
Tracking cookie keeps being found as potentially harmful and Google homepage keeps signing out with every new session


8 replies to this topic

#1 Psycho Nomad

Psycho Nomad

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:39 PM

Posted 18 February 2009 - 07:04 AM

I've only recently been getting the issue the past few days, but I don't like it.

Basically, before this began to happen, I'd start up Firefox, which was configured to load onto my customized Google homepage, which involved an (I presume) automatic login, or that it stayed logged in.

Recently, when I open Firefox a 'potentially harmful cookie' warning box pops up from Windows Defender, and Google is never logged in, so I then do a number of things.

Sign in to Google, which I now have to do every time I open Firefox. Secondly, remove the threat; sometimes a different box pops up that shows two of the same cookie, and one of them cannot be removed... The problem is, no matter how many times I remove it, it's back the next time I open Firefox.

This is the information I can gather about the cookie.

Threat Location: C:\users\*myname*\AppData\Roaming\Mozilla\Firefox\Profiles\zhkiyqdd.default\cookies.sqlite

Threat Name: Found tracking cookie.tribalfusion (there are a few that pop up here with different names; this is the current one I'm looking at)

Then it says 'detect on open'.

From what I can gather, this is a cookie in the Firefox 3.x version's cookie folder. I have already tried to go and delete 'cookies.sqlite' to no avail. It returns, and the 'potential threat' pops up again when I open up Firefox. Running an AVG virus scan picks up nothing except a number of tracking cookies it always seems to pick up; removing these again seems to do nothing to solve the 'potential threat' msg and the sudden 'never signed in' issue with my Google homepage....

So.... Am I infected? What do I do?

#2 Psycho Nomad


Posted 18 February 2009 - 10:59 AM

bump...

anyone?

#3 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:39 PM

Posted 18 February 2009 - 11:01 AM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#4 Psycho Nomad


Posted 18 February 2009 - 05:31 PM

Malwarebytes log file:

Malwarebytes' Anti-Malware 1.34
Database version: 1777
Windows 6.0.6000

18/02/2009 22:15:00
mbam-log-2009-02-18 (22-15-00).txt

Scan type: Quick Scan
Objects scanned: 50458
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
________________

After a restart and opening Firefox, the same thing happens. The issue is not fixed yet.

Here is an image of the warning msg:
Posted Image
Posted Image

_________________
EDIT* I just got this after opening Firefox a second time:

Posted Image
Posted Image

Edited by Psycho Nomad, 18 February 2009 - 05:45 PM.


#5 DaChew


Posted 18 February 2009 - 05:48 PM

Use ATFCleaner again and make sure you do the Firefox cleanup; right-click, run as administrator.

Then run another scan with MBAM.
Chewy

No. Try not. Do... or do not. There is no try.

#6 Psycho Nomad


Posted 18 February 2009 - 07:10 PM

I had run both as administrator previously. Nonetheless, I'm doing that right now a second time, this time running a long scan over all drives...

Here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1777
Windows 6.0.6000

19/02/2009 00:02:53
mbam-log-2009-02-19 (00-02-53).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 264384
Time elapsed: 1 hour(s), 29 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_________

I see no infection... yet the issue is still there. This is getting interesting. May it be something to do with AVG 'thinking' a tracking cookie, that would normally log me into my Google homepage, is malicious, and blocks it from logging me in while prompting me with the message of what it's just done?

It seems like the most plausible explanation to me. So now, if this is true (which I understand it easily may not be), the question is, how do I stop AVG from treating it as malicious?

Edit* On a side note, I've noticed you people here really know what ur on about when it comes to computer safety. And considering the misleading nature due to the amount of 'fake' so called 'good' protection programmes, I feel compelled to ask for your opinion and guidance on what the best free anti spy/mal/virus options are, and how regularly I should run them etc. Your guidance will be GREATLY appreciated on this front. And thank you for your help so far.

Edited by Psycho Nomad, 18 February 2009 - 07:14 PM.


#7 DaChew


Posted 18 February 2009 - 07:26 PM

Anonymous: Your anti virus software may have deleted it. I have been getting this problem with AVG 8 constantly removing it from my firefox profile. Still trying to get answers from AVG as to why, even adding as an exception does not seem to stop it.


http://support.mozilla.com/tiki-view_forum...parentId=264359

It's your decision but this link might be appropriate at this time

http://www.malwarebytes.org/forums/index.php?showtopic=7368

I only recommend Avira or Avast anymore

We have a special forum for these recommendations

http://www.bleepingcomputer.com/forums/f/25/antivirus-firewall-and-privacy-products-and-protection-methods/

My main defenses are an updated windows, a hardware firewall, safe hex and vigilance

Firefox with noscript is essential, I have to investigate a lot of dangerous web sites
Chewy

No. Try not. Do... or do not. There is no try.
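
Post #1 reports that deleting `cookies.sqlite` outright did not help, and posts #6 and #7 point at the scanner removing the Google login cookie together with the tracker. The following is an added example, not part of the thread and not code from any tool named in it: it removes only tracker-domain rows from a Firefox cookie database and leaves other cookies in place. The `moz_cookies` table and its `host` column are assumed from Firefox's cookie store, and the database and cookie values are constructed.

```python
import os
import sqlite3
import tempfile

# Assumption: Firefox stores cookies in a table named moz_cookies with a
# "host" column; the sample below creates only the columns this check needs.
TRACKER_DOMAINS = {"tribalfusion.com"}  # domain named in the alert in post #1


def build_sample_db(path):
    """Create a constructed stand-in for cookies.sqlite (no real data)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT)")
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host) VALUES (?, ?, ?)",
        [("SID", "constructed", ".google.com"),
         ("PREF", "constructed", "www.google.com"),
         ("ANON_ID", "constructed", ".tribalfusion.com"),
         ("ANON_ID", "constructed", "a.tribalfusion.com"),
         ("x", "constructed", "nottribalfusion.com")])  # look-alike, must stay
    con.commit()
    con.close()


def is_tracker(host, domains=TRACKER_DOMAINS):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def hosts_in(path):
    """Sorted distinct cookie hosts, for a before/after comparison."""
    con = sqlite3.connect(path)
    hosts = sorted(h for (h,) in con.execute("SELECT DISTINCT host FROM moz_cookies"))
    con.close()
    return hosts


def remove_trackers(path, domains=TRACKER_DOMAINS):
    """Delete only tracker-domain rows; return how many were removed."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT id, host FROM moz_cookies").fetchall()
    ids = [(i,) for i, h in rows if is_tracker(h, domains)]
    con.executemany("DELETE FROM moz_cookies WHERE id = ?", ids)
    con.commit()
    con.close()
    return len(ids)


def demo():
    """Return (hosts before, rows removed, hosts after) for the sample file."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "cookies.sqlite")
        build_sample_db(db)
        return hosts_in(db), remove_trackers(db), hosts_in(db)
```

On a real profile, run this against a copy of `cookies.sqlite` taken while Firefox is closed.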

#8 Psycho Nomad


Posted 18 February 2009 - 09:28 PM

Sweet. Seems like logic pays off, as always :thumbsup: I do agree AVG seems a little 'rickety'. Saying that, I've taken great interest to this site and have spent the whole night browsing through it reading all kinds of invaluable information. I have to say, I think this has to be 'thee best' site for providing easy to understand technical information to people all up and down the technical spectrum. A definite Beaut! and one of my 'must have' bookmarks from now on. Anyway, getting back to the original point I was making. I came across a 'how to keep safe on the net' (or something of that nature) guide and have subsequently downloaded Ad-Aware Anniversary Edition and Spybot and spent the last few hours running scans and playing about/reading up on/with them.... and oh noees. 3 cases of spyware, and some kind of trojan. Funny what u come up with with the right tools eh. They weren't really bad viruses, and haven't done anything bad to the computer at all, I mean I didn't even know they were there....

So anyway I HAVE decided to get rid of AVG, as it's obviously quite inapt at doing what it's supposed to effectively, so I will ask, with a grateful departure, one last question. Which of the two free antivirus programmes you mentioned in your previous post would you consider to be the better?

Once again, thank you for your help. The removal of AVG will presumably solve the issue I'm having, and yes, now, this computer is as clean as it's been in a long time :flowers:

May the Force be with you...

Peace.

Edited by Psycho Nomad, 18 February 2009 - 09:29 PM.


#9 DaChew


Posted 18 February 2009 - 09:42 PM

I prefer Avira over Avast, it seems lighter on the resources; with dual core CPU and a lot of RAM I would probably go for Avast

Both are very good programs
Chewy

No. Try not. Do... or do not. There is no try.
