[RESOLVED] ATDMT.com (bad cookie)

[fink]

It's being protected by spybot. Turn that feature off first. (or you may also be able to alter the attributes of the hosts file and turn "read only" off (not sure that would work but try it anyway)

[SpywareDr]

Which Operating System are you running?

[Broni]

Did you check my reply #6?

[Welshjim]

Suttonite12 --I do not think either Spybot or SpywareBlaster adds sites to the HOSTS file. They add sites to the Restricted Sites list. Are you sure you are looking in the right place?
Some info on HOSTS including location.
http://www.mvps.org/winhelp2002/hosts.htm

[fink]

spybot does optionally but spyware blaster does not.

[Suttonite12]

Hi folks,

Many thanks for your comments, spybot does add items to the host file when you use their immuniser.The host file they use is Hosts.xp apparently and believe me they have logged a considerable amount of blocked programs.

Spywareblaster protects the hosts file if you want it protected.

Dr i have read and tried implementing your post to the same file as spybot s&d, however as fink stated it maybe spybot protecting the file or for that matter spywareblaster.

fink i found another Host file labelled Hosts. MSN and i copied Dr's suggestions into that file, which up to now seems to have done the trick, but i aint holding my breath here. The Hosts file accepted my insertion so we will see what happens as the scans have not brought up any infections as yet.

Will keep you all informed guys & thanks again.

Regards.

[Suttonite12]

Hi folks,

Unfortunately this ATDMT is back...

After reading "Alens blog" i went through the instructions to remove it.

The registry had no logs of "Atlassolutions" or for that matter there were no entries regarding:-

IE->Tools->Manage Add-ons->Enable or Disable Add-ons

Find CBrowserHelper under names and highlight it (the publisher should be Dell). Then select “disable” in the “Settings” box on the bottom left side. OK and close IE.

I have opened a new file in the registry and copied the following into the file:-

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Do404Search”=hex:01,00,00,00
“Search Page”=”http://www.microsoft.com/isapi/redir...ar=iesearch”
“Search Bar”=”http://search.msn.com/spbasic.htm”
“Use Custom Search URL”= dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
“{CFBFAE00-17A6-11D0-99CB-00C04FD64497}”=”"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
“”=”http://home.microsoft.com/access/autosearch.asp?p=%s”
“provider”=”"
” “=”+”
“&”=”%26″
“+”=”%2B”
“#”=”%23″
“?”=”%3F”
“=”=”%3D”

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
“Search Page”=”http://www.microsoft.com/isapi/redir...ar=iesearch”
“Search Bar”=”http://search.msn.com/spbasic.htm”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
“SearchAssistant”=”http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm”
“CustomizeSearch”=”http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm”
“Default_Search_URL”=”http://www.microsoft.com/isapi/redir...ar=iesearch”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
“Default_Search_URL”=”http://www.microsoft.com/isapi/redir...ar=iesearch”
“Search Page”=”http://www.microsoft.com/isapi/redir...ar=iesearch”

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@=”http://”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
“ftp”=”ftp://”
“gopher”=”gopher://”
“home”=”http://”
“mosaic”=”http://”
“www”=”http://”

Atdmt is still showing up on scans.

Do i need a letter from the pope to get shut of this or am i doing something wrong?.

Thanks again guys for your assistance.

Regards.

[Broni]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   
   NOTE. If Combofix asks you to install Recovery Console, please allow it.
   
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

[Suttonite12]

Hi guys,

Apologies for the late reply.

I ran a hijackthis scan and the only thing slightly dubious was the "Ask toolbar" however this is Norton Safe Search, so no problems there.

Anyway after some research it seems ATDMT is Microsoft's advertising partner. ATDMT has an opt out policy on their website however, all blocked ATDMT cookies have to be re-enabled for the "opt out" to work apparently.

I have a post here for you to read as it makes sense to me, but i would be grateful for your comments on this:-

" Windows live sign in helper (assistant) is definitely responsible for the cookie.
What happens is the first time you sign in to windows Live using the sign in helper it writes the cookie and also puts 2 entries into the registry:
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\[email protected]
and:
HKEY_USERS\S-1-5-21-4234794394-2194508213-234476443-1006\Software\Microsoft\IdentityCRL\UserExtendedProperties\[email protected]
(on my computer anyway)

Then when Live mail or IE7/IE8 (with the live sign in helper add-on enabled) is started the cookies are written from the registry and the registry values are updated on-line.

I suppose it's quite a neat way for Microsoft to avoid the privacy options it puts in its browsers But I find it quite unethical."

In my opinion this would be a valid explanation as i use windows live mail and it seems that people with the so called "Bing" search assistant are also having the same problems with ATDMT.

I think the best way of getting shut of this cookie is to bin Bing and download another email program which allows you to read your live mail via their program (possibly Thunderbird 2).

Any comments are welcomed guys.

Regards.

[Broni]

See here: http://alenblog.wordpress.com/2008/1...yware-removal/

[Suttonite12]

Hi guys,

Looks like ATDMT has gone now.

I disabled everything in I.E8 (ADD-ONS) refering to windows live and search help assistants. The system seems to be clean.

Thanks again for all your comments guys, they are appreciated.

I will mark the thread as "Resolved" .

Best Regards.