Midaddle Nightmare?



#1 RAIL


    Member

  • New Member
  • 1 posts

Posted 27 July 2004 - 04:28 PM

Greetings all,

Hopefully someone here can offer some help for my situation. Although I have used the most recent versions of Adaware and Spybot, not to mention HijackThis, I have been unable to remove this accursed malware from my system. Essentially, it is opening IE popups on my desktop, touting various online gambling and (ohhh the irony) Spyware prevention apps. Using adaware, I FOUND midaddle, but could not delete it. I did manage to delete its .dll from my C/Programs/Common folder by entering Safe Mode. I have also used HijackThis to remove several other suspicious lines of code (including Sep) from the list, prior to generating this latest scan. The entries I can't get rid of (by any means) are indicated by "***". When they are removed, they simply respawn others like themselves. My frustration level is peaking, and I simply have never dealt with any malware as insidious as this. So... for anyone that might be able to assist (please!), here is the log:



Logfile of HijackThis v1.98.0
Scan saved at 1:47:49 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version! ****(this is due to my attempts to delete IE from my system.)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE
C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe
***C:\WINDOWS\System32\MwdDO78j.exe
***C:\WINDOWS\System32\Xcz76.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo 900] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE /P22 "EPSON Stylus Photo 900" /O5 "LPT1:" /M "Stylus Photo 900"
***O4 - HKLM\..\Run: [29@N4@85M9Z@55] C:\WINDOWS\System32\PnkdB03.exe
O4 - HKCU\..\Run: [NetGuard Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" -STARTUP
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone...0.20/tukati.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42F104FA-8E8D-4BDC-A578-62F4F5F2BC72}: NameServer = 205.188.146.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{E45C62F9-1D61-4AA4-8F46-1F66F6AC00C4}: NameServer = 66.51.205.100,66.51.206.100


(Note that EVEN AFTER REMOVING the 3 specified entries in the above, using HijackThis, they CONTINUE TO REAPPEAR.)

My theory: there is a hidden file that is propagating these files, although I can't seem to locate it using any of the tools I have.

Thanks in advance,

RAIL------*

#2 Marianna


    Forum Deity

  • Retired Staff
  • 752 posts

Posted 27 July 2004 - 05:35 PM

Hi Rail

What I can see is that you have the PEPER trojan:

O4 - HKLM\..\Run: [29@N4@85M9Z@55]


Download the peper fix here. Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission. Reboot and run it a second time while connected to the net.

Press Ctrl+Alt+Del and 'end task' on any of the following that are present:
PnkdB03.exe
MwdDO78j.exe
Xcz76.exe

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked.
Make sure all browser and all Windows Explorer windows are closed before fixing

O4 - HKLM\..\Run: [29@N4@85M9Z@55] C:\WINDOWS\System32\PnkdB03.exe

C:\WINDOWS\System32\MwdDO78j.exe
C:\WINDOWS\System32\Xcz76.exe

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files IF still present:
C:\WINDOWS\System32\PnkdB03.exe
C:\WINDOWS\System32\MwdDO78j.exe
C:\WINDOWS\System32\Xcz76.exe

Then use the Disk Cleanup Utility to empty all your Temp folders

Problems gone??

If yes - Then Disable system restore: Instructions here
Reboot

Enable System Restore.
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010
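As an added example that is not part of either post, the script below applies the reasoning in Marianna's reply to the lines RAIL posted: it parses a HijackThis-style log and flags O4 Run entries whose value name contains "@", executables that sit directly in System32 under random-looking letter-and-digit names, and O17 NameServer overrides. The sample log is an excerpt constructed from the thread, and the "random-looking" heuristic is my own, not a HijackThis feature.

```python
import re

# Constructed excerpt of the log posted above, plus one benign O4 line
# so the heuristic has something it should leave alone.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0XIC1.EXE
C:\WINDOWS\System32\MwdDO78j.exe
C:\WINDOWS\System32\Xcz76.exe

O4 - HKLM\..\Run: [29@N4@85M9Z@55] C:\WINDOWS\System32\PnkdB03.exe
O4 - HKCU\..\Run: [NetGuard Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" -STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{E45C62F9-1D61-4AA4-8F46-1F66F6AC00C4}: NameServer = 66.51.205.100,66.51.206.100
"""

# A file that lives directly in System32 (no deeper subdirectory).
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.I)
# O4 lines: "O4 - <key>: [<value name>] <command line>".
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def exe_path(cmd):
    """Return the executable part of a Run-key command line."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def looks_random(filename):
    """Heuristic (assumption): a System32 name mixing letters and digits,
    like the three respawning files in the thread, is worth a look."""
    stem = filename.rsplit(".", 1)[0]
    return bool(re.search(r"\d", stem)) and bool(re.search(r"[A-Za-z]", stem))


def suspicious_system32(path):
    m = SYSTEM32.match(path)
    return bool(m) and looks_random(m.group(1))


def triage(log_text):
    """Return (category, line) pairs for entries that deserve attention."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = O4_LINE.match(line)
        if m:
            if "@" in m.group("name") or suspicious_system32(exe_path(m.group("cmd"))):
                findings.append(("O4", line))
        elif line.startswith("O17 ") and "NameServer" in line:
            findings.append(("O17", line))  # DNS override: verify against the ISP
        elif suspicious_system32(line):
            findings.append(("process", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the two random-named processes, the "@" Run entry pointing at PnkdB03.exe, and the O17 line, while leaving smss.exe, the Epson spooler driver and the NetGuard Lite entry alone.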



