Very simply, a cookie is not a program. A cookie can not, in and of itself, hurt you. It is only a text file.
All a cookie can do is carry information, back to a site in the domain that created the cookie, if you visit the domain, that you have returned and can supply some information that the site knew the last time you were there.
So, what’s the problem with cookies — why do the anti-spyware/anti-adware companies flag that they found cookies?
First, cookies are easy to find. Counting cookies, as if they are problems, means that the program can make itself look better in the eyes of less-knowledgeable users, as if it found serious problems.
Cookies are stored in known locations in web browser data files — they’re easy to find. Rather than a program complaining that it found adware applications, which are harder to locate and harder to remove, many anti-spyware/anti-adware programs will flag a cookie that belongs to an advertising network and call it a "security risk."
Sunbelt Software, the makers of the CounterSpy program that I used to use and the VIPRE Antivirus Premium (antivirus + antispyware + firewall) that I use now, wrote about this issue in a couple of their recent newsletters.
If you are paranoid, you can block cookies. You can set your browser not to accept cookies. You can set your browser to delete any cookies when the browser closes.
What do I do about cookies?
I let sites set the cookies they want to set. If I buy something after clicking on a web site ad or link, someone is going to make a commission. That’s the way the web works — "free" is only free if someone is paying the bill somehow.
Occasionally I’ll clear cookies out, maybe once every few months, as part of a major cleaning of temporary files. Then, I have to look up all my site passwords and log in again…