# [Solved] Deleted Short cuts keep coming back



## bazeel (Feb 8, 2004)

I delete two short cuts from the desktop and delete them from the recycle bin. Next time I boot up - lo and behold - there they are again.

The shortcut is a search engine through Internet Explorer. Every time I activate it, the default address is a site that is NOT WANTED. So I clear history, reset the default web page to 'use blank', delete cookies and temporary internet files. Close all and restart. Like magic they (the short cuts and unwanted page reference in history) still appear.
Any help will be appreciated.


----------



## raybro (Apr 27, 2003)

Download HijackThis here. Unzip it to its own folder (create the folder first), close all open windows including browser, and open the program. Click the "Scan" button. When the scan is done, the scan button will have changed to a "Save Log" button. It will save to NotePad. Save it to a convenient place. Open the saved logfile, copy the entire file and paste it here in a post. Not as an attachment, but pasted into the body of the post.

_DO NOT FIX ANYTHING YET_. Most items in the scan will be harmless or even required to operate Windows. Wait for someone to analyze the scan and make recommendations.


----------



## bazeel (Feb 8, 2004)

Thanks Ray.
I'll be posting the log as soon as I have it. 
Basil


----------



## bazeel (Feb 8, 2004)

Hi Ray.
Following is the log file from my friend Tim's computer (XP Pro).
I first downloaded and installed Spybot S&D and scanned. The first 11 entries listed were associated with Start and Search pages that were the offending ones so I marked them for delete and ran. I then removed the items from the desktop and recycle bin, rebooted and guess what - yup they were back!
So I ran HijackThis and here is the log. Entries that refer to brutal-video.net and drusearch.com are the names of the offending shortcuts and web pages.
I really appreciate the help.
Basil.

Logfile of HijackThis v1.97.7
Scan saved at 12:21:25 PM, on 09/02/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Parent\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://brutal-video.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://drusearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://drusearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://brutal-video.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://drusearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://brutal-video.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://brutal-video.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://drusearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://drusearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://drusearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://drusearch.com/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37312.4225115741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Flrman1 (Jul 26, 2002)

Click here to download CWShredder. Close all browser windows, unzip the file, click on the cwshredder.exe then click *"Fix" (Not "Scan only")* and let it do its thing.

When it is finished restart your computer.

To help prevent this from happening again, I strongly recommend you install the following patches for the vulnerabilities that this hijacker exploits:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-075.asp

*Note:* The simplest way to make sure you have all the security patches is to go to Windows Update and install all "Critical Updates".

Also this:

*O4 - HKLM\..\Run: [windows auto update] msblast.exe*

It is most likely just a leftover from the blaster worm, but just to be safe go ahead and run this removal tool:

http://www.nod32.it/tools/LVSCLEAN.ZIP

Then post another log please.


----------



## raybro (Apr 27, 2003)

Do two things.

First, download CWShredder Here. Unzip and update it. Then click the "Fix" button in the lower right corner. Close the program.

Reboot your computer

Close any open windows (including browser) and open HJT. Run a new scan. Put a check by each of the following items and click "Fix Checked".

*Note:* Some of the items identified to be fixed may have been removed by CWShredder. Go ahead and fix the ones that are still listed.

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://brutal-video.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://drusearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://drusearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://brutal-video.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://drusearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://brutal-video.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://brutal-video.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://drusearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://drusearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://drusearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://drusearch.com/search.html
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O9 - Extra button: Related (HKLM)*

Reboot and run another HJT scan and post it.


----------
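An added example, not part of the original posts and not code from HijackThis: a small Python triage pass over log lines in the format posted in this thread, picking out the kinds of R0/R1 and O4 entries the helpers singled out. The trusted-host list and the two startup heuristics (no full path, script extension) are assumptions chosen for illustration, and the sample lines are constructed from the format shown above.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.97.7 line format shown in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://drusearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://brutal-video.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
"""
# Assumptions for this example, not rules built into HijackThis.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "bat", "cmd"}

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<loc>.+?): \[(?P<name>.*?)\] (?P<cmd>.+)$")
EXE = re.compile(r'^"?(?P<path>.+?\.(?P<ext>\w{2,4}))"?(?:\s|$)')

def triage(log_text):
    """Return (code, subject, reason) for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and " = " in body:
            key, url = body.split(" = ", 1)
            host = (urlparse(url.strip()).hostname or "").lower()
            trusted = any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)
            if host and not trusted:
                findings.append((code, key, "IE page points to " + host))
        elif code == "O4":
            run = RUN.match(body)
            exe = EXE.match(run.group("cmd")) if run else None
            if not exe:
                continue  # e.g. "Global Startup" shortcut lines
            if "\\" not in exe.group("path"):
                findings.append((code, run.group("name"), "no full path"))
            elif exe.group("ext").lower() in SCRIPT_EXTS:
                findings.append((code, run.group("name"), "script file at logon"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" | ".join(finding))
```

A flagged line is only a candidate for review; as the posts above say, most entries in a scan are harmless or required, so the output is a reading aid rather than a fix list.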



## bazeel (Feb 8, 2004)

Thanks Flrman1 and Raybro.
All is well and Tim is currently updating his win xp pro with the 40 critical updates he needs!
Thanks again.
Basil.


----------



## Flrman1 (Jul 26, 2002)

You're Welcome


----------

