#1
Hijacked computer PLEASE HELP XADSQ
Please help me. I only just learned what hijacking is. I inherited this computer and it seems to have a lot of pop-ups and XXX dialer stuff on it. I could delete them through HijackThis if I only knew which ones to delete. My log is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 11:41:40 AM, on 9/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DRWATSON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [izubco] C:\WINDOWS\SYSTEM\brvzbab.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [STOPzilla] "c:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\SYSTEM\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Ebates (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38002.9066898148
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.4.11/ttinst.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/035a1a62f10cdd709822/netzip/RdxIE601.cab
O16 - DPF: Jacada ISOLENDR Application - https://www.unitrinpc.com/isol_End/classes/ISOLENDR.cab
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=10f08450ab596047f6c94d90b79b47d1528d9dc4c40924e2499f8b9bd779519ddd40d759133a448fde7f410342650f82cf 1f1ae7:7ba4efda898ff66841613117fb4ea0f9
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

These pop-ups are most annoying. I tried to use Spybot and Ad-Aware but they didn't seem to find very much. Thank you so much for your time.

Aaron
#2
Hi Aaron,

You seem to be infected with the IMISERV virus. First, let's do an online virus scan from at least two of these sites:

Trend Micro Housecall: http://housecall.trendmicro.com/
Panda Active Scan: www.pandasoftware.com/activescan/activescan
Bitdefender: http://www.bitdefender.com/scan/licence.php

Please report if anything has been found or fixed.

Then... let's do some more cleaning up:

Download Ad-Aware SE Personal Edition from: http://www.lavasoft.de/support/download/
Run Ad-Aware, click the "Check for Updates now" link. Install the latest reference file. Perform a "Full system scan" with Ad-Aware. Remove all checked items.

Then... Download, install and UPDATE Spybot Search and Destroy 1.3. Scan and fix all items checked in RED.
http://www.majorgeeks.com/download2471.html

Then... Please update HijackThis, you are using an outdated version: open HijackThis, click Config > Misc Tools > Check for Update online, or download a copy of version 1.98.2 at:
http://www.majorgeeks.com/download3155.html

Please move or unzip HijackThis to a permanent folder such as C:\HJT\. It is important that it is in its own folder as it will make important backups of what we will fix. Please open My Computer > double-click your C:\ drive > File > New > Folder > name it HJT and put HijackThis into that folder.

Post a fresh log with this new version.

Tom
__________________
HijackThis Ad-Aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
#3
Hijacked
Thank you for your help.
I did an online virus scan with Panda and Bitdefender and I will post the results following. I also downloaded Ad-Aware SE Personal and Spybot Search and Destroy.

THE PROBLEM NOW: When I try to download the newer version of HijackThis I am getting the initial download zip from the site, however the download doesn't seem to want to take on my computer. It blinks on and off and won't let me finish the download. PLEASE HELP. Thanks again for your efforts and time.

Here are the Panda and Bitdefender logs:

Panda:

| Incident | Status | Location |
|---|---|---|
| Virus:Trj/Downloader.GK | No disinfected | C:\WINDOWS\TEMP\THI463.TMP\twaintec.cab[polall1m.exe] |
| Virus:Trj/Downloader.GK | No disinfected | C:\WINDOWS\TEMP\polmx3.cab[polmx3.exe] |
| Virus:Trj/Downloader.GK | No disinfected | C:\WINDOWS\TEMP\THI5FBD.TMP\polall1r.cab[polall1r.exe] |
| Virus:Trj/Downloader.GK | No disinfected | C:\WINDOWS\TEMP\THI5E99.TMP\polall1r.cab[polall1r.exe] |
| Virus:Trj/Downloader.GK | No disinfected | C:\WINDOWS\TEMP\THI2BCA.TMP\polall1r.cab[polall1r.exe] |
| Virus:Trj/Downloader.GK | No disinfected | C:\WINDOWS\TEMP\THI1879.TMP\polall1r.cab[polall1r.exe] |
| Virus:Exploit/CodeBase.A | Disinfected | C:\install.htm |

Bitdefender:

Memory ok
Master Boot Record 80 ok (Windows 95 B20 - Windows 98)
Partition Boot 1 (primary) (active) ok (Win95 OSR2, Win98 FAT32)
Boot Sector of Drive A: ok (Read Error)
C:\WINDOWS\TEMP\THI463.TMP\twaintec.cab=>preInsTT.exe infected: Adware.Serchentrix.A
C:\WINDOWS\TEMP\THI463.TMP\twaintec.cab=>polall1m.exe=>(CExe r)=>(MS-Compress 5) infected: Trojan.Downloader.Agent.AE
C:\WINDOWS\TEMP\THI463.TMP\preInsTT.exe infected: Adware.Serchentrix.A
C:\WINDOWS\TEMP\THI463.TMP\preInsTT.exe unable to disinfect
C:\WINDOWS\TEMP\Del7062.TMP infected: Adware.180Solutions.5.11
C:\WINDOWS\TEMP\Del7062.TMP unable to disinfect
C:\WINDOWS\TEMP\polmx3.cab=>polmx3.exe=>(Upx) infected: Trojan.Downloader.Agent.AE
C:\WINDOWS\TEMP\randreco.exe=>(ASPack 2.12) infected: Trojan.Downloader.Agent.AF
C:\WINDOWS\TEMP\randreco.exe=>(ASPack 2.12) unable to disinfect
C:\WINDOWS\TEMP\THI5FBD.TMP\polall1r.cab=>polall1r.exe=>(Upx) infected: Trojan.Downloader.Agent.AE
C:\WINDOWS\TEMP\THI5E99.TMP\polall1r.cab=>polall1r.exe=>(Upx) infected: Trojan.Downloader.Agent.AE
C:\WINDOWS\TEMP\THI2BCA.TMP\polall1r.cab=>polall1r.exe=>(Upx) infected: Trojan.Downloader.Agent.AE
C:\WINDOWS\TEMP\THI1879.TMP\polall1r.cab=>polall1r.exe=>(Upx) infected: Trojan.Downloader.Agent.AE
C:\WINDOWS\Application Data\sysyo\sysyo.dll=>(Upx) infected: Trojan.Downloader.Winjj.A
C:\WINDOWS\Application Data\sysyo\sysyo.dll=>(Upx) unable to disinfect
C:\WINDOWS\Application Data\sysyo\msiesh.dll=>(Upx) infected: Trojan.Downloader.Winjj.A
C:\WINDOWS\Application Data\sysyo\msiesh.dll=>(Upx) unable to disinfect
C:\WINDOWS\Downloaded Program Files\WinadX.dll=>(Upx) infected: Trojan.Downloader.Winupdt.A
C:\WINDOWS\Downloaded Program Files\WinadX.dll=>(Upx) unable to disinfect
C:\WINDOWS\Temporary Internet Files\Q3567836.exe=>(Upx) infected: Trojan.Downloader.HQFeat.A
C:\WINDOWS\Temporary Internet Files\Q3567836.exe=>(Upx) unable to disinfect
C:\WINDOWS\UnstSA2.exe=>(Embedded EXE o) infected: Trojan.Clicker.Delf.R
C:\Program Files\Windows Media Player\wmplayer.exe=>(Upx) infected: Trojan.Downloader.HQFeat.A
C:\Program Files\Windows Media Player\wmplayer.exe=>(Upx) unable to disinfect
C:\Program Files\Winad Client\WinClt.exe=>(Upx) infected: Trojan.Downloader.Winupdt.A
C:\Program Files\Winad Client\WinClt.exe=>(Upx) unable to disinfect
C:\Program Files\Winad Client\ClientCom.dll=>(Upx) infected: Trojan.Downloader.Winupdt.A
C:\Program Files\Winad Client\ClientCom.dll=>(Upx) unable to disinfect
C:\Program Files\Winad Client\Winad.exe=>(Upx) infected: Trojan.Downloader.Winupdt.A
C:\Program Files\Winad Client\Winad.exe=>(Upx) unable to disinfect
C:\TEMP\FLEOK\msbb.exe infected: Adware.180Solutions.5.11
C:\TEMP\FLEOK\msbb.exe unable to disinfect
C:\TEMP\Installer2.exe=>(Embedded EXE o) infected: Trojan.Clicker.Delf.R
C:\TEMP\msbbhook.dll infected: Adware.1088
C:\TEMP\msbbhook.dll unable to disinfect
C:\TEMP\optimize.exe=>(Petite 2.2) infected: Trojan.Downloader.Dyfuca.CY
C:\TEMP\optimize.exe=>(Petite 2.2) unable to disinfect
D:\Program Files\Common Files\Symantec Shared\VirusDefs\TMPB3A3.TMP\VIRSCAN8.027 infected: Trivial.25.A
D:\Program Files\Common Files\Symantec Shared\VirusDefs\TMPB3A3.TMP\VIRSCAN8.027 unable to disinfect
D:\Program Files\Norton AntiVirus\Quarantine\6FF74340 infected: Win32.Netsky.C@mm
D:\Program Files\Norton AntiVirus\Quarantine\6FF74340 disinfected
D:\Program Files\Norton AntiVirus\Quarantine\6FF74340 unable to disinfect
D:\Program Files\Norton AntiVirus\Quarantine\0A546B62 infected: Win32.Netsky.C@mm
D:\Program Files\Norton AntiVirus\Quarantine\0A546B62 disinfected
D:\Program Files\Norton AntiVirus\Quarantine\0A546B62 unable to disinfect

Thanks Again,
Aaron
#4
HijackThis
I was able to pull HijackThis 1.98.2 off of another computer and install it on this one. The log is as follows:
Logfile of HijackThis v1.98.2
Scan saved at 2:15:58 PM, on 9/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EBATESMOEMONEYMAKER0.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
C:\WINDOWS\SYSTEM\BRVZBAB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EBATESMOEMONEYMAKER1.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\MXTARGET.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [STOPzilla] "c:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
O4 - HKLM\..\Run: [tgwppurwlxhut] C:\WINDOWS\SYSTEM\brvzbab.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\SYSTEM\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Ebates - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.4.11/ttinst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/035a1a62f10cdd709822/netzip/RdxIE601.cab
O16 - DPF: Jacada ISOLENDR Application - https://www.unitrinpc.com/isol_End/classes/ISOLENDR.cab
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=10f08450ab596047f6c94d90b79b47d1528d9dc4c40924e2499f8b9bd779519ddd40d759133a448fde7f410342650f82cf 1f1ae7:7ba4efda898ff66841613117fb4ea0f9
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

Thanks again for your help. Also, what's up with all the XXX dialer crud on this computer? I know some people love the porn, but how do we get it off of this computer?

Aaron
#5
You might want to print these instructions for reference.

You are infected with the peper trojan:

Download PeperFix: http://downloads.subratam.org/PeperFix.exe
Save it to your Desktop. Click on the PeperFix.exe to launch it. Click the Find and Fix button. It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files. Ensure that you are online before starting the fix. Make sure to run the fix twice.

Then.... Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck the Hide Protected Operating System Files (recommended) option. Click Yes to confirm. Click OK.

Delete the following files:
C:\WINDOWS\Downloaded Program Files\WinadX.dll
C:\WINDOWS\UnstSA2.exe
C:\Program Files\Windows Media Player\wmplayer.exe

Delete the following folders:
C:\Program Files\Winad Client\
C:\WINDOWS\Application Data\sysyo\

Open My Computer, browse to the C:\WINDOWS\TEMP\ folder and delete all files and folders in it.

Open Internet Explorer, click Tools > Internet Options > General. Click "Delete Files", also check "delete all offline content". Click OK.

Empty your Recycle Bin. Reboot normally.

Then.... I'd like you to do a couple of trojan scans. Install and perform a full system scan with each of these trial programs:
Trojan Hunter http://www.misec.net/trojanhunter/
DiamondCS TDS-3 http://tds.diamondcs.com.au/

Please post your results along with a fresh HijackThis log.

Tom
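An added triage helper, written for this page and not part of the thread or of HijackThis itself: it parses the R/O entries of a log like the ones posted above and flags entries whose file is named in the Panda/Bitdefender results, sits in a folder Tom told Aaron to delete, or (for R0/R1 search settings) points at a host outside an allowlist. The sample lines are copied from the posted logs except one constructed O4 entry marked in the code; the allowlist hosts and the update.exe file name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: entries copied from the HijackThis logs posted in this thread,
# plus one constructed O4 line (marked) so that the folder rule fires as well.
SAMPLE_LOG = "\n".join([
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll",
    r"O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE",
    r"O4 - HKLM\..\Run: [sysyo] C:\WINDOWS\Application Data\sysyo\update.exe",  # constructed, hypothetical file
    r'O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab",
])

# Files the Panda/Bitdefender results in this thread reported as infected.
AV_HITS = {
    r"C:\WINDOWS\Downloaded Program Files\WinadX.dll",
    r"C:\Program Files\Winad Client\Winad.exe",
    r"C:\Program Files\Winad Client\WinClt.exe",
    r"C:\Program Files\Windows Media Player\wmplayer.exe",
}
# Folders the helper told the poster to delete outright (trailing backslash omitted).
DELETE_FOLDERS = [r"C:\Program Files\Winad Client", r"C:\WINDOWS\Application Data\sysyo"]
# Search-provider hosts treated as expected on this machine: an assumed allowlist.
SEARCH_ALLOW = {"www.google.com", "search.msn.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|cab)', re.IGNORECASE)
URL_RE = re.compile(r'https?://([^/\s"]+)', re.IGNORECASE)

@dataclass
class Finding:
    kind: str    # HijackThis section: R1, O2, O4, O16, ...
    reason: str  # the rule that fired
    line: str    # the original log entry

def _norm(p: str) -> str:
    """Windows paths are case-insensitive; compare lower-cased, without a trailing backslash."""
    return p.lower().rstrip("\\")

def classify(kind: str, body: str) -> Optional[str]:
    """Return why an entry deserves attention, or None if no rule matches."""
    m = PATH_RE.search(body)
    if m:
        path = _norm(m.group(0))
        if path in {_norm(h) for h in AV_HITS}:
            return "file reported infected by AV scan"
        if any(path.startswith(_norm(f) + "\\") for f in DELETE_FOLDERS):
            return "lives in a folder marked for deletion"
    if kind.startswith("R"):  # R0/R1 entries are IE start and search page settings
        u = URL_RE.search(body)
        if u and u.group(1).lower() not in SEARCH_ALLOW:
            return "search setting points at unlisted host " + u.group(1)
    return None

def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries a responder should look at first."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:  # header lines and the 'Running processes' list carry no R/O prefix
            continue
        reason = classify(m.group("kind"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("kind"), reason, raw))
    return findings
```

Running `triage(SAMPLE_LOG)` returns three findings: the drsnsrch search page, the Winad.exe Run entry and the constructed sysyo entry; the Norton, Symantec and STOPzilla lines pass untouched.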
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > Hijacked computer PLEASE HELP XADSQ