August 7th, 2004, 05:36 AM
#16
Driver Terrier
wt.dll looks like its a leftover. I found no information about it.
Search the registry for reference to it and remove the key if found. Also start, run, type in sysedit and check in win.ini for references there.
-
August 7th, 2004, 11:24 AM
#17
Registered User
 Originally Posted by NooNoo
wt.dll looks like its a leftover. I found no information about it.
Search the registry for reference to it and remove the key if found. Also start, run, type in sysedit and check in win.ini for references there.
Thank you NooNoo. Will do. I appreciate all the help from everyone. It's been 24 hours and so far no more midaddle. I believe we've finally gotten rid of it and protected (I HOPE) from it.
D
-
August 7th, 2004, 12:43 PM
#18
Driver Terrier
-
August 10th, 2004, 11:02 AM
#19
Registered User
Something is back with a vengeance
Posting new HJT log. Something hit her pc again and with a vengeance. We found nothing of midaddle, but I will express which thing hit me as being wrong on the HJT log that I ran before going into safe mode. It's not the same as what shows up when I ran it in safe mode. I'll post both so you all can see.
This is the log before safe mode:
Logfile of HijackThis v1.97.7
Scan saved at 10:17:50 AM, on 8/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Sharon Bass\My Documents\Downloaded Programs for PC\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Compaq VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
Last edited by NooNoo; August 10th, 2004 at 02:18 PM.
-
August 10th, 2004, 11:02 AM
#20
Registered User
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196a.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.1682291667
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio4.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
The O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize is the one that just doesn't seem right. All she did was go on her computer, go to neopets to log in and hit the s button to type in her name and everything began popping up, computer started going into standby and wouldn't turn off. I got her off the net, managed to get the system restore off (pain in the arse it was) and then got her into safe mode. She has Zonelabs, spyblaster, Adaware, Spybot all running. Any ideas?
Last edited by NooNoo; August 10th, 2004 at 02:21 PM.
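An added example for readers triaging a log like the one above (this is not HijackThis code and not from anyone in the thread): a small offline Python script that parses the O4 Run and O16 DPF lines and reports the two things worth looking at first. The sample lines are copied verbatim from the log posted above; the vendor allowlist for O16 hosts is an assumption and should be edited for the machine at hand.

```python
"""Triage a HijackThis log offline.

Added example for this thread, not code from HijackThis or from anyone in it.
The sample lines are copied from the log posted above; the vendor allowlist
for O16 entries is an assumption and should be edited for the machine at hand.
"""
import re
from urllib.parse import urlparse

# Lines copied from the log in this thread (a subset is enough to exercise each rule).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio4.cab
"""

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<ident>.+?) - (?P<url>\S+)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption: hosts this owner is happy to have serving ActiveX controls to IE.
TRUSTED_DPF_HOSTS = ("yahoo.com", "yimg.com", "macromedia.com", "microsoft.com",
                     "trendmicro.com", "pandasoftware.com", "msn.com")


def first_token(cmd):
    """Split a Run value into its first argument and the remainder, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def launched_image(cmd):
    """The file Windows actually resolves for this Run value.

    For rundll32 the interesting file is the DLL argument, not rundll32 itself,
    and the ",EntryPoint" suffix is dropped ("NvQTwk,NvCplDaemon" -> "NvQTwk").
    """
    exe, rest = first_token(cmd)
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
        dll, _ = first_token(rest)
        return dll.split(",", 1)[0]
    return exe


def unqualified_run_entries(log_text):
    """O4 Run values whose image carries no absolute path.

    Windows resolves these through the search path, so whichever same-named
    file is found first (a leftover, or a file planted earlier in the path)
    is what runs at logon.  Each one deserves a full-path lookup on the box.
    """
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line)
        if m is None:
            continue
        image = launched_image(m["cmd"])
        if not ABS_PATH_RE.match(image):
            hits.append((m["name"], image))
    return hits


def dpf_controls_to_review(log_text, trusted=TRUSTED_DPF_HOSTS):
    """O16 entries (downloaded ActiveX controls) served from a host outside the allowlist.

    The decision is made on the URL's host, never on vendor names in the path:
    a CDN URL such as a840.g.akamai.net/.../housecall.trendmicro.com/... is
    reported even though "trendmicro.com" appears later in it.
    """
    review = []
    for line in log_text.splitlines():
        m = O16_RE.match(line)
        if m is None:
            continue
        host = (urlparse(m["url"]).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in trusted):
            continue
        clsid = CLSID_RE.search(m["ident"])
        review.append((clsid.group(1) if clsid else m["ident"], host, m["url"]))
    return review


def missing_urlsearchhook(log_text):
    """True when HJT reports the default IE URLSearchHook as absent (the R3 line above)."""
    return any(line.strip() == "R3 - Default URLSearchHook is missing"
               for line in log_text.splitlines())


if __name__ == "__main__":
    for name, image in unqualified_run_entries(SAMPLE_LOG):
        print("O4 without a full path:", name, "->", image)
    for clsid, host, _url in dpf_controls_to_review(SAMPLE_LOG):
        print("O16 to review:", clsid, "from", host)
    if missing_urlsearchhook(SAMPLE_LOG):
        print("R3: default URLSearchHook missing")
```

On the log above this reports pctspk.exe, NvQTwk and Logi_MwX.Exe as Run values with no path (the NvCplDaemon line the poster singled out is one of them), and lists the two O16 controls whose host is not on the allowlist. A hit means "go and look", not "malicious": the next step is finding which file the name actually resolves to and where it came from.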
-
August 10th, 2004, 11:16 AM
#21
Registered User
Something else to mention.
About the same time that the Midaddle showed up, when we start the pc, a black screen with a line that looks like it is loading something up began appearing. Now one thing I can remember is that happened right after an electrical storm. This was not happening for the last 3 years that she has owned the pc but only this short amount of time in the last 2-3 weeks or so. I don't know if it is relevant, but felt I should mention it. Also, it pops up something about initializing something, but it never stays up long enough to see just what it is trying to initialize. This too has not always been and began about the same time as the Midaddle crap showed up.
Any help is appreciated. I wish there was something I could do to help you all as much as you've been helping me.
-
August 10th, 2004, 02:25 PM
#22
Driver Terrier
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize - you have an nvidia card, this is a startup option. You can remove it and start it manually when needed.
Other than that, I don't see anything there that's a problem. PS that blue hurts my eyes, please don't bother colouring the text - thanks.
What do the popups say? Are they advertisements?
Wildtangent could be the cause.
-
August 10th, 2004, 02:57 PM
#23
Registered User
I apologize for the coloured text, I didn't realize it would stay that way. I copied and pasted from the email we sent from Shad's pc to mine and just hit enter and all. Wasn't thinking about it. I'll try to remember.
The popups are that it's opening the same page we're on over 15 times or more. It does it for about 10 minutes, if we can't get the pc to shut down right. It will open up that many instances of HJT and Spybot, if we accidentally scroll over the programs and all. If we accidentally scroll over Log out while trying to get the pc to shut down, it sets the pc into standby mode. It takes patience and a steady hand to get it to let us get to where we need to get the pc to boot properly. I did manage to get into system restore to turn it off. I managed finally to get into safe mode and run the Spybot and HJT, and to check for files and anything related to Midaddle....and the registry, but made no changes.
Once I can get the pc to boot properly at least twice, then it doesn't seem to have the same problem. Until we go back on the internet on any page. Then it does it again. We're completely stumped.
One thing I can say is that someone she trusts sent her an email yesterday with an attachment, and she immediately went in and deleted it without opening it and then emptied the delete bin in Outlook Express. That was the last thing she did before turning off the computer. She got on this morning and went to Neopets and this all began again. Coincidence?
Nothing about Midaddle shows up again. No virus or anything shows up when the virus scan is run, spyware blaster shows it's protecting against everything and Spybot and Adaware show nothing (except spybot shows the DOS exploit which I've been reading about and we are up-to-date on everything so we're leaving that one alone). Two online virus scanners show nothing either.
I'll wait for a response to see what you think we should look into next.
Thanks NooNoo.
-
August 10th, 2004, 10:17 PM
#24
Registered User
It's been suggested by some people I know who have had problems similar to ours that we should consider reformatting the hard drive. Is setting it back to factory setting the same as reformatting the hard drive?
My question is: We have the compaq Restore CD to take it back to factory settings. We have the cd for the optical wireless mouse, the CD burning, the ATI Video card. What else would we need, and where would I find it? I've done the google search and am more confused now than when I began looking.
(We also have the cd's for some of the programs we've added to her pc like Solitaire 3 and Everquest. We know that EQ will take almost 20 hours to reinstall, so we're prepared for that. I have the web addys for all the programs you all recommended, so those can be restored with little problem. We know that any documents or pics need to be saved before even considering this).
Would setting it to factory settings erase the problem altogether? Does the CD Restore disc also contain the windows xp home that was on the computer when we first got it? We never had a disc for Windows xp home with her Compaq. Should we even consider this as an option?
If we do this, what do I need to know?
I've reached the end of my rope on this and just need to know what I should do. I'm frustrated and aggravated that this has happened again. Why do people do things like this to ruin other people's pc's? What possible reason is good enough for their maliciousness?
-
August 11th, 2004, 07:37 AM
#25
Driver Terrier
What possible reason is good enough for their maliciousness?
In short, money. The current problems with this sort of malware are about selling information or advertising. A good old fashioned trojan was thievery - clever, hidden, and designed to just steal personal information. They are both about control.
OK to compaq - depending on the model, compaqs have a quick restore - which is just an install-over type thing, it is non destructive of the data. All compaqs have the full restore which is destructive and (all things being equal) should take care of the problem.
Post your full compaq model - lets see what is available at compaq.com for it.
Also have you installed spybot teatimer utility? Set spybot to block bad pages? These can be enormously useful. If you have a firewall such as zone alarm, it can be set to ask for every program accessing the internet - pretty soon whatever is causing your headache will show itself there.
It's up to you - you want to back up every thing and wipe or track the little bugger down and blast it?
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
August 11th, 2004, 12:43 PM
#26
Registered User
I'd rather track the bugger down and annihilate it.
Compaq Presario 5320US
Compaq P/N 470022-354 UPC 720591134747
We replaced the nVidia Vanta Graphics card with a Radeon 7000 Series card over a year ago. Everything else is the same, except we now have a Logitech Wireless Optical mouse for the pc.
It has a 10/100 Ethernet Networking Card in it also.
Not sure what else you need to know, but I have a printout we did when we first got the pc of what's on it and I've handwritten notes of what's been replaced.
Also have you installed spybot teatimer utility? Set spybot to block bad pages? These can be enormously useful. If you have a firewall such as zone alarm, it can be set to ask for every program accessing the internet - pretty soon whatever is causing your headache will show itself there.
Yes, we installed the Teatimer and have it set to block bad pages. We have the ZoneAlarm Firewall asking permission for everything to the point that Shad is getting fed up with but will live with it to get this taken care of.
Thanks NooNoo for being so patient and for being willing to help us.
Edit to ask a question from Shad:
Could it be that the electrical storm we had that caused a power surge may have done some damage to the pc? We have very good surge protectors on both pc's, but are concerned that may be a problem. Also, could the storm have caused a problem with the keyboard? She's had problems with the factory sent keyboard since she got the pc in Dec 2001. Sometimes when booting up it says the keyboard isn't there and it is attached, no loose connection or anything.
Last edited by Dshadna; August 11th, 2004 at 12:51 PM.
-
August 11th, 2004, 12:47 PM
#27
Registered User
Try running sfc /scannow. It will check if any of your system files are corrupt or have been replaced.
-
August 11th, 2004, 12:52 PM
#28
Registered User
What is sfc /scannow?
Where do I find it to run it?
Thanks Hudson
Edit:
I found out what it is by doing a google. Now I just need to know how to find it to run it.
Last edited by Dshadna; August 11th, 2004 at 12:58 PM.
-
August 11th, 2004, 01:08 PM
#29
Registered User
Start/Run and just type it in the window
-
August 11th, 2004, 05:35 PM
#30
Driver Terrier
 Originally Posted by Dshadna
I'd rather track the bugger down and annihilate it.
Compaq Presario 5320US
Compaq P/N 470022-354 UPC 720591134747
We replaced the nVidia Vanta Graphics card with a Radeon 7000 Series card over a year ago. Everything else is the same, except we now have a Logitech Wireless Optical mouse for the pc.
It has a 10/100 Ethernet Networking Card in it also.
Not sure what else you need to know, but I have a printout we did when we first got the pc of what's on it and I've handwritten notes of what's been replaced.
Bloody Hell!! Someone actually takes note!! I am very impressed.