
missing shortcuts all of the time

Discussion in 'Virus & Other Malware Removal' started by bethl, Apr 19, 2004.

Thread Status:
Not open for further replies.
  1. bethl

    bethl Thread Starter

    Joined:
    May 19, 2000
    Messages:
    10
    I am running Win 98, and every time I turn my computer on, it goes through a whole series of message boxes saying "invalid shortcut" with a bunch of letters and numbers, none of which look familiar. I have run Ad-Aware, PC Bug Doctor, Spybot, but they still come back... I ran HijackThis and hoped someone could tell me what to do next. I have tried to get rid of them in the startup (msconfig), but to no avail. I also run Norton AntiVirus each day, which allows me to get online... check out the startup things down below, and the global??? Please help... thank you!! bethl

    Logfile of HijackThis v1.97.7
    Scan saved at 9:09:44 PM, on 4/19/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\AUPDATE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\U0XD3DLV.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\RB32\RB32.EXE
    C:\Games\game.exe
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\MY DOCUMENTS\SHELLEY_LOFTSGARD\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.daktel.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EZN
    R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\PROGRAM FILES\SCBAR\V2\SCBAR.DLL
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [U0XD3DLV.EXE] C:\WINDOWS\U0XD3DLV.EXE /dk
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
    O4 - HKCU\..\Run: [U0XD3DLV.EXE] C:\WINDOWS\U0XD3DLV.EXE /dk
    O4 - Startup: 7ORGT3OO.lnk = C:\WINDOWS\7orgt3oo.exe
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O4 - Startup: ZHJGODTE.lnk = C:\WINDOWS\zhjgodte.exe
    O4 - Startup: 75L4U349.lnk = C:\WINDOWS\75l4u349.exe
    O4 - Startup: BZUU7Z03.lnk = C:\WINDOWS\bzuu7z03.exe
    O4 - Startup: RANQ02O1.lnk = C:\WINDOWS\ranq02o1.exe
    O4 - Startup: 9AEP1EUW.lnk = C:\WINDOWS\9aep1euw.exe
    O4 - Startup: RZ5OHOG1.lnk = C:\WINDOWS\rz5ohog1.exe
    O4 - Startup: R2UMIHCV.lnk = C:\WINDOWS\r2umihcv.exe
    O4 - Startup: U4PDTZ9Y.lnk = C:\WINDOWS\u4pdtz9y.exe
    O4 - Startup: ZX4EGBFW.lnk = C:\WINDOWS\zx4egbfw.exe
    O4 - Startup: 9FGPHVPP.lnk = C:\WINDOWS\9fgphvpp.exe
    O4 - Startup: 8RY7KT4K.lnk = C:\WINDOWS\8ry7kt4k.exe
    O4 - Startup: URATY4RR.lnk = C:\WINDOWS\uraty4rr.exe
    O4 - Startup: 763XOX1G.lnk = C:\WINDOWS\763xox1g.exe
    O4 - Startup: 6C20NPDX.lnk = C:\WINDOWS\6c20npdx.exe
    O4 - Startup: T0D9M2IL.lnk = C:\WINDOWS\t0d9m2il.exe
    O4 - Startup: BT2VDKVF.lnk = C:\WINDOWS\bt2vdkvf.exe
    O4 - Startup: D8I8M86N.lnk = C:\WINDOWS\d8i8m86n.exe
    O4 - Startup: U0XD3DLV.lnk = C:\WINDOWS\u0xd3dlv.exe
    O4 - Global Startup: 7ORGT3OO.lnk = C:\WINDOWS\7orgt3oo.exe
    O4 - Global Startup: ZHJGODTE.lnk = C:\WINDOWS\zhjgodte.exe
    O4 - Global Startup: 75L4U349.lnk = C:\WINDOWS\75l4u349.exe
    O4 - Global Startup: BZUU7Z03.lnk = C:\WINDOWS\bzuu7z03.exe
    O4 - Global Startup: RANQ02O1.lnk = C:\WINDOWS\ranq02o1.exe
    O4 - Global Startup: 9AEP1EUW.lnk = C:\WINDOWS\9aep1euw.exe
    O4 - Global Startup: RZ5OHOG1.lnk = C:\WINDOWS\rz5ohog1.exe
    O4 - Global Startup: R2UMIHCV.lnk = C:\WINDOWS\r2umihcv.exe
    O4 - Global Startup: U4PDTZ9Y.lnk = C:\WINDOWS\u4pdtz9y.exe
    O4 - Global Startup: ZX4EGBFW.lnk = C:\WINDOWS\zx4egbfw.exe
    O4 - Global Startup: 9FGPHVPP.lnk = C:\WINDOWS\9fgphvpp.exe
    O4 - Global Startup: 8RY7KT4K.lnk = C:\WINDOWS\8ry7kt4k.exe
    O4 - Global Startup: URATY4RR.lnk = C:\WINDOWS\uraty4rr.exe
    O4 - Global Startup: 763XOX1G.lnk = C:\WINDOWS\763xox1g.exe
    O4 - Global Startup: 6C20NPDX.lnk = C:\WINDOWS\6c20npdx.exe
    O4 - Global Startup: T0D9M2IL.lnk = C:\WINDOWS\t0d9m2il.exe
    O4 - Global Startup: BT2VDKVF.lnk = C:\WINDOWS\bt2vdkvf.exe
    O4 - Global Startup: D8I8M86N.lnk = C:\WINDOWS\d8i8m86n.exe
    O4 - Global Startup: U0XD3DLV.lnk = C:\WINDOWS\u0xd3dlv.exe
    O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37568.4377662037
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4EE301F2-2A6A-4BE0-9FBD-97CDAA40E3E4} (iWon Installer Start) - http://downloads.iwon.com/images/nocache/copilot/i1initialsetup1.0.0.2.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/111fc91f2d01b0944c01/netzip/RdxIE601.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw14fd.law14.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopSwatterInitialSetup1.0.0.8.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,203
    Hi Bethl and welcome to TSG,

    You have lots of issues in your log so I'm going to request that this thread be moved over to the Security forum.

    In the meantime, though, you can run the following programs and then post another log for the experts to look at. I also suspect you may have the Adtomi parasite, but I'm not 100% sure.

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware 6 Build 181

    Install the program and launch it.

    First, in the main window, look in the bottom right-hand corner, click on Check for updates now and download the latest reference files.

    Make sure the following settings are made and on -------ON=GREEN

    From main window: Click Start then Activate in-depth scan (recommended)

    Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning, and under Cleaning Engine select Let windows remove files in use at next reboot.

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

    Restart your computer

    Download and run: SPYBOT SEARCH & DESTROY, here:

    http://download.com.com/3000-2144-1...tml?tag=lst-0-1

    Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click "Check for Problems", put a check in every entry Spybot Search & Destroy flags with a red exclamation mark and click "Fix Selected Problems", then restart your computer.

    Download both of these for added protection: SPYWAREBLASTER & SPYWAREGUARD, here:

    http://www.javacoolsoftware.com/spywareblaster.html

    Cookie
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Also, probably one of the first things you should do is follow Derek's advice in post 3 here for removal of the "Morze" trojan -- it is the one creating all those shortcuts. Then do the other adware removal procedures as well, reboot and post another Scanlog.

    http://forums.techguy.org/showpost.php?p=1549190&postcount=3
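One way to pick the shortcut-spawning entries out of a HijackThis log programmatically, as an added example that is not part of this thread and not code from HijackThis or any other tool named here. The rule it applies is an assumption made for the example, not a vendor signature: an .exe or .dll that lives directly in the Windows root (not under SYSTEM or Program Files) and is not on a small allowlist of known Windows binaries is treated as suspect, and every suspect is reported with where the log shows it (Startup or Global Startup shortcut, Run/RunServices key, running process, BHO). The allowlist is also an assumption; the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis 1.9x log for the shortcut-spawning pattern seen in this thread.

Heuristic (an assumption made for this example, not a vendor signature):
an .exe or .dll that sits directly in the Windows root (C:\WINDOWS\name.exe,
not under SYSTEM or Program Files) and is not a known Windows binary is
suspect. Each suspect is reported with where it was seen: Startup/Global
Startup shortcut, Run/RunServices key, running process, or BHO.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\U0XD3DLV.EXE
C:\PROGRAM FILES\RB32\RB32.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [U0XD3DLV.EXE] C:\WINDOWS\U0XD3DLV.EXE /dk
O4 - HKCU\..\Run: [U0XD3DLV.EXE] C:\WINDOWS\U0XD3DLV.EXE /dk
O4 - Startup: 7ORGT3OO.lnk = C:\WINDOWS\7orgt3oo.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: U0XD3DLV.lnk = C:\WINDOWS\u0xd3dlv.exe
O4 - Global Startup: 7ORGT3OO.lnk = C:\WINDOWS\7orgt3oo.exe
O4 - Global Startup: U0XD3DLV.lnk = C:\WINDOWS\u0xd3dlv.exe
"""

# An .exe/.dll directly under the Windows root, followed by end of text, space, comma or quote.
WINROOT_FILE = re.compile(r'C:\\WINDOWS\\([^\\]+?\.(?:exe|dll))(?=[\s,"]|$)', re.IGNORECASE)
# Assumed allowlist of binaries that legitimately live in the Win9x root; extend as needed.
KNOWN_WINROOT = {"explorer.exe", "rundll.exe", "rundll32.exe", "notepad.exe", "regedit.exe"}

STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): (.+?\.lnk) = (.+)$", re.IGNORECASE)
RUNKEY_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[[^\]]*\] (.+)$", re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-F-]+\}) - (.+)$", re.IGNORECASE)
SECTION_RE = re.compile(r"^[RO]\d+ - ")  # any HijackThis section line ends the process list


def suspect_name(text):
    """Lower-cased basename if text references a non-allowlisted file in the Windows root, else None."""
    m = WINROOT_FILE.search(text)
    if not m:
        return None
    name = m.group(1).lower()
    return None if name in KNOWN_WINROOT else name


def triage(log_text):
    """Return {name: {"startup": [...], "run_keys": [...], "running": bool, "bho": [guid, ...]}}."""
    seen = defaultdict(lambda: {"startup": set(), "run_keys": [], "running": False, "bho": []})
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs and (not line or SECTION_RE.match(line)):
            in_procs = False
        if in_procs:
            name = suspect_name(line)
            if name:
                seen[name]["running"] = True
            continue
        if m := STARTUP_RE.match(line):
            name = suspect_name(m.group(3))
            if name:
                seen[name]["startup"].add(m.group(1))
        elif m := RUNKEY_RE.match(line):
            name = suspect_name(m.group(2))  # catches "RunDLL32.EXE C:\WINDOWS\x.DLL,DllRun" too
            if name:
                seen[name]["run_keys"].append(m.group(1))
        elif m := BHO_RE.match(line):
            name = suspect_name(m.group(3))
            if name:
                seen[name]["bho"].append(m.group(2))
    return {name: {**info, "startup": sorted(info["startup"])} for name, info in sorted(seen.items())}


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        where = [k for k in ("startup", "run_keys", "running", "bho") if info[k]]
        print(f"{name:20s} seen in: {', '.join(where)}")
```

On the sample, u0xd3dlv.exe is the only name that shows up in all three places (both startup folders, both Run keys and the process list), which is why the removal instructions below single it out for End Task before anything is deleted; the three DLLs are reported from the O2 lines only, and the entries under Program Files never appear.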
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Here are the removal instructions for Adtomi ("Morze" trojan).

    To get rid of Adtomi run this script put together by Mosaic1:

    Click here to download 9xAdtomi Cleanup.zip.

    Unzip the files to a folder of your choice.

    Now see if there is an Adtomi or Yahoo Stocks icon in your system tray; it might be a red ?? and if so, right-click and select Remove. You must be online for this part.

    --A web page from Adtomi would appear: "-uninstall was successful!".

    *Note: Not all infections have this icon, so if you don't have it just proceed with the rest.


    Now go offline before proceeding with the rest of these instructions.


    If you have a Script Blocking Program enabled, disable it first so the scripts may run.

    Next press CTRL+ALT+DEL to bring up Task Manager, look in Applications for this file U0XD3DLV.EXE and End Task on it. Open Task Manager again and make sure it is gone.
    If it isn't listed in Applications, then look in the Processes tab.

    Close all open windows, open the Adtomi cleanup folder and double-click Cleanup.bat, then close the Adtomi cleanup folder while the cleanup.bat file runs.

    *NOTE: DO NOT Touch the VBS files. The bat file will run the scripts all by itself.

    It will:

    Remove the Adtomi Spyware files from the Windows Folder
    Clean the Startup Folders
    Create Backups of the Adtomi exe files it deletes and save them in this folder
    Create a list of all oddly named files deleted from the Windows Folder
    Uninstall the Browserhelper.dll browser plugin
    Start HijackThis and give you directions on what to remove.


    When you have finished please restart the computer.

    Go to the folder that you extracted the Adtomi cleanup files to and find the Adtomi.txt file. Copy and paste the contents of that text file here along with a fresh Hijack This log. There will be a bit left to remove with Hijack This.
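The three file-system steps the post says the cleanup does (move the suspect executables out of the Windows folder into a backup rather than just deleting them, clear the matching shortcuts from the startup folders, and write a list of what was removed) as an added Python example. This is not Mosaic1's script and not code from this thread; the directory layout, the rule that a shortcut matches a suspect by name stem (7ORGT3OO.lnk for 7orgt3oo.exe), the report file name and the sample tree are all assumptions for the example. The list of suspects is passed in, so it can be fed from a log triage or typed by hand, and the suspect processes are assumed to have been ended first, as the post instructs.

```python
"""Quarantine flagged files the way the cleanup described above is said to work:
move each suspect .exe out of the Windows root into a backup folder (never a
bare delete), remove the startup-folder shortcuts that point at them, and write
a report. Paths, the stem-based shortcut match and the report file name are
assumptions for this example, not taken from the original script.
"""
import shutil
from pathlib import Path


def quarantine(windows_dir, startup_dirs, backup_dir, suspects):
    """Move suspect files from windows_dir to backup_dir and delete matching .lnk files.

    suspects: iterable of basenames such as "7orgt3oo.exe" (matched case-insensitively,
    because the Windows file system is). Returns a report dict; the same report is
    written to backup_dir/quarantine_report.txt. Assumes the suspect processes were
    already ended, as the post instructs; a running file cannot be moved on Win9x.
    """
    windows_dir, backup_dir = Path(windows_dir), Path(backup_dir)
    wanted = {s.lower() for s in suspects}
    stems = {Path(s).stem.lower() for s in suspects}
    backup_dir.mkdir(parents=True, exist_ok=True)
    report = {"quarantined": [], "missing": [], "shortcuts_removed": []}

    # Only regular files directly in the Windows root are touched; subfolders are left alone.
    for p in sorted(windows_dir.iterdir()):
        if p.is_file() and p.name.lower() in wanted:
            dest = backup_dir / p.name
            n = 1
            while dest.exists():  # keep earlier backups rather than overwrite them
                dest = backup_dir / f"{p.name}.{n}"
                n += 1
            shutil.move(str(p), str(dest))
            report["quarantined"].append(p.name.lower())

    report["missing"] = sorted(wanted - set(report["quarantined"]))

    # A shortcut is matched by its stem (7ORGT3OO.lnk -> 7orgt3oo.exe); other .lnk files stay.
    for d in startup_dirs:
        for p in sorted(Path(d).iterdir()):
            if p.is_file() and p.suffix.lower() == ".lnk" and p.stem.lower() in stems:
                p.unlink()
                report["shortcuts_removed"].append(p.name)

    lines = [f"quarantined: {n}" for n in report["quarantined"]]
    lines += [f"not found: {n}" for n in report["missing"]]
    lines += [f"shortcut removed: {n}" for n in report["shortcuts_removed"]]
    (backup_dir / "quarantine_report.txt").write_text("\n".join(lines) + "\n")
    return report


def build_demo_tree(root):
    """Constructed sample tree mirroring the log above: two suspect files, one legitimate
    file, two suspect shortcuts and one legitimate shortcut. Returns (windows_dir, startup_dirs)."""
    root = Path(root)
    win = root / "WINDOWS"
    user_startup = root / "Start Menu" / "Programs" / "StartUp"
    all_users_startup = root / "All Users" / "Start Menu" / "Programs" / "StartUp"
    for d in (win, user_startup, all_users_startup):
        d.mkdir(parents=True, exist_ok=True)
    for name in ("7orgt3oo.exe", "u0xd3dlv.exe", "EXPLORER.EXE"):
        (win / name).write_bytes(b"MZ")  # placeholder contents, not real binaries
    (user_startup / "7ORGT3OO.lnk").write_bytes(b"L")
    (user_startup / "Quicken Scheduled Updates.lnk").write_bytes(b"L")
    (all_users_startup / "U0XD3DLV.lnk").write_bytes(b"L")
    return win, [user_startup, all_users_startup]


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())
    win, startups = build_demo_tree(root)
    print(quarantine(win, startups, root / "backup", ["7orgt3oo.exe", "U0XD3DLV.EXE", "zhjgodte.exe"]))
    print((root / "backup" / "quarantine_report.txt").read_text())
```

The report is what you would paste back into the thread alongside the fresh log: it records what was moved, what was named but not present (a sign the list is stale or the file was already removed by another tool), and which shortcuts went with it. Because the files are moved rather than deleted, a false positive costs only a copy back from the backup folder.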
     
Short URL to this thread: https://techguy.org/222100