Antivirus won't delete file


annielocks
01-16-2005, 05:18 AM
Hi Folks - Nice Looking Forums here. I wonder if you can help me coz avast a/v is reporting a virus on our computer but we can't seem to get rid of it. We are using Windows Millennium on a Gateway Desktop.

Virus Name: Win32:Exdl (Adw)
File Name: C:\Windows\system\exdl.exe

The recommended action is "Move to Chest". Neither this nor the option "To Delete" works. A HijackThis log follows if that is of any help. Any advice that can help us would be most appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 00:20:16, on 16/01/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSUU.EXE
C:\WINDOWS\SYSTEM\IPYE.EXE
C:\WINDOWS\SYSCY32.EXE
C:\WINDOWS\APPWY.EXE
C:\WINDOWS\JAVAYC.EXE
C:\WINDOWS\ATLAE32.EXE
C:\WINDOWS\APPAA32.EXE
C:\WINDOWS\SYSTEM\NETSX32.EXE
C:\WINDOWS\SYSTEM\SYSUA.EXE
C:\WINDOWS\SYSTEM\APIHZ32.EXE
C:\WINDOWS\IPKD32.EXE
C:\WINDOWS\ATLBK.EXE
C:\WINDOWS\SYSTEM\NTQB.EXE
C:\WINDOWS\WINKN32.EXE
C:\WINDOWS\SYSTEM\ADDFQ.EXE
C:\WINDOWS\NETJC.EXE
C:\WINDOWS\SYSTEM\WINLR.EXE
C:\WINDOWS\SYSTEM\NTBJ32.EXE
C:\WINDOWS\SYSTEM\MFCHI.EXE
C:\WINDOWS\D3SX32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\MFCXN32.EXE
C:\WINDOWS\WINNX32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EICON\DIVA\DITASK.EXE
C:\PROGRAM FILES\EICON\DIVA\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\WINDOWS\SYSTEM\SDKPP.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\TRAYDEVIL\TRAYDEVIL.EXE
C:\WINDOWS\D3SX32.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\SYSTEM\NETSX32.EXE
C:\PROGRAM FILES\POWERQUEST\DATAKEEPER 5.0\DATAKEEPER.EXE
C:\PROGRAM FILES\STICKIES\STICKIES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MFCHI.EXE
C:\WINDOWS\ATLSI32.EXE
C:\WINDOWS\SYSTEM\MFCHI.EXE
C:\WINDOWS\IEBA.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSUU.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\system\xdcfk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\system\xdcfk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\system\xdcfk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\system\xdcfk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\system\xdcfk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\system\xdcfk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\system\xdcfk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: (no name) - {288490AB-B9EF-D3C0-464C-36A4F2E0FE93} -
C:\WINDOWS\JAVAOO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [RestartWatch] C:\Program files\Eicon\Diva\WATCH.EXE
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program
Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
Network\bin\bargains.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program
Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [SDKPP.EXE] C:\WINDOWS\SYSTEM\SDKPP.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common
Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil
Software\Avast4\ashserv.exe
O4 - HKLM\..\RunServices: [SYSUU.EXE] C:\WINDOWS\SYSTEM\SYSUU.EXE
O4 - HKLM\..\RunServices: [IPYE.EXE] C:\WINDOWS\SYSTEM\IPYE.EXE
O4 - HKLM\..\RunServices: [APPAA32.EXE] C:\WINDOWS\APPAA32.EXE
O4 - HKLM\..\RunServices: [APPWY.EXE] C:\WINDOWS\APPWY.EXE
O4 - HKLM\..\RunServices: [APIHZ32.EXE] C:\WINDOWS\SYSTEM\APIHZ32.EXE
O4 - HKLM\..\RunServices: [SYSCY32.EXE] C:\WINDOWS\SYSCY32.EXE
O4 - HKLM\..\RunServices: [SYSUA.EXE] C:\WINDOWS\SYSTEM\SYSUA.EXE
O4 - HKLM\..\RunServices: [ATLAE32.EXE] C:\WINDOWS\ATLAE32.EXE
O4 - HKLM\..\RunServices: [NETSX32.EXE] C:\WINDOWS\SYSTEM\NETSX32.EXE
O4 - HKLM\..\RunServices: [JAVAYC.EXE] C:\WINDOWS\JAVAYC.EXE
O4 - HKLM\..\RunServices: [ATLBK.EXE] C:\WINDOWS\ATLBK.EXE
O4 - HKLM\..\RunServices: [NTQB.EXE] C:\WINDOWS\SYSTEM\NTQB.EXE
O4 - HKLM\..\RunServices: [ADDFQ.EXE] C:\WINDOWS\SYSTEM\ADDFQ.EXE
O4 - HKLM\..\RunServices: [IPKD32.EXE] C:\WINDOWS\IPKD32.EXE
O4 - HKLM\..\RunServices: [WINKN32.EXE] C:\WINDOWS\WINKN32.EXE
O4 - HKLM\..\RunServices: [WINNX32.EXE] C:\WINDOWS\WINNX32.EXE
O4 - HKLM\..\RunServices: [D3SX32.EXE] C:\WINDOWS\D3SX32.EXE
O4 - HKLM\..\RunServices: [MFCHI.EXE] C:\WINDOWS\SYSTEM\MFCHI.EXE
O4 - HKLM\..\RunServices: [NTBJ32.EXE] C:\WINDOWS\SYSTEM\NTBJ32.EXE
O4 - HKLM\..\RunServices: [MFCXN32.EXE] C:\WINDOWS\MFCXN32.EXE
O4 - HKLM\..\RunServices: [NETJC.EXE] C:\WINDOWS\NETJC.EXE
O4 - HKLM\..\RunServices: [WINLR.EXE] C:\WINDOWS\SYSTEM\WINLR.EXE
O4 - HKLM\..\RunServices: [ATLSI32.EXE] C:\WINDOWS\ATLSI32.EXE
O4 - HKLM\..\RunServices: [IEBA.EXE] C:\WINDOWS\IEBA.EXE
O4 - HKCU\..\Run: [TrayDevil] C:\PROGRAM FILES\TRAYDEVIL\traydevil.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\SPYWAREVANISHER-FREE\FREESCANNER.EXE
-FastScan
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image
Transfer\SonyTray.exe
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper
5.0\DataKeeper.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk =
C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38248.4020138889
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Budfred
01-16-2005, 12:39 PM
You have at least one very nasty infection there... Please download CWShredder and run it:

