use INI files.
>Everything is pretty much stored in the Registry and evaluated there.
>
>Since this was x-posted to a WinXP group, the answer is NEVER.
Not true, Dave. XP still uses INI files.
boot.ini
win.ini
system.ini
to name a few...
| David H. Lipman wrote:
| boot.ini
| win.ini
| system.ini
| to name a few...
OK. BOOT.INI is only used to launch the OS or a different OS. It is interpreted before
the WinGUI.
WIN.INI and SYSTEM.INI are NOT really interpreted anymore. They ONLY exist for backwards
compatibility purposes for Win9x/ME, and maybe Win3.1x programs that weren't written to
use a registry.
Oh My god..
Don't you have software to fix this? Go away. Nobody needs your help. 8-)
--
JD..
Not to be argumentative, but you're saying these folks are incorrect?
http://www.aumha.org/a/loads.php
http://support.microsoft.com/kb/140570
While I don't run into it as much as I used to, I still do find XP systems
that appear to be using wininit.ini for file deletions/renames on occasion.
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
| news:hfmpi...@news3.newsguy.com:
>>| When is wininit.ini processed?
>> What OS are you referring to because NT based OS' don't use INI files.
>> Everything is pretty much stored in the Registry and evaluated there.
>> Since this was x-posted to a WinXP group, the answer is NEVER.
| Not to be argumentative, but you're saying these folks are incorrect?
| http://www.aumha.org/a/loads.php
| http://support.microsoft.com/kb/140570
| While I don't run into it as much as I used to, I still do find XP systems
| that appear to be using wininit.ini for file deletions/renames on occasion.
Well the aumha article is for mostly Win9x/ME and the MS KB140570 is more for NT4 and
Win9x/ME and you'll note mention of "Wininit.exe" which is NOT present in WinXP.
So let me modify my NEVER answer to practically NEVER. Interpreting .INI files is an old
construct that was used in Win9x/ME and to a lesser degree in NT v3.5x and NT4 and
thus *may* have some left over functionality in subsequent OS'. However for the most
part, .INI files are no longer interpreted by the OS.
Notice in the aumha article it states...
"In Windows 2000 and XP, the WININIT.INI file, if existing, will be executed. However it
is usually replaced by the "PendingFileRenameOperations" sub-key in the Registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager."
This shows that for backwards compatibility Win2k and WinXP may interpret WININIT.INI but
has been really replaced by Registry functionality.
This will not affect Robin's problem as the message "INFECTION: DOCUMENTS AND
SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT" occurs "before the logon screen" and
would not be generated by such a process. This is presumed to be a security tool/utility
in action.
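An added example, not part of the original thread or of the aumha article: a parser for the raw data of the `PendingFileRenameOperations` value named above, listing which files are queued for deletion or rename at the next boot. It assumes the value's bytes have already been obtained (for instance from a registry export); the sample data and the `EXAMPLEUSER` path are constructed.

```python
import ntpath
from typing import List, NamedTuple, Optional

NT_PREFIX = "\\??\\"  # object-manager prefix the Session Manager puts before paths


class PendingOp(NamedTuple):
    action: str                 # "delete", "rename" or "replace"
    source: str
    destination: Optional[str]  # None for a delete


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw: bytes) -> List[PendingOp]:
    """Decode REG_MULTI_SZ bytes into (action, source, destination) entries.

    The value is a run of NUL-terminated UTF-16LE strings read in pairs:
    source, then destination. An empty destination means "delete the source";
    a leading "!" on the destination means "replace an existing file".
    """
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data must be an even number of bytes")
    strings = raw.decode("utf-16-le").split("\x00")
    if strings and strings[-1] == "":
        strings.pop()           # artefact of splitting after the final NUL
    if len(strings) % 2 and strings[-1] == "":
        strings.pop()           # the list's own terminating empty string
    if len(strings) % 2:
        raise ValueError("unpaired entry in PendingFileRenameOperations data")

    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        source = _strip_nt_prefix(src)
        if dst == "":
            ops.append(PendingOp("delete", source, None))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", source, _strip_nt_prefix(dst[1:])))
        else:
            ops.append(PendingOp("rename", source, _strip_nt_prefix(dst)))
    return ops


def touching(ops: List[PendingOp], filename: str) -> List[PendingOp]:
    """Return the queued operations whose source or destination is filename."""
    wanted = filename.lower()
    return [
        op for op in ops
        if wanted in {ntpath.basename(p).lower()
                      for p in (op.source, op.destination) if p}
    ]


def _multi_sz(strings: List[str]) -> bytes:
    """Build REG_MULTI_SZ bytes from a list of strings (for the sample only)."""
    return "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"


# Constructed sample: one queued delete and one queued replace.
SAMPLE_RAW = _multi_sz([
    r"\??\C:\Documents and Settings\EXAMPLEUSER\Cookies\index.dat", "",
    r"\??\C:\WINDOWS\Temp\upd1.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE_RAW):
        print(op.action, op.source, "->", op.destination)
```

The value only shows what is queued, not which program queued it; comparing it before and after running each security tool is one way to tie an entry to its source.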
Yes, I'm aware of how .ini files have been used going back through Win3.x.
> Notice in the aumha article it states...
> "In Windows 2000 and XP, the WININIT.INI file, if existing, will be
> executed. However it is usually replaced by the
> "PendingFileRenameOperations" sub-key in the Registry key
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager."
>
> This shows that for backwards compatibility Win2k and WinXP may
> interpret WININIT.INI but has been really replaced by Registry
> functionality.
I'm also aware of how wininit.ini is just a hangover and there are other,
preferred methods of doing the same thing. According to the aumha article
however, even though it is not the preferred method, Win XP will execute
the instructions in a wininit.ini file if one is found.
> This will not affect Robin's problem as the message "INFECTION:
> DOCUMENTS AND SETTINGS\ROBIN BIGNALL\COOKIES\INDEX.DAT
> COULD NOT BE REMOVED. FILE IS NO LONGER EXISTENT" occurs "before the
> logon screen" and would not be generated by such a process. This is
> presumed to be a security tool/utility in action.
And this is where my original question comes in. Just where in the boot
process does wininit.ini get processed? Since the aumha article points out
that:
a) "WININIT.INI is used to complete Windows and program installation steps
that cannot be completed while Windows is running"
b) "During the boot process, Windows checks to see if there is a
WININIT.INI file and, if it finds one, executes its instructions."
c) and specifies that Windows XP will execute such a file, if it exists
(assumedly to maintain backwards compatibility)
I was just curious if anyone happened to know where in the boot process
that execution was performed. Whether it was before or after the logon
process.
Rick I think you have a good point in that if the WININIT.INI file is found by the OS it
will do a file move/delete function "before the logon screen" which is 100% relevant to
Robin's problem.
However, this is a silent function. No screen displays and certainly not "INFECTION:...".
Since you know this INI file and its directives, maybe you could create a test and see
what it does.
Robin Bignall wrote:
[snip]
> John, Andy, thanks for the suggestions. I have checked autoruns. In
> fact, A-squared contains a very useful feature called Hijackfree which
> gives detailed information on what's present in 5 categories:
> processes, ports, autoruns, services and others. I don't see anything
> amiss. PCButts emailed me to make the sensible suggestion of checking
> the runonce registry entries. They're empty. The weird thing is
> where the message is coming from, since no executable on my system
> disk contains the string "infection".
Dl and install a free anti-virus program like Avira AntiVir and install it.
Disable or uninstall your present anti-virus program (A-squared)
Uninstall your anti-malware programs and install the free version of
MalwareBytes AntiMalware.
Use it to scan frequently.
See if you have the same problem. If not, install each of the programs you
uninstalled or disabled one at a time to see if you can find out which one
causes the problem.
I don't think you ever said you installed and ran the free version of MBAM
(MalwareBytes Anti-Malware) and the free version of SAS (SuperAntiSpyware).
If you didn't (this is a damn long thread) please do it.
Buffalo
> Disable or uninstall your present anti-virus program (A-squared)
A² (A-Squared) is an anti-spyware program, not an anti-virus program.
There should be no conflict with anything, assuming of course you don't
set full-time scanners in action.
http://www.emsisoft.com/en/ (pay)
http://www.emsisoft.com/en/software/free/ (free)
Beauregard T. Shagnasty wrote:
> In alt.privacy.spyware, Buffalo wrote:
>
>> Disable or uninstall your present anti-virus program (A-squared)
>
> A² (A-Squared) is an anti-spyware program, not an anti-virus program.
> There should be no conflict with anything, assuming of course you
> don't set full-time scanners in action.
>
> http://www.emsisoft.com/en/ (pay)
> http://www.emsisoft.com/en/software/free/ (free)
Right you are. Sorry.
I now realize that Robin uses Kaspersky.
Ok, Robin, disable or uninstall Kaspersky and use the free version of Avira
AntiVir temporarily.
Since even Lipman can't nail it, please post back on what program is causing
the message.
Thanks,
Buffalo
| Right you are. Sorry.
| I now realize that Robin uses Kaspersky.
| Ok, Robin, disable or uninstall Kaspersky and use the free version of Avira
| AntiVir temporarily.
| Since even Lipman can't nail it, please post back on what program is causing
| the message.
| Thanks,
| Buffalo
Robin has already indicated NUMEROUS anti malware scans have been performed with nothing
being found.
We do NOT know what security program is generating this message. That is the problem.
David H. Lipman wrote:
> From: "Buffalo" <Er...@nada.com.invalid>
>
>> Right you are. Sorry.
>> I now realize that Robin uses Kaspersky.
>> Ok, Robin, disable or uninstall Kaspersky and use the free version
>> of Avira AntiVir temporarily.
>> Since even Lipman can't nail it, please post back on what program is
>> causing the message.
>> Thanks,
>> Buffalo
>
> Robin has already indicated NUMEROUS anti malware scans have been
> performed with nothing being found.
>
> We do NOT know what security program is generating this message.
> That is the problem.
That is why I recommended that he disable or uninstall his anti-virus and
anti-malware programs and install Avira AntiVir and free MBAM and hopefully
the free SAS. ( I don't think he ever said that he tried them both)
If the above doesn't change things, then that would indicate a different
security program causing the problem.
Buffalo
Just to save you reading back in the thread, I have SAS Pro, which is
not free, and MBAM, which is. I also run ActiveScan 2, which was
recommended, together with Kaspersky, by AumHa. I don't intend to
go through the process of uninstalling Kaspersky.
Robin Bignall wrote:
[snip]
>>
>> That is why I recommended that he disable or uninstall his
>> anti-virus and anti-malware programs and install Avira AntiVir and
>> free MBAM and hopefully the free SAS. ( I don't think he ever said
>> that he tried them both)
>> If the above doesn't change things, then that would indicate a
>> different security program causing the problem.
>> Buffalo
>>
> Just to save you reading back in the thread, I have SAS Pro, which is
> not free, and MBAM, which is. I also run ActiveScan 2, which was
> recommended, together with Kaspersky, by AumHa. I don't intend to
> go through the process of uninstalling Kaspersky.
OK, missed that point. If you disable Kaspersky and just use the free Avira
AntiVir and no message comes up, perhaps it is Kaspersky doing it.
Doesn't really seem like it's worth the trouble overall.
Buffalo
PS: If you ever find out what it is, please post back.
I certainly will.
I'm running Avira now.
Perhaps just let Avira run for several days while Kaspersky is disabled, if
you wish.
Buffalo
>
>
["infected" messages before logon screen]
>>> I'm running Avira now.
>>
>> And it found nothing.
>
>Perhaps just let Avira run for several days while Kaspersky is disabled, if
>you wish.
>Buffalo
>
I don't think it'll find anything.
There appears to be no rhyme or reason behind these messages. For
example, when I rebooted last night, there were hundreds of these
messages, in bunches. I can't tell how many are in a bunch, maybe 32
or 64. A bunch scrolls for about five seconds, there's a two second
gap, then another bunch scrolls, and so on. Last night there were four
of these bunches, plus half a screen of bunch five. Tonight when I
booted there were just two of these messages (not two bunches). I
booted again and there were none. I've found this behaviour before.
These messages seem to come and go.
I just again checked the contents of all files on c: and d:, and the
registry, for the string "infection", without finding anything
associated in any way with an executable. Weird.
I was just suggesting that possibly Kaspersky could be the culprit and
disabling it and only running Avira to see if the messages stop.
However, I really doubt Kaspersky would react that way.
We know 'something' is generating the messages and hopefully there is
someone in this ng that would have a good suggestion for a program that
could monitor all the startups.
Buffalo
PS: It will be interesting to see what caused it. :)
And, do you have more than one (1) antivirus program running in real time,
such as Windows Defender?
Do you use "Windows Washer" or some similar program?
> Just another piece of data. I just logged on as "administrator" (with
> several screens full of these infection messages) to see if, when I
> rebooted, I might have some "administrator\cookies\index.dat"
> messages.
> When I rebooted back as myself all the infection messages had
> vanished. But this has happened before on reboot.
If you configure a Clean Boot, do you still get these messages?
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"FromTheRafters" <erratic @nomail.afraid.org> wrote in message
news:%23426zLs...@TK2MSFTNGP02.phx.gbl...
I see you're still stalking myself and others in every post you make -
shows just how unethical you are.
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam9...@rrohio.com (remove 999 for proper email address)
No, only what's in IE8 and CCleaner.
"Robin Bignall" <docr...@ntlworld.com> wrote in message
news:d348i5tnis0u376ns...@4ax.com...
>> Do you use "Windows Washer" or some similar program?
"The Real Truth MVP" <t...@void.com> wrote in message
news:4b23dd60$0$16700$8826...@blocknews.net...
> Window washer no mail washer pro yes.
Thanks.
I asked about Windows Washer (and similar) because that is one program
that 'cleans up' some of the residual browsing traces by deleting
certain index.dat files (for privacy zealots). It wouldn't surprise me
if this were a conflict between two such programs - one that didn't
foresee the possibility that "not exist" could ever exist.
The OP could conceivably uninstall and then reinstall them in the
reverse order and avoid the 'non handled' error (assuming the other
program is written more smartly).
>
>"Robin Bignall" <docr...@ntlworld.com> wrote in message
>news:79svg5lo5tkdthrgr...@4ax.com...
>
>Do you use "Windows Washer" or some similar program?
>
No, only what's in IE8 and CCleaner.
***
I'm not too familiar with that (although I use it myself), but do you
use it in conjunction with a browser add-on (Firefox?).
I'm just grasping at straws here - try removing ccleaner completely (you
can reinstall it later) and see if the problem persists.
***
It's hard to say, for a couple of reasons.
- even when logging on as "administrator" rather than just a member of
the administrator's group, you can't shut Kaspersky down without
uninstalling it. A "turn off protection for an hour" does not apply
through a reboot.
- sometimes, during normal operation, all of these messages vanish
anyway.
Having said that, I managed a cleanish boot with just Kaspersky and
the loudspeaker symbol showing in the tray, everything else disabled.
There were no infection messages on reboot. But I re-enabled
everything and have booted several times since then and there are
still no messages. What this means I don't know.
>"Robin Bignall" <docr...@ntlworld.com> wrote in message
>news:d348i5tnis0u376ns...@4ax.com...
>On Fri, 11 Dec 2009 19:35:03 -0500, "FromTheRafters" <erratic
>@nomail.afraid.org> wrote:
>
>>
>>"Robin Bignall" <docr...@ntlworld.com> wrote in message
>>news:79svg5lo5tkdthrgr...@4ax.com...
>>
>>Do you use "Windows Washer" or some similar program?
>>
>No, only what's in IE8 and CCleaner.
>
>***
>I'm not too familiar with that (although I use it myself), but do you
>use it in conjunction with a browser add-on (Firefox?).
>
No, I just use IE8.
>I'm just grasping at straws here - try removing ccleaner completely (you
>can reinstall it later) and see if the problem persists.
>***
>
Ccleaner shouldn't do anything unless it's actually run. I haven't
run it for a few days, I just rebooted and got about 40 of these
messages, after having none for a while. Must get to bed now, but
tomorrow I'll physically disconnect from the Internet and boot a few
times to see what happens.
"Robin Bignall" <docr...@ntlworld.com> wrote in message
news:eorai5trj00s213l1...@4ax.com...
Alas, intermittent problems are the most difficult to solve! And perhaps
you unknowingly fixed your problem.
***
The intermittent nature of the symptoms may be due to a race condition.
What might be causing it, I haven't a clue.
Not removing ccleaner, because you don't think it could be the problem,
is not good troubleshooting. Many is the time that something that
couldn't be the cause of something - actually was the cause. I'm not
saying that this is the case here, but why not remove it anyway to see
what happens? It's not as if it were a needed system file, and you could
just put it back afterward.
Sorry I couldn't help you.
***
Unfortunately, no. When I booted this morning I got 30 or 40 of these
messages. I booted having physically disconnected from the Internet,
to leave the machine running all day and see what, if anything
happened. Unfortunately, my helpful wife, seeing the machine running
and thinking I'd inadvertently left it on, shut it down a few minutes
later. When I booted tonight, no infection messages. Who knows what
I'll see tomorrow...
Your wife, most probably.
Massimo
Massimo wrote:
[snip]
>> When I booted tonight, no infection
>> messages. Who knows what I'll see tomorrow...
>
> Your wife, most probably.
>
> Massimo
You think?
Merry Christmas
Buffalo
infection:documents and settings\robin bignall\cookies\index.dat could
not be removed. file is no longer existent.
appearing before the XP login screen, I have discovered how to stop
them occurring. That is to turn off the real-time background
protection in A-squared.
I have no idea what is happening, but I assume something in A-squared
is building a table (the number of messages I see seems to be directly
proportional to the length of time the system is powered up) and then
some component of XP, or, more likely, Kaspersky 2010, is running
through this table generating these messages. Either some weird
interaction or bug in either/both.
The real-time guard of SAS works perfectly (or, at least, these
messages do not appear when it's running).
Merry Christmas or its equivalent to all.
Thanks for sharing the cause of the problem.
You are probably aware that it is not recommended to run two or more
real-time antispyware (or antivirus) programs simultaneously. I wonder
if you disabled SAS (or Kaspersky 2010) completely but keep A-Squared
with its real-time protection on, what the outcome would be.
Merry Christmas to you, too, Robin!
Thanx for the update Robin!
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
This shows the importance of turning off or uninstalling various programs
REGARDLESS of whether one believes it can not be the culprit.
Troubleshooting any problem demands it. Reminds me of the times years ago
(in the DOS and early Windows days) when *mouse drivers* would interfere
with printing. Many a tech would be caught red-faced because they just could
not believe a mouse driver would interfere with printing. Yet turn off or
uninstall the mouse driver and the printing problem would disappear.
Reinstall or turn the driver back on, and the printing problem would
resurface. Any tech worth his salt will seek to *prove* a
program/driver/utility is not the culprit, rather than go with the *belief*
it can not be the culprit. I have even had people complain about turning off
screen savers while troubleshooting a problem. Geeeeeez, it's not like I
want them to turn it off forever, unless it is causing problems. Yes, even
screen savers have been found to cause problems.
I was aware of the problem running two antivirus programs
simultaneously, but didn't appreciate that it applied to malware too.
Having just installed Kaspersky 9.0.0.736 I'm reluctant to uninstall
it. I'll switch Asquared on again and see if the problem still
exists. SAS does not seem to affect these messages.
It could even be affected by the order in which the suspects get loaded
into memory. It kinda reminds me of the "Two Black Crows" routine about
the race '...if I get there first, I'll draw a line in the dirt - if you
get there first, you rub it out..'. Computer programs will actually try
to do this when told to.
Agreed, ...the "bells and whistles" BLOATWARE that always seems to accompany
new hardware, including mice - is often a recipe for disaster, i.e. it's
often poorly written application software that accompanies hardware which
causes problems, or, as you said, the mouse driver itself. For years I've
let Windows use its own driver !
Unless Windows can't find a "universal" driver (for want of a better word)
then I think it best to chuck that CD that came with a piece of hardware -
into the rubbish bin !!
Also, too many people blindly install ALL the junk on the CD instead of just
the driver !! ...then they wonder why their filetype associations have all
changed !!!!
regards, Richard
Does a user have any control over that?
>It kinda reminds me of the "Two Black Crows" routine about
>the race '...if I get there first, I'll draw a line in the dirt - if you
>get there first, you rub it out..'. Computer programs will actually try
>to do this when told to.
>
I can confirm that the messages come back when A-squared's background
guard is activated.
[...]
>>It could even be affected by the order in which the suspects get
>>loaded
>>into memory.
> Does a user have any control over that?
Not really, that would be a memory management thing. If two programs had
the task of deleting index.dat, and one of them did it by "delete file"
and the other by "if file exists, delete file" the first one *first* and
the second one *second* would not create an error message for display.
If the sequence were reversed, the later "delete file" would error
because no check was made for the file's existence beforehand and it
*had* been deleted already. It creates a race condition of sorts, and
can account for intermittent symptoms.
>>It kinda reminds me of the "Two Black Crows" routine about
>>the race '...if I get there first, I'll draw a line in the dirt - if
>>you
>>get there first, you rub it out..'. Computer programs will actually
>>try
>>to do this when told to.
>>
> I can confirm that the messages come back when A-squared's background
> guard is activated.
It seems that you have narrowed it down to A-Squared being what is
responsible for the messages. As to why it is doing so, who knows? I had
thought maybe some other antispy component was deleting the file
(perhaps upon exiting the browser?), and that was not expected by the
programmers of the program (A-Squared?) that subsequently tried
(numerous times?) to delete the same file.
Does A-Squared log those events as well as display the messages (the
wording should be essentially the same)?
I don't know. I've stopped using A-Squared and have raised this item
on their web forum.
Robin Bignall wrote:
[snipped]
> I don't know. I've stopped using A-Squared and have raised this item
> on their web forum.
If you get an answer from them, let us know.
At least you made a lot of progress.
Buffalo
| I don't know. I've stopped using A-Squared and have raised this item
| on their web forum.
| --
| Robin
| (BrE)
| Herts, England
Did 'ShadowPuterDude' reply/respond ?
If not, please send me an email of the posted URL and I will have him give your A-Squared
thread due attention.
Robin Bignall wrote:
[snip]
> I've stopped using A-Squared and have raised this item
> on their web forum.
Is it possible that A-Squared is causing the problem and another program is
reacting to it?
IOW, perhaps A-squared is not itself bringing up the boxes, but another
program inter-reacting with it.
Just thinking out loud. :)
Buffalo
PS: Long thread and easy to miss something.
>From: "Robin Bignall" <docr...@ntlworld.com>
>
>| I don't know. I've stopped using A-Squared and have raised this item
>| on their web forum.
>| --
>| Robin
>| (BrE)
>| Herts, England
>
>Did 'ShadowPuterDude' reply/respond ?
>
>If not, please send me an email of the posted URL and I will have him give your A-Squared
>thread due attention.
http://support.emsisoft.com/topic/1105-infection-message-at-xp-logon/page__gopid__5462&
That gets to my latest post on the group, but it won't help much as
I'm not going to go through the folderol they're suggesting: I've
simply uninstalled A-Squared.
>>From: "Robin Bignall" <docr...@ntlworld.com>
>>Did 'ShadowPuterDude' reply/respond ?
| http://support.emsisoft.com/topic/1105-infection-message-at-xp-logon/page__gopid__5462&
OK got it...
Robin Bignall wrote:
[snip]
>
> http://support.emsisoft.com/topic/1105-infection-message-at-xp-logon/page__gopid__5462&
>
> That gets to my latest post on the group, but it won't help much as
> I'm not going to go through the folderol they're suggesting: I've
> simply uninstalled A-Squared.
Well maybe A-Squared will stop their 'defensive' attitude and try to improve
their product.
I thought they responded to you like you were a beginning computer user.
Have a Happy New Year,
Buffalo
PS: And a female blonde to boot!!
Buffalo :)
"Robin Bignall" <docr...@ntlworld.com> wrote in message
news:qjmnj5li18r70pboi...@4ax.com...
The Real Truth MVP wrote:
> I've read your posts there and the replies. No matter how many times
> you tell them they will not see past an infection. You are right to
> just uninstall it but I would send an email to Christian Mairoll the
> company CEO since this is not a malware issue but a software
> programming issue. Don't waste your time again starting from scratch.
[snip]
That actually makes a lot of sense.
Wow, congratulations, Real Truth MVP.
Buffalo
A security application is set to delete index.dat on system boot. A-
squared Anti-Malware is seeing this and alerting to the suspicious
activity.
Then why would the message say:
"...could not be removed. file is no longer existent"
if A-squared wasn't trying to remove the file itself?
Why try to remove a non-existent file? Why not check for the existence
of a file before trying to remove it and generating such an error
message.
Why would the programmatical deletion of a browsing history file be
considered suspicious activity?
I'm tempted to agree with the software thief on this one.
The problem is that another security application deletes the non-
malicious history file at system start. Which in turn triggers A-
squared. A-Squared wrongly sees this as malicious activity. I know
what index.dat is and I know who Butts is, and his unethical practices.
The alteration, deletion, creation and replacement of files at system
start is very common with malware. Security applications should monitor
this kind of system activity. Why A-squared is even trying to delete
index.dat is beyond me, and is something I will be discussing with the
developers.
However, the point here is that one security application is doing one
thing while the other security application is doing another. Conflicting
with each other.
A-squared Anti-Malware has both an AV engine and an AS engine. People
shouldn't be running 2 resident AVs. Kaspersky and A2AM are known to
interfere with each other. Something I would like to know is if beta
updates were enabled. There are several changes forthcoming in A2AM and if
the user has beta updates enabled or disabled would be nice to know.
I normally don't post in news groups. Since David pointed this out to
me the other night, I took the time to read this thread and the one at
the EMSI Support forums.
I will be bringing this to Christian's and/or Fabian's attention, as
soon as I can catch either or both on IM.
[...]
> The problem is that another security application deletes the non-
> malicious history file at system start. Which in turn triggers A-
> squared. A-Squared wrongly sees this as malicious activity. I know
> what index.dat is and I know who Butts is, and his unethical
> practices.
Thanks for responding. I wouldn't fault A² for alerting to "suspicious"
activity as well as malicious activity, but those messages do seem to
indicate that an attempted deleting of an already deleted file is the
problem.
> The alteration, deletion, creation and replacement of files at system
> start is very common with malware. Security applications should
> monitor
> this kind of system activity. Why A-squared is even trying to delete
> index.dat is beyond me, and is something I will be discussing with the
> developers.
Please do share with us whatever information you can.
> However, the point here is that one security application is doing one
> thing while the other security application is doing another.
> Conflicting
> with each other.
Yes, and the discussion the OP had with support outside of usenet did
indicate this as well (others may have missed that part). I, too, see
this as a case of too many antispyware (privacy) programs causing
conflict by trying to affect the same resources (as well as "overkill").
It just seemed to me that checking for the existence (if...then) of the
file prior to attempting to delete it would resolve this conflict.
> A-squared Anti-Malware has both an AV engine and an AS engine. People
> shouldn't be running 2 resident AVs. Kaspersky and A2AM are known to
> interfere with each other. Something I would like to know is if beta
> updates were enabled. There are several changes forthcoming in A2AM and
> if
> the user has beta updates enabled or disabled would be nice to know.
Hopefully the OP will read your post and respond on that point.
> I normally don't post in news groups. Since David pointed this out
> to
> me the other night, I took the time to read this thread and the one at
> the EMSI Support forums.
> I will be bringing this to Christian's and/or Fabian's attention, as
> soon as I can catch either or both on IM.
Thanks for participating, it is nice to have knowledgeable posters join
in.
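The delete-order race described earlier in the thread ("delete file" versus "if file exists, delete file") and the existence check suggested in the post above, as an added Python sketch; it is not code from A-Squared, Kaspersky or any poster. The function names and the stand-in index.dat are assumptions, and the sketch goes one step further than the thread: a check before the delete still leaves a gap, while treating "already gone" as success does not.

```python
import os
import tempfile

# Message wording modelled on the one quoted in the thread.
MSG = "could not be removed. file is no longer existent."


def naive_delete(path, log):
    """'delete file': no existence check, a missing file becomes an alert."""
    try:
        os.remove(path)
    except FileNotFoundError:
        log.append(f"{os.path.basename(path)} {MSG}")


def check_then_delete(path, log, in_gap=None):
    """'if file exists, delete file'. in_gap (hypothetical hook) stands for
    whatever another program does between the check and the delete."""
    if os.path.exists(path):
        if in_gap is not None:
            in_gap()
        naive_delete(path, log)


def idempotent_delete(path, log):
    """Attempt the delete; the file already being absent is the goal state."""
    try:
        os.remove(path)
    except FileNotFoundError:
        pass


def raced_check(path, log):
    """check_then_delete losing the race: the file vanishes after the check."""
    check_then_delete(path, log, in_gap=lambda: os.remove(path))


def run(*steps):
    """Create a constructed stand-in index.dat, run the cleaners in the given
    order, and return the alert messages they produced."""
    log = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.dat")
        with open(path, "wb") as f:
            f.write(b"constructed sample data")
        for step in steps:
            step(path, log)
    return log


if __name__ == "__main__":
    orders = {
        "naive first, checker second": (naive_delete, check_then_delete),
        "checker first, naive second": (check_then_delete, naive_delete),
        "checker loses race in the gap": (raced_check,),
        "idempotent, any order": (idempotent_delete, idempotent_delete),
    }
    for name, steps in orders.items():
        print(f"{name}: {len(run(*steps))} message(s)")
```

Which of the first two orders occurs depends only on load order at boot, which matches the intermittent symptoms reported in the thread.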
If some security application has deleted index.dat on startup, what
exactly is restoring it? For it's certainly there after booting.
>The alteration, deletion, creation and replacement of files at system
>start is very common with malware. Security applications should monitor
>this kind of system activity. Why A-squared is even trying to delete
>index.dat is beyond me, and is something I will be discussing with the
>developers.
>
>However, the point here is that one security application is doing one
>thing while the other security application is doing another. Conflicting
>with each other.
>
>A-squared Anti-Malware has both an AV engine and an AS engine. People
>shouldn't be running 2 resident AVs. Kaspersky and A2AM are known to
>interfere with each other. Something I would like to know is if beta
>updates were enabled. There are several changes forthcoming in A2AM and if
>the user has beta updates enabled or disabled would be nice to know.
>
No, beta updates were not enabled. This is the first time I've heard
that A2 is also an anti-virus product. I am now not surprised that it
clashes with Kaspersky. I do not intend to uninstall the latter in
favour of A2, which I bought originally as an anti-malware product.
>I normally don't post in news groups. Since David pointed this out to
>me the other night, I took the time to read this thread and the one at
>the EMSI Support forums.
>
>I will be bringing this to Christian's and/or Fabian's attention, as
>soon as I can catch either or both on IM.
I shall follow the forum with interest.
> If some security application has deleted index.dat on startup, what
> exactly is restoring it? For it's certainly there after booting.
That would be either IE or XP (not sure if one can be clearly
distinguished from the other).