OK Teckies..need your help


8 Ball
04-27-2005, 09:56 PM
Very recently my comp has been getting an extreme amount of adware & trojan attacks, now I think I've managed to get rid of most of it through various virus scans & spyware removers *crosses fingers* except for this extremely annoying HTML document that has taken over my desktop wallpaper. Basically it covers it up with its own message (something akin to IS YOUR COMPUTER INFECTED?????? etc..) and I have been unable to remove it thus far. It's also giving me the standard fare of IE pop-ups (If I see ONE more Viagra ad...grrrrr). Anyone have any experience dealing with this particular annoyance? I'm guessing some of my registry has been trifled with but I don't have the tech knowledge to deal with it :D.

Sebastian Kain
04-27-2005, 09:59 PM
Is this the name of it?

Trojan-Spy.HTML.Smitfraud.c

I have the blasted thing too...I have a whole thread about it in the spam forums called "I'm Furious....S.O.B..."

The Widowed
04-27-2005, 10:02 PM
Microsoft AntiSpyware
+ Spybot Search and Destroy
+ EZ Antivirus
+ Kazaa uninstalled
---------------------------------------------
A bulletproof IE and peace on the internet. :D

8 Ball
04-27-2005, 10:06 PM
Don't think I've seen that one mentioned anywhere in my scans SK :D

For anyone that knows about this stuff here is my "Hijack this" log file.

EDIT: damn, just looked at some of the logfile and found part of the problem, damned spyware add on toolbars :D.



Logfile of HijackThis v1.99.1
Scan saved at 6:05:02 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\ahtun.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\windows\system32\taskmg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Documents and Settings\Shawn.SHAWN-U4W5L42A5\Application Data\emon.exe
C:\WINDOWS\System32\??ool32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Shawn.SHAWN-U4W5L42A5\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {47F4B603-7C9B-544E-CBA2-71D207D9DFC8} - C:\WINDOWS\System32\ulp.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\dllcache\svchost.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [eSgcclY] C:\WINDOWS\wpwgrk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegiy32.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [yfsetgp] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [oetvkna] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [tbtgjft] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hmdgoem] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [xhdjrao] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [yuvktny] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hrmbupg] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hxvmnrc] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [cimaslu] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [tdnriqo] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [qrvfbot] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [snwaxdy] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [axfiliv] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [dxlfahl] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [qohrrvx] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [stnrqdq] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [jnwfiox] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [coduwvr] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [aikwpkr] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [qriilay] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [nsorlnc] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [benlkdp] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [upeikpd] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hfvadxd] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [wghwtya] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [esiwyhy] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [vuqjsnm] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [ohrygcn] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [gghqona] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [xjoigcr] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [elavvad] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [sykjgbw] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [mpybwox] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hlucqgv] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [jemwayl] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [dahlexu] c:\windows\lecypyn.exe
O4 - HKCU\..\Run: [Ceab] C:\Documents and Settings\Shawn.SHAWN-U4W5L42A5\Application Data\emon.exe
O4 - HKCU\..\Run: [Ntrdu] C:\WINDOWS\System32\??ool32.exe
O4 - HKCU\..\Run: [jejyhck] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [inlqcii] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [ejmljiu] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [peiknxo] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [muigdyx] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [ucjyepx] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [wqsrelq] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [gqdsmdv] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [qmhyrkj] c:\windows\fxjvfwi.exe
O4 - HKCU\..\Run: [aeihcva] c:\windows\fxjvfwi.exe
O4 - HKCU\..\Run: [odambiw] c:\windows\fxjvfwi.exe
O4 - HKCU\..\Run: [vtuxoic] c:\windows\fxjvfwi.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Microsoft AntiSpyware helper - {90DF0DF7-BA7C-44CB-AF64-BD3A4E21D784} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {90DF0DF7-BA7C-44CB-AF64-BD3A4E21D784} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0FE80489-398E-12B2-7A2B-44CD62AA6434} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
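
An added example, not part of this thread and not HijackThis's own code: a small Python triage pass over the kinds of lines in the log above. It encodes the tells a reviewer looks for by hand: one executable re-registered under many random Run value names, seven-letter random names sitting in the Windows root, a file name HJT prints with `??`, a system binary name in the wrong directory or a near look-alike of one (taskmg.exe), an executable launched from Application Data, an unknown Winsock LSP, a Trusted Zone entry, an ActiveX download from a bare IP or a raw .exe, and a service with no vendor string. The sample log is a subset of the lines posted above; the system-name list, the trusted search hosts, the look-alike threshold and the severity labels are my assumptions.

```python
"""Heuristic triage of HijackThis log lines. Added example; not HJT's own code."""
from __future__ import annotations
import re
from collections import defaultdict
from difflib import SequenceMatcher
from typing import NamedTuple
from urllib.parse import urlparse


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low"
    section: str   # HJT section tag such as "O4"
    target: str    # file, URL or service the finding refers to
    reason: str


# Lines copied from the log posted above; atiptaxx.exe and LexBceS stay in as benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\dllcache\svchost.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKCU\..\Run: [yfsetgp] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [oetvkna] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [tbtgjft] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hmdgoem] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [Ceab] C:\Documents and Settings\Shawn\Application Data\emon.exe
O4 - HKCU\..\Run: [Ntrdu] C:\WINDOWS\System32\??ool32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0FE80489-398E-12B2-7A2B-44CD62AA6434} - http://69.50.182.94/1/rdgCA1882.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
SYSTEM_NAMES = {"svchost.exe", "taskmgr.exe", "explorer.exe", "lsass.exe", "winlogon.exe", "spoolsv.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}  # assumed XP layout, as in the log
SEARCH_HOSTS_OK = ("microsoft.com", "msn.com")  # assumed: where IE's own search pages point


def inspect_image(path: str) -> list[tuple[str, str]]:
    """Name/location checks on one launched executable; returns (severity, reason) pairs."""
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    hits = []
    if "?" in base:
        hits.append(("high", "file name contains characters HJT could not print"))
    if directory == r"c:\windows" and re.fullmatch(r"[a-z]{7}\.exe", base):
        hits.append(("high", "random-looking 7-letter executable in the Windows root"))
    if "\\application data\\" in low:
        hits.append(("high", "executable launched from a profile's Application Data"))
    if base in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        hits.append(("high", "system binary name outside its normal directory"))
    elif base not in SYSTEM_NAMES and any(SequenceMatcher(None, base, s).ratio() >= 0.9 for s in SYSTEM_NAMES):
        hits.append(("high", "name is a near look-alike of a system binary"))
    return hits


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    run_names: dict[str, set[str]] = defaultdict(set)  # image -> Run value names launching it
    for m in filter(None, (LINE_RE.match(line.strip()) for line in log_text.splitlines())):
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4" and (m4 := O4_RE.match(body)) and (mx := EXE_RE.match(m4.group("cmd"))):
            image = mx.group("path")
            run_names[image.lower()].add(m4.group("name"))
            findings += [Finding(sev, sec, image, why) for sev, why in inspect_image(image)]
        elif sec in ("R0", "R1", "R3"):
            for url in URL_RE.findall(body):
                if not (urlparse(url).hostname or "").endswith(SEARCH_HOSTS_OK):
                    findings.append(Finding("medium", sec, url, "IE search page redirected to a third-party host"))
        elif sec == "O10":
            findings.append(Finding("high", sec, body.split(": ", 1)[-1], "unknown Winsock LSP; it sees every socket"))
        elif sec == "O15":
            findings.append(Finding("medium", sec, body.split(": ", 1)[-1], "site added to the IE Trusted zone"))
        elif sec == "O16" and (mu := URL_RE.search(body)):
            host = urlparse(mu.group()).hostname or ""
            if re.fullmatch(r"\d+(\.\d+){3}", host) or mu.group().lower().endswith(".exe"):
                findings.append(Finding("high", sec, mu.group(), "ActiveX download from a bare IP or a raw .exe"))
        elif sec == "O23" and "Unknown owner" in body:
            findings.append(Finding("low", sec, body.split(" - ")[-1], "service with no vendor string"))
    for image, names in run_names.items():
        if len(names) >= 3:  # one file re-registered under many throwaway value names
            findings.append(Finding("high", "O4", image, f"registered under {len(names)} different Run value names"))
    return findings


def reasons_for(findings: list[Finding], needle: str) -> list[str]:
    """Reasons of the findings whose target contains `needle` (case-insensitive)."""
    return [f.reason for f in findings if needle.lower() in f.target.lower()]


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG)):
        print(f"{f.severity:6} {f.section:4} {f.target}  <- {f.reason}")
```

Name-based rules are only a first pass: canada.exe and elitegiy32.exe in the log get no hit from them, which is exactly why the advice further down to look up every name before deleting still applies.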

Kinetix
04-27-2005, 10:35 PM
If you can find the name HiJackThis should do nicely.

I highly recommend Microsoft Anti-Spyware beta also.

Sebastian Kain
04-28-2005, 10:21 AM
We've tried all of those things for mine last night..and it still isn't back to normal... :cry:

suburbanhell
04-28-2005, 11:09 AM
Just taking a brief look, however....I would remove the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [eSgcclY] C:\WINDOWS\wpwgrk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegiy32.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [yfsetgp] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [oetvkna] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [tbtgjft] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hmdgoem] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [xhdjrao] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [yuvktny] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hrmbupg] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hxvmnrc] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [cimaslu] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [tdnriqo] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [qrvfbot] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [snwaxdy] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [axfiliv] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [dxlfahl] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [qohrrvx] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [stnrqdq] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [jnwfiox] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [coduwvr] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [aikwpkr] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [qriilay] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [nsorlnc] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [upeikpd] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hfvadxd] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [wghwtya] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [esiwyhy] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [vuqjsnm] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [ohrygcn] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [gghqona] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [xjoigcr] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [elavvad] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [sykjgbw] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [mpybwox] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hlucqgv] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [jemwayl] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [dahlexu] c:\windows\lecypyn.exe
O4 - HKCU\..\Run: [Ceab] C:\Documents and Settings\Shawn.SHAWN-U4W5L42A5\Application Data\emon.exe
O4 - HKCU\..\Run: [Ntrdu] C:\WINDOWS\System32\??ool32.exe
O4 - HKCU\..\Run: [jejyhck] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [inlqcii] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [ejmljiu] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [peiknxo] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [muigdyx] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [ucjyepx] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [wqsrelq] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [gqdsmdv] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [qmhyrkj] c:\windows\fxjvfwi.exe
O4 - HKCU\..\Run: [aeihcva] c:\windows\fxjvfwi.exe
O4 - HKCU\..\Run: [odambiw] c:\windows\fxjvfwi.exe
O4 - HKCU\..\Run: [vtuxoic] c:\windows\fxjvfwi.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0FE80489-398E-12B2-7A2B-44CD62AA6434} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe


But make sure to do a Google search for EVERY ONE of these .exe files before pulling the trigger since I don't know what's on your computer so there might be valid programs that I'm not familiar with.

You may have to run HJT in safemode after you've gotten rid of these things to remove any trojan downloaders and annoyances that keep regenerating.

Tarberetta
04-28-2005, 01:06 PM
Wish I was good enough to wade through a HJT file and pick the bad stuff. Like Burby said, google the .exe names and see what it tells you before you pull the trigger.

Remianen
04-28-2005, 01:07 PM
My suggestion: Get rid of IE. Don't use it. It's the most easily broken into browser on the planet.

I use Firefox and have never had a problem with spyware or trojans or viruses coming in via my browser. I've had friends throw some pretty imaginative viruses at me (we develop them for fun because 2 of my friends work for security firms and do that for a living) but none have been able to reach me except by email (then it's on me for having accepted it).

IE has a serious case of the bloat and I absolutely abhor bloatware.

Tarberetta
04-28-2005, 01:10 PM
oh yea, check into getting spywareblaster from Javacool too.

suburbanhell
04-28-2005, 01:16 PM
Wish I was good enough to wade through a HJT file and pick the bad stuff. Like Burby said, google the .exe names and see what it tells you before you pull the trigger.

I might be able to wade through an HJT file but I can't open up my car door to fix a window motor :p

8 Ball
04-28-2005, 04:02 PM
Ahhh, thanks Burbs. Sorting through the mess now...this white screen that's replaced my wallpaper is starting to piss me off (it was a giant ad I managed to remove somehow, it just hasn't been fully restored yet).

Thermyte
04-28-2005, 04:07 PM
Hijack This is great.

What you can do is take those processes, and the ones that you're not sure about, google it. Then you can see what the task is, if it's a virus, adware, and whatnot; it even will show you how to remove it.

Edit:

Once you detect the suspicious ones, just end the process and see if it does anything.

suburbanhell
04-28-2005, 04:26 PM
Ahhh, thanks Burbs. Sorting through the mess now...this white screen that's replaced my wallpaper is starting to piss me off (it was a giant ad I managed to remove somehow, it just hasn't been fully restored yet).

Np, you're probably a day or two worth of cleaning and frustration away from getting everything, but you're definitely on the right track. Something taking up your wallpaper with an ad -- that's a new one though, and I'm suddenly glad I haven't come across it yet.

8 Ball
04-28-2005, 04:43 PM
Yeah, I'm starting to think it might just be easier to re-format the whole deal :D (I did so a few weeks ago so I wouldn't be losing a lot of stuff).

D'Arkaine
04-28-2005, 04:54 PM
I have had to fix a customer's system with that problem before.

The HiJackThis, Spybot, Ad-Aware route didn't kill it. I found some info on a spyware forum that did help. Let me try to find that article again and I'll post a link.

edited for HJT
As for what I would kill in HijackThis...I bolded the ones. Do this in safe mode. I would manually look in your Windows folder for one of those odd files like qqlmbdn.exe and sort by date. Take a look at anything that is the same size as that file from the same date.

After removing this, run adaware and spybot again in safe mode.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {47F4B603-7C9B-544E-CBA2-71D207D9DFC8} - C:\WINDOWS\System32\ulp.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\system32\dllcache\svchost.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [eSgcclY] C:\WINDOWS\wpwgrk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegiy32.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\canada.exe -N
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [yfsetgp] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [oetvkna] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [tbtgjft] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hmdgoem] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [xhdjrao] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [yuvktny] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hrmbupg] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hxvmnrc] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [cimaslu] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [tdnriqo] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [qrvfbot] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [snwaxdy] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [axfiliv] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [dxlfahl] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [qohrrvx] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [stnrqdq] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [jnwfiox] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [coduwvr] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [aikwpkr] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [qriilay] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [nsorlnc] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [benlkdp] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [upeikpd] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hfvadxd] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [wghwtya] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [esiwyhy] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [vuqjsnm] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [ohrygcn] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [gghqona] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [xjoigcr] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [elavvad] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [sykjgbw] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [mpybwox] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [hlucqgv] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [jemwayl] c:\windows\qqlmbdn.exe
O4 - HKCU\..\Run: [dahlexu] c:\windows\lecypyn.exe
O4 - HKCU\..\Run: [Ceab] C:\Documents and Settings\Shawn.SHAWN-U4W5L42A5\Application Data\emon.exe
O4 - HKCU\..\Run: [Ntrdu] C:\WINDOWS\System32\??ool32.exe
O4 - HKCU\..\Run: [jejyhck] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [inlqcii] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [ejmljiu] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [peiknxo] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [muigdyx] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [ucjyepx] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [wqsrelq] c:\windows\uhhkqlo.exe
O4 - HKCU\..\Run: [gqdsmdv] c:\windows\elcgmbp.exe
O4 - HKCU\..\Run: [qmhyrkj] c:\windows\fxjvfwi.exe
O4 - HKCU\..\Run: [aeihcva] c:\windows\fxjvfwi.exe
O4 - HKCU\..\Run: [odambiw] c:\windows\fxjvfwi.exe
O4 - HKCU\..\Run: [vtuxoic] c:\windows\fxjvfwi.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Microsoft AntiSpyware helper - {90DF0DF7-BA7C-44CB-AF64-BD3A4E21D784} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {90DF0DF7-BA7C-44CB-AF64-BD3A4E21D784} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0FE80489-398E-12B2-7A2B-44CD62AA6434} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M.../bridge-c18.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\System32\ahtun.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
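
An added example, not from the thread, for the sort-by-date check in the post above: given a directory listing, it returns the files modified within a window of a known-bad one, optionally only those of identical size, which is what a dropper writing the same payload under several random names looks like on disk. The names in the sample come from the log; the sizes and timestamps are constructed for the demo.

```python
"""Files written in the same burst as a known-bad one. Added example; not from the thread."""
from __future__ import annotations
import os
from typing import Iterable, NamedTuple


class Entry(NamedTuple):
    name: str
    size: int
    mtime: float  # last-modified time, seconds since the epoch


def scan_dir(path: str) -> list[Entry]:
    """Listing of a real directory, e.g. scan_dir(r"C:\\WINDOWS") on the infected box."""
    out = []
    with os.scandir(path) as it:
        for d in it:
            if d.is_file(follow_symlinks=False):
                st = d.stat(follow_symlinks=False)
                out.append(Entry(d.name, st.st_size, st.st_mtime))
    return out


def siblings_of(entries: Iterable[Entry], seed_name: str,
                window: float = 1800.0, same_size_only: bool = False) -> list[str]:
    """Names of files modified within `window` seconds of `seed_name`; optionally only
    those whose size matches the seed exactly (same payload dropped under new names)."""
    entries = list(entries)
    seed = next(e for e in entries if e.name.lower() == seed_name.lower())  # StopIteration if absent
    return sorted(e.name for e in entries
                  if e is not seed and abs(e.mtime - seed.mtime) <= window
                  and (not same_size_only or e.size == seed.size))


# Constructed sample: the names are from the log above; sizes and times are invented.
T0 = 1_114_637_400.0  # 2005-04-27 21:30 UTC, an arbitrary anchor time
SAMPLE = [
    Entry("qqlmbdn.exe", 45056, T0),
    Entry("lecypyn.exe", 45056, T0 + 90),            # same burst, same size
    Entry("uhhkqlo.exe", 52224, T0 + 240),           # same burst, different size
    Entry("explorer.exe", 1032192, T0 - 400 * 86400),
    Entry("win.ini", 500, T0 - 30 * 86400),
]

if __name__ == "__main__":
    print(siblings_of(SAMPLE, "qqlmbdn.exe"))                       # ['lecypyn.exe', 'uhhkqlo.exe']
    print(siblings_of(SAMPLE, "qqlmbdn.exe", same_size_only=True))  # ['lecypyn.exe']
```

Modification times are easy to forge, so treat the result as a list of candidates to look up, not as proof; on NTFS the creation time is a second column worth sorting by, and a file that shares both a timestamp and a size with a known dropper output is a strong candidate.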

D'Arkaine
04-28-2005, 05:33 PM
ah ha...found a post. It involves registry editing...so it ain't my fault if something goes kablooey. Remember to back up your registry first.

http://castlecops.com/postlite50388-spyware+desktop+replace.html


regedit
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
In the left panel, locate and delete subkey: 0


HTH
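
An added example, not from the thread or the linked CastleCops post: the same registry edit done with Python's winreg module, but with the key enumerated and exported with reg.exe before anything is deleted, so the operator sees what each Active Desktop component points at instead of deleting subkey 0 blind. The key path is the one given above; the `Source` and `FriendlyName` value names are assumptions about how Active Desktop stores a component, and the classification rule is mine.

```python
"""Inspect, back up and remove Active Desktop components. Added example; not from the thread."""
from __future__ import annotations
import subprocess
import sys
from urllib.parse import urlparse

# Key named in the post above. The value names read below are assumptions about
# how Active Desktop records a component; check them in regedit before relying on them.
COMPONENTS_KEY = r"Software\Microsoft\Internet Explorer\Desktop\Components"
VALUE_NAMES = ("Source", "FriendlyName")


def classify_source(source: str) -> str:
    """Verdict on a component's Source. The hijack in this thread pointed the desktop at a
    local HTML file, so local paths and bare-IP URLs are 'suspect'; anything else is
    'review', because legitimate components can be local too."""
    s = source.strip().strip('"')
    if not s:
        return "empty"
    u = urlparse(s)
    if u.scheme == "file" or len(u.scheme) <= 1:  # file://..., C:\..., \\server\share, relative
        return "suspect: local file"
    host = u.hostname or ""
    if host.replace(".", "").isdigit():
        return "suspect: bare IP URL"
    return "review: " + host


def list_components() -> list[dict]:
    """Enumerate HKCU\\...\\Desktop\\Components\\<n> with a verdict each (Windows only)."""
    import winreg  # standard library, but only importable on Windows
    out = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, COMPONENTS_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            info = {"subkey": name}
            with winreg.OpenKey(root, name) as sub:
                for value in VALUE_NAMES:
                    try:
                        info[value] = str(winreg.QueryValueEx(sub, value)[0])
                    except FileNotFoundError:
                        info[value] = ""
            info["verdict"] = classify_source(info["Source"])
            out.append(info)
    return out


def backup_key(dest: str) -> None:
    """Export the whole Components key with reg.exe before anything is deleted."""
    subprocess.run(["reg", "export", "HKCU\\" + COMPONENTS_KEY, dest], check=True)


def delete_component(subkey: str) -> None:
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, COMPONENTS_KEY, 0, winreg.KEY_ALL_ACCESS) as root:
        winreg.DeleteKey(root, subkey)  # refuses a subkey with children, which a component normally lacks


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("this part needs the Windows registry")
    comps = list_components()
    for c in comps:
        print(c["subkey"], c["verdict"], repr(c["FriendlyName"]), c["Source"])
    bad = [c["subkey"] for c in comps if c["verdict"].startswith("suspect")]
    if bad and input(f"back up the key and delete subkey(s) {bad}? [y/N] ").lower() == "y":
        backup_key("desktop-components-backup.reg")
        for k in bad:
            delete_component(k)
        print("done; log off and on (or restart explorer.exe) so the desktop is redrawn")
```

The deletion only shows on the desktop once Explorer reloads its Active Desktop settings; if the file the Source pointed at is still on disk, delete that as well, and keep the exported .reg file until the machine has been clean for a while.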

8 Ball
04-28-2005, 05:44 PM
Thanks D'ark, that got rid of the white screen :D..and the system has yet to go Kablooey :P.

suburbanhell
04-28-2005, 06:00 PM
Castlecops is pretty good, but they're a little slow to answer your problems directly, glad to see you're making progress though.

Maveric
04-28-2005, 07:46 PM
when all else fails, save your important files to CDs or whatever, then format your hard drive and re-install Windows and CoH...

Greblaja
04-29-2005, 03:47 AM
I've had great results with Firefox as well. I only use IE for OS updates.

suburbanhell
04-29-2005, 11:23 AM
when all else fails, save your important files to CDs or whatever, then format your hard drive and re-install Windows and CoH...

LOL Well hopefully he won't have to go that route yet.

8 Ball
05-06-2005, 04:17 AM
Thanks for your help on this one guys, It finally looks like I've cleared out the last of the trash on my comp :D