Ok this will be long as I'm going to take you step by step with what we've done to try to get midADdle off of my partner's computer.
First, we realized something was wrong on July 31, 2004 when she opened an email from a trusted friend that had an attachment. When she went to send the email to her son, **it hit the fan with her computer and it began popping up 3 and 4 instances of the same window and sending the email 3-4 times to her son. She immediately called him and told him to simply delete any email from her until further notice and we sent an email from my computer, which hasn't been affected, to let anyone on her email list know to delete all emails from her until further notice.
I began searching to find what could be the problem and midaddle jumped out for some reason, and so we searched her computer to see if it was on it and found several instances of it. I then began searching for ways to rid her computer of it. Following is the detailed list of what we have done and things we've discovered in the process. We also found these and were able to remove successfully.
Program Files/SEP/SEP.dll
Software/Memory Watcher
C: Documentandsettings/sharonbass/localsettings/temp/fixit.exe
Docummentandsettings/sharonbass/localsettings/temp/middaddle.exe
We began by running her Ad-Aware and it also found several instances of MidADdle and so we deleted/quarantined them. That however did not solve the problem. I again began searching for even more information after realizing that it is malware.
I found these instructions on 2 different sites that were talking specifically about MidADdle that others said worked for them. It did delete them, temporarily, but it's come back. Here are the step by step instructions that I followed.
Disconnect from the internet.
Restart Computer
Run
Msconfig
Select Diagnostic Startup
click ok computer will restart
Start
Run
Regedit
Select Find
Type MidADdle and find next
Delete Files/keys that are specifically MidADdle
Repeat until all instances are removed
After deleting all of these, go to
C: PRogram Files/Common Files
Find MidADdle and delete (Sometimes it would let us delete and sometimes it would not)
Go to start
Run
Msconfig
Normal Startup (Hers was in selective startup)
These are the things that I found with MidADdle while in the registry.
HKEY_LocalMachines.software/{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D84}
HKEY_Classes_ROOT:CLSID\{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D84}
HKEY_CLASSES_ROOT:TYPELIB WINAFFILIATE BHO.WINAFFILIATE.IEEXTENS.1
{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D841}
C: Documents and SEtting/SharonBass/Local Setting/Temporary INternet/Content.ie5/0v1266v
C:Program files/common files/Midaddle/midaddle.dll
Something about File Rename that had midaddle in it, so we deleted it.
Something about Threading with Midaddle and apartment in it, so we deleted it.
We deleted these and then went back into normal mode. Here is where some fun begins, but we learned something in the process. We found that while in Diagnostic or Safe Mode, these could be deleted. Last night, after making certain that all things were off the computer concerning MidADdle, we turned off her computer and this morning turned it back on, and went straight to the Programfiles/Common files and this is what we found: Midaddle.dll 116KB
They at first reappeared only when she went to Neopets.com or Roadrunner. This morning they reappeared simply when she turned on her computer. She hadn't even gone on the net.
She runs AVG and keeps it updated faithfully. She is using XP's Firewall. (This is where we differ, I also use ZONELABS and my computer has not been affected by any of this).
Does anyone have a reliable way to rid her computer of this crap? I've let her know that you all will most likely recommend that she download HijackThis to be able to read what is on her pc, and she's hesitant, but I think she is finally reaching a point where she will allow me to get it set up and run on her computer.
Thanks in advance for all your help.
Darlid01
August 5th, 2004, 11:59 AM
OK, I won't disappoint. Download and run Hijack! Also, she has Ad-Aware, but it's obviously compromised since she has the virus. She should run an online scanner to check for the spyware, since it shouldn't be affected. Then, as much of a pain as it is, she should start installing those wonderful programs from NooNoo's sticky thread. I've only had one virus/trojan/malware not get stopped by the combination of those.
Dshadna
August 5th, 2004, 12:30 PM
OK, I won't disappoint. Download and run Hijack! Also, she has ad-aware, but it's obviously compromised since she has the virus. She should run an online scanner to check for the spyware, since it shouldn't be effected. Then, as much of a pain as it is, she should start installing those wonderful programs from Noonoo's sticky thread. I've only had one virus/trojan/malware not get stopped by the combination of those.
Thank you for your quick answer. I'll have her do those things. We did go to PCPitstop and also the PANDA site to scan and neither one comes up with any virus or spyware. We've tried to download Spybot several times to her computer but each time it says something about a corrupted file. She's not a happy camper, but hopefully we can help her get happier. I'll write down the list of what's in the sticky and we'll start doing it and see what happens.
GrandDad
August 5th, 2004, 01:43 PM
Yes, do all that's in NooNoo's sticky post. :thumbs:
As for online scans you can try;
http://housecall.trendmicro.com/
If nothing else the online scans will give you more of what could be on that PC.
Don't know what anti-virus you're using but if you don't have this (AVG);
http://www.grisoft.com/us/us_dwnl7.php
it works great, and it's free. :thumbs2:
corturbra
August 5th, 2004, 02:32 PM
Switch off system restore before you start
In Safe Mode
Run Hi-jack this and Spybot
Also check in Add/Remove programs and uninstall SEP/Middadle.
Follow previous instructions that you've done to get rid of registry entries
Scrap the MS firewall, it is pants. Install ZoneAlarm, it's free FFS, and like yourself I run ZoneAlarm and AVG and I have never, repeat never, gotten anything on my PC.
Good luck. I had fun with this kiddy about a week or so ago and I did the above to get shot of it, so far it hasn't come back
Dshadna
August 5th, 2004, 04:08 PM
Switch off system restore before you start
In Safe Mode
Run Hi-jack this and Spybot
Also check in Add/Remove programs and uninstall SEP/Middadle.
Follow previous instructions that you've done to get rid of registry entries
Scrap the MS firewall, it is pants. Install ZoneAlarm, it's free FFS, and like yourself I run ZoneAlarm and AVG and I have never, repeat never, gotten anything on my PC.
Good luck. I had fun with this kiddy about a week or so ago and I did the above to get shot of it, so far it hasn't come back
Ok, I will run all these in safe mode (if I can get her computer into safe mode again, it's a b**ch to try to get it there). I have run them all in regular mode but nothing is found. Already removed the SEP/Middadle from the Control Panel and it's not come back. I'll try this with System Restore off now though.
Dshadna
August 5th, 2004, 04:10 PM
Had to put it into 2 different posts as it was too long for one.
Logfile of HijackThis v1.97.7
Scan saved at 2:55:53 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
These are bad:
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O4 - HKLM\..\Run: [vONa] C:\docume~1\sharon~1\locals~1\temp\vONa.exe
O4 - HKLM\..\Run: [S] C:\documents and settings\sharon bass\local settings\temp\S.exe
Boot into safe mode and run hijack again. Kill the registry entries and delete the files as well.
Darlid01
August 5th, 2004, 04:25 PM
Yep, you have pretty much neutered MidADdle, but you now have W97M.Gogaru.A
http://securityresponse.symantec.com/avcenter/venc/data/w97m.gogaru.a.html
I don't recognise the vONa.exe
These are bad:
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O4 - HKLM\..\Run: [vONa] C:\docume~1\sharon~1\locals~1\temp\vONa.exe
O4 - HKLM\..\Run: [S] C:\documents and settings\sharon bass\local settings\temp\S.exe
Boot into safe mode and run hijack again. Kill the registry entries and delete the files as well.
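The four log lines above were called out by eye; the same reasoning can be written down so it is repeatable. The following is an added example, not code from the thread or from HijackThis: a small parser for O2 (Browser Helper Object) and O4 (autostart) lines that flags a BHO whose DLL is gone from disk or has no name, and an autostart program that runs out of a Temp directory. The sample log is constructed from the lines quoted in this thread plus two benign entries (the NvCplDaemon Run entry, and a made-up BHO with a placeholder CLSID) so the triage has something to leave alone.

```python
import re

# Constructed sample: the four HijackThis O2/O4 lines quoted in this thread plus
# two benign entries (the NvCplDaemon Run entry later identified as the NVIDIA
# control panel, and a made-up BHO with a placeholder CLSID whose DLL is present).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [vONa] C:\docume~1\sharon~1\locals~1\temp\vONa.exe
O4 - HKLM\..\Run: [S] C:\documents and settings\sharon bass\local settings\temp\S.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"""

# O2 = Browser Helper Object registered under HKCR\CLSID; O4 = autostart value.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# First thing that looks like an executable in the command line, quoted or not.
EXE_RE = re.compile(r'^\s*"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)


def parse_hjt_line(line):
    """Return a dict for an O2 or O4 line, or None for any other line."""
    m = O2_RE.match(line)
    if m:
        return {"kind": "O2", **m.groupdict()}
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", **m.groupdict()}
    return None


def triage_entry(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    if entry["kind"] == "O2":
        if entry["path"] == "(no file)" or entry["path"].endswith("(file missing)"):
            reasons.append("BHO registration points at a file that is not on disk")
        if entry["name"] == "(no name)":
            reasons.append("BHO registered without a display name")
    elif entry["kind"] == "O4":
        m = EXE_RE.match(entry["cmd"])
        if m:
            # Split on either separator; 8.3 short names (locals~1) still
            # leave the 'temp' component visible.
            parts = [p.lower() for p in re.split(r"[\\/]", m.group("exe"))]
            if "temp" in parts:
                reasons.append("autostart program runs from a Temp directory")
    return reasons


def triage_log(text):
    """Return (kind, identifier, reasons) for every flagged O2/O4 line."""
    findings = []
    for line in text.splitlines():
        entry = parse_hjt_line(line.strip())
        if entry is None:
            continue
        reasons = triage_entry(entry)
        if reasons:
            ident = entry["clsid"] if entry["kind"] == "O2" else entry["value"]
            findings.append((entry["kind"], ident, reasons))
    return findings


if __name__ == "__main__":
    for kind, ident, reasons in triage_log(SAMPLE_HJT_LOG):
        print(f"{kind} {ident}: " + "; ".join(reasons))
```

Running it lists the two orphaned BHO registrations and the two Temp-directory autostarts and stays quiet about the other two lines. The Temp rule is deliberately narrow: a program launched at every boot from a user's Temp folder is the pattern the thread's bad O4 lines share, and it is what the later advice (end the process, fix the entry, delete the file) acts on.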
NooNoo
August 5th, 2004, 05:17 PM
someone has been porn surfing
C:\docume~1\sharon~1\locals~1\temp\vONa.exe
C:\documents and settings\sharon bass\local settings\temp\S.exe
Kill both of them
Dshadna
August 5th, 2004, 07:56 PM
someone has been porn surfing
C:\docume~1\sharon~1\locals~1\temp\vONa.exe
C:\documents and settings\sharon bass\local settings\temp\S.exe
Kill both of them
There are only two of us who use either computer and neither of us has ever porn surfed. I will kill both of those immediately.
Thank you all.
After doing this I will post the new HJT Log.
Dshadna
August 5th, 2004, 09:54 PM
There are only two of us who use either computer and neither of us has ever porn surfed. I will kill both of those immediately.
Thank you all.
After doing this I will post the new HJT Log.
Allow me to ask a stupid question before I mess anything up.
Exactly HOW do you "KILL PROCESS" with HJT? Please give step by step instructions as if I were a dunce. I want to be certain I don't do something wrong.
I think I know how, but would much rather have you all tell me exactly what to do.
Thanks y'all.
D
hudsonsmith
August 6th, 2004, 07:18 AM
You are trying to delete the file itself, as well as the registry references to it. Before you can do that, you have to stop it from running. You can either boot into safe mode, which bypasses the list of programs scheduled to run at startup, or you can go into task manager, find the process, and click the end process button.
After you have done that, you would go into hijack, check the boxes next to the items you want to remove, and click the fix checked button. Then browse the directory to find the actual files and delete them.
Dshadna
August 6th, 2004, 04:41 PM
You are trying to delete the file itself, as well as the registry references to it. Before you can do that, you have to stop it from running. You can either boot into safe mode, which bypasses the list of programs scheduled to run at startup, or you can go into task manager, find the process, and click the end process button.
After you have done that, you would go into hijack, check the boxes next to the items you want to remove, and click the fix checked button. Then browse the directory to find the actual files and delete them.
Thank you, that was exactly what I needed to know. I took the time last night to be certain that I wrote everything down exactly so that this morning I could get to it when I was refreshed and not stressing out. It took about 2 hours of searching the registry, and then searching for all files related to everything you all recommended be shut down. I made sure before doing anything that I was certain of what I was doing. I found the [s] and [vONa] files almost immediately and was able to get them out and then find any files they were hidden in. I also checked with "dates created" to be certain, because I had a relatively vague idea of when problems appeared to start.
I've now got it all cleared off the pc and restarted the computer. The one problem I had was that midaddle kept unchecking itself in SpywareBlaster, so I've told my partner to make certain when she turns her pc on to go immediately to that program and make certain that everything is checked and protected against. The other thing, and you all can tell me if it's a problem or not, is that when I took the computer out of safe mode (diagnostic) and let it restart, it went straight to selective startup rather than Normal startup. It appears to be running just fine this way and in fact is where it was when this all began; but without all the programs that you all recommended.
We've now got Spybot installed (had to exclude Wild Tangent from the search or the thing wouldn't work). (Which reminds me; we now are getting an error report about a dll for WT missing whenever the computer starts.....any recommendations or suggestions?) We've also got ZoneLabs installed and we're slowly getting it configured to where it won't appear to be so intrusive. Also with Spybot, we did the "TeaTimer" thingie. I've been running it for some time and haven't experienced any problems that I'm aware of. When we installed the firewall, we had to restart the pc and I had her immediately go to SpywareBlaster and see if midADdle was checked or unchecked; this time it stayed checked. I had her select all and protect again just to be certain. We went to Common Files to see if the folder was back with MidADdle and it was finally gone. We went to Neopets and Roadrunner and then went to check and no problems. It appears at this time that all of your suggestions and such may have done the trick this time.
So once again. A big Southern THANK Y'ALL for your hard work and your patience with us as we solved this problem. I'm sure that I'll be back again as you've helped me with some other problems and I have NO complaints.
NooNoo
August 7th, 2004, 06:36 AM
wt.dll looks like it's a leftover. I found no information about it.
Search the registry for reference to it and remove the key if found. Also start, run, type in sysedit and check in win.ini for references there.
Dshadna
August 7th, 2004, 12:24 PM
wt.dll looks like it's a leftover. I found no information about it.
Search the registry for reference to it and remove the key if found. Also start, run, type in sysedit and check in win.ini for references there.
Thank you NooNoo. Will do. I appreciate all the help from everyone. It's been 24 hours and so far no more midaddle. I believe we've finally gotten rid of it and protected (I HOPE) from it.
D
NooNoo
August 7th, 2004, 01:43 PM
:cool:
Dshadna
August 10th, 2004, 12:02 PM
:cool:
Posting new HJT log. Something hit her pc again and with a vengeance. We found nothing of midaddle, but I will point out which thing hit me as being wrong on the HJT log that I ran before going into safe mode. It's not the same as what shows up when I ran it in safe mode. I'll post both so you all can see.
This is the log before safe mode:
Logfile of HijackThis v1.97.7
Scan saved at 10:17:50 AM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
The O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize is the one that just doesn't seem right. All she did was go on her computer, go to neopets to log in and hit the s button to type in her name and everything began popping up, computer started going into standby and wouldn't turn off. I got her off the net, managed to get the system restore off (pain in the arse it was). and then got her into safe mode. She has Zonelabs, spyblaster, Adaware, Spybot all running. Any ideas.
Dshadna
August 10th, 2004, 12:16 PM
Something else to mention.
About the same time that the Midaddle showed up, when we start the pc, a black screen with a line that looks like it is loading something up began appearing. Now one thing I can remember is that it happened right after an electrical storm. This was not happening for the last 3 years that she has owned the pc but only this short amount of time in the last 2-3 weeks or so. I don't know if it is relevant, but felt I should mention it. Also, it pops up something about initializing something, but it never stays up long enough to see just what it is trying to initialize. This too has not always been and began about the same time as the Midaddle crap showed up.
Any help is appreciated. I wish there was something I could do to help you all as much as you've been helping me.
NooNoo
August 10th, 2004, 03:25 PM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize - you have an nvidia card, this is a startup option. You can remove it and start it manually when needed.
Other than that, I don't see anything there that's a problem. PS that blue hurts my eyes, please don't bother colouring the text - thanks.
What do the popups say? Are they advertisements?
Wildtangent could be the cause.
Dshadna
August 10th, 2004, 03:57 PM
I apologize for the coloured text, I didn't realize it would stay that way. I copied and pasted from the email we sent from Shad's pc to mine and just hit enter and all. Wasn't thinking about it. I'll try to remember.
The popups are that it's opening the same page we're on over 15 times or more. It does it for about 10 minutes, if we can't get the pc to shut down right. It will open up that many instances of HJT and Spybot, if we accidentally scroll over the programs and all. If we accidentally scroll over Log out while trying to get the pc to shut down, it sets the pc into standby mode. It takes patience and a steady hand to get it to let us get to where we need to get the pc to boot properly. I did manage to get into System Restore to turn it off. I managed finally to get into safe mode and run Spybot and HJT, and to check for files and anything related to Midaddle....and the registry, but made no changes.
Once I can get the pc to boot properly at least twice, then it doesn't seem to have the same problem. Until we go back on the internet on any page. Then it does it again. We're completely stumped.
One thing I can say is that someone she trusts sent her an email yesterday with an attachment, and she immediately went in and deleted it without opening it and then emptied the deleted items bin in Outlook Express. That was the last thing she did before turning off the computer. She got on this morning and went to Neopets and this all began again. Coincidence??
Nothing about Midaddle shows up again. No virus or anything show up when the virus scan is run, spyware blaster shows it's protecting against everything and Spybot and Adaware show nothing (except spybot shows the DOS exploit which I've been reading about and we are up-to-date on everything so we're leaving that one alone). Two online virus scanners show nothing either.
I'll wait for a response to see what you think we should look into next.
Thanks NooNoo.
Dshadna
August 10th, 2004, 11:17 PM
It's been suggested by some people I know who have had problems similar to ours that we should consider reformatting the hard drive. Is setting it back to factory setting the same as reformatting the hard drive?
My question is: We have the Compaq Restore CD to take it back to factory settings. We have the CD for the optical wireless mouse, the CD burning, the ATI video card. What else would we need, and where would I find it? I've done the Google search and am more confused now than when I began looking.
(We also have the CDs for some of the programs we've added to her pc like Solitaire 3 and EverQuest. We know that EQ will take almost 20 hours to reinstall, so we're prepared for that. I have the web addy's for all the programs you all recommended, so those can be restored with little problem. We know that any documents or pics need to be saved before even considering this).
Would setting it to factory settings erase the problem altogether? Does the CD Restore disc also contain the windows xp home that was on the computer when we first got it? We never had a disc for Windows xp home with her Compaq. Should we even consider this as an option?
If we do this, what do I need to know?
I've reached the end of my rope on this and just need to know what I should do. I'm frustrated and aggravated that this has happened again. Why do people do things like this to ruin other people's pc's? What possible reason is good enough for their maliciousness?
NooNoo
August 11th, 2004, 08:37 AM
What possible reason is good enough for their maliciousness?
In short, money. The current problems with this sort of malware are about selling information or advertising. A good old fashioned trojan was thievery - clever, hidden, and designed to just steal personal information. They are both about control.
OK, to Compaq - depending on the model, Compaqs have a quick restore - which is just an install-over type thing, it is non-destructive of the data. All Compaqs have the full restore which is destructive and (all things being equal) should take care of the problem.
Post your full compaq model - lets see what is available at compaq.com for it.
Also have you installed spybot teatimer utility? Set spybot to block bad pages? These can be enormously useful. If you have a firewall such as zone alarm, it can be set to ask for every program accessing the internet - pretty soon whatever is causing your headache will show itself there.
It's up to you - you want to back up every thing and wipe or track the little bugger down and blast it?
We replaced the nVidia Vanta graphics card with a Radeon 7000 Series card over a year ago. Everything else is the same, except we now have a Logitech Wireless Optical mouse for the pc.
It has a 10/100 Ethernet Networking Card in it also.
Not sure what else you need to know, but I have a printout we did when we first got the pc of what's on it and I've handwritten notes of what's been replaced.
Also have you installed spybot teatimer utility? Set spybot to block bad pages? These can be enormously useful. If you have a firewall such as zone alarm, it can be set to ask for every program accessing the internet - pretty soon whatever is causing your headache will show itself there.
Yes, we installed the Teatimer and have it set to block bad pages. We have the ZoneAlarm Firewall asking permission for everything to the point that Shad is getting fed up with but will live with it to get this taken care of.
Thanks NooNoo for being so patient and for being willing to help us.
Edit to ask a question from Shad:
Could it be that the electrical storm we had that caused a power surge may have done some damage to the pc? We have very good surge protectors on both pcs, but are concerned that may be a problem. Also, could the storm have caused a problem with the keyboard? She's had problems with the factory sent keyboard since she got the pc in Dec 2001. Sometimes when booting up it says the keyboard isn't there and it is attached, no loose connection or anything.
hudsonsmith
August 11th, 2004, 01:47 PM
Try running sfc /scannow. It will check if any of your system files are corrupt or have been replaced.
Dshadna
August 11th, 2004, 01:52 PM
What is sfc /scannow?
Where do I find it to run it?
Thanks Hudson
Edit:
I found out what it is by doing a google. Now I just need to know how to find it to run it.
We replaced the nVidia Vanta graphics card with a Radeon 7000 Series card over a year ago. Everything else is the same, except we now have a Logitech Wireless Optical mouse for the pc.
It has a 10/100 Ethernet Networking Card in it also.
Not sure what else you need to know, but I have a printout we did when we first got the pc of what's on it and I've handwritten notes of what's been replaced.
Bloody Hell!! Someone actually takes note!! I am very impressed.
Dshadna
August 13th, 2004, 11:15 PM
Update:
We believe we've solved the problem of the windows constantly popping up when hitting the "s" key. It appears that the Numerical Enter key was stuck in the down position and so we first unplugged it from the pc and then popped that key up and off and found that the metal clip under it was not on correctly, so we put it back in right and cleaned out from under it. We popped it back on and then replugged it in. We followed the directions for uninstalling the keyboard and then reinstalling so that the driver would update when we did it and now it appears that everything is working normally.
As to the Wild Tangent error, we reinstalled Wild Tangent and then did a complete uninstall to rid ourselves of that particular problem. Thanks y'all for all the help. We're planning on replacing the almost 4 year old keyboard next week when SSD comes in. She's had problems with it since we got it, but this just has made us more certain that we're ready to replace it. She doesn't use half the keys on it anyway.
I know that if we have any more problems I can always come back here and some great people will continue to help us until we can solve the problem. Thanks everyone for suggestions and all. One great thing about this Midaddle/stuck key is that we now have her computer extremely protected with Ad-Aware SE, Spybot/TeaTimer, ZoneLabs and SpywareBlaster, among the few. I've wanted her to get them before, but this situation impressed upon her just why. Thanks for helping us.
NooNoo
August 16th, 2004, 07:10 AM
Anytime :)
rihay
August 17th, 2004, 02:54 PM
Hello DSHADNA:
It is obvious that your problem is not only midaddle; you have other spybots and viruses running in the background, such as
smsss.exe
s.exe.
You need to get rid of them the same way that you are trying to delete midaddle.. it should work.
and so on..
Ok this will be long as I'm going to take you step by step with what we've done to try to get midADdle off of my partner's computer.
First, we realized something was wrong on July 31, 2004 when she opened an email from a trusted friend that had an attachment. When she went to send the email to her son, **it hit the fan with her computer and it began popping up 3 and 4 instances of the same window and sending the email 3-4 times to her son. She immedatily called him and told him to simply delete any email from her until further notice and we sent an email from my computer which hasn't been affected to let anyone on her email list know to delete all emails from her until further notice.
I began searching to find what could be the problem and midaddle jumped out for some reason, and so we searched her computer to see if it was on it and found several instances of it. I then began searching for ways to rid her computer of it. Following is the detailed list of what we have done and things we've discovered in the process. We also found these and were able to remove successfully.
Program Files/SEP/SEP.dll
Software/Memory Watcher
C: Documentandsettings/sharonbass/localsettings/temp/fixit.exe
Docummentandsettings/sharonbass/localsettings/temp/middaddle.exe
We began by running her adaware and it found several instances also of MidADdle and so we deleted/quaranteened them. That however did not solve the problem. I again began searching for even more information after realizeing that it is MalWare.
I found these instructions on 2 different sites that were talking specifically about MidADdle that others said worked for them. It did delete them, temporarliy, but it's come back. Here are the step by step instructions that I followed.
Disconnect from the internet.
Restart Computer
Run
Msconfig
Select Diagnostic Startup
click ok computer will restart
Start
Run
Regedit
Select Find
Type MidADdle and find next
Delete Files/keys that are specifically MidADdle
Repeat until all instances are removed
After deleting all of these, go to
C: PRogram Files/Common Files
Find MidADdle and delete (SOmetimes it would let us delete and sometimes it would not)
Go to start
Run
Msconfig
Normal Start up (Her's was in selective startup)
These are the things that I found with MidADdle while in the registry.
HKEY_LOCAL_MACHINE\Software\{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D84}
HKEY_CLASSES_ROOT\CLSID\{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D84}
HKEY_CLASSES_ROOT\TypeLib WINAFFILIATE BHO.WINAFFILIATE.IEEXTENS.1
{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D841}
C:\Documents and Settings\SharonBass\Local Settings\Temporary Internet\Content.ie5\0v1266v
C:\Program Files\Common Files\Midaddle\midaddle.dll
Something about File Rename that had midaddle in it, so we deleted it.
Something about Threading with Midaddle and apartment in it, so we deleted it.
We deleted these and then went back into normal mode. Here is where some fun begins, but we learned something in the process. We found that while in Diagnostic or Safe Mode, these could be deleted. Last night, after making certain that all things were off the computer concerning MidADdle, we turned off her computer and this morning turned it back on, and went straight to Program Files\Common Files, and this is what we found: Midaddle.dll 116KB
They at first reappeared only when she went to Neopets.com or Roadrunner. This morning they reappeared simply when she turned on her computer. She hadn't even gone on the net.
She runs AVG and keeps it updated faithfully. She is using XP's Firewall. (This is where we differ, I also use ZONELABS and my computer has not been affected by any of this).
Does anyone have a reliable way to rid her computer of this crap? I've let her know that you all will most likely recommend that she download HijackThis to be able to read what is on her pc, and she's hesitant, but I think she is finally reaching a point where she will allow me to get it set up and run on her computer.
Thanks in advance for all your help.
Dshadna
August 17th, 2004, 03:47 PM
I've already taken care of the s.exe.
Did some reading on the smss.exe and it appears to be a legitimate part of the Windows XP operating system. I'll wait for NooNoo or Hudson to correct me if that is wrong.
smss - smss.exe - Process Information
Process File: smss or smss.exe
Process Name: Session Manager Subsystem
Description: Application that is used to start, manage, and delete user sessions or client sessions under Terminal Server.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A
NooNoo
August 17th, 2004, 03:51 PM
rihay posted about smsss.exe - an extra s makes ALL the difference. Check the spelling of the file in your processes Dshadna!!
rihay, thanks for the tip!
Dshadna
August 17th, 2004, 04:59 PM
rihay posted about smsss.exe - an extra s makes ALL the difference. Check the spelling of the file in your processes Dshadna!!
rihay, thanks for the tip!
This is what he posted in another place where I had been looking for ways to rid the pc of MidADdle. This is why I double checked what process he was talking about and why I am hesitant to follow his directions.
Dshadna: I took a look at your log that you posted on windrivers, and it looks like you have several spybots and viruses, not to mention the DAMN midadle..
You're doing everything so far with the instructions, but you keep leaving some of the spybots and viruses out, and that's what keeps bringing midadle back. THESE ARE NOT TO BE RUNNING ON YOUR SYSTEM AT ALL AND THIS GOES FOR EVERYONE.
This is what I found by checking http://computercops.biz/sl-100.html
smss.exe--Session Manager Subsystem
Description: Application that is used to start, manage, and delete user sessions or client sessions under Terminal Server. (Legitimate running smss.exe is found in System32 subdirectory)
Mine is found here: C:\WINDOWS\System32\smss.exe
lsass.exe --Local Security Authentication Server
Description: Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.
--also found this when searching the computercops startup list.
lsass.exe--Added as a result of the RANDEX.AR (http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.ar.html) VIRUS! Note - this is not the legitimate Lsass.exe (http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/) system file should normally NOT figure in Msconfig/Startup!
How do I know which one is legitimate and which one isn't?
Mine is found here: C:\WINDOWS\system32\lsass.exe
vONA.exe --Already taken care of
S.exe--Already taken care of
pctspk.exe--Used for modems based upon PC-TEL chipsets. Normally used for some Voice and Speakerphone functions and also for some Power management options. If you remove it you may not be able to use any of those functions
Mine is found here: C:\WINDOWS\System32\pctspk.exe
wkcalrem.exe--Produces a pop-up reminder of events scheduled using the MS Works Calendar
Mine is found here: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
I just want to be very sure before I do anything else to the pc. I don't want to delete something that is necessary for the running of the pc or for a program we use, such as Microsoft Works Reminder for the Calendar, which we do use. Maybe I am too cautious, but the pc is running correctly now and there has been nothing found with Spybot, SpywareBlaster, Adaware or anything else. Please, NooNoo or Hudson, will you double check the first log that I put in to be certain for me. I can repost it again if you prefer, but it will take some time to get a new log for posting.
NooNoo
August 18th, 2004, 05:06 AM
How do I know which one is legitimate and which one isn't?
Mine is found here: C:\WINDOWS\system32\lsass.exe
That's the correct one, but does it figure in the msconfig Startup tab? If it does, it's not right.
Dshadna
August 21st, 2004, 09:47 AM
Checked the msconfig Startup tab and neither the smss.exe nor the lsass.exe are found there. I'm assuming that means these are the correct ones?
Thanks NooNoo for your prompt reply. I would have replied sooner, but haven't been able to get to my friend's pc to check out what you asked.
NooNoo
August 21st, 2004, 10:04 AM
They are indeed the correct ones if they do not appear in the Startup tab.
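The three tests that settle the smss.exe and lsass.exe question in this thread (the name is spelled exactly right, the file lives in System32, and the name does not appear among the msconfig Startup entries) can be automated. This is an added PowerShell example and not something posted in the thread; it assumes a current Windows host with PowerShell rather than the XP machine discussed, and checks only the Run registry keys behind the Startup tab, not the Startup folders.

```powershell
# Added example, not code from the thread: flag the three warning signs discussed above.
# Run from an elevated PowerShell prompt so the paths of protected processes
# such as smss.exe and lsass.exe are readable.
$coreNames = @('smss.exe', 'lsass.exe')          # the two names debated in the thread; extend as needed
$system32  = Join-Path $env:SystemRoot 'System32'
# Registry locations behind msconfig's Startup tab (Startup folders not covered here).
$runKeys   = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')

function Test-ExtraLetter([string]$name, [string]$core) {
    # True when deleting one character from $name yields $core (smsss.exe -> smss.exe).
    if ($name.Length -ne $core.Length + 1) { return $false }
    for ($i = 0; $i -lt $name.Length; $i++) {
        if ($name.Remove($i, 1) -eq $core) { return $true }
    }
    return $false
}

# 1. Running processes: a core name running outside System32, or a lookalike name.
Get-CimInstance Win32_Process | ForEach-Object {
    $name = $_.Name.ToLower()
    $path = $_.ExecutablePath
    foreach ($core in $coreNames) {
        if ($name -eq $core) {
            if ($path -and -not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
                "SUSPECT path   : $name (PID $($_.ProcessId)) runs from $path, expected $system32"
            }
        } elseif (Test-ExtraLetter $name $core) {
            "SUSPECT name   : $name (PID $($_.ProcessId)) is one letter away from $core; path $path"
        }
    }
}

# 2. Startup entries: a core process name here is what the thread calls 'not right'.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip the registry provider's own metadata
        foreach ($core in $coreNames) {
            if ("$($p.Value)" -match [regex]::Escape($core)) {
                "SUSPECT startup: $key\$($p.Name) = $($p.Value) references $core"
            }
        }
    }
}
```

No output means none of the three signs was found; an empty path on a core process means the prompt was not elevated.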
windrivers.com
Copyright WebMediaBrands Inc., All Rights Reserved.