Need Help Removing MidADdle! It Wont Go Away!


#1 xghoulx
    Member, New Member, 1 posts

Posted 30 July 2004 - 01:50 PM

Recently my computer has been infected with some sort of spyware and I have no idea how it got on here in the first place. When I load up Internet Explorer, first it directs me to a site labelled www.ads234.com, and then it goes to my homepage of www.yahoo.com. Whenever I try to click a link to go to a new website, my status bar shows that it's loading a site from www.ads234.com first, BEFORE the status bar shows it's loading the link I want.

Every so often when I try to visit a web site I am directed to a site at www.ads234.com FIRST, and it displays this huge ad in my face and says "Please visit our sponsor while this page loads." It makes me wait 10-20 seconds before it finally goes to the page I want. The thing that really makes me mad about this is I have a DSL connection, and most websites take about 2 seconds to load. I'm not about to wait 10-20 seconds to load some page and be forced to view an advertisement.

I searched all through yahoo/google search engines for ways to remove this. I finally found out that I had something called "midADdle" on my computer. Someone on a message board posted that I should go to start/find and search for everything labelled "midaddle" and delete all the files, so that is what I did.

However, a few minutes later I checked and this didn't do anything. I was still being directed to www.ads234.com when I loaded Internet Explorer, and I still saw the ads sometimes. Later, on another message board, someone said to go to add/remove programs and uninstall it that way.

However, I am not experienced in matters like this, and I didn't do that originally. I tried to go to add/remove programs to remove it and when I did it said "this program has already been removed, would you like to delete it from the add/remove programs list?" Apparently I already deleted some of the files manually, and therefore I was unable to go to add/remove programs and uninstall the right way.

Now I am stuck without having MidADdle listed in add/remove programs, and I still get directed to www.ads234.com when I try to visit websites.

I ran the following programs trying to fix this already: ad-aware, spybot, spyware doctor, symantec anti-virus

Can anybody help me? Someone told me to download the MidADdle program again, and then try to remove it using add/remove programs. The problem is, I don't know where I got it in the first place. I searched all over google/yahoo looking for an installation file (to actually install the thing by my own consent) and I couldn't even find that.

This is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:35:58 AM, on 7/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\documents and settings\new\local settings\temp\Yf3d.exe
C:\documents and settings\new\local settings\temp\Yf3d.exe
C:\documents and settings\user1\local settings\temp\y98.exe
C:\documents and settings\user1\local settings\temp\y98.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\windows\temp\KqHn5.exe
C:\windows\temp\KqHn5.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\RunDll32.exe
C:\windows\temp\b.exe
C:\windows\temp\b.exe
C:\WINDOWS\System32\srsprn.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\dpsiscon.exe
C:\AIM95\aim.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Games\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINDOWS\DOWNLO~1\gspec.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: GlobalSpec Engineering Toolbar - {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} - C:\WINDOWS\DOWNLO~1\gspec.dll
O4 - HKLM\..\Run: [Yf3d.exe] C:\documents and settings\new\local settings\temp\Yf3d.exe
O4 - HKLM\..\Run: [Yf3d] C:\documents and settings\new\local settings\temp\Yf3d.exe
O4 - HKLM\..\Run: [y98.exe] C:\documents and settings\user1\local settings\temp\y98.exe
O4 - HKLM\..\Run: [y98] C:\documents and settings\user1\local settings\temp\y98.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [KqHn5.exe] C:\windows\temp\KqHn5.exe
O4 - HKLM\..\Run: [KqHn5] C:\windows\temp\KqHn5.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [b.exe] C:\windows\temp\b.exe
O4 - HKLM\..\Run: [b] C:\windows\temp\b.exe
O4 - HKLM\..\Run: [479i3pQ] srsprn.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "c:\games\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LwqsRfc3e] dpsiscon.exe
O4 - HKCU\..\Run: [AIM] C:\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {4E7BD74F-2B8D-469E-D1FB-EF7FB3D5FA7D} (GlobalSpec Engineering Toolbar) - http://www.globalspe...olbar/gspec.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.66.155.171....128744OneCC.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37692.936087963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CFB94B8-1713-41E0-BD9A-F0F714626CC5}: NameServer = 206.13.29.12 206.13.30.12

Any suggestions are appreciated! Please help!

Edit:

Now the folder I deleted came back. It is named "midaddle" and in the folder it has midaddle.dll, but it does not have an uninstall file, and it's not listed in add/remove programs. I already deleted this thing yesterday; I have no idea how it suddenly "reappeared" like this. It is located in C:/Program Files/Common Files/midaddle

Edited by xghoulx, 30 July 2004 - 02:08 PM.


#2 mmxx66
    The SWI drummer, Retired Staff, 4,412 posts

Posted 30 July 2004 - 06:00 PM

Hello CujoJpN, welcome to SWI.
Print out these instructions so you can read them while you clean your system.


Move HijackThis to its own folder. Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Move HijackThis there. HijackThis makes backups of everything you fix; these backups are saved in the same folder as the program.


Now close all open windows AND browsers and check these items for HJT to fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O4 - HKLM\..\Run: [Yf3d.exe] C:\documents and settings\new\local settings\temp\Yf3d.exe
O4 - HKLM\..\Run: [Yf3d] C:\documents and settings\new\local settings\temp\Yf3d.exe
O4 - HKLM\..\Run: [y98.exe] C:\documents and settings\user1\local settings\temp\y98.exe
O4 - HKLM\..\Run: [y98] C:\documents and settings\user1\local settings\temp\y98.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [KqHn5.exe] C:\windows\temp\KqHn5.exe
O4 - HKLM\..\Run: [KqHn5] C:\windows\temp\KqHn5.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U
O4 - HKLM\..\Run: [b.exe] C:\windows\temp\b.exe
O4 - HKLM\..\Run: [b] C:\windows\temp\b.exe
O4 - HKLM\..\Run: [479i3pQ] srsprn.exe
O4 - HKCU\..\Run: [LwqsRfc3e] dpsiscon.exe


For TV-Media, you will need to run this Regedit:

Copy the entire contents inside of the QUOTE box into Notepad and hit Enter to add a blank line. Then save it as remove.reg (save as type: 'all files') to the desktop.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""


Go to the Desktop and DoubleClick Remove.reg, hit yes on the prompt to add its contents to the Registry!

Please reboot into safe mode - How do I boot into "Safe" mode?


Delete these files:

C:\documents and settings\new\local settings\temp\Yf3d.exe
C:\documents and settings\user1\local settings\temp\y98.exe
C:\windows\temp\KqHn5.exe
C:\windows\temp\b.exe
C:\WINDOWS\System32\srsprn.exe
C:\WINDOWS\System32\dpsiscon.exe
C:\WINDOWS\System32\SearchBar.htm

DELETE THESE FOLDERS:
C:/Program Files/Common Files/midaddle
C:\Program Files\TV Media
C:\WINDOWS\System32\IEDriver


You may need to show hidden files to delete them. How to show all hidden and system files

The following DIRECTORY CONTENTS (but not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <= This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your system restore

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 This will delete all existing restore points. Click Yes to do this.
6 Click OK.

Reboot into normal mode, enable System Restore, and post a fresh log in this thread so I can give you further recommendations.
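As an added example (not part of this thread and not a SpywareInfo or HijackThis tool), here is a small Python script that parses the O4 autostart lines of a HijackThis log and flags the three patterns the reply above singles out for fixing: executables launched from a temp directory, bare file names with no path, and one executable registered under two value names. The sample log text is constructed from entries quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.97 format, built from entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Yf3d.exe] C:\documents and settings\new\local settings\temp\Yf3d.exe
O4 - HKLM\..\Run: [Yf3d] C:\documents and settings\new\local settings\temp\Yf3d.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KqHn5.exe] C:\windows\temp\KqHn5.exe
O4 - HKLM\..\Run: [479i3pQ] srsprn.exe
O4 - HKCU\..\Run: [LwqsRfc3e] dpsiscon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
"""

# O4 lines look like: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
# First .exe token of the command line, with optional surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)

def parse_o4(log_text):
    """Return (hive, value_name, target_exe) for every O4 Run entry; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        exe = EXE_RE.match(command)
        entries.append((hive, name, exe.group(1) if exe else command))
    return entries

def review_autostarts(log_text):
    """Map value name -> reasons for the O4 entries that match the patterns flagged in the reply."""
    findings = defaultdict(list)
    by_target = defaultdict(list)
    for hive, name, target in parse_o4(log_text):
        parts = target.lower().split('\\')
        if 'temp' in parts:            # %TEMP% of a profile or C:\windows\temp
            findings[name].append('runs from a temp directory')
        if len(parts) == 1:            # no directory at all, e.g. srsprn.exe
            findings[name].append('bare filename, resolved via the search path')
        by_target[target.lower()].append(name)
    for names in by_target.values():
        if len(names) > 1:             # e.g. [Yf3d.exe] and [Yf3d] launching the same file
            for n in names:
                findings[n].append('same executable registered %d times' % len(names))
    return dict(findings)
```

Entries such as the QuickTime and Symantec ones fall through untouched, which is the point: the script narrows a long log to the handful of lines worth checking by hand, it does not decide what is malicious.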
