missing shortcuts all of the time

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

bethl

Thread Starter
Joined
May 19, 2000
Messages
10
I am running Win 98, and every time I turn my computer on, it goes through a whole series of message boxes saying "invalid shortcut" with a bunch of letters and numbers, none of which look familiar. I have run Ad Aware, PC Bug Doctor, Spybot, but they still come back... I ran 'hijack this' and hoped someone could tell me what to do next. I have tried to get rid of them in the startup (msconfig), but to no avail. Also run Norton Antivirus each day, which allows me to get online... check out the startup things down below, and the global??? Please help... thank you!! bethl

Logfile of HijackThis v1.97.7
Scan saved at 9:09:44 PM, on 4/19/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\AUPDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\U0XD3DLV.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\RB32\RB32.EXE
C:\Games\game.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\MY DOCUMENTS\SHELLEY_LOFTSGARD\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.daktel.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZN
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\PROGRAM FILES\SCBAR\V2\SCBAR.DLL
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [U0XD3DLV.EXE] C:\WINDOWS\U0XD3DLV.EXE /dk
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O4 - HKCU\..\Run: [U0XD3DLV.EXE] C:\WINDOWS\U0XD3DLV.EXE /dk
O4 - Startup: 7ORGT3OO.lnk = C:\WINDOWS\7orgt3oo.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: ZHJGODTE.lnk = C:\WINDOWS\zhjgodte.exe
O4 - Startup: 75L4U349.lnk = C:\WINDOWS\75l4u349.exe
O4 - Startup: BZUU7Z03.lnk = C:\WINDOWS\bzuu7z03.exe
O4 - Startup: RANQ02O1.lnk = C:\WINDOWS\ranq02o1.exe
O4 - Startup: 9AEP1EUW.lnk = C:\WINDOWS\9aep1euw.exe
O4 - Startup: RZ5OHOG1.lnk = C:\WINDOWS\rz5ohog1.exe
O4 - Startup: R2UMIHCV.lnk = C:\WINDOWS\r2umihcv.exe
O4 - Startup: U4PDTZ9Y.lnk = C:\WINDOWS\u4pdtz9y.exe
O4 - Startup: ZX4EGBFW.lnk = C:\WINDOWS\zx4egbfw.exe
O4 - Startup: 9FGPHVPP.lnk = C:\WINDOWS\9fgphvpp.exe
O4 - Startup: 8RY7KT4K.lnk = C:\WINDOWS\8ry7kt4k.exe
O4 - Startup: URATY4RR.lnk = C:\WINDOWS\uraty4rr.exe
O4 - Startup: 763XOX1G.lnk = C:\WINDOWS\763xox1g.exe
O4 - Startup: 6C20NPDX.lnk = C:\WINDOWS\6c20npdx.exe
O4 - Startup: T0D9M2IL.lnk = C:\WINDOWS\t0d9m2il.exe
O4 - Startup: BT2VDKVF.lnk = C:\WINDOWS\bt2vdkvf.exe
O4 - Startup: D8I8M86N.lnk = C:\WINDOWS\d8i8m86n.exe
O4 - Startup: U0XD3DLV.lnk = C:\WINDOWS\u0xd3dlv.exe
O4 - Global Startup: 7ORGT3OO.lnk = C:\WINDOWS\7orgt3oo.exe
O4 - Global Startup: ZHJGODTE.lnk = C:\WINDOWS\zhjgodte.exe
O4 - Global Startup: 75L4U349.lnk = C:\WINDOWS\75l4u349.exe
O4 - Global Startup: BZUU7Z03.lnk = C:\WINDOWS\bzuu7z03.exe
O4 - Global Startup: RANQ02O1.lnk = C:\WINDOWS\ranq02o1.exe
O4 - Global Startup: 9AEP1EUW.lnk = C:\WINDOWS\9aep1euw.exe
O4 - Global Startup: RZ5OHOG1.lnk = C:\WINDOWS\rz5ohog1.exe
O4 - Global Startup: R2UMIHCV.lnk = C:\WINDOWS\r2umihcv.exe
O4 - Global Startup: U4PDTZ9Y.lnk = C:\WINDOWS\u4pdtz9y.exe
O4 - Global Startup: ZX4EGBFW.lnk = C:\WINDOWS\zx4egbfw.exe
O4 - Global Startup: 9FGPHVPP.lnk = C:\WINDOWS\9fgphvpp.exe
O4 - Global Startup: 8RY7KT4K.lnk = C:\WINDOWS\8ry7kt4k.exe
O4 - Global Startup: URATY4RR.lnk = C:\WINDOWS\uraty4rr.exe
O4 - Global Startup: 763XOX1G.lnk = C:\WINDOWS\763xox1g.exe
O4 - Global Startup: 6C20NPDX.lnk = C:\WINDOWS\6c20npdx.exe
O4 - Global Startup: T0D9M2IL.lnk = C:\WINDOWS\t0d9m2il.exe
O4 - Global Startup: BT2VDKVF.lnk = C:\WINDOWS\bt2vdkvf.exe
O4 - Global Startup: D8I8M86N.lnk = C:\WINDOWS\d8i8m86n.exe
O4 - Global Startup: U0XD3DLV.lnk = C:\WINDOWS\u0xd3dlv.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37568.4377662037
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} (iWon Installer Start) - http://downloads.iwon.com/images/nocache/copilot/i1initialsetup1.0.0.2.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/111fc91f2d01b0944c01/netzip/RdxIE601.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw14fd.law14.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopSwatterInitialSetup1.0.0.8.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,066
Hi Bethl and welcome to TSG,

You have lots of issues in your log so I'm going to request that this thread be moved over to the Security forum.

In the meantime though, you can run the following programs and then post another log for the experts to look at. I also suspect you may have the Adtomi parasite but I'm not 100% sure.

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right-hand corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on (ON = GREEN):

From main window: Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

Restart your computer

Download and run: SPYBOT SEARCH & DESTROY, here:

http://download.com.com/3000-2144-1...tml?tag=lst-0-1

Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click "Check for Problems", put a check in every entry Spybot Search & Destroy flags with a red exclamation mark and click "Fix Selected Problems", then restart your computer.

Download both of these for added protection: SPYWAREBLASTER & SPYWAREGUARD, here:

http://www.javacoolsoftware.com/spywareblaster.html

Cookie
 
Joined
Jul 26, 2002
Messages
46,349
Here are the removal instructions for Adtomi ("Morze" trojan).

To get rid of Adtomi run this script put together by Mosaic1:

Click here to download 9xAdtomi Cleanup.zip.

Unzip the files to a folder of your choice.

Now see if there is an Adtomi or yahoo stocks icon in your system tray, it might be a red ?? and if so right click and select remove, you must be online for this part

--A web page from Adtomi would appear "-uninstall was succesful!".

*Note: Not all infections have this icon, so if you don't have it just proceed with the rest.


Now go offline before proceeding with the rest of these instructions.


If you have a Script Blocking Program enabled, disable it first so the scripts may run.

Next press CTRL+ALT+DEL to bring up task manager, look in applications for this file U0XD3DLV.EXE and End Task on it. Open Task Manager again and make sure it is gone.
If it isn't listed in the applications, then look in processes tab.

Close all open windows, open the Adtomi cleanup folder and Double Click Cleanup.bat then close the Adtomi cleanup folder while the cleanup.bat file runs.

*NOTE: DO NOT Touch the VBS files. The bat file will run the scripts all by itself.

It will:

Remove the Adtomi Spyware files from the Windows Folder
Clean the Startup Folders
Create Backups of the Adtomi exe files it deletes and save them in this folder
Create a list of all oddly named files deleted from the Windows Folder
Uninstall the Browserhelper.dll browser plugin
Start HijackThis and give you directions on what to remove.


When you have finished please restart the computer.

Go to the folder that you extracted the Adtomi cleanup files to and find the Adtomi.txt file. Copy and paste the contents of that text file here along with a fresh Hijack This log. There will be a bit left to remove with Hijack This.
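
Added example (not part of the original thread and not Mosaic1's cleanup script): a small triage script that parses the O4 autostart lines of a HijackThis log and lists the "oddly named" entries of the kind this thread deals with. The heuristic is an assumption made for this example: an 8-character alphanumeric entry named after its own executable, sitting directly in C:\WINDOWS, and registered in at least two autostart locations. The function names are hypothetical.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname, splitext

# Lines copied from the HijackThis log in the first post (excerpt).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [U0XD3DLV.EXE] C:\WINDOWS\U0XD3DLV.EXE /dk
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O4 - Startup: 7ORGT3OO.lnk = C:\WINDOWS\7orgt3oo.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: ZHJGODTE.lnk = C:\WINDOWS\zhjgodte.exe
O4 - Startup: U0XD3DLV.lnk = C:\WINDOWS\u0xd3dlv.exe
O4 - Global Startup: 7ORGT3OO.lnk = C:\WINDOWS\7orgt3oo.exe
O4 - Global Startup: ZHJGODTE.lnk = C:\WINDOWS\zhjgodte.exe
O4 - Global Startup: U0XD3DLV.lnk = C:\WINDOWS\u0xd3dlv.exe
"""

LNK_RE = re.compile(r"^O4 - (Startup|Global Startup): (.+)\.lnk = (.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.+?)\] (.+)$")
RANDOM_STEM = re.compile(r"^[A-Z0-9]{8}$")  # heuristic: 8-char alphanumeric name

def parse_o4(log):
    """Yield (location, entry name, command) for each O4 autostart line."""
    for line in log.splitlines():
        m = LNK_RE.match(line.strip()) or RUN_RE.match(line.strip())
        if m:
            yield m.groups()

def exe_path(command):
    """Strip quotes and switches, leaving only the executable path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else command

def is_random_dropper(name, command):
    """True for an entry named after its own 8-char exe in the Windows folder root."""
    path = exe_path(command)
    stem = splitext(basename(path))[0].upper()
    return (dirname(path).upper() == r"C:\WINDOWS"
            and splitext(name)[0].upper() == stem
            and bool(RANDOM_STEM.match(stem)))

def find_droppers(log, min_locations=2):
    """Return {stem: sorted autostart locations} seen in >= min_locations places."""
    seen = defaultdict(set)
    for location, name, command in parse_o4(log):
        if is_random_dropper(name, command):
            seen[splitext(name)[0].upper()].add(location)
    return {s: sorted(locs) for s, locs in seen.items() if len(locs) >= min_locations}
```

Calling `find_droppers()` on the full text of a saved log returns the flagged names with the locations each one was registered in. A match is only a lead for review, since a legitimate 8-character program name can also satisfy the pattern.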
 