New User? Need help? Click here to register for free! Registering removes the advertisements.

Computer Cops
image image image image image image image image
Donations
If you found this site helpful, please donate to help keep it online.
image
Prime Choice
· Head Lines
· Advisories (All)
· Dnld of the Week!
· CCSP News Ltrs
· Find a Cure!

· Ian T's (AR 19)
· Marcia's (QA2)
· Bill G's (CO5)
· Paul's (AR 5)

· Ian T's Archive
· Marcia's Archive
· Bill G's Archive
· Paul's Archive
image
Security Central
· Home
· Wireless
· Bookmarks
· CLSID
· Columbia
· Community
· Downloads
· Encyclopedia
· Feedback (send)
· Forums
· Gallery
· Giveaways
· HijackThis
· Journal
· Members List
· My Downloads
· PremChat
· Premium
· Private Messages
· Proxomitron
· Quizz
· Recommend Us
· RegChat
· Reviews
· Search (Topics)
· Sections
· Software
· Statistics
· Stories Archive
· Submit News
· Surveys
· Top
· Topics
· Web Links
· Your Account
image
CCSP Toolkit
· Email Virus Scan
· UDP Port Scanner
· TCP Port Scanner
· Trojan TCP Scan
· Reveal Your IP
· Algorithms
· Whois
· nmap port scanner
· IPs Banned [?]
image
Survey
How much can you give to keep Computer Cops online?

$10 up to $25 per year?
$25 up to $50 per year?
$10 up to $25 per month?
$25 up to $50 per month?
More than $50 per year?
More than $50 per month?
One time only?
Other (please comment)



Results
Polls

Votes: 116
Comments: 5
image
Translate
English German French
Italian Portuguese Spanish
Chinese Greek Russian
image
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin 

Another Hijack while logged in to CCSP
Goto page Previous  1, 2, 3
 
Post new topic   Reply to topic       Computer Cops Forum Index -> Site Inbox
View previous topic :: View next topic  
Author Message
Paul

Admin
Admin



Joined: Feb 22, 2002
Posts: 5154
Location: USA

PostPosted: Sat Mar 27, 2004 6:14 pm    Post subject:
Reply with quote

A quick jump over to ceoexpress dropped two cookies on my laptop:

www.ceoexpress
zedo

Connections were being made to tribalfusion and zedo when trying to bring up ceoexpress. Popups were supressed.

Not nice.

_________________
http://computercops.biz/
Back to top
View users profile Send private message Send email Visit posters website
QuietOne

Lieutenant
Lieutenant



Joined: Dec 28, 2003
Posts: 227
Location: USA

PostPosted: Sat Mar 27, 2004 6:46 pm    Post subject:
Reply with quote

Paul wrote:
A quick jump over to ceoexpress dropped two cookies on my laptop:

www.ceoexpress
zedo

Connections were being made to tribalfusion and zedo when trying to bring up ceoexpress. Popups were supressed.

Not nice.

OK Paul,

Maybe I'm a little thick here so you'll have to help me out here please because I just got through:
  • Scanning my computer with Norton Clean Sweep (1 ceoexpress cookie, not 2) and no references to either Tribalfusion or zedo inside the 1 cookie because I edited it and looked;
  • Then I ran Ad-aware Pro 6 (no Tribalfusion OR Zedo cookies) and no report of a ceoexpress cookie either even though there is 1. But that just means Ad-aware doesn't consider ceoexpress a threat; then,
  • Norton Personal Firewall 4 - no alarms;
  • Lavasoft Ad-watch - no alarms;
  • Opera Browser cookie setting - no 3rd party cookies - no alarms;

What am I missing here? If ceoexpress drops cookies on your computer why doesn't it drop them on mine? Please help me understand why I should be so afraid/leary of something that DOESN'T drop cookies on my computer. At least as far as I can see or find. Confused Confused Confused
_________________
Stealth is the best weapon
Back to top
View users profile Send private message Send email
Paul

