-
August 5th, 2004, 10:45 AM
#1
Registered User
MidADdle MUST DIE
OK, this will be long, as I'm going to take you step by step through what we've done to try to get MidADdle off my partner's computer.
First, we realized something was wrong on July 31, 2004, when she opened an email from a trusted friend that had an attachment. When she went to send the email to her son, **it hit the fan with her computer: it began popping up 3 and 4 instances of the same window and sending the email 3-4 times to her son. She immediately called him and told him to simply delete any email from her until further notice, and we sent an email from my computer, which hasn't been affected, to let everyone on her email list know to delete all emails from her until further notice.
I began searching to find what could be the problem, and MidADdle jumped out for some reason, so we searched her computer to see if it was on it and found several instances of it. I then began searching for ways to rid her computer of it. Following is the detailed list of what we have done and things we've discovered in the process. We also found these and were able to remove them successfully:
- C:\Program Files\SEP\SEP.dll
- Software\Memory Watcher
- C:\Documents and Settings\sharonbass\Local Settings\Temp\fixit.exe
- C:\Documents and Settings\sharonbass\Local Settings\Temp\middaddle.exe
We began by running her Ad-Aware, and it also found several instances of MidADdle, so we deleted/quarantined them. That, however, did not solve the problem. I again began searching for even more information after realizing that it is malware.
I found these instructions on 2 different sites that were talking specifically about MidADdle, which others said worked for them. It did delete them, temporarily, but it's come back. Here are the step-by-step instructions that I followed.
- Disconnect from the internet.
- Restart Computer
- Run
- Msconfig
- Select Diagnostic Startup
- click ok computer will restart
- Start
- Run
- Regedit
- Select Find
- Type MidADdle and find next
- Delete Files/keys that are specifically MidADdle
- Repeat until all instances are removed
- After deleting all of these, go to
- C:\Program Files\Common Files
- Find MidADdle and delete (sometimes it would let us delete and sometimes it would not)
- Go to start
- Run
- Msconfig
- Normal Startup (hers was in Selective Startup)
These are the things that I found with MidADdle while in the registry.
- HKEY_LOCAL_MACHINE\SOFTWARE\{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D84}
- HKEY_CLASSES_ROOT\CLSID\{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D84}
- HKEY_CLASSES_ROOT\TypeLib: WINAFFILIATE BHO.WINAFFILIATE.IEEXTENS.1
- {E8EAEB34-F7B5-4C55-87FF-7s0FAF53D841}
- C:\Documents and Settings\SharonBass\Local Settings\Temporary Internet\Content.IE5\0v1266v
- C:\Program Files\Common Files\Midaddle\midaddle.dll
- Something about "File Rename" that had midaddle in it, so we deleted it.
- Something about threading with Midaddle and "Apartment" in it, so we deleted it.
We deleted these and then went back into Normal mode. Here is where some fun begins, but we learned something in the process: we found that while in Diagnostic or Safe Mode, these could be deleted. Last night, after making certain that everything concerning MidADdle was off the computer, we turned off her computer; this morning we turned it back on, went straight to Program Files\Common Files, and this is what we found: Midaddle.dll, 116 KB.
At first they reappeared only when she went to Neopets.com or Roadrunner. This morning they reappeared simply when she turned on her computer. She hadn't even gone on the net.
She runs AVG and keeps it updated faithfully. She is using XP's firewall. (This is where we differ: I also use ZoneLabs, and my computer has not been affected by any of this.)
Does anyone have a reliable way to rid her computer of this crap? I've let her know that you all will most likely recommend that she download HijackThis to be able to read what is on her PC, and she's hesitant, but I think she is finally reaching a point where she will allow me to get it set up and run on her computer.
Thanks in advance for all your help.
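An added example, not part of the thread or of any poster's instructions: the regedit "Find" pass in the post above is a keyword search, but the entries it turned up (a CLSID under HKEY_CLASSES_ROOT, a TypeLib, a ProgID-looking name, a "ThreadingModel = Apartment" value and a DLL under Common Files) are the standard COM registration chain of an Internet Explorer Browser Helper Object: the Browser Helper Objects key names a CLSID, HKCR\CLSID\{CLSID}\InProcServer32 names the DLL, and ProgID and TypeLib keys point back at both. The Python below parses a regedit export (what `regedit /e` writes) and turns that chain into a checklist of every key or value that references the CLSID, the ProgID or the DLL path, at value granularity so a shared key such as Run is not deleted wholesale. The .reg text, the CLSID and the vendor and file names in it are constructed placeholders, not values from the thread. One caveat worth stating: a DLL loaded into a running Explorer or Internet Explorer cannot be deleted from disk, which is why the file only went away in Safe or Diagnostic mode; export the hives, close the browser, then work from the list.

```python
"""Resolve a Browser Helper Object (BHO) registration from a regedit export and
list every registry item that refers to it, so a manual clean-up has a complete
checklist instead of a keyword search."""
import re

# Constructed sample of what `regedit /e` produces. The CLSID, names and paths
# are placeholders for illustration, not values taken from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-0000-4000-8000-000000000001}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DEADBEEF-0000-4000-8000-000000000001}]
@="Example IE Extension"

[HKEY_CLASSES_ROOT\CLSID\{DEADBEEF-0000-4000-8000-000000000001}\InProcServer32]
@="C:\\Program Files\\Common Files\\Example\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{DEADBEEF-0000-4000-8000-000000000001}\ProgID]
@="Example.IEExtens.1"

[HKEY_CLASSES_ROOT\Example.IEExtens.1\CLSID]
@="{DEADBEEF-0000-4000-8000-000000000001}"

[HKEY_CLASSES_ROOT\TypeLib\{DEADBEEF-0000-4000-8000-000000000002}\1.0\0\win32]
@="C:\\Program Files\\Common Files\\Example\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleHelper"="rundll32.exe \"C:\\Program Files\\Common Files\\Example\\example.dll\",Run"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes and undo the \\\\ and \\" escapes regedit writes."""
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (string data only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
            data = m.group(2)
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def find_bhos(keys):
    """Map each registered BHO CLSID to its ProgID and the DLL InProcServer32 loads."""
    bhos = {}
    for key in keys:
        if key.startswith(BHO_ROOT + "\\"):
            clsid = key[len(BHO_ROOT) + 1:].split("\\")[0]
            clsid_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid
            bhos[clsid] = {
                "dll": keys.get(clsid_key + "\\InProcServer32", {}).get("(Default)"),
                "progid": keys.get(clsid_key + "\\ProgID", {}).get("(Default)"),
            }
    return bhos


def references(keys, needles):
    """Registry items mentioning any needle: (key, None) when the key path itself
    matches and the whole key can go, (key, value_name) when only one value does."""
    needles = [n.lower() for n in needles if n]
    hits = []
    for key, values in keys.items():
        if any(n in key.lower() for n in needles):
            hits.append((key, None))
            continue
        for name, data in values.items():
            if any(n in f"{name}={data}".lower() for n in needles):
                hits.append((key, name))
    return sorted(hits, key=lambda h: (h[0], h[1] or ""))


def cleanup_plan(reg_text):
    """For each BHO: the DLL to remove and every item to delete once it is unloaded."""
    keys = parse_reg(reg_text)
    plan = {}
    for clsid, info in find_bhos(keys).items():
        info["items"] = references(keys, [clsid, info["dll"], info["progid"]])
        plan[clsid] = info
    return plan


if __name__ == "__main__":
    for clsid, info in cleanup_plan(SAMPLE_REG).items():
        print(f"BHO {clsid}: DLL {info['dll']}, ProgID {info['progid']}")
        for key, value in info["items"]:
            print("  delete:", key if value is None else f"{key} -> value {value!r}")
```

Run it against a real export by replacing SAMPLE_REG with the contents of the file regedit wrote; the ctfmon.exe value in the Run key is deliberately left alone by the value-level matching, which is the difference between cleaning a key and breaking unrelated startup entries.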
-
August 5th, 2004, 10:59 AM
#2
Registered User
OK, I won't disappoint. Download and run HijackThis! Also, she has Ad-Aware, but it's obviously compromised since she has the virus. She should run an online scanner to check for the spyware, since it shouldn't be affected. Then, as much of a pain as it is, she should start installing those wonderful programs from NooNoo's sticky thread. I've only had one virus/trojan/malware not get stopped by the combination of those.
Originally Posted by Dshadna (post #1, quoted in full)
-
August 5th, 2004, 11:30 AM
#3
Registered User
 Originally Posted by Darlid01
OK, I won't disappoint. Download and run HijackThis! Also, she has Ad-Aware, but it's obviously compromised since she has the virus. She should run an online scanner to check for the spyware, since it shouldn't be affected. Then, as much of a pain as it is, she should start installing those wonderful programs from NooNoo's sticky thread. I've only had one virus/trojan/malware not get stopped by the combination of those.
Thank you for your quick answer. I'll have her do those things. We did go to PCPitstop and also the Panda site to scan, and neither one comes up with any virus or spyware. We've tried to download Spybot several times to her computer, but each time it says something about a corrupted file. She's not a happy camper, but hopefully we can help her get happier. I'll write down the list of what's in the sticky and we'll start doing it and see what happens.
-
August 5th, 2004, 12:43 PM
#4
Registered User
Yes, do all that's in NooNoo's sticky post.
As for online scans, you can try:
http://housecall.trendmicro.com/
If nothing else, the online scans will give you more of what could be on that PC.
Don't know what anti-virus you're using, but if you don't have this (AVG):
http://www.grisoft.com/us/us_dwnl7.php
it works great, and it's free.
-
August 5th, 2004, 01:32 PM
#5
Registered User
Switch off System Restore before you start.
In Safe Mode:
Run HijackThis and Spybot.
Also check in Add/Remove Programs and uninstall SEP/Midaddle.
Follow the previous instructions that you've done to get rid of registry entries.
Scrap the MS firewall, it is pants; install ZoneAlarm, it's free FFS, and like yourself I run ZoneAlarm and AVG and I have never, repeat never, gotten anything on my PC.
Good luck. I had fun with this kiddy about a week or so ago and I did the above to get shot of it; so far it hasn't come back.
"Today is a gift, that's why they call it the present"
-
August 5th, 2004, 03:08 PM
#6
Registered User
 Originally Posted by corturbra
Switch off System Restore before you start.
In Safe Mode:
Run HijackThis and Spybot.
Also check in Add/Remove Programs and uninstall SEP/Midaddle.
Follow the previous instructions that you've done to get rid of registry entries.
Scrap the MS firewall, it is pants; install ZoneAlarm, it's free FFS, and like yourself I run ZoneAlarm and AVG and I have never, repeat never, gotten anything on my PC.
Good luck. I had fun with this kiddy about a week or so ago and I did the above to get shot of it; so far it hasn't come back.
OK, I will run all these in Safe Mode (if I can get her computer into Safe Mode again; it's a b**ch to try to get it there). I have run them all in regular mode, but nothing is found. Already removed the SEP/Midaddle from the Control Panel, and it's not come back. I'll try this with System Restore off now, though.
-
August 17th, 2004, 01:54 PM
#7
Hello Dshadna:
It is obvious that your problem is not only midaddle; you have other spybots and viruses running in the background, such as
smsss.exe
s.exe.
You need to get rid of them the same way that you are trying to delete midaddle. It should work.
And so on...
Originally Posted by Dshadna (post #1, quoted in full)
-
August 17th, 2004, 02:47 PM
#8
Registered User
I've already taken care of s.exe.
Did some reading on smss.exe,
and it appears to be a legitimate part of the Windows XP operating system. I'll wait for NooNoo or Hudson to correct me if that is wrong.
smss - smss.exe - Process Information
Process File: smss or smss.exe
Process Name: Session Manager Subsystem
Description: Application that is used to start, manage, and delete user sessions or client sessions under Terminal Server.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A
-
August 17th, 2004, 02:51 PM
#9
Driver Terrier
rihay posted about smsss.exe: an extra s makes ALL the difference. Check the spelling of the file in your processes, Dshadna!!
rihay, thanks for the tip!
-
August 17th, 2004, 03:59 PM
#10
Registered User
 Originally Posted by NooNoo
rihay posted about smsss.exe: an extra s makes ALL the difference. Check the spelling of the file in your processes, Dshadna!!
rihay, thanks for the tip!
This is what he posted in another place where I had been looking for ways to rid the PC of MidADdle. This is why I double-checked what process he was talking about and why I am hesitant to follow his directions.
Dshadna: I took a look @ your log that you posted on windrivers, and it looks like you have several spybots and viruses, not to mention the DAMN midadle.
You're doing everything so far with the instructions, but you keep leaving some of the spybots and viruses out, and that's what keeps bringing midadle back. THESE ARE NOT TO BE RUNNING ON YOUR SYSTEM AT ALL, AND THIS GOES FOR EVERYONE.
smss.exe
lsass.exe
vONA.exe
S.exe
pctspk.exe
wkcalrem.exe
This is what I found by checking http://computercops.biz/sl-100.html
smss.exe--Session Manager Subsystem
Description: Application that is used to start, manage, and delete user sessions or client sessions under Terminal Server. (Legitimate running smss.exe is found in System32 subdirectory)
Mine is found here:C:\WINDOWS\System32\smss.exe
lsass.exe --Local Security Authentication Server
Description: Windows Local Security Authority Server Process handles Windows security mechanisms. It verifies the validity of user logons to your computer or server. Technically, the software generates the process that is responsible for authenticating users for the Winlogon service.
--also found this when searching the computercops startup list.
lsass.exe--Added as a result of the RANDEX.AR VIRUS! Note: this is not the legitimate lsass.exe system file, which should normally NOT figure in Msconfig/Startup!
How do I know which one is legitimate and which one isn't?
Mine is found here: C:\WINDOWS\system32\lsass.exe
vONA.exe --Already taken care of
S.exe--Already taken care of
pctspk.exe--Used for modems based upon PC-TEL chipsets. Normally used for some voice and speakerphone functions and also for some power management options. If you remove it, you may not be able to use any of those functions.
Mine is found here: C:\WINDOWS\System32\pctspk.exe
wkcalrem.exe--Produces a pop-up reminder of events scheduled using the MS Works Calendar
Mine is found here: C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
I just want to be very sure before I do anything else to the PC. I don't want to delete something that is necessary for the running of the PC or for a program we use, such as the Microsoft Works Reminder for the Calendar, which we do use. Maybe I am too cautious, but the PC is running correctly now, and there has been nothing found with Spybot, SpywareBlaster, Ad-Aware or anything else. Please, NooNoo or Hudson, will you double-check the first log that I put in, to be certain for me. I can repost it again if you prefer, but it will take some time to get a new log for posting.
-
August 18th, 2004, 04:06 AM
#11
Driver Terrier
How do I know which one is legimetate and which one isn't?
Mine is found here: C:\WINDOWS\system32\lsass.exe
That's the correct location, but does it figure in the msconfig Startup tab? If it does, it's not right.
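An added example, not from any post in the thread: the checks the last few posts do by hand (is smsss.exe really smss.exe, is lsass.exe loading from System32, does a core system process name show up as an msconfig Startup entry) written as a small Python triage over a process list and a startup list. The sample lists are constructed for illustration; the only names taken from the thread are the process names it discusses. The System32 path defaults to the XP location and is an assumption; pass another directory for a different install. The checks flag impostors and misplaced system binaries, not unknown binaries such as s.exe, which still need a lookup.

```python
"""Triage a process list and a startup list the way the thread does by hand:
look-alike names, core system binaries loaded from the wrong folder, and core
process names that show up as startup entries."""
import ntpath

# Core NT processes: started by the boot chain (smss, winlogon, services.exe),
# always from System32, never via a Run key or the msconfig Startup tab.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Assumed XP default; pass system_dir explicitly for another install.
DEFAULT_SYSTEM_DIR = r"C:\WINDOWS\system32"

# Constructed sample data, as a process viewer and msconfig would show it.
SAMPLE_PROCESSES = [
    ("smss.exe", r"C:\WINDOWS\system32\smss.exe"),
    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    ("smsss.exe", r"C:\WINDOWS\smsss.exe"),
    ("lsass.exe", r"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe"),
    ("pctspk.exe", r"C:\WINDOWS\system32\pctspk.exe"),
]
SAMPLE_STARTUP = [
    ("Reminder", r'"C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe"'),
    ("lsass", r'"C:\Documents and Settings\user\Local Settings\Temp\lsass.exe"'),
    ("PCTVoice", r"C:\WINDOWS\system32\pctspk.exe"),
]


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the core process name this image name imitates, or None."""
    name = name.lower()
    if name in CORE_PROCESSES:
        return None
    for core in CORE_PROCESSES:
        if levenshtein(name, core) == 1:  # smsss.exe / isass.exe style typosquats
            return core
    return None


def _first_token(command):
    """Executable part of a startup command, handling a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_processes(processes, system_dir=DEFAULT_SYSTEM_DIR):
    """processes: (image name, full path) pairs. Returns (name, reason) findings."""
    findings = []
    for name, path in processes:
        low = name.lower()
        core = lookalike(low)
        if core:
            findings.append((name, f"name imitates {core}"))
        folder = ntpath.dirname(path)
        if low in CORE_PROCESSES and folder.lower() != system_dir.lower():
            findings.append((name, f"core process running from {folder}"))
    return findings


def triage_startup(entries):
    """entries: (entry name, command) pairs from Run keys or msconfig Startup."""
    findings = []
    for entry, command in entries:
        exe = ntpath.basename(_first_token(command)).lower()
        if exe in CORE_PROCESSES:
            findings.append((entry, f"{exe} must never be a startup entry"))
        elif lookalike(exe):
            findings.append((entry, f"{exe} imitates {lookalike(exe)}"))
    return findings


if __name__ == "__main__":
    for name, reason in triage_processes(SAMPLE_PROCESSES):
        print(f"process {name}: {reason}")
    for entry, reason in triage_startup(SAMPLE_STARTUP):
        print(f"startup {entry}: {reason}")
```

The legitimate entries in the sample (pctspk.exe from System32, the Works calendar reminder) produce no findings, which is the point of checking path and spelling rather than deleting anything whose name appears on a list.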