Tracking Cookies Continue to Show Up


  • This topic is locked
11 replies to this topic

#1 LJN

Posted 07 November 2015 - 03:22 PM

My laptop wasn't acting its usual self. During one of my Google searches IE changed its appearance and said IE had stopped working and there was some other note. This was not a normal message from IE. It looked fabricated. I ran Hitman Pro and several tracking cookies popped up. I deleted them but they returned. I ran Malwarebytes and it didn't detect anything. Also I got a message that Norton was having a problem and needed to fix itself. I followed the instructions and restarted the computer. I ran Hitman Pro again and the tracking cookies were still there. Not sure what to do. I am running Windows 7.

Thanks for your help!





#2 quietman7

Posted 07 November 2015 - 03:42 PM


Malwarebytes intentionally does not search for and remove cookies because they pose no significant threat...it has more important things to look for.

We do not detect or remove cookies as they are not considered a malware threat to your system. There are plenty of 3rd party programs to remove or you can even have most browsers automatically remove if you like.

Malwarebytes forum, Post #2 by AdvancedSetup (Root Admin)

Cookies are NOT a "threat" in the typical sense we think of malware infection. As text files, cookies are inherently harmless and cannot be executed to cause any damage. See my detailed explanation about cookies and links to resources in order to mitigate them.

As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. Anti-malware scanners have more important things to look for, so I would recommend disabling the option to search for cookies which will also decrease the amount of time it takes to perform a scan. You can minimize the number of cookies which are stored on your computer by using SpywareBlaster and WinPatrol’s Cookie Manager.

If you want to perform another scan to check for possible malware, perform a scan with Emsisoft Emergency Kit.

Please download Emsisoft Emergency Kit and save it to your desktop.
  • Double-click on EmsisoftEmergencyKit.exe to install and create a shortcut on the desktop.
  • Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually C:\) as shown here.
  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner.
  • On the main screen click the Scan PC button.
  • Select Smart Scan, then click the Scan button.
  • When the scan is finished, click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Logs are named as follows: a2scan_Date-Time.txt (YYMODY) and saved to C:\EEK\bin\Reports\.
  • Alternatively you can click Export and save the log to your Desktop, then open by double-clicking on it.
  • Copy and paste the contents of that logfile in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 LJN

Posted 07 November 2015 - 10:03 PM

Emsisoft Emergency Kit v. 10.0.0.5488
© 2003-2015 Emsisoft - www.emsisoft.com

ID   Object
0    Value: HKEY_USERS\S-1-5-21-1536234192-1293814445-1674301984-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
1    Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
2    Value: HKEY_USERS\S-1-5-21-1536234192-1293814445-1674301984-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)



#4 quietman7

Posted 07 November 2015 - 10:40 PM

Now try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
Vista/Windows 7/8 users need to run Internet Explorer/Firefox as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

  • Click the green esetOnline.png button.
  • Read the End User License Agreement and check the box:
  • Check esetAcceptTerms.png.
  • Click the esetStart.png button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check esetScanArchives.png and check Remove found threats
  • Click Advanced settings and select the following:
    • Enable detection of potentially unwanted applications
    • Enable detection of potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • Please be patient as the scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
    If given the option (when threats are found), choose "Quarantine" instead of delete.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop as ESETScan.txt.
  • Push the esetBack.png button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
ESET Online Scanner FAQs

-- Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. ESET's detection rate is high and can include legitimate files which it considers suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not always the case. Be careful what you choose to remove. If in doubt, ask before taking action.
 

#5 LJN

Posted 08 November 2015 - 08:42 AM

C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\ExpressZip\uninst.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\ExpressZip\zipsetup_v2.03.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\MixPad\mixpad.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\MixPad\mpsetup_v3.08.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\MixPad\uninst.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\WavePad\uninst.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\WavePad\wavepad.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\WavePad\wpsetup_v5.08.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined
 



#6 quietman7

Posted 08 November 2015 - 09:26 AM

I see nothing of concern in your logs.

#7 LJN

Posted 12 November 2015 - 11:54 AM

ok, What are the conduit files?



#8 LJN

Posted 12 November 2015 - 12:29 PM

Something just isn't right. I run Hitman Pro almost daily. It hardly ever comes back with anything. Now I can run it, delete the item and within 5 min there are piles more that will show up on a second Hitman Pro scan. Not sure what's going on but it's not normal.



#9 LJN

Posted 12 November 2015 - 12:31 PM

HitmanPro 3.7.10.251
www.hitmanpro.com
   Computer name . . . . : OWNER-PC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : Owner-PC\Owner
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Paid (777 days left)
   Scan date . . . . . . : 2015-11-12 11:21:23
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 6m 9s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 31
   Objects scanned . . . : 1,922,628
   Files scanned . . . . : 36,123
   Remnants scanned  . . : 312,816 files / 1,573,689 keys
Cookies _____________________________________________________________________


#10 quietman7

Posted 12 November 2015 - 03:29 PM

ok, What are the conduit files?


Conduit (now ClientConnect) is a toolbar/search engine installed (bundled) with other free software which allows users to add applications directly to their browser. See this Trovi End-User License Agreement which explains the restructuring of Conduit and use of third-party software. ClientConnect, like Conduit, offers a distribution option for bundled software offerings and is used in order to generate ad revenue for the company. By bundling a toolbar and search engine in a vendor's software installer, they boost the number of installs and a rewards program pays based on the number of daily active users.

While not explicitly malware or an infection in the typical sense, Conduit products (Toolbar, Search Protect) are more accurately classified as a Potentially Unwanted Program (PUP) because they are often installed stealthily (bundled) without knowledge or consent from the end user. As such, security tools typically detect and remove them. The results of your last scan indicate you previously ran AdwCleaner which removed Conduit-related files and quarantined them.

When an anti-virus or security program quarantines a file (item) and moves it into a virus vault (virus chest) or a dedicated Quarantine folder, that file is safely held there and no longer a threat. The file is essentially disabled and prevented from causing any harm to your system through proprietary security routines which may copy, rename (usually by adding a .vir extension), encrypt and password protect the file as part of the process.

Quarantine is just an added safety measure which allows you to view and investigate the files while keeping them from harming your computer. One reason for doing this is to prevent the permanent deletion of a legitimate file that may have been incorrectly flagged (a "false positive") and placed in quarantine. This can occur if the scanner uses heuristic analysis technology which is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If the file is confirmed as legitimate, it can be safely restored from quarantine and added to the exclusion or ignore list.

Keep in mind, however, that if these files are left in quarantine, other scanning programs and security tools may flag them as a threat while in the quarantined area so don't be alarmed if you see such an alert. This is what was actually detected by the ESET scan.

If you want a comprehensive look at your system for possible malware, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If you choose to post a log...after doing that, please reply back in this thread with a link to the new topic so we can close this one.
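An added example, not part of the original thread: the point made in post #10, that the ESET hits are copies already sitting in AdwCleaner's quarantine folder, can be checked mechanically on a pasted log. The line layout, the drive-letter and `.vir` path convention, and all function names are assumptions drawn from the log in post #5; the third sample line is constructed.

```python
import re
from pathlib import PureWindowsPath

# Folders whose contents are quarantined copies. Only the AdwCleaner folder
# appears in the thread; add other tools' folders as needed (assumption).
QUARANTINE_ROOTS = (PureWindowsPath(r"C:\AdwCleaner\Quarantine"),)

# Assumed layout of one pasted log line: path, detection, type, action.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.\w+)\s+"
    r"(?P<detection>(?:a variant of )?\S+)\s+"
    r"(?P<kind>.+?)\s+"
    r"(?P<action>(?:cleaned by deleting|deleted)(?: - quarantined)?)$"
)

# Two lines copied from the log in the thread, plus one constructed line
# (the Downloads path is invented) to show the non-quarantine case.
SAMPLE_LOG = [
    r"C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application cleaned by deleting - quarantined",
    r"C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\MixPad\mpsetup_v3.08.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined",
    r"C:\Users\Owner\Downloads\constructed_setup.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application deleted - quarantined",
]

def find_root(path):
    """Return the quarantine root that contains path (case-insensitive), else None."""
    parts = [p.lower() for p in path.parts]
    for root in QUARANTINE_ROOTS:
        root_parts = [p.lower() for p in root.parts]
        if parts[:len(root_parts)] == root_parts:
            return root
    return None

def original_location(path, root):
    """Rebuild where a quarantined copy came from, assuming the layout seen in
    the thread's log: root, then the drive letter, then the old path plus .vir."""
    rest = path.parts[len(root.parts):]
    if len(rest) < 2 or len(rest[0]) != 1:
        return None  # layout does not match the assumption; do not guess
    name = rest[-1][:-4] if rest[-1].lower().endswith(".vir") else rest[-1]
    return str(PureWindowsPath(rest[0] + ":\\", *rest[1:-1], name))

def triage(lines):
    """Classify each log line as a quarantined copy, a live location, or unparsed."""
    results = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            results.append({"status": "unparsed", "line": line})
            continue
        path = PureWindowsPath(m["path"])
        root = find_root(path)
        results.append({
            "status": "quarantined-copy" if root else "live-location",
            "path": str(path),
            "original": original_location(path, root) if root else None,
            "detection": m["detection"],
            "action": m["action"],
        })
    return results
```

Lines reported as `live-location` are the ones worth a second look; `quarantined-copy` lines name the program the inert copy came from.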

#11 LJN

Posted 23 November 2015 - 01:04 PM

http://www.bleepingcomputer.com/forums/t/597276/tracking-cookies-continue-to-show-up-2nd-removal-attempt/?p=3870782



#12 quietman7

Posted 23 November 2015 - 03:40 PM

Since you are now receiving help from the Malware Response Team, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log(s) you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

The Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.

The BC Staff