Longhair Posted November 13, 2008

I made a bootable CD with nLite because I needed to add the AHCI/SATA drivers along with the other Dell drivers.

I did a clean install (formatted drive), installed Symantec Endpoint Protection, updated Windows (only website I visited), rebooted and I get a Tracking Cookie every time I reboot or do a full scan.

I tried to duplicate this on a virtual machine but nothing was found.

Any suggestions on how to rid myself of this?

Tripredacus Posted November 13, 2008

Where did it find it, what was it called, and what was in it?

Longhair (Author) Posted November 13, 2008

That's the head scratcher - it doesn't tell me where it is at or what it is called. The only thing it does is delete it.

The only thing I can think of is slipstreaming my drivers into Windows XP manually and see if nLite is the cause - except I don't know how to do it that way.

iamtheky Posted November 13, 2008

Load them from the RunOnce? It ain't pretty but it would eliminate nLite. And if you install Symantec prior to them, it should pop when/if the culprit driver loads.

Longhair (Author) Posted November 13, 2008

If I don't insert the AHCI/SATA drivers before installing, it won't show any hard drives.

I don't have a floppy so pressing F6 is pointless.

Tripredacus Posted November 14, 2008

Instead of running the virus scan, you can run HijackThis or an adware scanner instead to see what the cookie is.

Longhair (Author) Posted November 14, 2008

I turned off the anti-virus scan completely, rebooted and ran HijackThis.

I should mention that the computer is running Windows XP x64 - but I don't think that is going to make much of a difference in this case.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:55 PM, on 11/14/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\MailWasher Pro\MailWasher.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SymCorpUI.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AsioThk32Reg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: MailWasherPro.lnk = C:\Program Files (x86)\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1226527801453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8453 bytes

spacesurfer Posted November 15, 2008

If you visited safe sites, then the tracking cookie might actually be safe and your antivirus is over-reacting.

When I do a scan, it always finds loads of tracking cookies and they are to sites I've visited. If you don't want to be tracked, you need to turn off cookies in your browser.

Longhair (Author) Posted November 15, 2008

I finally located the problem - it is my Sound Blaster X-Fi drivers.

Right now I am tracking down some different drivers (not on the CD) to see if that helps.

Longhair (Author) Posted May 22, 2009

Now this is completely odd...

I just finished making an unattended Windows XP disk for my Sony Vaio laptop using nLite.

Different operating system disc (32 bit vs. 64 bit), different drivers (Dell vs. Sony), same Symantec Endpoint Protection, same Unknown Tracking Cookie.

I am really thinking that nLite is adding it because the other computers using the Symantec Endpoint Protection do not have this problem.

jaclaz Posted May 22, 2009

If I am getting this correctly, there is not much logic (no offence intended) into your line of reasoning.

Symantec Endpoint Protection:
- finds a "tracking cookie"
- it doesn't show its filename/where it is
- it isn't able to "Quarantine"
- it isn't able to "Leave Alone" (whatever it means)

You make a complex unattended CD full of third party apps (at least from the HijackThis log) and then you put the blame on nLite?

I would try doing a "normal" nLite CD, NOT UNATTENDED, WITHOUT adding ANY other software: if the problem is still there, THEN it may be nLite's fault.

In any case this behaviour should be reported to Symantec, as it anyway doesn't look "right".

jaclaz

Tripredacus Posted May 22, 2009

Maybe you should run the Symantec against the source before you burn it to CD/DVD?

JustinStacey.x Posted May 22, 2009

Well dang, that's a real headscratcher. I couldn't *possibly* think what your problem might be.

Symantec Endpoint Protection.

Longhair (Author) Posted May 22, 2009

> If I am getting this correctly, there is not much logic (no offence intended) into your line of reasoning.
>
> Symantec Endpoint Protection:
> - finds a "tracking cookie"
> - it doesn't show its filename/where it is
> - it isn't able to "Quarantine"
> - it isn't able to "Leave Alone" (whatever it means)
>
> You make a complex unattended CD full of third party apps (at least from the HijackThis log) and then you put the blame on nLite?
>
> I would try doing a "normal" nLite CD, NOT UNATTENDED, WITHOUT adding ANY other software: if the problem is still there, THEN it may be nLite's fault.
>
> In any case this behaviour should be reported to Symantec, as it anyway doesn't look "right".
>
> jaclaz

The HijackThis log is from the Dell computer.

I just made a new disk using only Microsoft SP3, Updates and drivers (same ones I have been using for the last 4 years without any problems) for a Sony laptop.

2 different operating systems (32 bit & 64 bit), 2 different computers, 2 different sets of drivers for completely different hardware.

The only things that are constant are the nLite & Symantec.

I am not "blaming" anybody, I am trying to find answers so it may be fixed.

Longhair (Author) Posted May 22, 2009

> Maybe you should run the Symantec against the source before you burn it to CD/DVD?

Full scan (highest settings & 10 levels deep) of XP, hot fixes and drivers came up clean.

Scanned the .iso (pre-burn) and that also came up clean.