Admin
Admin



Joined: Feb 22, 2002
Posts: 5154
Location: USA

PostPosted: Sat Mar 27, 2004 11:28 pm    Post subject:
Reply with quote

If you try disabling everything and opening up your privacy settings for testing only, go to ceoexpress (the same way I did), and you'll notice the cookies placed. And zedo would not be inside the ceoexpress cookie, its a cookie on its own. I replicated this on multiple machines simply by visiting ceoexpress.
_________________
http://computercops.biz/
Back to top
View users profile Send private message Send email Visit posters website
IACOJ

Site Admin
Site Admin



Joined: Oct 15, 2003
Posts: 263
Location: USA

PostPosted: Sun Mar 28, 2004 12:09 am    Post subject:
Reply with quote

Hi QuietOne,

Opera "may" block the cookies I don't know. As Paul said we can and have replicated this on multiple machines using different OS. I haven't tested it on Opera.

I'll take a look at your new log in the morning, and pull out the things which don't need to run at startup. Some of them are user choice, and some don't need to be there at all, but I'd like to confirm what is what after a full nights sleep.

Quote:
I'd like to get rid of the two entries immediately below, but don't see any entries in either Add/Remove Programs for related apps or in any of the registry keys to identify what apps they are related to. Both are web page entries but I'm unsure when/where they came from and whether they can be safely removed.

O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesui...anager.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/ko...nt/kdx.cab


Those are activeX controls, you can safely have hijackthis fix them. If you need them again you'll be prompted to download them again.
Back to top
View users profile Send private message
QuietOne

Lieutenant
Lieutenant



Joined: Dec 28, 2003
Posts: 227
Location: USA

PostPosted: Sun Mar 28, 2004 10:41 am    Post subject:
Reply with quote

Hi IACOJ,

Don't worry and I sure don't mind if you get a good nights sleep. Wink I'll be here when you get done analyzing things.

OK I just got the definitive answer from CeoExpress on the cookie deal. I'll quote the reply, emphasis added.
Quote:
One of the benefits of CEOExpressSelect membership is that, while on CEOExpress and signed into your Select account, you will not receive pop-ups, pop-unders, or banner advertising. We do have pop-unders and banner advertising on the public CEOExpress in order to help defray the costs of providing our public site to the general public without charge. Our advertisers are using Tribal Fusion and Zedo cookies on visitors to the public CEOExpress to limit pop-unders (we don't allow pop-ups) to a maximum of 2 per day and to limit the number of paid banner ads any one computer is shown during any one day. There is nothing nefarious about these cookies, but these cookies and/or the ads themselves can be blocked fairly easily. I am sure that your computer security consultant know how to do this.

If I can be of any further assistance, please do not hesitate to contact me. I would appreciate your spreading the word about CEOExpress if you are so inclined.

Best regards,

QuietOne wrote:
Replied to by the
Vice President of Technical Operations at CeoExpress


As the reply states, I'd be happy to forward his actual reply to my inquiry so you can verify it's contents, routing etc yourselves. If you want me to, just send me a PM with the appropriate email address. Or better yet since I supplied my email address when I signed up, just send me an email with the correct return address and I'll reply with the actual email I received.

Also as the reply indicates, I log into the paid site while you and Paul access the public site; so I'm sure the results you are getting and the results I'm getting are both accurate. However given the difference in the sites we access that says a lot about whether I should worry or not. Don't you agree? Again, I'll be happy to forward the reply if you want.

On the two ActiveX controls, I'll dump them today as soon as I get done with this reply.

I look forward to hearing back from you.

_________________
Stealth is the best weapon
Back to top
View users profile Send private message Send email
IACOJ

Site Admin
Site Admin



Joined: Oct 15, 2003
Posts: 263
Location: USA

PostPosted: Sun Mar 28, 2004 11:10 am    Post subject:
Reply with quote

Hey QuietOne,

I was just going to grab your hijackthis log, but since you are going to dump those activeX anyway, would you mind closing all your browser windows etc, and running hijackthis one more time. That way I'll have the newest one to work with.

Thanks
Back to top
View users profile Send private message
QuietOne

Lieutenant
Lieutenant



Joined: Dec 28, 2003
Posts: 227
Location: USA

PostPosted: Sun Mar 28, 2004 12:02 pm    Post subject:
Reply with quote

OK IACOJ,

Here's the latest with NO processes running EXCEPT the bootup stuff.

