Well, I'm having some grand luck with pop ups. I can't get rid of them. I've ran Spyware, Adaware and have Norton, but nothing can get rid of them. I had this findfast file that I thought was causing them, but no luck. At one point, or more like several points, things were cliking in the background, as if I was opening something, causing my regular page to get all mess up. It would do things like causing me to highlight the entire page and all kinds of other stuff. That hasn't seemed to have happened in a while, but the pop ups still continue. I don't know what to do anymore. I ran hijack this and this is the log it gave me:

Logfile of HijackThis v1.97.7
Scan saved at 1:42:22 AM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\Xay5.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\NrgUxg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BEIL] C:\WINDOWS\BEIL.exe
O4 - HKLM\..\Run: [2FZSMQ92999E8Z] C:\WINDOWS\System32\Upwt.exe
O4 - HKLM\..\Run: [BELRV] C:\WINDOWS\BELRV.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Dice Derby by pogo - [url]http://checkeredflag.pogo.com/applet-5.8.2.19/checkeredflag/checkeredflag-ob-assets.cab[/url]
O16 - DPF: Fortune Bingo by pogo - [url]http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab[/url]
O16 - DPF: Greenback Bayou by pogo - [url]http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab[/url]
O16 - DPF: Jungle Gin by pogo - [url]http://gin.pogo.com/applet/gin/gin-ob-assets.cab[/url]
O16 - DPF: Mah Jong Garden by pogo - [url]http://mahjong.pogo.com/applet/mahjong/mahjong-ob-assets.cab[/url]
O16 - DPF: Pop Fu by pogo - [url]http://popfu.pogo.com/applet-5.8.2.19/popfu/popfu-ob-assets.cab[/url]
O16 - DPF: Squelchies by pogo - [url]http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab[/url]
O16 - DPF: Texas Hold'em Poker by pogo - [url]http://holdem2.pogo.com/applet-5.8.2.19/holdem/holdem-ob-assets.cab[/url]
O16 - DPF: Tri-Peaks by pogo - [url]http://peaks.pogo.com/applet-5.8.3.20/peaks/peaks-ob-assets.cab[/url]
O16 - DPF: Word Whomp Whackdown by pogo - [url]http://whackdown.pogo.com/applet-5.8.2.19/whackdown/whackdown-ob-assets.cab[/url]
O16 - DPF: World Class Solitaire by pogo - [url]http://klondike.pogo.com/applet-5.8.2.19/worldclass/worldclass-ob-assets.cab[/url]
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [url]http://www.apple.com/qtactivex/qtplugin.cab[/url]
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - [url]http://www.wildtangent.com/webdrivers/webinstall/Install.cab[/url]
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - [url]http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB[/url]
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - [url]http://software-dl.real.com/285f5bcdaf8b3a41f502/netzip/RdxIE601.cab[/url]
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - [url]http://mirror.worldwinner.com/games/v40/freecell/freecell.cab[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [url]http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab[/url]
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - [url]http://mirror.worldwinner.com/games/v47/collapse/collapse.cab[/url]
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url]http://www.pandasoftware.com/activescan/as5/asinst.cab[/url]
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - [url]http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37577.9027662037[/url]
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} - [url]http://download.microsoft.com/download/vizact2000/Install/10/WIN98Me/EN-US/msorun.cab[/url]
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - [url]http://install.wildtangent.com/bgn/partners/wildgames/blasterball2Remix/install.cab[/url]
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - [url]http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab[/url]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [url]http://antu.popcap.com/games/popcaploader_v5.cab[/url]

Any help would be appreciated as this is about to drive me crazy! No matter what I do or get rid of they just keep coming back. Thanks everyone.

I think you have a number of malware viruses on your system. I am not experienced enough at the moment to tell you what to remove but Budfred or one of the others will be along soon to help you clean out your machine.


Thanks:)

Until Budferd comes along to check this out, do the following and post back to us.

1) Investigate the following files:

BELRV.exe
BEIL.exe

What I mean by investigate is search for the files and locate them. Rt click and choose properties on the version tab tell us the company name if any and the versionb name.

You do have some things that look suspicious, but I'd prefer to wait for Budfred to come along. I'm getting better at these, but I'm not an expert yet and I don't want to lead you astray.

Once we have everything fixed, you can get a great free popup blocker here (http://www.endpopups.com)

I can recommend that popup blocker = "Popup Manager".
I installed it [probably on the recommendation of classicsoftware] and I'm delighted with it.
It just sits as an unobtrusive little green rectangle at bottom left of screen.
When a popup attempts to display the rectangle turns red.
If you want to see the popup just right-click on the rectangle and select to allow.

You have the Peper Trojan on your computer. Identified by this item:

O4 - HKLM\..\Run: [2FZSMQ92999E8Z] C:\WINDOWS\System32\Upwt.exe

Note the 14 character, randomly named item starting with a number.

You can download and run this Peper Trojan Uninstaller: http://www.memorywatcher.com/uninst.exe. Once it's finished downloading, double click it and let it install & run until it's finished. Run it a second time just to make sure.

Then reboot and post a fresh log.

:)

Yep, you got Peper all right and that is probably the main problem. You also have Netster and that is a problem, but easier to fix. Use HJT to fix:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/285f5bc...ip/RdxIE601.cab

You mentioned getting rid of FindFast which is a major and unnecessary resource hog... It is still there:

O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

And these are other resource hogs that you can dump. The first is not malware, but it doesn't have to run and your computer will run faster without it. The second is a registration reminder that many believe is malware:

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe

These look suspicious and if you don't recognize them, you may be better off fixing them. You can check Properties first like classicsoftware said to be sure:

O4 - HKLM\..\Run: [BEIL] C:\WINDOWS\BEIL.exe
O4 - HKLM\..\Run: [BELRV] C:\WINDOWS\BELRV.exe
O4 - Startup: Reboot.exe

And these need to be fixed:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - - (no file)

If I were you, I would probably fix ALL of those O16 items. They are ActiveX controls and will be reset if you visit the site again. You will probably have to log in again on some sites if you do, but it is probably worth it to make sure you got rid of the popups.....

