Cookie Virus - Please Help

Hello,

I had AVAST installed, but when this virus appeared, it infected AVAST and caused my computer to crash, even after uninstalling and re-installing AVAST. So I had to install a different virus software in order to ensure my computer stays safe as I try to clean my computer.

My computer is infected with a cookie virus, I don’t know the name of it but it keeps putting tracking cookies in folders in my computer. AVG is stopping all of them, I’ve scanned my computer multiple time (10+) and AVG is not detecting it.

The virus is located in C://windows/system32/svghost.exe

Everytime the virus alert appears, it narrows the virus down to Process ID: 9956 which has the following processes;

AeLookupSvc, Browser, LanmanServer, MMCSS, Winmgmt

I need help deleting this virus, I’ve also scanned it with Malware bytes, it does not detect it as well. Help!

Thanks!

tracking cookies are not malware :wink:

Are cookies really spyware and are they dangerous?
http://superantispyware.com/supportfaqdisplay.html?faq=26

HTTP cookie
http://en.wikipedia.org/wiki/HTTP_cookie

do you have avast and AVG installed ?

AVG Keeps popping up with a virus alert that originates from my svghost.exe, and every single time its from Process 9953 as I stated above. When I do a search for a random thing in a search engine such as yahoo, for example; Poland, when I click on the results, it does not take me to the webpage but it takes me to a spam site and advertisements and fake search engines. The weird thing is when I click the back button and click on the same link again, it takes me to the actual and correct website.

I do not have both installed, I only have AVG installed because AVAST is infected on my computer. The first time I got this virus, I had to delete AVAST in safe mode since everytime it started up on normal window boot, it would cause the blue screen of death, it took me a while to link the BSOD with AVAST, but once I uninstalled AVAST, my computer started up normally and ceased to have any further crashing problems. I then tried to re-install AVAST, same thing happened, caused BBOD and crashed my computer.

Any help would be appreciated for my problem.

could you attach a screenshot of the AVG detection?

Follow this guide and attach (not copy and paste) logs from malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

If your spelling is correct then it is malware and AVG should kill it… Monitoring

Pondus - Running all three scans now, will post the results when it’s all done. Next time I get the alert I will screenshot it for you, it haven’t happened again yet.

EssexBoy - What do you mean, “If my spelling is correct”? Did I misspell something?

Also an question for you, if tracking cookies aren’t harmful, is it normal for them to all originate from svchost.exe? And in numbers greater than 40 in less than 5 minutes? Everytime I ran a AVG scan for tracking cookies since I get notifications from AVG saying exploit blocked from svghost.exe and got 99 results for tracking cookies - deleted them all, I then ran another scan 5 minute later and found 66 more tracking cookies.

EDIT: I’m also running ESET online scanner, and it found a trojan - Exploit.Lotoor.AK trojan. Would this trojan cause my problems?

I meant the spelling of svghost

Pondus - Running all three scans now
by this i guess you mean one by one...... and not activated all scan at the same time ?

Here is all the logs requested,

Pondius - Yes I ran them separately - one at a time

malwarebytes was not updated when you did the scan…
malwarebytes release 5 - 10 updates a day…so always hit the update button before you scan :wink:

Here is the updated scan result for Malwarebytes

Not happy with the MBR so we will check that out first

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

THEN

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Hello,

Attached the two reports for you. I did some test searches for random items and no redirects to fake advertisement or search websites. It seems to be running faster now actually.

Hopefully the one virus TDSSKiller found is gone now. I will keep monitoring. If there is anything else to do, let me know!

Looks good

Re-run TDSSKiller with the same parameters and when you get to the following select delete

\Device\Harddisk0\DR0 ( TDSS File System )

Then let me know of any outstanding problems

I did what you said,

While doing some searches today, I’m still getting some false re-directs to sites with advertisement and fake searches.

Could you run a fresh OTL scan please, ensure that all users is selected

Here you go.

Do the redirects occur in all browsers or just one ?

It is still occurring, I’m using Chrome and I haven’t tested it on other browsers. It would happen for maybe 1 out of 10-15ish search link I click. But when I click the back button and click the same link again it would go to the correct website.

Thanks.

Could you try the other browsers please, as Chrome is easy to infect but difficult to locate