BTW, did you read the reply from CeoExpress and if so, what did/do you think?

Also, do you want me to forward the email for your records? If so, where to?



HiJackThis3-28-2004.log.txt
 Description:
MRV

Download
 Filename:  HiJackThis3-28-2004.log.txt
 Filesize:  9.15 KB
 Downloaded:  3 Time(s)


_________________
Stealth is the best weapon
Back to top
View users profile Send private message Send email
Paul

Admin
Admin



Joined: Feb 22, 2002
Posts: 5154
Location: USA

PostPosted: Sun Mar 28, 2004 1:08 pm    Post subject:
Reply with quote

I read the reply and it sounds good to me, and even better that they acknowledge that tracking cookies do exist at that site. However, my question to you is... as a premium subscriber, what happens when your cookie expires? Do you go back into the public verison of the site in order to log in? If so, then that means an advertising cookie has the potential of being installed.
_________________
http://computercops.biz/
Back to top
View users profile Send private message Send email Visit posters website
QuietOne

Lieutenant
Lieutenant



Joined: Dec 28, 2003
Posts: 227
Location: USA

PostPosted: Sun Mar 28, 2004 3:10 pm    Post subject:
Reply with quote

Paul wrote:
I read the reply and it sounds good to me, and even better that they acknowledge that tracking cookies do exist at that site. However, my question to you is... as a premium subscriber, what happens when your cookie expires? Do you go back into the public verison of the site in order to log in? If so, then that means an advertising cookie has the potential of being installed.

You're right Paul. I don't argue that possibility at all however I'm willing to take that risk because I'm aware or both: 1) That it occurs and 2) When. So I can log in at the public site when needed and immediately clean out the necessary cookies which gets me back to the "no tracking cookie" state I should be in in the first place. If I wasn't aware of when it was happening or that it was happening at all, it would be an entirely different deal.

I hope that this series of events has also done some to improve your opinion of CeoExpress as a website too but whether it has or not is your business. JM2c and thanks for both getting back to me and for your diligence. It's appreciated.

_________________
Stealth is the best weapon
Back to top
View users profile Send private message Send email
Paul

Admin
Admin



Joined: Feb 22, 2002
Posts: 5154
Location: USA

PostPosted: Sun Mar 28, 2004 7:11 pm    Post subject:
Reply with quote

I personally don't have any opinion of CeoExpress (neither does IACOJ). We're just both really busy on this site.
_________________
http://computercops.biz/
Back to top
View users profile Send private message Send email Visit posters website
IACOJ

Site Admin
Site Admin



Joined: Oct 15, 2003
Posts: 263
Location: USA

PostPosted: Mon Mar 29, 2004 9:37 am    Post subject:
Reply with quote

Hi QuietOne,

btw.. Paul answered for me above because he read your last reply to me, and I said "neither do I" Smile

Here is the list of what you can safely remove from your start up. Again if you need assistance with how to remove it, let us know, and we'd be happy to help.

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINNT\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
************* Not required to run at startup for your modem to function correctly. It is for a messaging applet used by your modem, and will autoload when required.***********
O4 - HKLM\..\Run: [GetSmile] C:\Program Files\GetSmile\GetSmile.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"


The things listed aren't necessary at startup. The ones which are user defined I haven't included, because you are probably used to things working the way they do.
Back to top
View users profile Send private message
QuietOne

Lieutenant
Lieutenant



Joined: Dec 28, 2003
Posts: 227
Location: USA

PostPosted: Mon Mar 29, 2004 11:18 am    Post subject:
Reply with quote

Not a problem IACOJ,

Thanks for the help.

_________________
Stealth is the best weapon
Back to top
View users profile Send private message Send email
Display posts from previous:   
Post new topic   Reply to topic       Computer Cops Forum Index -> Site Inbox All times are GMT - 5 Hours
Goto page Previous  1, 2, 3
Page 3 of 3

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB 2.0.8a © 2001 phpBB Group

Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops