#1 |
|
Member (9 bit)
Join Date: Mar 2003
Posts: 372
|
Desktop hijacked
Ok, something hijacked my desktop. It was originally an ad for some kind of spyware blocker... who in their wrong mind would use a blocker that hijacks your desktop to begin with? If you clicked it, it would redirect to a web site. I found out it was something running a program that was overlaying a website on my desktop. So I erased the program and the stored internet file, and now my desktop is solid white. I still have access to my desktop icons, but if I right-click my desktop I can't access the normal properties (with screensaver... in it). I get info on a file that is unknown... it has source info, and here it is:

style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none" bottomMargin=0 bgColor=#004e98 leftMargin=0 background="" topMargin=0 rightMargin=0>
style="Z-INDEX: 10004; BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 800px; POSITION: absolute; TOP: 1px; HEIGHT: 599px" name=DeskMovrW marginWidth=0 marginHeight=0 src="file:///C:/WINDOWS/desktop.html" frameBorder=0 scrolling=no subscribed_url="C:\WINDOWS\desktop.html" resizeable="">
style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5" classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863>
style="Z-INDEX: 10003; LEFT: -1px; VISIBILITY: hidden; WIDTH: 802px; POSITION: absolute; TOP: 0px; HEIGHT: 601px; container: positioned" classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863>

How can I get rid of this? I know my normal background is still there because if I ctrl/alt/delete to Task Manager it pops back up, and it flashes for a min on startup. I msconfiged so only necessary things are starting on startup and it is still there. Win XP.
#2 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
Read the sticky thread about HijackThis logs, do the prerequisites if you can, and post a log.
#3 |
|
Member (9 bit)
Join Date: Mar 2003
Posts: 372
|
Here is the HijackThis log. I have already run Spybot, CWShredder and a couple other programs. I had the cool search so was very happy with what shredder did. It gave me back control of Iexplorer. The only problems I have now are this desktop hijack and pop-ups. Anyone know a good free pop-up blocker as well?
Logfile of HijackThis v1.98.2
Scan saved at 2:16:46 PM, on 11/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\scagent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Wendy\LOCALS~1\Temp\Rar$EX00.128\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.upsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.upsearch.org
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.upsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.upsearch.org
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winewx32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Visit CrackPortal.com - Cracks, serialz, keygens - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://www.crackportal.com/ie/btn.php (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Visit CrackPortal.com - Cracks, serialz, keygens - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://www.crackportal.com/ie/btn.php (file missing) (HKCU)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

Last edited by glc; 11-03-2004 at 04:28 PM. Reason: Removed size tag
#4 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
1. scagent.exe is a Trojan. Housecall didn't pick it up?
2. HJT needs to be run from a dedicated folder, not from temp.
3. Use HJT to remove the following, reboot, and repost a log.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.upsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.upsearch.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.upsearch.org
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.upsearch.org
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winewx32.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Visit CrackPortal.com - Cracks, serialz, keygens - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://www.crackportal.com/ie/btn.php (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Visit CrackPortal.com - Cracks, serialz, keygens - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - http://www.crackportal.com/ie/btn.php (file missing) (HKCU)
O13 - DefaultPrefix:
O13 - WWW Prefix:
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

Also remove all the O16 items except the Housecall control.

If you stayed off the crack sites, you wouldn't get this crap.

The Google Toolbar is one of the better popup blockers out there, and it's free. A better one is to use Firefox instead of IE.

Administrative note: Please do not use the size tags when you post.
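Added example (not part of the thread, and not HijackThis's own logic): a small triage script for logs in the layout posted above. It splits a log into the running-process list and the section-coded entries (R0, O4, O16, ...), then flags the conditions post #4 reacts to: HijackThis running from a temp folder, entries marked "(no file)" or "(file missing)", and O16 entries whose download source is a bare IP address, a direct .exe, or missing. The flagging rules, the function names and the sample log are assumptions made for this example; the sample uses placeholder GUIDs, a placeholder user name and documentation-range hosts.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.98 layout (placeholder values only).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 2:16:46 PM, on 11/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX00.128\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {00000000-0000-0000-0000-0000000000A1} - (no file)
O16 - DPF: {00000000-0000-0000-0000-0000000000B1} - http://192.0.2.54/1/sample.exe
O16 - DPF: {00000000-0000-0000-0000-0000000000B2} (Scanner Control) - http://download.example.com/scan.cab
O16 - DPF: {00000000-0000-0000-0000-0000000000B3} -
"""

# "<section code> - <body>", e.g. "O16 - DPF: {...} - http://..."
ENTRY_RE = re.compile(r"^([FNOR]\d{1,2}) - (.*)$")
# O16 body: "DPF: <id> [(class name)] - [codebase URL]"
DPF_RE = re.compile(r"^DPF: (\S+)(?: \((.*?)\))? -\s*(.*)$")


def parse_log(text):
    """Return (running_processes, {section_code: [entry bodies]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False  # the process list ends at the first coded entry
            entries[match.group(1)].append(match.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            processes.append(line)
    return processes, dict(entries)


def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a DNS name."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(text):
    """Return (section, reason, detail) tuples for entries worth a second look."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        name = proc.rsplit("\\", 1)[-1].lower()
        # Post #4, point 2: HJT should run from a dedicated folder, not temp.
        if name == "hijackthis.exe" and re.search(r"\\temp\\", proc, re.I):
            findings.append(("process", "HijackThis run from a temp folder", proc))
    for section, bodies in entries.items():
        for body in bodies:
            if "(no file)" in body or "(file missing)" in body:
                findings.append((section, "references a missing file", body))
            if section != "O16":
                continue
            match = DPF_RE.match(body)
            if not match:
                continue
            ident, _label, url = match.groups()
            if not url:
                findings.append((section, "no codebase URL recorded", ident))
            elif host_is_ip(url):
                findings.append((section, "codebase served from a bare IP", url))
            elif urlparse(url).path.lower().endswith(".exe"):
                findings.append((section, "codebase is a direct .exe", url))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:8} {reason}: {detail}")
```

A flag here only means "look at this entry"; it is not a verdict, and an entry with no flag (such as the named scanner control in the sample) still has to be judged by someone who knows what it is.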
#5 |
|
Member (9 bit)
Join Date: Mar 2003
Posts: 372
|
Ok, how do I get rid of scagent and this EliteBar thing? I tried removing it with HijackThis and it just came back on its own when I rebooted. I can't use Housecall any more because trying to use it causes an error that shuts down my internet access. EliteBar removes Google's bar, bringing back my popup problem. I still don't have my desktop back.
#6 |
|
Member (9 bit)
Join Date: Mar 2003
Posts: 372
|
Logfile of HijackThis v1.98.2
Scan saved at 7:46:26 AM, on 11/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\scagent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijack\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winewx32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
#7 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
http://www.giantcompany.com/antispyw....EliteBar.aspx

Please do not attempt to manually remove these items from your computer; Removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity. Should you be infected with SearchMiracle.EliteBar, you can clean your machine of this spyware threat for free by downloading GIANT Antispyware now (Download the GIANT AntiSpyware Free trial).
http://www.giantcompany.com/download...D=70&skip=true

Oops. Good luck - I apologize for having you remove all that stuff manually - you may have to restore the HJT backup if that tool doesn't work.
#8 |
|
Member (9 bit)
Join Date: Mar 2003
Posts: 372
|
I downloaded and fully ran Giant, but still no desktop and I still have about blank. Plus Giant took 5 hrs... that's 5 hours to run a complete search.
#9 |
|
Member (9 bit)
Join Date: Mar 2003
Posts: 372
|
Ok, can someone read this source info and help me restore my desktop? All I want is my desktop back.

< !DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
< !---- ***** This file is automatically generated by Microsoft Windows ***** -------- >
< HTML >
< HEAD >
< META http-equiv=Content-Type content="text/html; charset=x-user-defined" >
< / HEAD >
< BODY style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none" bottomMargin=0 bgColor=#004e98 leftMargin=0 background="" topMargin=0 rightMargin=0 >
< IFRAME id = 0 style="Z-INDEX: 10004; BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 800px; POSITION: absolute; TOP: 1px; HEIGHT: 599px" name=DeskMovrW marginWidth=0 marginHeight=0 src="file:///C:/WINDOWS/desktop.html" frameBorder=0 scrolling=no subscribed_url="C:\WINDOWS\desktop.html" resizeable="">
style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5" classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863>
style="Z-INDEX: 10003; LEFT: -1px; VISIBILITY: hidden; WIDTH: 802px; POSITION: absolute; TOP: 0px; HEIGHT: 601px; container: positioned" classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863 >
< /OBJECT >
< /BODY >
< /HTML >

I had to go and put spaces in to keep it from erasing some of the lines from the post, but here is the source. Can someone tell me how to remove it?
#10 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,776
|
http://www.theeldergeek.com/desktop_settings.htm
Remove Web items from your desktop. UI-35 may be your key - delete everything you can.