Unknown Tracking Cookie

[Longhair]

I made a bootable cd with nLite because I needed to add the AHCI/SATA drivers along with the other Dell drivers.

I did a clean install (formatted drive), installed Symantec Endpoint Protection, updated Windows (only website I visited), rebooted and I get a Tracking Cookie every time I reboot or do a full scan.

I tried to duplicate this on a virtual machine but nothing was found.

Any suggestions on how to rid myself of this?

[Tripredacus]

Where did it find it, what was it called, and what was in it?

[Longhair]

That's the head scratcher - it doesn't tell me where it is at or what it is called. The only thing it does is delete it.

The only thing I can think of is slipstreaming my drivers into Windows XP manually and see if nLite is the cause - except I don't know how to do that way.

[iamtheky]

load them from the runonce? it aint pretty but it would eliminate Nlite. And if you install symantec prior to them, it should pop when/if the culprit driver loads.

[Longhair]

If I don't insert the AHCI/SATA drivers before installing, it won't show any harddrives.

I don't have a floppy so pressing F6 is pointless

[Tripredacus]

Instead of running the virus scan, you can run hijackthis or an adware scanner instead to see what the cookie is.

[Longhair]

I turned off the anti-virus scan completely, rebooted and ran hijackthis.

I should mention that the computer is running Windows XP x64 - but I don't think that is going to make much of a difference in this case.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:39:55 PM, on 11/14/2008

Platform: Windows 2003 SP2 (WinNT 5.02.3790)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\MailWasher Pro\MailWasher.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe

C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SysWOW64\CTXFISPI.EXE

C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe

C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SymCorpUI.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/

F2 - REG:system.ini: UserInit=userinit

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Startup: MailWasherPro.lnk = C:\Program Files (x86)\MailWasher Pro\MailWasher.exe

O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL

O15 - ESC Trusted Zone: http://runonce.msn.com

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1226527801453

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: acaptuser32.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)

O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)

O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)

O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)

O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe

O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)

O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)

O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--

End of file - 8453 bytes

[spacesurfer]

if you visited safe sites, then the tracking cookie might actually be safe and your antivirus is over-reacting.

when i do a scan, it always finds loads of tracking cookies and they are to sites i've visited. if you don't want to be tracked, you need to turn off cookies in your browser.

[Longhair]

I finally located the problem - it is my Sound Blaster X-Fi drivers

Right now I am tracking down some different drivers (not on the CD) to see if that helps.

[Longhair]

Now this is completely odd...

I just finished making an unattended Windows XP disk for my Sony Vaio laptop using nLite.

Different operating system disc (32 bit vs. 64 bit), different drivers (Dell vs. Sony), same Symantec Endpoint Protection, same Unknown Tracking Cookie.

I am really thinking that nLite is adding because the other computers using the Symantec Endpoint Protection do not have this problem.

[jaclaz]

If I am getting this correctly, there is not much logic (no offence intended ) into your line of reasoning.

Symantec Endpoint Protection:

• finds a "tracking cookie"
  
• it doesn't show it's filename/where it is
  
• it isn't able to "Quarantine"
  
• it isn't able to "Leave Alone" (whatever it means)
  

You make a complex unattended CD full of third party apps (at least from the HijackThis log) and then you put the blame on nlite?

I would try doing a "normal" nlite CD, NOT UNATTENDED, WITHOUT adding ANY other software: if the problem is still there, THEN it may be nlite's fault.

In any case this behaviour should be reported to Symantec, as it anyway doesn't look "right".

jaclaz

[Tripredacus]

Maybe you should run the Symantec against the source before you burn it to CD/DVD?

[JustinStacey.x]

Well dang, that's a real headscratcher. I couldn't *possibly* think what your problem might be.

Symantec Endpoint Protection

.

[Longhair]

If I am getting this correctly, there is not much logic (no offence intended ) into your line of reasoning.

Symantec Endpoint Protection:

• finds a "tracking cookie"
  
• it doesn't show it's filename/where it is
  
• it isn't able to "Quarantine"
  
• it isn't able to "Leave Alone" (whatever it means)
  

You make a complex unattended CD full of third party apps (at least from the HijackThis log) and then you put the blame on nlite?

I would try doing a "normal" nlite CD, NOT UNATTENDED, WITHOUT adding ANY other software: if the problem is still there, THEN it may be nlite's fault.

In any case this behaviour should be reported to Symantec, as it anyway doesn't look "right".

jaclaz

The HijackThis log is from the Dell computer.

I just made a new disk using only Microsoft SP3, Updates and drivers (same ones I have been using for the last 4 years without any problems) for a Sony laptop.

2 different operating systems (32 bit & 64 bit), 2 different computers, 2 different set of drivers for completely different hardware.

The only things that are constant is the nLite & Symantec.

I am not "blaming" anybody, I am trying to find answers so it may be fixed.

[Longhair]

Maybe you should run the Symantec against the source before you burn it to CD/DVD?

Full scan (highest settings & 10 levels deep) of XP, hot fixes and drivers came up clean.

Scanned the .iso (pre-burn) and that also came up clean.