MidADdle MUST DIE

  1. #1
    Registered User Dshadna's Avatar
    Join Date
    Jun 2004
    Location
    ~Somewhere In Time~
    Posts
    30
    Quote Originally Posted by hudsonsmith
    You are trying to delete the file itself, as well as the registry references to it. Before you can do that, you have to stop it from running. You can either boot into safe mode, which bypasses the list of programs scheduled to run at startup, or you can go into task manager, find the process, and click the end process button.

    After you have done that, you would go into hijack, check the boxes next to the items you want to remove, and click the fix checked button. Then browse the directory to find the actual files and delete them.
    Thank you, that was exactly what I needed to know. I took the time last night to be certain that I wrote everything down exactly so that this morning I could get to it when I was refreshed and not stressing out. It took about 2 hours of searching the registry, and then searching for all files related to everything you all recommended be shut down. I made sure before doing anything that I was certain of what I was doing. I found the [s] and [vONa] files almost immediately and was able to get them out and then find any files they were hidden in. I also checked with "dates created" to be certain, because I had a relatively vague idea of when problems appeared to start.

    I've now got it all cleared off the pc and restarted the computer. The one problem I had was that midaddle kept unchecking itself in the spyblasters, so I've told my partner to make certain when she turns her pc on to go immediately to that program and make certain that everything is checked and protect against them. The other thing, and you all can tell me if it's a problem or not is that when I took the computer out of safe mode (diagnostic) and let it restart; it went straight to selective startup rather than Normal startup. It appears to be running just fine this way and in fact is where it was when this all began; but without all the programs that you all recommended.

    We've now got spybot installed (had to exclude wild tangent from the search or the thing wouldn't work). (Which reminds me; we now are getting an error report about a dll for WT missing whenever the computer starts.....any recommendations or suggestions?) We've also got zonelabs installed and we're slowly getting it configured to where it won't appear to be so intrusive. Also with spybots, we did the "Teatimer" thingie. I've been running it for some time and haven't experienced any problems that I'm aware of. When we installed the firewall, we had to restart the pc and I had her immediately go to spyblasters and see if midADdle was checked or unchecked; this time it stayed checked. I had her select all and protect again just to be certain. We went to common files to see if the folder was back with MidADdle and it was finally gone. We went to Neopets and Roadrunner and then went to check and no problems. It appears at this time that all of your suggestions and such may have done the trick this time.

    So once again. A big Southern THANK YA'LL for your hard work and your patience with us as we solved this problem. I'm sure that I'll be back again as you've helped me with some other problems and I have NO complaints.

  2. #2
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    wt.dll looks like it's a leftover. I found no information about it.

    Search the registry for reference to it and remove the key if found. Also start, run, type in sysedit and check in win.ini for references there.

  3. #3
    Registered User Dshadna's Avatar
    Join Date
    Jun 2004
    Location
    ~Somewhere In Time~
    Posts
    30
    Quote Originally Posted by NooNoo
    wt.dll looks like it's a leftover. I found no information about it.

    Search the registry for reference to it and remove the key if found. Also start, run, type in sysedit and check in win.ini for references there.
    Thank you NooNoo. Will do. I appreciate all the help from everyone. It's been 24 hours and so far no more midaddle. I believe we've finally gotten rid of it and protected (I HOPE) from it.

    D

  4. #4
    Driver Terrier NooNoo's Avatar
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824

  5. #5
    Registered User Dshadna's Avatar
    Join Date
    Jun 2004
    Location
    ~Somewhere In Time~
    Posts
    30

    Something is back with a vengeance

    Quote Originally Posted by NooNoo
    Posting new HJT log. Something hit her pc again and with a vengeance. We found nothing of midaddle, but I will express which thing hit me as being wrong on the HJT log that I ran before going into safe mode. It's not the same as what shows up when I ran it in safe mode. I'll post both so you all can see.

    This is the log before safe mode:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:17:50 AM, on 8/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQInet.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Documents and Settings\Sharon Bass\My Documents\Downloaded Programs for PC\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Compaq VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    Last edited by NooNoo; August 10th, 2004 at 02:18 PM.

  6. #6
    Registered User Dshadna's Avatar
    Join Date
    Jun 2004
    Location
    ~Somewhere In Time~
    Posts
    30
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.1682291667
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio4.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

    The O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize is the one that just doesn't seem right. All she did was go on her computer, go to neopets to log in and hit the s button to type in her name and everything began popping up, computer started going into standby and wouldn't turn off. I got her off the net, managed to get the system restore off (pain in the arse it was), and then got her into safe mode. She has Zonelabs, spyblaster, Adaware, Spybot all running. Any ideas?
    Last edited by NooNoo; August 10th, 2004 at 02:21 PM.

  7. #7
    Registered User Dshadna's Avatar
    Join Date
    Jun 2004
    Location
    ~Somewhere In Time~
    Posts
    30
    Something else to mention.

    About the same time that the Midaddle showed up, when we are starting the pc it has a black screen has a line that looks like it is loading something up began. Now one thing I can remember is that happened right after an electrical storm. This was not happening for the last 3 years that she has owned the pc but only this short amount of time in the last 2-3 weeks or so. I don't know if it is relevant, but felt I should mention it. Also, it pops up something about initializing something, but it never stays up long enough to see just what it is trying to initialize. This too has not always been and began about the same time as the Midaddle crap showed up.


    Any help is appreciated. I wish there was something I could do to help you all as much as you've been helping me.
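
An added example, not part of any post in this thread and not HijackThis's own code: the sketch below parses the `O4 - HKxx\..\Run` lines of a log in the format posted in #5 and lists the autorun entries whose target is given without a full path, which is what sets the `NvCplDaemon` line questioned in #6 apart from most of its neighbours. For `rundll32` entries it reports the DLL argument, since that is the code that actually loads. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the HijackThis v1.97.7 layout, built from entries quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
"""

# "O4 - HKLM\..\Run: [value name] command line"
RUN_ENTRY = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
# rundll32 <dll>,<export> [args], with or without quotes and a leading directory
RUNDLL = re.compile(r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+("[^"]+"|[^,\s]+),\s*(\S+)', re.I)
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_run_entries(log_text):
    """Return one dict per O4 registry Run entry found in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_ENTRY.match(line.strip())
        if not m:
            continue  # BHOs, Startup-folder shortcuts and other sections are skipped
        hive, key, name, cmd = m.groups()
        host = RUNDLL.match(cmd)
        # For rundll32 the code that runs is the DLL argument, not rundll32 itself.
        target = host.group(1).strip('"') if host else cmd
        entries.append({
            "hive": hive, "key": key, "name": name, "target": target,
            "export": host.group(2) if host else None,
            # True when Windows has to find the file through its search path.
            "search_path": not ABS_PATH.match(target.lstrip('"')),
        })
    return entries


def names_to_review(entries):
    """Value names whose target carries no drive-qualified path."""
    return [e["name"] for e in entries if e["search_path"]]


if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_LOG):
        print(e["hive"], e["name"], "->", e["target"], "REVIEW" if e["search_path"] else "")
```

A bare name is not a verdict on the entry; it only means the next step is to find which file on disk that name resolves to and check that file.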
