How to delete spyware in Windows Live applications

Discussion in 'other security issues & news' started by newdogdad, Sep 25, 2009.

Thread Status:
Not open for further replies.
  1. newdogdad

    newdogdad Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    7
    Location:
    Tucson, AZ
    I operate an HP Pavilion a530n. OS is XP Professional sp2. All MS security updates have been installed. I use Windows Live email and Windows Live messenger. Spyware Blaster w/automatic upgrades, Windows Defender, Spybot S & D and AVG 8.5 Free Virus scanner & removal.

    Following many occasions of a report of a Tracking cookie following the start of Windows Live Messenger and Windows Live email, I performed the following: After startup, running an AVG scan found no problems. Manually scanning with Spybot found and removed 6 spyware and one Trojan. Windows Defender scan found no problems, and I assume Spyware Blaster found no problems.

    Then, Windows Live Messenger started and appeared to be no problem, then I got a report from AVG that it found and removed a Tracking Cookie atdmt[2].txt. I looked at the History of reports and found that this was from Windows Live Messenger on start-up and it was removed to the Virus Vault. Also, there were 145 other records, many from Windows Live Messenger and many from Windows Live email. There were 2 Trojan Horse Proxy AHY (one found at WINDOWS\system32\MRT.exe and the other in WINDOWS\system32\cidaemon.exe). 143 entries were the Tracking cookie atdmt[2].exe.

    I cannot delete this tracking cookie from either Windows live applications, as each time I start either one, it is followed by an AVG report that it automatically removed a Tracking cookie atdmt[2].txt.

    How do I proceed and become successful in removing this infection?
     
  2. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    It's tracking cookie, not an infection.


    Really, cookies are not that big of a deal. Basically, it's a text file with some information on it.
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Sounds like another case of AVG false positives.

    First of all, don't worry about the cookies. Cookies are never malware. They're not any ware in the first place, since they're not software, they're text files. They're harmless. You can delete them for reasons of privacy, but they cannot harm your system in any way. Those cookies are coming from the ads Live Messenger shows you.

    Second, open Windows Explorer and find those files AVG claims are infected with trojans. Then check the file properties of those files. MRT.EXE should have a digital signature tab that should have a valid Microsoft digital signature. If it does, and the signature is valid, then that is a false positive from AVG. Then check cidaemon.exe. That one is a Microsoft file, as well. And it, too, has a digital signature, although you can't see it from the file properties. Instead, you can download the Sigcheck command line tool ( http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx ), copy sigcheck.exe into the Windows folder, and then open cmd.exe and type this command: sigcheck C:\Windows\system32\cidaemon.exe (assuming your Windows is installed in C). This should tell you that the file is "Verified: Signed" by Microsoft Corporation. If it is, that one is also an AVG false positive.

    You can also upload the files for another scan at Virustotal which will also use sigcheck to check the digital signatures. It will also run a scan with multiple anti-malware scanners. And after that, you can also submit those files being detected by AVG as false positives to AVG, so that they know their AV is detecting system files as malicious. If the digital signatures could not be verified, and also if Virustotal reports lots of AVs detecting the files as infected, only then do you have any cause for concern beyond AVG having false positives. :)
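The signature check described in the post above, scripted as an added example (this is editor-supplied code, not something posted in the thread or shipped by AVG, Sysinternals or Microsoft). It uses PowerShell's built-in Get-AuthenticodeSignature for files that carry an embedded signature (MRT.exe) and falls back to sigcheck.exe for catalog-signed files (cidaemon.exe), whose signature lives in the system catalog store rather than in the file, which is why the file properties dialog shows no signature tab and why the post recommends sigcheck. Assumptions: %SystemRoot% is the Windows folder (C:\WINDOWS on the poster's XP machine), sigcheck.exe is optionally on the PATH, and PowerShell 2.0 or later is installed; the two file paths are the ones named in the first post.

```powershell
# Added example, not code from the thread: check whether files an AV scanner
# flagged carry a valid Microsoft signature before treating them as infected.
# Assumptions: $env:SystemRoot is the Windows folder, sigcheck.exe (Sysinternals)
# is optionally on PATH, PowerShell 2.0 or later.

$flagged = @(
    (Join-Path $env:SystemRoot 'system32\MRT.exe'),
    (Join-Path $env:SystemRoot 'system32\cidaemon.exe')
)

function Get-Sha256Hex {
    param([string]$Path)
    # Hash via .NET so this also runs on PowerShell 2.0, which lacks Get-FileHash.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Test-SigcheckVerified {
    param([string]$Path)
    # Catalog-signed files (cidaemon.exe) have no embedded signature, so on XP
    # Get-AuthenticodeSignature reports NotSigned. sigcheck consults the catalog
    # store. Returns $true/$false, or $null when sigcheck.exe is not available.
    $tool = Get-Command sigcheck.exe -ErrorAction SilentlyContinue
    if (-not $tool) { return $null }
    $out = & $tool.Path -q -accepteula $Path 2>&1 | Out-String
    return ($out -match 'Verified:\s+Signed')
}

function Test-FlaggedFile {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Verdict = 'file not found' }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $isMs   = $signer -match 'O=Microsoft Corporation'

    if ($sig.Status -eq 'Valid' -and $isMs) {
        $verdict = 'valid Microsoft signature: treat the AV hit as a false positive and report it to the vendor'
    } elseif ($sig.Status -eq 'Valid') {
        $verdict = "valid signature, but the signer is not Microsoft ($signer): investigate"
    } else {
        # No usable embedded signature: try sigcheck's catalog lookup.
        $cat = Test-SigcheckVerified $Path
        if ($cat -eq $true) {
            $verdict = 'catalog-signed per sigcheck: treat the AV hit as a false positive'
        } elseif ($cat -eq $false) {
            $verdict = 'NOT verified by sigcheck: do not trust it, get a second opinion (e.g. VirusTotal)'
        } else {
            $verdict = "embedded signature status is $($sig.Status) and sigcheck.exe was not found: run sigcheck manually"
        }
    }

    New-Object PSObject -Property @{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Sha256  = Get-Sha256Hex $Path
        Verdict = $verdict
    }
}

$flagged | ForEach-Object { Test-FlaggedFile $_ } |
    Format-List Path, Status, Signer, Sha256, Verdict
```

The SHA-256 in the output can be pasted into VirusTotal's hash search, which gives the multi-engine result without uploading the file. A "Valid" status with a non-Microsoft signer, or a sigcheck result other than "Verified: Signed", is the only case in which a flagged system file deserves further scrutiny; a valid Microsoft signature on an unmodified file in system32 is the false-positive case the post describes.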
     