
Please Help with MidAddle HijackThis Log

Discussion in 'Virus & Other Malware Removal' started by sethark, Sep 8, 2004.

Thread Status:
Not open for further replies.
  1. sethark

    sethark Thread Starter

    Joined:
    Sep 8, 2004
    Messages:
    24
    I can't seem to get rid of MidAddle. Here is my Hijack This log. Can anyone help? Thank you.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:58:46 AM, on 9/8/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\documents and settings\administrator\local settings\temp\VLEOjd.exe
    C:\documents and settings\administrator\local settings\temp\vqY.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\America Online 7.0\aoltray.exe
    C:\QUICKENW\QWDLLS.EXE
    C:\WINDOWS\System32\Nmut5Cu7.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\WINDOWS\System32\VchsYJo.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\SethArk\My Documents\Hijack This\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local Settings\Temp\tHn.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -on
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [52T456#2DK3#NY] C:\WINDOWS\System32\IvpTdB.exe
    O4 - HKLM\..\Run: [VLEOjd] C:\documents and settings\administrator\local settings\temp\VLEOjd.exe
    O4 - HKLM\..\Run: [vqY] C:\documents and settings\administrator\local settings\temp\vqY.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Lwt9RXbqV] cdondmgr.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.com/bannerfarm/47041/WrapperOuter1154.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50177/QDow_AS2.cab
     
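The log above is what the helpers in this thread read by eye: processes launched from the user's Temp folder, Run entries with random-looking names, and orphaned O9 buttons whose file is gone. As an added example (not part of the original post, and not part of HijackThis itself), here is a small Python script that pulls those same indicators out of an HJT log automatically. The embedded sample is an excerpt of the log posted above; the naming heuristics are my own assumptions and produce leads to look up, not verdicts.

```python
"""Triage helper for HijackThis (HJT) logs: pulls the file paths out of the
running-process list, O2/O3 BHO and toolbar entries and O4 autostart entries,
then applies the location and naming checks an analyst does by eye."""
import re
from dataclasses import dataclass, field

# Locations a legitimate service or BHO almost never runs from.
TEMP_DIR_MARKERS = ("\\local settings\\temp\\", "\\windows\\temp\\")
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^\r\n"]*?\.(?:exe|dll)\b', re.I)
O4_RUNKEY = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O2_O3 = re.compile(r"^O[23] - .*? - \{[^}]+\} - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _case_flips(s):
    letters = [c for c in s if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))


def _digit_letter_flips(s):
    chars = [c for c in s if c.isalnum()]
    return sum(a.isdigit() != b.isdigit() for a, b in zip(chars, chars[1:]))


def looks_generated(name):
    """True if a file name or Run value name looks machine-generated.
    Heuristics (assumed thresholds), not a verdict: a hit means 'look this up'."""
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", name)      # drop the extension
    has_digit = any(c.isdigit() for c in stem)
    has_lower = any(c.islower() for c in stem)
    upper_inside = any(c.isupper() for c in stem[1:])
    if has_digit and has_lower and upper_inside:          # e.g. Nmut5Cu7, Lwt9RXbqV
        return True
    if _digit_letter_flips(stem) >= 3:                    # e.g. 52T456#2DK3#NY
        return True
    if re.search(r"[a-z][A-Z]{2}[a-z]", stem):            # e.g. VchsYJo
        return True
    tail = stem[1:]
    if tail and not re.search(r"[aeiou]", tail, re.I) and _case_flips(stem) >= 3:
        return True                                       # e.g. IvpTdB
    return False


def _basename_of(cmd):
    """Program a command runs: its drive path if it has one, else its first word."""
    m = DRIVE_PATH.search(cmd)
    if m:
        token = m.group(0)
    else:
        parts = cmd.strip().strip('"').split()
        token = parts[0] if parts else ""
    return token.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return a Finding for every log line that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        name = path = None
        reasons = []
        if re.match(r"^[A-Za-z]:\\", line):                 # running-process list
            path = line
        elif (m := O4_RUNKEY.match(line)) or (m := O4_STARTUP.match(line)):
            name, path = m.group("name"), m.group("cmd")
        elif (m := O2_O3.match(line)):
            path = m.group("path")
        elif line.startswith("O9") and ("(file missing)" in line or "(no file)" in line):
            reasons.append("orphaned entry: referenced file no longer exists")
        if path:
            if any(marker in path.lower() for marker in TEMP_DIR_MARKERS):
                reasons.append("loads from a temp directory")
            base = _basename_of(path)
            if looks_generated(base):
                reasons.append(f"file name looks machine-generated: {base}")
        if name and looks_generated(name):
            reasons.append(f"Run value name looks machine-generated: {name}")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


# Constructed sample: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\documents and settings\administrator\local settings\temp\VLEOjd.exe
C:\documents and settings\administrator\local settings\temp\vqY.exe
C:\WINDOWS\System32\Nmut5Cu7.exe
C:\WINDOWS\System32\VchsYJo.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Administrator\Local Settings\Temp\tHn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [52T456#2DK3#NY] C:\WINDOWS\System32\IvpTdB.exe
O4 - HKCU\..\Run: [Lwt9RXbqV] cdondmgr.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the excerpt it flags eight lines: the two Temp executables and the Temp DLL by location, Nmut5Cu7.exe and VchsYJo.exe by name, the IvpTdB.exe Run entry on both its value name and its target, the cdondmgr.exe entry on its value name alone, and the missing-file O9 button; PackethSvc.exe, ccEvtMgr.exe, AcroIEHelper.dll and the RUNDLL32 entry pass. Any hit still needs a lookup before it is fixed in HijackThis, which is exactly why the helpers ask for a fresh log after each step.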
  2. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    Hello sethark. Welcome to the TSG

    This is what I suggest you do first.

    Make sure you have the up-to-date versions of Spybot and Ad-aware. All are free and available below.

    Download Spybot, install and update. Then download Ad-aware, install, and update.

    Spybot:
    Go to Start > Programs > Spybot > Search & Destroy and choose Spybot S&D

    Close ALL windows except Spybot S&D
    Click the button to "Search for Updates" and download and install the Updates.
    Next click the button "Check for Problems"
    When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window
    Put a check mark beside the RED entries ONLY. Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.

    Ad-Aware FULL SCAN:

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From the main window: click Start, then under Select a scan mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and click Next)

    Download CWShredder from my signature below. Unzip it on the desktop.
    Open CWShredder and with ALL other windows closed, click fix.

    Next do an online scan. Click Here, set it to autoclean; if it cannot, tell it to delete found files.
    Copy its report back here if it's unable to, please.

    1. Open My Computer
    2. Right click on your hard drive that you wish to clean (C drive, for example)
    3. In the context menu that opens, select properties
    4. Under the general tab you should select Disk Cleanup
    5. Windows will scan your drive which will take a few seconds/minutes
    6. A box will display the various files you can remove.
    Check all boxes except compress old files
    7. Click OK and windows will comply.

    Restart your computer.

    Post a new HijackThis log.
     
  3. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, You should try this Peper trojan uninstaller or two of them...

    http://downloads.subratam.org/PeperFix.exe

    You must remain connected to the Net with this uninstaller when you run it.

    (Keep a page in IE open)

    Run it once, shut down stuff, restart...come back here or home page, and run it again. You will not see any dialog, nothing really happens..that is the way it works.

    [[Then, you can either post a new log, or try this one:

    Watch for a query about connecting to the IP shown; you have to, to get rid of Registry entries, though I do not know if it still does this!!]]

    Submit a fresh HJT log when done.
     
  4. sethark

    sethark Thread Starter

    Joined:
    Sep 8, 2004
    Messages:
    24
    Thanks guys. I have Spybot and SpySweeper. The trouble has been that Spybot doesn't even recognize Midaddle and Spy Sweeper only partially deletes it and requires me to go into Safe Mode to manually delete the folder. It then immediately returns. I will try your solution(s) of installing Ad-Aware, CW Shredder and Peper Fix.
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Good! AdAware (and SpyBot) are two things no one should be without. Removing Peper will not "patch" your computer to prevent a return. Visit Windows Updates and get all critical or security updates for your operating system. Get an alternate browser, such as Firefox, to use for general surfing. There are some features it does not have, things like online virus scans may not work in Firefox "out of the box"... but it's a great browser and configurable, and less apt to be vulnerable to intrusions by malwares.
     
  6. sethark

    sethark Thread Starter

    Joined:
    Sep 8, 2004
    Messages:
    24
    Thanks Byteman. It doesn't sound like PeperFix.exe will help me then. I'll stick to the AdAware and CWShredder solution.
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    The Peper fix is to REMOVE the present infection.

    I put in the part about it not Protecting you from another infection...so that you didn't think it did that. The tool is just an easier way to remove the infection, though it is possible to remove it manually. We will check your logs after the tool is run and you reboot> to see if it stays gone.

    AdAware and Spybot may not completely remove the bits and pieces, though I know they do detect it. So do some antivirus programs.

    You do also need AAW and SpyBot> they will probably clean up whatever is left on the system! Then, a final look at a Hijackthis log and you will be good to go!
     
  8. sethark

    sethark Thread Starter

    Joined:
    Sep 8, 2004
    Messages:
    24
    Ok. I understand now. I'm not going to be able to get to it today but I'll post my results as soon as I do (in the next day or so). Thanks so much for all your input. I really appreciate it.
     
  9. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    The Peper trojan will no doubt change filenames from now to then, so after you do try the removers and AAW or SpyBot> post a Hijackthis log for review, good luck.
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    After you have done all of the suggestions, I request you post a new HJT log for review. :)
     
Short URL to this thread: https://techguy.org/271611