Some things may already be gone after you run the Peperfix. As Steve said, reboot and post a fresh log and we can see if there are any more problems....

Thanks everybody for helping me first off. You are all great as you have helped me out of binds many times before when I built my first computer. I'm really thankful you take the time to go through that long file to find the problem. Thank you all very much.

I had to reinstall flash, but that's no big deal. No problems thus far, but that's how it started out in the past, but I'm thinking that it's not going to be a problem this time. I did just install those two files that I wasn't sure of. If they are needed, which it doesn't look like they are since no one here seems to know about them and I sure don't, then I will find out how to put them back on, but for now I'm definately not worried about them.

Here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 4:12:57 PM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\Zwo6.exe
C:\WINDOWS\System32\Zwo6.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [2FZSMQ92999E8Z] C:\WINDOWS\System32\LesQ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Reboot.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Thanks again everyone for your help.

Did you run the Peper uninstaller? The trojan is still there...

O4 - HKLM\..\Run: [2FZSMQ92999E8Z] C:\WINDOWS\System32\LesQ.exe

This is also still there, do you know that it is safe??

O4 - Startup: Reboot.exe

Also, with the Peperfix it is often a good idea to run it twice to make sure it gets everything and make sure you are online when you run it.

Also, I just noticed you do not have an entry for HJT in your Running Processes, have you edited your log??

Reboot.exe seems to be a safe program.

Link (http://www.liutilities.com/products/wintaskspro/processlibrary/reboot/)

I saw that Steve, but the way it is listed in the log looks suspicious, that is why I want to know if PhilSlick knows what it is and that it is safe. It would be an easy name for some malware file to spoof and use to keep infesting a system....

Ok Can you point me in the direction of info on LesQ.exe. The thing that makes me think it's suspect is when I search google, there are no matches, usually a sign of something nasty.

Ok, I got rid of the reboot thing. Don't know what it was so I guess it's best to get rid of it. Wasn't about to run it either to see what it was. Properties didn't give me much info other then it being an application and that was about it. So it's gone.

The log, sorry about that. I took out the HJT as it had the name of the person's computer I'm doing this one so I thought I would take it out. If you need me to put it in then let me know and that's not a problem.

Now for the Peper uninstaller. Looks like there is some trouble here. When I run it it brings up the menu to install and cuts off about half way through. No matter how many times I try to open it, or download it, it never completes install. Any ideas?

Ooops, ok, I was still typing this before I saw the message about reboot being safe. Doesn't look like it'll cause any problems though and since I didn't use it doesn't look like it was a loss either. Oh well.

Ok, I really have to read everything before I edit. I guess overall it was a good idea just to get rid of it. I know that I didn't install it with any other program, knowingly, so I don't really think that it was safe. Just better to get rid of it.

Maybe you should try another uninstaller. Try this one:

http://home.comcast.net/~radio104/peperuninst.exe

The naming of the Peper trojan and it's corresponding parts goes basiclly as follows:

It has a randomly named, 14 character name starting with a number. It can be any combination of characters. In this case:

[2FZSMQ92999E8Z]

The .exe name is also random, in this case LesQ.exe

That is why there is no info on it.

There is almost always two other randomly named executables that go along with it. In this case they are probably:

C:\WINDOWS\System32\Zwo6.exe
C:\WINDOWS\System32\Zwo6.exe

Well try that other uninstaller. Remember, you have to be online for it to work and run it twice, just to make sure.

Got that, now can you direct mew to a link where I can read more?

Never mind, Steve already addressed what I was going to say.....:D :D

New question from classicsoftware... There is a full tutorial on it in Boot Camp, the old one or the new SWI....

http://www.mjc1.com/files/peperpage/

http://www.kephyr.com/spywarescanner/library/pepertrojan/index.phtml

http://www.sophos.com/virusinfo/analyses/trojpepera.html

Well, I don't know what the problem is or what's blocking it, if in fact anything is, but it's doing the same thing. It will get about half way and then just close in the installing files part. It seems that this program is going to be stubborn and doesn't want to leave. Any other ideas?

Taking it out of the registry, is that only a temporary solution, or only gets rid of part of it? From those links I read it kind of looks that way, but I'm no computer expert so I thought that I would ask.

Ok, I'm kicking myself in the butt as I said that I needed to read everything before I edit, yet I did the same thing again. By reading more into the links I see that you have to manually uninstall it and do it exactly like it says or it won't work. Is this what I'm going to have to do? Last option type of thing?

Boy, this one is stubborn! Actually Adaware should have taken care of it to start with. You ran Adaware before you posted the first log and there it was. And remains.

I'd say give mjc's peper page a try, if you are comfortable in the registry.

edit: If you're not comfortable in the reg., let us know. I'm sure we can find a way...;)

Yeah, I don't mind the registry. I'm going to go ahead and give that a try and hope that it finally gets rid of it. I will post as soon as I'm done.

Ok, I think everything is better now, but I'll let the experts decide. Here is the new log.

Logfile of HijackThis v1.97.7
Scan saved at 10:59:14 PM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Documents and Settings\xxxxxxxxx xxxx\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Yep, looks clean... Congrats...

Good job Steve and classicsoftware....

Hey, thanks everyone. You were all a very big help. I'm sure I'll be back in the very near future for some diagnostics on my computer, as this is my fiance's. Thanks again everyone. That was driving me crazy for way to long.