  1. #1
    Member

    Can't remove items found by SAS.....bigger problem??

    I just ran a full system scan today, and SAS found 13 Adware Tracking cookies and moved them to quarantine, after which I deleted them, or so I thought. I ran the scan again, and it found the same objects! I might add that the other night, my Antivirus program (Nod32) found something called Trojan-Downloader.Win32.Monkif.AF, or something like that. It quarantined it, and I removed it, and that prompted my SAS scan, as well as a MBAM scan, and that's when I found these items, but I can't get rid of them. Here is my SAS scan log, as well as MBAM and HiJackThis logs:
    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 07/24/2010 at 07:40 PM

    Application Version : 4.35.1000

    Core Rules Database Version : 5261
    Trace Rules Database Version: 3073

    Scan type : Complete Scan
    Total Scan Time : 00:39:58

    Memory items scanned : 482
    Memory threats detected : 0
    Registry items scanned : 6441
    Registry threats detected : 0
    File items scanned : 22929
    File threats detected : 13

    Adware.Tracking Cookie
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@adbrite[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@atdmt[2].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@tribalfusion[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@ads.pointroll[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@fastclick[2].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@tacoda[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@content.yieldmanager[3].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@content.yieldmanager[2].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@doubleclick[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@mediaforge[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@pro-market[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@atdmt[3].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@oasn04.247realmedia[1].txt



    Malwarebytes' Anti-Malware 1.46
    Malwarebytes

    Database version: 4344

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/24/2010 9:47:43 AM
    mbam-log-2010-07-24 (09-47-43).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 200148
    Time elapsed: 52 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:42:26, on 7/24/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Documents and Settings\Jim Lundquist\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\PROGRA~1\MESSEN~1\Msmsgs.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Southwest Airlines\Ding\Ding.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Windows Update
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
    O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Jim Lundquist\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093415681217
    O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupda...01/CTSUEng.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5106/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{866B4473-554A-423C-9CDA-751CB3F3A5D5}: NameServer = 151.164.1.8,206.13.28.12
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 6701 bytes


    Any feedback or help greatly appreciated. Thanks in advance!

  2. #2
    Member Spyware Fighter NeonFx's Avatar

    Hi there, welcome to Help2Go.

    Cookies are not dangerous. A lot of websites use them to keep track of information such as your preferences, your username and your password. It's how you can be logged into a website automatically and it's how Amazon always knows what sort of items you like.


    Let's run an online scan to see if you have anything, but if you're not experiencing any symptoms, you should be good.


    Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

    1. Click Accept, when prompted to download and install the program files and database of malware definitions.
    2. To optimize scanning time and produce a more sensible report for review:
      • Close any open programs
      • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
    3. Click Run at the Security prompt.

    The program will then begin downloading and installing and will also update the database.

    Please be patient as this can take quite a long time to download.
    • Once the update is complete, click on Settings.
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, adware, dialers, and other riskware
      • Archives
      • E-mail databases
    • Click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View report... at the bottom.
    • Click the Save report... button.
    • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.


  3. #3
    Member

    Thanks for the reply! Been kind of busy the last couple days. I will do this and post the results soon!

  4. #4
    Member Spyware Fighter NeonFx's Avatar

    Alright. Don't worry about delays. Make sure you try the advice I gave at the end if you have trouble with the second scan.


  5. #5
    Member

    Well, it didn't find anything, which is good.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Wednesday, July 28, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Wednesday, July 28, 2010 17:52:59
    Records in database: 4195346
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Objects scanned: 58373
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 03:29:20

    No threats found. Scanned area is clean.

    Selected area has been scanned.


    I know that cookies aren't dangerous, I was just concerned about the group of them that SAS finds, quarantines, and then I delete, and they are right back with the next scan, without ever opening my browser. It's just strange. It's this group right here:
    Adware.Tracking Cookie
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@adbrite[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@atdmt[2].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@tribalfusion[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@ads.pointroll[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@fastclick[2].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@tacoda[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@content.yieldmanager[3].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@content.yieldmanager[2].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@doubleclick[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@mediaforge[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@pro-market[1].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@atdmt[3].txt
    C:\Documents and Settings\Jim Lundquist\Cookies\jim_lundquist@oasn04.247realmedia[1].txt
    It even has my name as part of the cookie name, for whatever that's worth. Also, there is no cookies folder when I go to C:\Documents and Settings\Jim Lundquist.

    And I have it set to show hidden files and folders.
    My biggest concern was that these cookies were somehow associated with the "trojan downloader" that my virus program (Nod32) found, called Trojan-Downloader.Win32.Monkif.AF, or something like that.

  6. #6
    Member Spyware Fighter NeonFx's Avatar

    No, they're probably not associated with any infection. You could try uninstalling and reinstalling SpyBot to see if it still detects them. That could just be a problem with the program itself.


    Have you noticed any more symptoms? We could also run this other scanner if you like just to see if anything else is lurking:


    Run ESET Online Scan

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push
    You can refer to this animation by neomage if needed.


  7. #7
    Member

    Quote, originally posted by NeonFx:
    No they're probably not associated with any infection. You could try uninstalling and reinstalling SpyBot to see if it still detects them. That could just be a problem with the program itself.


    Have you noticed any more symptoms? We could also run this other scanner if you like just to see if anything else is lurking:


    Run ESET Online Scan

    Well, it's SuperAntiSpyware that is showing these, not Spybot. And, I've already uninstalled an older version, and downloaded the newest version, and the same crap comes up. It's just odd that it shows these as something that should be removed, and when you tell it to delete them, they are still there on the next scan. I also can't find any of these objects doing a search on my hard drive, and that's odd as well.
    Oh, and I already use Eset NOD32.

  8. #8
    Member Spyware Fighter NeonFx's Avatar

    Sorry about that. I did mean SuperAntiSpyware and not Spybot. I was thinking of Spybot because it too used to have problems like that.


    The only other advice I can give you is that you create a new topic at their forums to see if they can help you with that:

    SUPERAntiSpyware.com


  9. #9
    Member

    Oh, no problem......I appreciate your help. I did start a topic over there, and no one knew there either....strange.

  10. #10
    Member Spyware Fighter NeonFx's Avatar

    I just found your thread there. Here is a link to their support page:

    SUPERAntiSpyware.com - Please review before submitting your customer support request.