Strange cookie request upon internet connection....

Discussion in 'adware, spyware & hijack cleaning' started by Brando Ikari, Nov 27, 2003.

Thread Status:
Not open for further replies.
  1. Brando Ikari

    Brando Ikari Registered Member

    Joined:
    Oct 25, 2003
    Posts:
    17
    Location:
    New Jersey, USA
    Hello. Today, when I connected to the internet, I received a cookie request from the website "688e3f75-37d7-41b6-9e7e-d53efc898f48". I did a scan with both adaware and spybot and found nothing. I looked at my running processes and found nothing strange. I did a scan with AVG and nothing.... I also looked at my startup processes and found nothing new or unusual, and according to sygate, no new programs have requested internet access. Also, this cookie request seems to come up whenever I connect.

    This is what the window looks like:
    http://www.angelfire.com/weird2/brandoikari/Strange_C_window.JPG

    I should also mention that my ISP is aol.

    Here is my Hijack this log:

    Logfile of HijackThis v1.97.2
    Scan saved at 9:13:27 PM, on 11/27/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Documents and Settings\Bran and Mom\My Documents\Brandon's stuff\HijackThis.exe
    C:\Program Files\America Online 8.0a\aol.exe
    C:\Program Files\America Online 8.0a\waol.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37913.4723032407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks a lot

    *important update*: it seems that the site that it wants to download from changes every time I log on, making it impossible to block the cookie request.
     
  2. Brando Ikari

    Brando Ikari Registered Member

    Sorry for the double post, but I have a Hijack This Update. I didn't want to edit my last post (I'm not sure how long posts can be in this forum), so here it is:


    C:\Program Files\America Online 8.0\aol.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Bran and Mom\My Documents\Brandon's stuff\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37913.4723032407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6ECE7DAC-8A84-4691-9201-A9DCA289F98B}: NameServer = 205.188.195.4
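
    Added example, not part of the original post: one way to see what changed between the two HijackThis logs above is to diff them by section code. The function names are hypothetical and the embedded samples are excerpts of the posted logs, not the full logs.

```python
import re

# Excerpts from the two HijackThis logs posted above (first post, then the update).
LOG_FIRST = r"""
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O9 - Extra button: AIM (HKLM)
"""
LOG_UPDATE = r"""
C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: AIM (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6ECE7DAC-8A84-4691-9201-A9DCA289F98B}: NameServer = 205.188.195.4
"""

# A log entry is "<section code> - <text>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Map section code -> {casefolded entry: original entry}; other lines are skipped."""
    sections = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            code, text = m.groups()
            # Windows paths and registry names are case-insensitive: compare casefolded.
            sections.setdefault(code, {})[text.casefold()] = text
    return sections

def diff_logs(old_text, new_text):
    """Return (added, removed), each mapping section code -> sorted list of entries."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    added, removed = {}, {}
    for code in set(old) | set(new):
        o, n = old.get(code, {}), new.get(code, {})
        gained = sorted(n[k] for k in n.keys() - o.keys())
        lost = sorted(o[k] for k in o.keys() - n.keys())
        if gained:
            added[code] = gained
        if lost:
            removed[code] = lost
    return added, removed

if __name__ == "__main__":
    for code, items in sorted(diff_logs(LOG_FIRST, LOG_UPDATE)[0].items()):
        print("\n".join(f"+ {code} - {item}" for item in items))
```

    Running-process lines carry no section code, so they are skipped and only the numbered entries are compared.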
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Brando Ikari,

    Could you please check for me if these right-click options:
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    really lead to the Encarta Encyclopedia?

    Have a look at reply #13 in this thread: http://www.wilderssecurity.com/showthread.php?t=15983
    to see why I am asking.

    Regards,

    Pieter
     
  4. Brando Ikari

    Brando Ikari Registered Member

    Sorry, but I don't understand what you mean exactly. If you mean if they lead to the .exe for encarta, then no.

    And the files in the folder are:
    http://www.angelfire.com/weird2/brandoikari/eerie.2.GIF


    I also wasn't able to locate either of the exe files connected with IEtray.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    That looks OK.

    Did you do a search in the registry for that CLSID: 688e3f75-37d7-41b6-9e7e-d53efc898f48 ?

    Maybe that would teach you something.

    Regards,

    Pieter
     
  6. Brando Ikari

    Brando Ikari Registered Member

    hmm... Searched through the registry, and no go.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Nothing to be found on the search engines either.

    Very strange. Hopefully someone else can shed some light on this.

    Regards,

    Pieter
     
  8. Brando Ikari

    Brando Ikari Registered Member

    Important update: for some reason, my computer stopped requesting the cookies. I wonder if this whole thing was because of aol (I had a similar incident a few months ago when my computer would request a cookie when I went to a site. The reason was because I had some stupid aol shopping companion enabled or something.). I also find it interesting that my computer was only requesting these cookies for less than 10 hours or so (I was online about an hour before my computer started requesting the cookie, then when I went back on my pc, the window started to pop up.).

    And if this problem comes back, I'll probably just reformat (it's about time for one anyway, I try to reformat about every 6 months or so). Thanks for the help, Pieter.
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    No problem, Brando Ikari.
    I wish I could have provided some more substantial help.
    Did you ever accept one of these cookies?
    If you are planning a format the next time it happens anyway, we might learn some more.

    Regards,

    Pieter
     
  10. Brando Ikari

    Brando Ikari Registered Member

    Nope, I never accepted any of the cookies. And I'll keep you updated if anything happens. That was probably the strangest thing that's ever happened to my pc (scans with 5 spyware/adware programs and with a few antivirus programs, and nothing found. And not even any hints on google). I'll also be monitoring my pc for strange behavior over the next few weeks.
     