http://www.intermute.com/spysubtract/cwshredder_download.html

Then please use the link in my signature to download the latest version (1.99) of HijackThis, reboot and post a new log with the new version...

annielocks
01-18-2005, 09:37 PM
Thanks Budfred. Sorry for the delay but I had a very busy weekend. Here are the most recent results:

Logfile of HijackThis v1.99.0
Scan saved at 17:47:33, on 18/01/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSUU.EXE
C:\WINDOWS\APPAA32.EXE
C:\WINDOWS\SYSTEM\APIHZ32.EXE
C:\WINDOWS\ATLAE32.EXE
C:\WINDOWS\JAVAYC.EXE
C:\WINDOWS\SYSTEM\IPYE.EXE
C:\WINDOWS\APPWY.EXE
C:\WINDOWS\SYSCY32.EXE
C:\WINDOWS\SYSTEM\SYSUA.EXE
C:\WINDOWS\IPKD32.EXE
C:\WINDOWS\SYSTEM\NETSX32.EXE
C:\WINDOWS\WINNX32.EXE
C:\WINDOWS\WINKN32.EXE
C:\WINDOWS\ATLBK.EXE
C:\WINDOWS\D3SX32.EXE
C:\WINDOWS\SYSTEM\ADDFQ.EXE
C:\WINDOWS\SYSTEM\NTQB.EXE
C:\WINDOWS\SYSTEM\NTBJ32.EXE
C:\WINDOWS\SYSTEM\MFCHI.EXE
C:\WINDOWS\MFCXN32.EXE
C:\WINDOWS\NETJC.EXE
C:\WINDOWS\ATLSI32.EXE
C:\WINDOWS\IEIR.EXE
C:\WINDOWS\SYSTEM\WINLR.EXE
C:\WINDOWS\APPRI32.EXE
C:\WINDOWS\SYSTEM\MSRP32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\NETYT.EXE
C:\WINDOWS\ADDXE32.EXE
C:\WINDOWS\SYSTEM\IEYR.EXE
C:\WINDOWS\IEBA.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EICON\DIVA\DITASK.EXE
C:\PROGRAM FILES\EICON\DIVA\WATCH.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\WINDOWS\SYSTEM\SDKPP.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\TRAYDEVIL\TRAYDEVIL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\SYSTEM\SYSUU.EXE
C:\PROGRAM FILES\POWERQUEST\DATAKEEPER 5.0\DATAKEEPER.EXE
C:\WINDOWS\SYSTEM\MSRP32.EXE
C:\PROGRAM FILES\STICKIES\STICKIES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MFCHI.EXE
C:\WINDOWS\NETJC.EXE
C:\WINDOWS\NETJC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\CRXL32.EXE
C:\WINDOWS\IPKD32.EXE
C:\WINDOWS\IPKD32.EXE
C:\WINDOWS\SYSTEM\IEYR.EXE
C:\WINDOWS\ADDFH.EXE
C:\WINDOWS\SYSTEM\IPZF32.EXE
C:\WINDOWS\SYSTEM\IEYR.EXE
C:\WINDOWS\IEIR.EXE
C:\WINDOWS\SYSTEM\ADDNX32.EXE
D:\DESKTOP\HIJACK THIS2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\system\bzoxx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\system\bzoxx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\system\bzoxx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\system\bzoxx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\system\bzoxx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\system\bzoxx.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\system\bzoxx.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [RestartWatch] C:\Program files\Eicon\Diva\WATCH.EXE
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program
Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
Network\bin\bargains.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program
Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [SDKPP.EXE] C:\WINDOWS\SYSTEM\SDKPP.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common
Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil
Software\Avast4\ashserv.exe
O4 - HKLM\..\RunServices: [SYSUU.EXE] C:\WINDOWS\SYSTEM\SYSUU.EXE
O4 - HKLM\..\RunServices: [IPYE.EXE] C:\WINDOWS\SYSTEM\IPYE.EXE
O4 - HKLM\..\RunServices: [APPAA32.EXE] C:\WINDOWS\APPAA32.EXE
O4 - HKLM\..\RunServices: [APIHZ32.EXE] C:\WINDOWS\SYSTEM\APIHZ32.EXE
O4 - HKLM\..\RunServices: [SYSCY32.EXE] C:\WINDOWS\SYSCY32.EXE
O4 - HKLM\..\RunServices: [SYSUA.EXE] C:\WINDOWS\SYSTEM\SYSUA.EXE
O4 - HKLM\..\RunServices: [ATLAE32.EXE] C:\WINDOWS\ATLAE32.EXE
O4 - HKLM\..\RunServices: [NETSX32.EXE] C:\WINDOWS\SYSTEM\NETSX32.EXE
O4 - HKLM\..\RunServices: [JAVAYC.EXE] C:\WINDOWS\JAVAYC.EXE
O4 - HKLM\..\RunServices: [ATLBK.EXE] C:\WINDOWS\ATLBK.EXE
O4 - HKLM\..\RunServices: [NTQB.EXE] C:\WINDOWS\SYSTEM\NTQB.EXE
O4 - HKLM\..\RunServices: [ADDFQ.EXE] C:\WINDOWS\SYSTEM\ADDFQ.EXE
O4 - HKLM\..\RunServices: [IPKD32.EXE] C:\WINDOWS\IPKD32.EXE
O4 - HKLM\..\RunServices: [WINKN32.EXE] C:\WINDOWS\WINKN32.EXE
O4 - HKLM\..\RunServices: [WINNX32.EXE] C:\WINDOWS\WINNX32.EXE
O4 - HKLM\..\RunServices: [D3SX32.EXE] C:\WINDOWS\D3SX32.EXE
O4 - HKLM\..\RunServices: [MFCHI.EXE] C:\WINDOWS\SYSTEM\MFCHI.EXE
O4 - HKLM\..\RunServices: [NTBJ32.EXE] C:\WINDOWS\SYSTEM\NTBJ32.EXE
O4 - HKLM\..\RunServices: [MFCXN32.EXE] C:\WINDOWS\MFCXN32.EXE
O4 - HKLM\..\RunServices: [NETJC.EXE] C:\WINDOWS\NETJC.EXE
O4 - HKLM\..\RunServices: [WINLR.EXE] C:\WINDOWS\SYSTEM\WINLR.EXE
O4 - HKLM\..\RunServices: [ATLSI32.EXE] C:\WINDOWS\ATLSI32.EXE
O4 - HKLM\..\RunServices: [IEBA.EXE] C:\WINDOWS\IEBA.EXE
O4 - HKLM\..\RunServices: [IEIR.EXE] C:\WINDOWS\IEIR.EXE
O4 - HKLM\..\RunServices: [IEYR.EXE] C:\WINDOWS\SYSTEM\IEYR.EXE
O4 - HKLM\..\RunServices: [APPRI32.EXE] C:\WINDOWS\APPRI32.EXE
O4 - HKLM\..\RunServices: [MSRP32.EXE] C:\WINDOWS\SYSTEM\MSRP32.EXE
O4 - HKLM\..\RunServices: [ADDXE32.EXE] C:\WINDOWS\ADDXE32.EXE
O4 - HKLM\..\RunServices: [NETYT.EXE] C:\WINDOWS\SYSTEM\NETYT.EXE
O4 - HKLM\..\RunServices: [CRXL32.EXE] C:\WINDOWS\CRXL32.EXE
O4 - HKLM\..\RunServices: [ADDFH.EXE] C:\WINDOWS\ADDFH.EXE
O4 - HKLM\..\RunServices: [IPZF32.EXE] C:\WINDOWS\SYSTEM\IPZF32.EXE
O4 - HKLM\..\RunServices: [ADDNX32.EXE] C:\WINDOWS\SYSTEM\ADDNX32.EXE
O4 - HKCU\..\Run: [TrayDevil] C:\PROGRAM FILES\TRAYDEVIL\traydevil.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\SPYWAREVANISHER-FREE\FREESCANNER.EXE
-FastScan
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image
Transfer\SonyTray.exe
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper
5.0\DataKeeper.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk =
C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} -
C:\WINDOWS\MSOPT.DLL

