WinDrivers Computer Tech Support Forums
Spyware & Antivirus - Security: Discuss all system security, spyware, adware and malware issues here.
August 5th, 2004, 11:45 AM   #1
Dshadna (Registered User; Join Date: Jun 2004; Location: ~Somewhere In Time~; Posts: 30)
MidADdle MUST DIE

OK, this will be long, as I'm going to take you step by step through what we've done to try to get MidADdle off of my partner's computer.

First, we realized something was wrong on July 31, 2004 when she opened an email from a trusted friend that had an attachment. When she went to send the email to her son, **it hit the fan with her computer and it began popping up 3 and 4 instances of the same window and sending the email 3-4 times to her son. She immediately called him and told him to simply delete any email from her until further notice, and we sent an email from my computer, which hasn't been affected, to let everyone on her email list know to delete all emails from her until further notice.

I began searching to find what could be the problem and MidADdle jumped out for some reason, so we searched her computer to see if it was on it and found several instances of it. I then began searching for ways to rid her computer of it. Following is the detailed list of what we have done and things we've discovered in the process. We also found these and were able to remove them successfully.
  1. Program Files/SEP/SEP.dll
  2. Software/Memory Watcher
  3. C: Documentandsettings/sharonbass/localsettings/temp/fixit.exe
  4. Docummentandsettings/sharonbass/localsettings/temp/middaddle.exe
We began by running her Ad-Aware and it also found several instances of MidADdle, so we deleted/quarantined them. That, however, did not solve the problem. I again began searching for even more information after realizing that it is malware.

I found these instructions on 2 different sites that were talking specifically about MidADdle, which others said worked for them. It did delete them, temporarily, but it's come back. Here are the step-by-step instructions that I followed.
  1. Disconnect from the internet.
  2. Restart computer.
  3. Start, Run.
  4. Msconfig.
  5. Select Diagnostic Startup.
  6. Click OK; the computer will restart.
  7. Start.
  8. Run.
  9. Regedit.
  10. Select Find.
  11. Type MidADdle and Find Next.
  12. Delete files/keys that are specifically MidADdle.
  13. Repeat until all instances are removed.
  14. After deleting all of these, go to
  15. C:\Program Files\Common Files
  16. Find MidADdle and delete it (sometimes it would let us delete it and sometimes it would not).
  17. Go to Start.
  18. Run.
  19. Msconfig.
  20. Normal Startup (hers was in Selective Startup).
These are the things that I found with MidADdle while in the registry.
  • HKEY_LocalMachines.software/{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D84}
  • HKEY_Classes_ROOT:CLSID\{E8EAEB34-F7B5-4C55-87FF-7s0FAF53D84}
  • HKEY_CLASSES_ROOT:TYPELIB WINAFFILIATE BHO.WINAFFILIATE.IEEXTENS.1
  • {E8EAEB34-F7B5-4C55-87FF-7s0FAF53D841}
  • C: Documents and SEtting/SharonBass/Local Setting/Temporary INternet/Content.ie5/0v1266v
  • C:Program files/common files/Midaddle/midaddle.dll
  • Something about File Rename that had midaddle in it, so we deleted it.
  • Something about Threading with Midaddle and apartment in it, so we deleted it.
We deleted these and then went back into normal mode. Here is where some fun begins, but we learned something in the process. We found that while in Diagnostic or Safe Mode, these could be deleted. Last night, after making certain that all things concerning MidADdle were off the computer, we turned off her computer; this morning we turned it back on, went straight to Program Files/Common Files, and this is what we found: Midaddle.dll, 116KB.

They at first reappeared only when she went to Neopets.com or Roadrunner. This morning they reappeared simply when she turned on her computer. She hadn't even gone on the net.

She runs AVG and keeps it updated faithfully. She is using XP's firewall. (This is where we differ: I also use ZoneLabs, and my computer has not been affected by any of this.)

Does anyone have a reliable way to rid her computer of this crap? I've let her know that you all will most likely recommend that she download HijackThis to be able to read what is on her PC, and she's hesitant, but I think she is finally reaching a point where she will allow me to get it set up and run on her computer.

Thanks in advance for all your help.
August 5th, 2004, 11:59 AM   #2
Darlid01 (Registered User; Join Date: Jun 2004; Posts: 26)
OK, I won't disappoint. Download and run HijackThis! Also, she has Ad-Aware, but it's obviously compromised since she has the virus. She should run an online scanner to check for the spyware, since it shouldn't be affected. Then, as much of a pain as it is, she should start installing those wonderful programs from NooNoo's sticky thread. I've only had one virus/trojan/malware not get stopped by the combination of those.

August 5th, 2004, 12:30 PM   #3
Dshadna (Registered User; Join Date: Jun 2004; Location: ~Somewhere In Time~; Posts: 30)
Quote:
Originally Posted by Darlid01
OK, I won't disappoint. Download and run HijackThis! Also, she has Ad-Aware, but it's obviously compromised since she has the virus. She should run an online scanner to check for the spyware, since it shouldn't be affected. Then, as much of a pain as it is, she should start installing those wonderful programs from NooNoo's sticky thread. I've only had one virus/trojan/malware not get stopped by the combination of those.
Thank you for your quick answer. I'll have her do those things. We did go to PCPitstop and also the Panda site to scan, and neither one comes up with any virus or spyware. We've tried to download Spybot several times to her computer, but each time it says something about a corrupted file. She's not a happy camper, but hopefully we can help her get happier. I'll write down the list of what's in the sticky and we'll start doing it and see what happens.
August 5th, 2004, 01:43 PM   #4
GrandDad (Registered User; Join Date: Apr 2001; Location: Ft. Leonard Wood; Posts: 2,112)
Yes, do all that's in NooNoo's sticky post.

As for online scans, you can try:
http://housecall.trendmicro.com/

If nothing else, the online scans will give you more of what could be on that PC.

Don't know what anti-virus you're using, but if you don't have this (AVG):
http://www.grisoft.com/us/us_dwnl7.php

it works great, and it's free.
__________________
"you can Log out - but you can never leave" : DMO
What part of WOOF don't you understand ? Wolf
-----------------------------------
(Sergeant) Private Military Strategy Consultant
FormatAndReload.com
August 5th, 2004, 02:32 PM   #5
corturbra (Registered User; Join Date: Oct 2000; Location: Just to the Right of Sanity..; Posts: 1,422)
Switch off System Restore before you start.

In Safe Mode:
Run HijackThis and Spybot.
Also check in Add/Remove Programs and uninstall SEP/Middadle.
Follow the previous instructions that you've done to get rid of the registry entries.

Scrap the MS firewall, it is pants; install ZoneAlarm, it's free FFS, and like yourself I run ZoneAlarm and AVG and I have never, repeat never, gotten anything on my PC.

Good luck. I had fun with this kiddy about a week or so ago and I did the above to get shot of it; so far it hasn't come back.
__________________
"Today is a Gift, thats why they call it the present"
August 5th, 2004, 04:08 PM   #6
Dshadna (Registered User; Join Date: Jun 2004; Location: ~Somewhere In Time~; Posts: 30)
Quote:
Originally Posted by corturbra
Switch off System Restore before you start.

In Safe Mode:
Run HijackThis and Spybot.
Also check in Add/Remove Programs and uninstall SEP/Middadle.
Follow the previous instructions that you've done to get rid of the registry entries.

Scrap the MS firewall, it is pants; install ZoneAlarm, it's free FFS, and like yourself I run ZoneAlarm and AVG and I have never, repeat never, gotten anything on my PC.

Good luck. I had fun with this kiddy about a week or so ago and I did the above to get shot of it; so far it hasn't come back.
OK, I will run all these in Safe Mode (if I can get her computer into Safe Mode again; it's a b**ch to try to get it there). I have run them all in regular mode but nothing is found. Already removed the SEP/Middadle from the Control Panel and it's not come back. I'll try this with System Restore off now, though.
August 5th, 2004, 04:10 PM   #7
Dshadna (Registered User; Join Date: Jun 2004; Location: ~Somewhere In Time~; Posts: 30)
Had to put it into 2 different posts, as it was too long for one.

Logfile of HijackThis v1.97.7
Scan saved at 2:55:53 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\docume~1\sharon~1\locals~1\temp\vONa.exe
C:\documents and settings\sharon bass\local settings\temp\S.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sharon Bass\My Documents\Downloaded Programs for PC\HijackThis.exe
August 5th, 2004, 04:11 PM   #8
Dshadna (Registered User; Join Date: Jun 2004; Location: ~Somewhere In Time~; Posts: 30)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [vONa] C:\docume~1\sharon~1\locals~1\temp\vONa.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [S] C:\documents and settings\sharon bass\local settings\temp\S.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Compaq VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.1682291667
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio4.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

August 5th, 2004, 04:20 PM   #9
hudsonsmith (Registered User; Join Date: Feb 2003; Location: New York; Posts: 2,276)
These are bad:
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O4 - HKLM\..\Run: [vONa] C:\docume~1\sharon~1\locals~1\temp\vONa.exe
O4 - HKLM\..\Run: [S] C:\documents and settings\sharon bass\local settings\temp\S.exe

Boot into Safe Mode and run HijackThis again. Kill the registry entries and delete the files as well.
__________________
Probability factor of one to one...we have normality, I repeat we have normality. Anything you still can't cope with is therefore your own problem.
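The four entries hudsonsmith singled out share two traits a reviewer looks for in a HijackThis log: O2 BHO lines whose DLL is gone ("(no file)" / "(file missing)", i.e. a half-removed or orphaned browser helper) and O4 Run entries that launch something out of a user's temp folder under a short random name. The script below is an added example written for this thread, not anything posted by the participants or shipped with HijackThis: it parses the O2/O4 line formats as they appear in the log above and applies those two heuristics plus the "very short autorun name" one. The sample lines are copied from the posted log with two benign entries added for contrast; the flagging rules are assumptions of this example, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: O2/O4 lines taken from the HijackThis log posted in this
# thread, plus the AVG and TeaTimer autoruns as benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O4 - HKLM\..\Run: [vONa] C:\docume~1\sharon~1\locals~1\temp\vONa.exe
O4 - HKLM\..\Run: [S] C:\documents and settings\sharon bass\local settings\temp\S.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# O2: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O4: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O4 lines that trip at least one heuristic, with the reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []

        bho = O2_RE.match(line)
        if bho:
            path = bho.group("path").strip()
            # A BHO still registered in CLSID/Browser Helper Objects but whose
            # DLL is gone is either leftover from a partial removal or waiting
            # to be re-dropped; either way it should be fixed.
            if path == "(no file)" or path.endswith("(file missing)"):
                reasons.append("BHO registered but its DLL is absent")

        run = O4_RE.match(line)
        if run:
            cmd = run.group("cmd")
            name = run.group("name")
            # Legitimate software installs under Program Files or System32;
            # an autorun that lives in a temp directory is almost never benign.
            if "\\temp\\" in cmd.lower():
                reasons.append("autorun launches a program from a temp directory")
            # Short, random-looking value names (vONa, S) are typical of droppers.
            if len(name) <= 4 and name.isalnum():
                reasons.append("autorun value name is very short/random-looking")

        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Running it over the sample prints the same four lines hudsonsmith listed and leaves the AVG and TeaTimer entries alone. The heuristics are deliberately narrow; a real log also needs the O16 DPF and R0/R1 lines looked at, which the thread's helpers did by eye.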
August 5th, 2004, 04:25 PM   #10
Darlid01 (Registered User; Join Date: Jun 2004; Posts: 26)
Yep, you have pretty much neutered MidADdle, but you now have W97M.Gogaru.A
http://securityresponse.symantec.com....gogaru.a.html

I don't recognise the vONa.exe

Quote:
Originally Posted by hudsonsmith
These are bad:
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll (file missing)
O4 - HKLM\..\Run: [vONa] C:\docume~1\sharon~1\locals~1\temp\vONa.exe
O4 - HKLM\..\Run: [S] C:\documents and settings\sharon bass\local settings\temp\S.exe

Boot into Safe Mode and run HijackThis again. Kill the registry entries and delete the files as well.
August 5th, 2004, 05:17 PM   #11
NooNoo (Driver Terrier; Join Date: Dec 2000; Location: UK; Posts: 31,622)
Someone has been porn surfing:
C:\docume~1\sharon~1\locals~1\temp\vONa.exe
C:\documents and settings\sharon bass\local settings\temp\S.exe

Kill both of them
__________________
Never, ever approach a computer saying or even thinking "I will just do this quickly."
August 5th, 2004, 07:56 PM   #12
Dshadna (Registered User; Join Date: Jun 2004; Location: ~Somewhere In Time~; Posts: 30)
Quote:
Originally Posted by NooNoo
Someone has been porn surfing:
C:\docume~1\sharon~1\locals~1\temp\vONa.exe
C:\documents and settings\sharon bass\local settings\temp\S.exe

Kill both of them
There are only two of us who use either computer and neither of us has ever porn surfed. I will kill both of those immediately.

Thank you all.

After doing this I will post the new HJT Log.
August 5th, 2004, 09:54 PM   #13
Dshadna (Registered User; Join Date: Jun 2004; Location: ~Somewhere In Time~; Posts: 30)
Quote:
Originally Posted by Dshadna
There are only two of us who use either computer and neither of us has ever porn surfed. I will kill both of those immediately.

Thank you all.

After doing this I will post the new HJT Log.
Allow me to ask a stupid question before I mess anything up.

Exactly HOW do you "KILL PROCESS" with HJT? Please give step-by-step instructions as if I were a dunce. I want to be certain I don't do something wrong.

I think I know how, but would much rather have you all tell me exactly what to do.

Thanks, y'all.
D
August 6th, 2004, 07:18 AM   #14
hudsonsmith (Registered User; Join Date: Feb 2003; Location: New York; Posts: 2,276)
You are trying to delete the file itself, as well as the registry references to it. Before you can do that, you have to stop it from running. You can either boot into safe mode, which bypasses the list of programs scheduled to run at startup, or you can go into task manager, find the process, and click the end process button.

After you have done that, you would go into HijackThis, check the boxes next to the items you want to remove, and click the Fix Checked button. Then browse the directory to find the actual files and delete them.
__________________
Probability factor of one to one...we have normality, I repeat we have normality. Anything you still can't cope with is therefore your own problem.
August 6th, 2004, 04:41 PM   #15
Dshadna (Registered User; Join Date: Jun 2004; Location: ~Somewhere In Time~; Posts: 30)
Quote:
Originally Posted by hudsonsmith
You are trying to delete the file itself, as well as the registry references to it. Before you can do that, you have to stop it from running. You can either boot into safe mode, which bypasses the list of programs scheduled to run at startup, or you can go into task manager, find the process, and click the end process button.

After you have done that, you would go into HijackThis, check the boxes next to the items you want to remove, and click the Fix Checked button. Then browse the directory to find the actual files and delete them.
Thank you, that was exactly what I needed to know. I took the time last night to be certain that I wrote everything down exactly, so that this morning I could get to it when I was refreshed and not stressing out. It took about 2 hours of searching the registry, and then searching for all files related to everything you all recommended be shut down. I made sure before doing anything that I was certain of what I was doing. I found the [S] and [vONa] files almost immediately and was able to get them out, and then find any files they were hidden in. I also checked with "dates created" to be certain, because I had a relatively vague idea of when the problems appeared to start.

I've now got it all cleared off the PC and restarted the computer. The one problem I had was that MidADdle kept unchecking itself in SpywareBlaster, so I've told my partner to make certain when she turns her PC on to go immediately to that program and make certain that everything is checked and protected against. The other thing, and you all can tell me if it's a problem or not, is that when I took the computer out of Safe Mode (diagnostic) and let it restart, it went straight to Selective Startup rather than Normal Startup. It appears to be running just fine this way, and in fact is where it was when this all began, but without all the programs that you all recommended.

We've now got Spybot installed (had to exclude WildTangent from the search or the thing wouldn't work; which reminds me, we now are getting an error report about a DLL for WT missing whenever the computer starts... any recommendations or suggestions?). We've also got ZoneLabs installed and we're slowly getting it configured to where it won't appear to be so intrusive. Also with Spybot, we did the "TeaTimer" thingie. I've been running it for some time and haven't experienced any problems that I'm aware of. When we installed the firewall, we had to restart the PC and I had her immediately go to SpywareBlaster and see if MidADdle was checked or unchecked; this time it stayed checked. I had her select all and protect again just to be certain. We went to Common Files to see if the folder was back with MidADdle and it was finally gone. We went to Neopets and Roadrunner and then went to check, and no problems. It appears at this time that all of your suggestions and such may have done the trick this time.

So once again, a big Southern THANK Y'ALL for your hard work and your patience with us as we solved this problem. I'm sure that I'll be back again, as you've helped me with some other problems and I have NO complaints.