Spyware/Trojans and I still have more[RESOLVED]


This topic is locked.

#16 DurangoDAWG (Topic Starter, Member, 22 posts)

I removed the Slmss folder.

I did a RegSearch of novo and Kazaa (still some registry stuff out there - guess I have to delete them manually ???)

REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.2

; Results at 11/13/2005 7:42:11 PM for strings:
; 'kazaa'
; 'novo'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\N. Central Asia Standard Time]
"Display"="(GMT+06:00) Almaty, Novosibirsk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Novo]




[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260240CF-5AD9-4A62-A0CB-A0963F852894}]
@="KazaaMan Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260240CF-5AD9-4A62-A0CB-A0963F852894}\ProgID]
@="KazaaConnect.KazaaMan.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260240CF-5AD9-4A62-A0CB-A0963F852894}\VersionIndependentProgID]
@="KazaaConnect.KazaaMan"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55A3781E-5251-4894-AA7D-DF389C5795A9}]
@="IKazaaMan"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan]
@="KazaaMan Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan\CurVer]
@="KazaaConnect.KazaaMan.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan.1]
@="KazaaMan Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BFD09628-386E-42E6-9EFF-D0FDC15BB36C}\1.0]
@="KazaaConnect 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\KOptimizer]
"UninstallContentPath"="C:\\Program Files\\Kazaa\\Content"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="kazaa"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"e"="C:\\SpyWare Folder\\bfu\\bfu\\Kazaa 2.0.2.bfu"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"i"="C:\\SpyWare Folder\\bfu-kazaabegone.zip"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"j"="C:\\SpyWare Folder\\bfu\\bfu\\Kazaa 2.0.bfu"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bfu]
"a"="C:\\SpyWare Folder\\bfu\\bfu\\Kazaa 2.0.2.bfu"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bfu]
"b"="C:\\SpyWare Folder\\bfu\\bfu\\Kazaa 2.0.bfu"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\zip]
"g"="C:\\SpyWare Folder\\bfu-kazaabegone.zip"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Kazaa Media Desktop]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kazaa-lite.ws]

; End Of The Log...
  • 0

#17 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

They're just ghost entries... and some ought to be there. I'll write a little reg file to delete the bad one, but probably won't get it till tomorrow.

Like I say, they are just useless ghost entries... I think we can call you clean and good to go. Everything running OK?
  • 0
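The search report above mixes genuine leftovers (the Novo and KazaaConnect keys) with incidental substring hits ("novo" inside the Novosibirsk time-zone name, MRU lists that only record the user's own cleanup downloads). As an added example, not part of this thread and not Bobbi Flekman's tool or the reg file jwbirdsong offers to write, the Python script below parses a RegSearch REGEDIT4 report, sorts each key into incidental / review / leftover buckets, and emits a REGEDIT4 deletion file for the leftovers, collapsing subkeys under a parent that is itself being deleted. The sample input is a constructed, shortened copy of the log posted above; the marker lists that decide what is incidental are this example's own assumption and should be adjusted per case.

```python
import re

# Constructed excerpt of the RegSearch report posted above: same format, shortened,
# with one CLSID subkey kept so the parent/child collapse below has something to do.
SAMPLE_REPORT = r"""REGEDIT4

; Registry Search by Bobbi Flekman (c) 2005
; Results at 11/13/2005 7:42:11 PM for strings:
; 'kazaa'
; 'novo'

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\N. Central Asia Standard Time]
"Display"="(GMT+06:00) Almaty, Novosibirsk"

[HKEY_LOCAL_MACHINE\SOFTWARE\Novo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260240CF-5AD9-4A62-A0CB-A0963F852894}]
@="KazaaMan Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260240CF-5AD9-4A62-A0CB-A0963F852894}\ProgID]
@="KazaaConnect.KazaaMan.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\KazaaConnect.KazaaMan]
@="KazaaMan Class"

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"e"="C:\\SpyWare Folder\\bfu\\bfu\\Kazaa 2.0.2.bfu"

; End Of The Log...
"""

# Assumption of this example: key families where a substring hit is incidental
# (time-zone display names, Explorer/Search MRU lists recording the user's own files).
INCIDENTAL_MARKERS = (
    "\\CurrentVersion\\Time Zones\\",
    "\\Explorer\\ComDlg32\\OpenSaveMRU\\",
    "\\Explorer\\MenuOrder\\",
    "\\Search Assistant\\ACMru\\",
)
# Families that need a human decision: IE zone-map domain entries may be a deliberate
# restricted-zone listing added by a blocklist tool rather than a leftover.
REVIEW_MARKERS = ("\\Internet Settings\\ZoneMap\\Domains\\",)

KEY_RE = re.compile(r"^\[(.+)\]$")
TERM_RE = re.compile(r"^; '(.+)'$")


def parse_report(text):
    """Return (search_terms, {key_path: [value_lines]}) from a REGEDIT4 search report."""
    terms, keys, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TERM_RE.match(line)
        if m:
            terms.append(m.group(1))
            continue
        if line.startswith(";") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])  # a key repeated per value collapses to one entry
            continue
        if current is not None:
            keys[current].append(line)
    return terms, keys


def classify(keys):
    """Bucket each key path as 'incidental', 'review' or 'leftover'."""
    buckets = {"incidental": [], "review": [], "leftover": []}
    for key in keys:
        if any(marker in key for marker in INCIDENTAL_MARKERS):
            buckets["incidental"].append(key)
        elif any(marker in key for marker in REVIEW_MARKERS):
            buckets["review"].append(key)
        else:
            buckets["leftover"].append(key)
    return buckets


def collapse_to_roots(paths):
    """Drop keys whose parent is also listed; deleting the parent removes its subkeys."""
    roots = []
    for p in sorted(paths, key=len):
        if not any(p.startswith(r + "\\") for r in roots):
            roots.append(p)
    return roots


def deletion_reg(leftover):
    """Build a REGEDIT4 file that removes the given keys (a leading '-' means delete)."""
    lines = ["REGEDIT4", ""] + ["[-%s]" % k for k in collapse_to_roots(leftover)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    terms, keys = parse_report(SAMPLE_REPORT)
    buckets = classify(keys)
    print("searched for:", terms)
    for name, paths in buckets.items():
        print("%s (%d):" % (name, len(paths)), *paths, sep="\n  ")
    print(deletion_reg(buckets["leftover"]))
```

The generated file is meant to be read before it is imported: the "review" bucket is deliberately left out of it, and anything the operator disagrees with in the "leftover" bucket should be moved to the marker lists rather than edited out of the output by hand.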

#18 DurangoDAWG (Topic Starter, Member, 22 posts)

Everything seems to be fine, just slow (it only has 128MB of RAM, so I will have to get them more RAM). I currently have TrojanHunter, Ewido and AVG running on startup; are all of these necessary?
  • 0

#19 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Well, you could stop EITHER ewido or TrojanHunter as they overlap pretty much, but leave AVG and at least one of those. Go ahead and post a FINAL HJT log and I'll post some final steps for ya, but I'll wait till tomorrow and get your reg file to kill those ghost entries.
  • 0

#20 DurangoDAWG (Topic Starter, Member, 22 posts)

I see that both TrojanHunter and Ewido are trial versions. When I give the PC back to my friend, will they have to continue the subscription, or will it still guard but not download new updates?

HJT log follows:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:15 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\wuauclt.exe
C:\SpyWare Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131603448825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0

#21 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

TrojanHunter will cease to function and you will lose the premium feature of Ewido.

Congratulations, your log is clean.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download are available at the link in my signature.

And also see TonyKlein's good advice in "So how did I get infected in the first place?"
  • 0

#22 DurangoDAWG (Topic Starter, Member, 22 posts)

I may have spoken too soon. I am getting occasional pop-ups that cover the entire screen (and taskbar).
  • 0

#23 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

See if this is your problem: http://www.daniweb.c...hread13221.html
The fix is: Go to Start > Control Panel > Display. The Display Properties dialog box will open up. Click on the Desktop tab, click on the Customize Desktop button, then click on the Web tab. Remove the check marks from any items listed in the "Web pages" box. Make sure that "Lock desktop items" is unchecked as well. Hit OK twice.

If that's not it, can you describe it in a little more detail please?
  • 0

#24 DurangoDAWG (Topic Starter, Member, 22 posts)

No, they just seem to be very large pop-ups (not all of them). I am able to get to the taskbar and then close them out. I saw a couple for 888.com (casino website, although the spyware may not be from them). One just popped up for adchannel.contextplus.net. I am currently running the ewido scanner and it found 9 items (almost done). AdAware and SpyBot came up clean.
  • 0

#25 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Need to check a couple of things please.

Would you use Bobbi Flekman's tool again and do a reg search for

adchannel

--- you MUST do it in Safe Mode.

See if you have a

ContextPlus

in Add/Remove in Control Panel.

Post the reg search log and whether or not ContextPlus is present in Add/Remove.
  • 0

#26 DurangoDAWG (Topic Starter, Member, 22 posts)

RegSearch did find something, but no ContextPlus in Add/Remove. I did run ewido and it found and removed another item (see below). Another couple of windows popped up (not sure if they are different errors or part of the first one). The windows were:
WinFixer2005 (this was an ad for WinFixer2005)
count.exitexchange.com/exit/1100741

REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.2

; Results at 11/14/2005 7:25:28 PM for strings:
; 'adchannel'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\CoiesAz8dl8m]
"ServerAddress"="adchannel.contextplus.net"

[HKEY_LOCAL_MACHINE\SOFTWARE\CoiesAz8dl8m]
"LegalNote"="http://adchannel.con...onbranded.html"

; End Of The Log...


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:54:44 PM, 11/13/2005
+ Report-Checksum: 87EB1ABD

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{C52CBAEC-D969-4635-9F50-426CC15CE463} -> Spyware.MyBHOSpy : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2R2RG7YV\mm[2].js -> Spyware.Chitika : Cleaned with backup


::Report End
  • 0

#27 DurangoDAWG (Topic Starter, Member, 22 posts)

Also, productopinions.org pop-ups are popping up. Doing a RegSearch gave:

REGEDIT4

; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.2

; Results at 11/14/2005 7:41:00 PM for strings:
; 'productop'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\ProductOptions]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions]

[HKEY_USERS\S-1-5-21-3675345140-2382750585-1605616401-1003\Software\Google\NavClient\1.1\History]
"productopinions.org"=hex:4e,58,79,43

; End Of The Log...
  • 0

#28 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

DurangoDAWG,
Please make sure these instructions are followed TO THE LETTER.

Please download AproposFix © Swandog46 from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

Edited by jwbirdsong, 14 November 2005 - 10:04 PM.

  • 0

#29 DurangoDAWG (Topic Starter, Member, 22 posts)

AproposFix log and HJT follow.

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Owner\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CoiesAz8dl8m]
@="Y654_:0IJJIJJKJ7ioTWGBMIJJIYLJsejjpJoGAB 4POJz90D 9AJ 3Vy4y0wKAGA"
"Device"="\\\\.\\pMS7Ayt0"
"DriverPath"="C:\\WINNT\\System32\\drivers\\el9cmcia.sys"
"DriverName"="Conm_hi"
"HideUninstallerName"="C:\\Program Files\\Ame corp\\wexsvcrt.exe"
"HDll"="C:\\WINNT\\System32\\newegwiz.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="WB.OLD"
"InstallationId"="{Xe785580-004d-387d-4af2-59b3b061f0b3}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Ame corp\\imgocmgr.exe"
"AutoUpdater"="C:\\WINNT\\System32\\aaadosys.exe"
"Version"="2.0.106"
"LastAURestoreMsgTS"="2005:11:13-06:41:16:187"

************

Removing hidden service:
Service Conm_hi removed.

Removing hidden folder:

Deleting files:

Deletion of file C:\WINNT\System32\drivers\el9cmcia.sys succeeded!
Deletion of file C:\WINNT\System32\aaadosys.exe succeeded!
Deletion of file C:\WINNT\System32\newegwiz.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CoiesAz8dl8m]
[-HKEY_LOCAL_MACHINE\Software\CoiesAz8dl8m]

Done!

Finished!

Logfile of HijackThis v1.99.1
Scan saved at 8:39:55 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\SpyWare Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131603448825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINNT\SYSTEM32\LxrSG20s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
  • 0
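The AproposFix log above is worth reading as two halves: the malware's own configuration (driver path, hidden service name, helper DLL, updater, client and "HideUninstaller" executables, ad server address) and the list of what the tool actually removed. Cross-checking one against the other is the step a helper does by eye before declaring a machine clean. As an added example, not part of this thread and not AproposFix's own code, the Python script below parses such a log, extracts every file path the configuration referenced, and reports which of them the log never says were deleted (here the two executables under "Ame corp"), so they can be checked by hand. The sample input is a constructed, shortened copy of the log posted above; the output field names are this example's own.

```python
import re

# Constructed excerpt of the AproposFix log posted above (same lines, shortened).
SAMPLE_LOG = r"""Log of AproposFix v1

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CoiesAz8dl8m]
"Device"="\\\\.\\pMS7Ayt0"
"DriverPath"="C:\\WINNT\\System32\\drivers\\el9cmcia.sys"
"DriverName"="Conm_hi"
"HideUninstallerName"="C:\\Program Files\\Ame corp\\wexsvcrt.exe"
"HDll"="C:\\WINNT\\System32\\newegwiz.dll"
"ServerAddress"="adchannel.contextplus.net"
"ClientName"="C:\\Program Files\\Ame corp\\imgocmgr.exe"
"AutoUpdater"="C:\\WINNT\\System32\\aaadosys.exe"

************

Removing hidden service:
Service Conm_hi removed.

Deleting files:

Deletion of file C:\WINNT\System32\drivers\el9cmcia.sys succeeded!
Deletion of file C:\WINNT\System32\aaadosys.exe succeeded!
Deletion of file C:\WINNT\System32\newegwiz.dll succeeded!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CoiesAz8dl8m]
[-HKEY_LOCAL_MACHINE\Software\CoiesAz8dl8m]

Done!
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
DELETED_RE = re.compile(r"^Deletion of file (?P<item>.+) succeeded!$")
SERVICE_RE = re.compile(r"^Service (?P<item>\S+) removed\.$")
KEYDEL_RE = re.compile(r"^\[-(?P<item>.+)\]$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def unescape(data):
    """REGEDIT4 string data doubles backslashes; undo that to get a real path."""
    return data.replace("\\\\", "\\")


def parse_log(text):
    """Split the log into what the config referenced and what the tool removed."""
    found = {"paths": {}, "service": None, "server_address": None}
    done = {"files": set(), "services": set(), "keys": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group("name"), unescape(m.group("data"))
            if DRIVE_PATH_RE.match(data):       # skip device names like \\.\pMS7Ayt0
                found["paths"][name] = data
            elif name == "DriverName":
                found["service"] = data
            elif name == "ServerAddress":
                found["server_address"] = data
            continue
        for rx, bucket in ((DELETED_RE, "files"), (SERVICE_RE, "services"), (KEYDEL_RE, "keys")):
            m = rx.match(line)
            if m:
                done[bucket].add(m.group("item"))
                break
    return found, done


def residual_artifacts(found, done):
    """Paths the config referenced that the log does not report as deleted."""
    return sorted(p for p in found["paths"].values() if p not in done["files"])


def summarize(text):
    found, done = parse_log(text)
    return {
        "service_removed": found["service"] in done["services"],
        "keys_removed": sorted(done["keys"]),
        "files_removed": sorted(done["files"]),
        "verify_manually": residual_artifacts(found, done),
        "server_address": found["server_address"],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print("%-16s %s" % (k + ":", v))
```

The "verify_manually" list is not a claim that those files still exist: the tool may have handled them without logging it, or they may never have been dropped. It is the list of things to confirm with a file search before the final "clean" verdict, which is exactly why the helper asks for a fresh HijackThis log alongside the tool's output.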

#30 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

That SHOULD take care of those "secret pop-ups" you were getting... run for a day and see how it goes. You show no firewall running. Do you just use the Windows XP firewall? Or maybe a hardware firewall? Just kinda curious.

Let's see if the popups stay gone this time... My bet is yes, but I was wrong once before!!
Are you 100% current on Windows Updates / Critical Updates?
  • 0





