
I need help to remove a file called "rfcpghzvi" that may be causing adware problems

Discussion in 'Malware and Virus Removal Archive' started by cn_login, 2005/02/19.

Thread Status:
Not open for further replies.
  1. 2005/02/19
    cn_login

    I have a problem with "zipzapproms" popups. I have gone through my computer and removed most of the problems. There is a program called "rfcpgyzvi" on my computer that I have tried to remove without success. Can you please let me know what I am doing wrong.
    Here is the Hijackthis:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:36:20 PM, on 2/19/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\fxssvc.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\WINDOWS\system32\devldr32.exe
    D:\PROGRA~1\ACDSYS~1\ACDSEE\CAMDET~1.EXE
    D:\Program Files\QuickTime\qttask.exe
    D:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
    D:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
    D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\QUICKENW\QWDLLS.EXE
    D:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    D:\Program Files\12Ghosts\12popup.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - D:\Program Files\12Ghosts\12popup.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - D:\Program Files\12Ghosts\12popup.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Camera Detector] D:\PROGRA~1\ACDSYS~1\ACDSEE\CAMDET~1.EXE
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P3000x_S2P] D:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
    O4 - HKLM\..\Run: [PaperPort PTD] D:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] D:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: 12Ghosts Popup-Killer.lnk = D:\Program Files\12Ghosts\12popup.exe
    O4 - Global Startup: Quicken Startup.lnk = D:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    Here is the Installed Software:

    INSTALLED SOFTWARE (65) - LINDA-QQWL0YWJZ - 2/19/2005 7:35:34 PM

    12Ghosts Popup-Killer
    ACDSee
    Adobe Acrobat 5.0 Ver: 5.0
    Adobe Download Manager 1.2 (Remove Only)
    Dell Laser MFP 1600n Software Uninstall
    DIGReqEx Ver: 9.0.0917.2 Installed: 7/9/2004
    Family Lawyer 2000
    HijackThis 1.99.1 Ver: 1.99.1
    Legal Search
    LiveReg (Symantec Corporation) Ver: 2.2.5.1678
    LiveUpdate 2.5 (Symantec Corporation) Ver: 2.5.55.0
    MathPlayer Ver: 1.1 beta 3 Installed: 7/9/2004
    Microsoft .NET Framework (English) Ver: 1.0.3705 Installed: 4/18/2004
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft AntiSpyware Ver: 1.0 Installed: 2/16/2005
    Microsoft Data Access Components KB870669
    Microsoft Office Outlook Connector for MSN Ver: 1.0.5378 Installed: 7/9/2004
    Microsoft Office Professional Edition 2003 Ver: 11.0.5614.0 Installed: 4/17/2004
    Microsoft Picture It! Express 7.0 Ver: 7.0.0.0000 Installed: 4/18/2004
    Microsoft Picture It! Express 9 Ver: 9.0.1305
    Microsoft Picture It! Express 9 Ver: 9.0.1305 Installed: 7/9/2004
    Microsoft Picture It! Library 9 Ver: 9.0.1305
    Microsoft Picture It! Library 9 Ver: 9.0.1305 Installed: 7/9/2004
    MSN
    MSN Dial Up Accelerator Ver: 1.0
    MSN Encarta Plus Support Files Ver: 9.0.0801 Installed: 7/9/2004
    MSN Messenger 6.2 Ver: 6.2.0205 Installed: 2/11/2005
    MSN Toolbar
    Nero - Burning Rom Ver: 5.5.9 Installed: 6/12/2004
    Norton AntiVirus 2003 Ver: 9.05.0 Installed: 4/18/2004
    PaperPort 9.0 Ver: 9.02.0814 Installed: 12/23/2004
    PhotoSuite 4 (Remove Only)
    Photovista Panorama 2.02 Ver: 2.0.2.1287 Installed: Sat Apr 24 23:06:01 PDT 2004
    Quicken 2001 Basic
    QuickTime
    Registrar Lite 2.00
    rfcpgyzvi
    SafeCast Shared Components
    Shockwave
    Shockwave Flash
    SpySubtract
    The Plain-Language Law Dictionary
    TurboTax Deluxe 2004
    Ultra WinCleaner One Click! Version 8.0 Ver: 8.0
    WebFldrs XP Ver: 9.50.6513 Installed: 4/17/2004
    WexTech AnswerWorks Ver: 1.00.000
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB834707 Ver: 20040929.110854
    Windows XP Hotfix - KB867282 Ver: 20050127.090417
    Windows XP Hotfix - KB873333 Ver: 20050114.005213
    Windows XP Hotfix - KB873339 Ver: 20041117.092459
    Windows XP Hotfix - KB885250 Ver: 20050118.202711
    Windows XP Hotfix - KB885835 Ver: 20041027.181713
    Windows XP Hotfix - KB885836 Ver: 20041028.173203
    Windows XP Hotfix - KB886185 Ver: 20041021.090540
    Windows XP Hotfix - KB887472 Ver: 20041014.162858
    Windows XP Hotfix - KB888113 Ver: 20041116.131036
    Windows XP Hotfix - KB888302 Ver: 20041207.111426
    Windows XP Hotfix - KB890047 Ver: 20041221.124506
    Windows XP Hotfix - KB890175 Ver: 20041201.233338
    Windows XP Hotfix - KB891781 Ver: 20050110.165439
    Windows XP Service Pack 2 Ver: 20040803.231319
    Yahoo! Anti-Spy
    Yahoo! Toolbar

    And these are the results from regedit4:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "rfcpgyzvi" 2/19/2005 7:46:19 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rfcpgyzvi"="d:\\windows\\system32\\rfcpgyzvi.exe -start"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rfcpgyzvi]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rfcpgyzvi]
    "UninstallString"="d:\\windows\\system32\\rfcpgyzvi.exe -uninstall"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rfcpgyzvi]
    "DisplayName"="rfcpgyzvi"

    [HKEY_USERS\S-1-5-21-1275210071-436374069-1957994488-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "D:\\windows\\system32\\rfcpgyzvi.exe"="rfcpgyzvi"

    [HKEY_USERS\S-1-5-21-1275210071-436374069-1957994488-1003\Software\Resplendence Sp\Registrar Lite\Settings]
    "LastOpenedKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\rfcpgyzvi"

    I tried to remove these using reglite but they still come back. Can you please let me know what I am doing wrong.
     
  2. 2005/02/20
    noahdfear

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\rfcpgyzvi.exe

    Check the box to delete on reboot and click the red X to the right. Click OK, then NO to reboot now. Close the Killbox.

    Now use Reglite to delete the rfcpgyzvi value and key from the following locations.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rfcpgyzvi


    Reboot and let us know how things are.
     


  4. 2005/02/20
    cn_login

    I ran killbox. When I ran LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run, I could not find a "rfcpgyzvi". I deleted it in the Uninstall. I then rebooted. I ran InstalledPrograms and it still comes up.
    Here is the InstalledPrograms:
    INSTALLED SOFTWARE (65) - LINDA-QQWL0YWJZ - 2/20/2005 5:20:01 PM

    12Ghosts Popup-Killer
    ACDSee
    Adobe Acrobat 5.0 Ver: 5.0
    Adobe Download Manager 1.2 (Remove Only)
    Dell Laser MFP 1600n Software Uninstall
    DIGReqEx Ver: 9.0.0917.2 Installed: 7/9/2004
    Family Lawyer 2000
    HijackThis 1.99.1 Ver: 1.99.1
    Legal Search
    LiveReg (Symantec Corporation) Ver: 2.2.5.1678
    LiveUpdate 2.5 (Symantec Corporation) Ver: 2.5.55.0
    MathPlayer Ver: 1.1 beta 3 Installed: 7/9/2004
    Microsoft .NET Framework (English) Ver: 1.0.3705 Installed: 4/18/2004
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft AntiSpyware Ver: 1.0 Installed: 2/16/2005
    Microsoft Data Access Components KB870669
    Microsoft Office Outlook Connector for MSN Ver: 1.0.5378 Installed: 7/9/2004
    Microsoft Office Professional Edition 2003 Ver: 11.0.5614.0 Installed: 4/17/2004
    Microsoft Picture It! Express 7.0 Ver: 7.0.0.0000 Installed: 4/18/2004
    Microsoft Picture It! Express 9 Ver: 9.0.1305
    Microsoft Picture It! Express 9 Ver: 9.0.1305 Installed: 7/9/2004
    Microsoft Picture It! Library 9 Ver: 9.0.1305
    Microsoft Picture It! Library 9 Ver: 9.0.1305 Installed: 7/9/2004
    MSN
    MSN Dial Up Accelerator Ver: 1.0
    MSN Encarta Plus Support Files Ver: 9.0.0801 Installed: 7/9/2004
    MSN Messenger 6.2 Ver: 6.2.0205 Installed: 2/11/2005
    MSN Toolbar
    Nero - Burning Rom Ver: 5.5.9 Installed: 6/12/2004
    Norton AntiVirus 2003 Ver: 9.05.0 Installed: 4/18/2004
    PaperPort 9.0 Ver: 9.02.0814 Installed: 12/23/2004
    PhotoSuite 4 (Remove Only)
    Photovista Panorama 2.02 Ver: 2.0.2.1287 Installed: Sat Apr 24 23:06:01 PDT 2004
    Quicken 2001 Basic
    QuickTime
    Registrar Lite 2.00
    rfcpgyzvi
    SafeCast Shared Components
    Shockwave
    Shockwave Flash
    SpySubtract
    The Plain-Language Law Dictionary
    TurboTax Deluxe 2004
    Ultra WinCleaner One Click! Version 8.0 Ver: 8.0
    WebFldrs XP Ver: 9.50.6513 Installed: 4/17/2004
    WexTech AnswerWorks Ver: 1.00.000
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB834707 Ver: 20040929.110854
    Windows XP Hotfix - KB867282 Ver: 20050127.090417
    Windows XP Hotfix - KB873333 Ver: 20050114.005213
    Windows XP Hotfix - KB873339 Ver: 20041117.092459
    Windows XP Hotfix - KB885250 Ver: 20050118.202711
    Windows XP Hotfix - KB885835 Ver: 20041027.181713
    Windows XP Hotfix - KB885836 Ver: 20041028.173203
    Windows XP Hotfix - KB886185 Ver: 20041021.090540
    Windows XP Hotfix - KB887472 Ver: 20041014.162858
    Windows XP Hotfix - KB888113 Ver: 20041116.131036
    Windows XP Hotfix - KB888302 Ver: 20041207.111426
    Windows XP Hotfix - KB890047 Ver: 20041221.124506
    Windows XP Hotfix - KB890175 Ver: 20041201.233338
    Windows XP Hotfix - KB891781 Ver: 20050110.165439
    Windows XP Service Pack 2 Ver: 20040803.231319
    Yahoo! Anti-Spy
    Yahoo! Toolbar

    and here is the RegSrch:
    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "rfcpgyzvi" 2/20/2005 5:24:51 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rfcpgyzvi"="d:\\windows\\system32\\rfcpgyzvi.exe -start"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rfcpgyzvi]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rfcpgyzvi]
    "UninstallString"="d:\\windows\\system32\\rfcpgyzvi.exe -uninstall"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rfcpgyzvi]
    "DisplayName"="rfcpgyzvi"

    [HKEY_USERS\S-1-5-21-1275210071-436374069-1957994488-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "D:\\windows\\system32\\rfcpgyzvi.exe"="rfcpgyzvi"

    I looked into System32 and I could not find the file "rfcpgyzvi".

    The popups do not come up with MSN Explorer, but if I try to use Internet Explorer, the popups are blocked, and when I close out the blocker's window, it causes Internet Explorer to crash.

    What else can I try?
     
  5. 2005/02/20
    noahdfear

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. DO NOT allow restart.

    Paste the following in Killbox and allow reboot.

    D:\WINDOWS\System32\rfcpgyzvi.exe (my oversight......sorry)

    Your computer will restart in safe mode. Logon to your user account.

    Save these to text so you can access them in safe mode for copy/pasting.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\rfcpgyzvi
    The forum format puts a space in the word current that you will need to edit out before clicking Go.
    Run Reglite again in search of those entries and delete.

    Uncheck the /safeboot box in msconfig and ok to reboot.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.
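
Added example, not part of noahdfear's post or of any tool named in the thread: a Python script that parses RegSrch.vbs-style REGEDIT4 output, lists the autostart (Run) values, and checks whether a path handed to a delete-on-reboot tool is the file the registry actually references (the second post names `C:\WINDOWS\System32\rfcpgyzvi.exe`, the search output and the correction above name `D:`). The sample text is trimmed from the output quoted in the thread; all function names are hypothetical.

```python
import ntpath
import re

# Constructed sample, trimmed from the RegSrch.vbs output quoted in the thread.
REGSRCH_OUTPUT = r'''REGEDIT4
; Registry search results for string "rfcpgyzvi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rfcpgyzvi"="d:\\windows\\system32\\rfcpgyzvi.exe -start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rfcpgyzvi]
"UninstallString"="d:\\windows\\system32\\rfcpgyzvi.exe -uninstall"

[HKEY_USERS\S-1-5-21-1275210071-436374069-1957994488-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"D:\\windows\\system32\\rfcpgyzvi.exe"="rfcpgyzvi"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.exe', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)


def unescape(text):
    # Undo REGEDIT4 backslash escaping and trim padding that a
    # copy/paste through a forum can leave inside the quotes.
    return re.sub(r'\\(.)', r'\1', text).strip()


def parse_reg_export(text):
    """Return (key, value_name, value_data) tuples for string values."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue  # blank line or comment
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def normalize(path):
    # Windows paths are case-insensitive: compare in normalized form.
    return ntpath.normcase(ntpath.normpath(path))


def referenced_executables(entries):
    """Every .exe path that appears in a value name or value data."""
    found = set()
    for _key, name, value in entries:
        for field in (name, value):
            found.update(normalize(p) for p in EXE_RE.findall(field))
    return found


def autostart_entries(entries):
    """Entries under a ...\\CurrentVersion\\Run or RunOnce key."""
    return [e for e in entries if RUN_KEY_RE.search(e[0])]


def target_is_referenced(entries, target):
    """True if the path given to the removal tool is one the registry names."""
    return normalize(target) in referenced_executables(entries)


if __name__ == "__main__":
    parsed = parse_reg_export(REGSRCH_OUTPUT)
    for key, name, value in autostart_entries(parsed):
        print("autostart:", key, "->", value)
    for candidate in (r"C:\WINDOWS\System32\rfcpgyzvi.exe",
                      r"D:\WINDOWS\System32\rfcpgyzvi.exe"):
        state = "referenced" if target_is_referenced(parsed, candidate) else "NOT referenced"
        print(candidate, state)
```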
     
  6. 2005/02/20
    cn_login

    I did what you told me. On the previous killbox, I did paste D:\WINDOWS\System32\rfcpgyzvi.exe. When the computer rebooted, I kept it in the safe mode and searched the System32 file. I found 3 other files, rfcpgyzvi (DAT), rfcpgyzvi_navps (DAT) & rfcpgyzvi_nav (DAT) that I deleted. I then ran a search on regedit and found 1 other file in the registry with rfcpgyzvi that I deleted.
    Here are the results of the virus scan and Hijackthis:
    Scan started at 2/20/2005 8:25:44 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...

    Scanned
    ============================
    Objects: 33852
    Directories: 2662
    Archives: 1150
    Size(Kb): 439397
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 374


    Logfile of HijackThis v1.99.1
    Scan saved at 8:39:24 PM, on 2/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\PROGRA~1\ACDSYS~1\ACDSEE\CAMDET~1.EXE
    D:\Program Files\QuickTime\qttask.exe
    D:\WINDOWS\system32\devldr32.exe
    D:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
    D:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
    D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\WINDOWS\system32\fxssvc.exe
    D:\QUICKENW\QWDLLS.EXE
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    D:\Program Files\12Ghosts\12popup.exe
    D:\Program Files\MSN\MSNCoreFiles\msn.exe
    D:\Program Files\MSN\MSNIA\msniasvc.exe
    D:\Program Files\MSN Messenger\msnmsgr.exe
    D:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - D:\Program Files\12Ghosts\12popup.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - D:\Program Files\12Ghosts\12popup.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Camera Detector] D:\PROGRA~1\ACDSYS~1\ACDSEE\CAMDET~1.EXE
    O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P3000x_S2P] D:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
    O4 - HKLM\..\Run: [PaperPort PTD] D:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] D:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: 12Ghosts Popup-Killer.lnk = D:\Program Files\12Ghosts\12popup.exe
    O4 - Global Startup: Quicken Startup.lnk = D:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7736B340-D766-41B5-8AFE-61607F642980}: NameServer = 205.171.3.65 205.171.2.65
    O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    I started Internet Explorer and it appears that the popup ads are gone. I hope this takes care of the popup ads. If you see any problems, let me know. If not thanks for all the help. :)
     
  7. 2005/02/21
    noahdfear

    Looks clean. :) Re-enable system restore and create a manual restore point.
     