Weird Cookie problem

Blongpop · 07-01-2009, 09:25 PM

Ok so my AVG scans everynight at midnight and for the past 3 weeks it comes up with the same 2 dozen cookies as warnings I will post a s/s later as soon as the scan is done but i have ran, Avg, Malwarebytes and spybot S&D and they are not picking up anything virus/ spyware wise besides these same cookies every night. I'm wondering if i should just give Hijack This! a try any ideas?

Ok so i gave Hijack This a whirl aaand.

Code:

   Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:26 PM, on 01/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\V0350Mon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
   C:\Documents and Settings\Owner\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [V0350Mon.exe] C:\WINDOWS\V0350Mon.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Windows Security Update] C:\Documents and Settings\Owner\My Documents\Backups\Windows\Windows_security_backup files\Windows_security_update_3475_36_d.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245285717359
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - C:\Program Files\KALiNKOsoft\Pinnacle Game Profiler\pinnacle_updater.exe

--
End of file - 8412 bytes

The one I marked in red the security update i don't recognize and there is no windows update running on my pc so this could be the culprit.

Still waiting on the AVG log.

Ok either way I am deleting the Windows security thing in red cause i went into the source file and it has everything i have done in it for the past few weeks. Everythin MSN GAMING FACEBOOK ETC.

Blongpop · 07-01-2009, 10:32 PM

AVG Results

Code:

 
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\ad.yieldmanager.com.8a47878";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\burstnet.com.c4fe2ebb";"Found Tracking cookie.Burstnet";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\casalemedia.com.fb62dd4b";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\realmedia.com.855b46d";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\realmedia.com.ef906bac";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\casalemedia.com.650648e8";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogfhxxvr.default\cookies.sqlite:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"

**TheBruce1** · 07-02-2009, 04:23 AM

Hello and welcome to TSF

We no longer use HijackThis as our initial analysis tool.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a

Quote:

Having problems with spyware and pop-ups? First Steps

link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.