Please Help with MidAddle HijackThis Log

[sethark]

I can't seem to get rid of MidAddle. Here is my Hijack This log. Can anyone help? Thank you.

Logfile of HijackThis v1.98.2
Scan saved at 9:58:46 AM, on 9/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\documents and settings\administrator\local settings\temp\VLEOjd.exe
C:\documents and settings\administrator\local settings\temp\vqY.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\Nmut5Cu7.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\VchsYJo.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\SethArk\My Documents\Hijack This\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local Settings\Temp\tHn.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -on
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [52T456#2DK3#NY] C:\WINDOWS\System32\IvpTdB.exe
O4 - HKLM\..\Run: [VLEOjd] C:\documents and settings\administrator\local settings\temp\VLEOjd.exe
O4 - HKLM\..\Run: [vqY] C:\documents and settings\administrator\local settings\temp\vqY.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Lwt9RXbqV] cdondmgr.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.com/bannerfarm/47041/WrapperOuter1154.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50177/QDow_AS2.cab

 

[LDTate]

Hello sethark. Welcome to the TSG

This is what I suggest you do first.

Make sure you have the up-to-date versions of Spybot and Ad-aware. All are free and available bellow.

Download Spybot, install and update. Then download Ad-aware, install, and update.

Spybot:
Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
Put a check mark beside the RED (RED) entries ONLY. Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Download CWShredder from my signature bellow. Unzip it on the desktop.
Open CWShredder and with ALL other windows closed, click fix.

Next do a online scan. Click Here set it to autoclean, if it cannot tell it to delete found files,,
Copy its report back here if its unable to please.

1. Open My Computer
2. Right click on your hard drive that you wish to clean (C drive, for example)
3. In the context menu that opens, select properties
4. Under the general tab you should select Disk Cleanup
5. Windows will scan your drive which will take a few seconds/minutes
6. A box will display the various files you can remove.
Check all boxes except compress old files
7. Click OK and windows will comply.

Restart your computer.

Post a new HijackThis log.

 

[Byteman]

Hi, You should try this Peper trojan uninstaller or two of them...

http://downloads.subratam.org/PeperFix.exe

You must remain connected to the Net with this uninstaller when you run it.

(Keep a page in IE open)

Run it once, shut down stuff, restart...come back here or home page, and run it again. You will not see any dialog, nothing really happens..that is the way it works.

[[Then, you can either post a new log, or try this one:

Watch for a query about connecting to the IP shown, you have to to get rid of Registry entries, though I do not know if it still does this!!]]

Seeing flrman1's post in another thread:

"As a reminder ...

Run this uninstaller to get rid of peper:

http://www.zerosrealm.com/downloads/uninst.exe

*Note: Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective."


...... reminded me of something ...

It may ask for connection to 66.150.207.200 ... if you allow it then ALL of the Peper trojan will be removed ... if you block it the registry keys will stay.

(HKLM\Software\[Random String] and the orphaned run key)

If you see the orphaned run key, it may be because the uninstaller was denied access to 66.150.207.200.

Submit a fresh HJT log when done.

 

[sethark]

Thanks guys. I have Spybot and SpySweeper. The trouble has been that Spybot doesn't even recognize Midaddle and Spy Sweeper only partially deletes it and requires me to go into Safe Mode to manually delete the folder. It then immediately returns. I will try your solution(s) of installing Ad-Aware, CW Shredder and Peper Fix.

 

[Byteman]

Hi, Good! AdAware (and SpyBot) are two things no one should be without. Removing Peper will not "patch" your computer to prevent a return. Visit Windows Updates and get all critical or security updates for your operating system. Get an alternate browser, such as Firefox, to use for general surfing. There are some features it does not have, things like online virus scans may not work in Firefox "out of the box"... but it's a great browser and configurable, and less apt to be vulnerable to intrusions by malwares.

 

[sethark]

Thanks Byteman. It doesn't sound like PeperFix.exe will help me then. I'll stick to the AdAware and CWShredder solution

 

[Byteman]

The Peper fix is to REMOVE the present infection.

I put in the part about it not Protecting you from another infection...so that you didnt think it did that. The tool is just an easier way to remove the infection, though it is possible to remove it manually. We will check your logs after the tool is run and you reboot> to see if it stays gone.

AdAware and Spybot may not completely remove the bits and pieces, though I know they do detect it. So do some antivirus programs.

You do also need AAW and SpyBot> they will probably clean up whatever is left on the system! Then, a final look at a Hijackthis log and you will be good to go!

 

[sethark]

Ok. I understand now. I'm not going to be able to get to it today but I'll post my results as soon as I do (in the next day or so). Thanks so much for all your input. I really appreciate it.

 

[Byteman]

The Peper trojan will no doubt change filenames from now to then, so after you do try the removers and AAW or SpyBot> post a Hijackthis log for review, good luck.

 

[cybertech]

After you have done all of the suggestions, I request you post a new HJT log for review.