Budfred
01-18-2005, 11:31 PM
Did you run CWShredder?? If not, please do so and post another log after a reboot... If you did, let me know and I will look for the more complex fix to use for this....

annielocks
01-19-2005, 08:27 AM
Sorry Budfred - I'm a dunce.

When I opened CWShredder yesterday, the option "fix" was highlighted and I didn't use it, but I did just now and I have just run HJT as well. After I ran CWShredder I restarted the computer and ran a scan through HJT and below are the results.

Logfile of HijackThis v1.99.0
Scan saved at 10:48:49, on 19/01/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\SYSUU.EXE
C:\WINDOWS\SYSTEM\IPYE.EXE
C:\WINDOWS\ATLAE32.EXE
C:\WINDOWS\SYSTEM\APIHZ32.EXE
C:\WINDOWS\SYSTEM\NTQB.EXE
C:\WINDOWS\SYSTEM\ADDFQ.EXE
C:\WINDOWS\D3SX32.EXE
C:\WINDOWS\WINNX32.EXE
C:\WINDOWS\SYSTEM\NETSX32.EXE
C:\WINDOWS\WINKN32.EXE
C:\WINDOWS\APPAA32.EXE
C:\WINDOWS\ATLBK.EXE
C:\WINDOWS\SYSCY32.EXE
C:\WINDOWS\IPKD32.EXE
C:\WINDOWS\SYSTEM\NTBJ32.EXE
C:\WINDOWS\SYSTEM\SYSUA.EXE
C:\WINDOWS\JAVAYC.EXE
C:\WINDOWS\SYSTEM\MFCHI.EXE
C:\WINDOWS\MFCXN32.EXE
C:\WINDOWS\SYSTEM\WINLR.EXE
C:\WINDOWS\NETJC.EXE
C:\WINDOWS\IEBA.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\ATLSI32.EXE
C:\WINDOWS\SYSTEM\MSRP32.EXE
C:\WINDOWS\SYSTEM\IEYR.EXE
C:\WINDOWS\IEIR.EXE
C:\WINDOWS\ADDXE32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\APPRI32.EXE
C:\WINDOWS\ADDFH.EXE
C:\WINDOWS\SYSTEM\NETYT.EXE
C:\WINDOWS\CRXL32.EXE
C:\WINDOWS\SYSTEM\IPZF32.EXE
C:\WINDOWS\SYSTEM\ADDNX32.EXE
C:\WINDOWS\APIJT32.EXE
C:\WINDOWS\SYSTEM\IPPT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EICON\DIVA\DITASK.EXE
C:\PROGRAM FILES\EICON\DIVA\WATCH.EXE
C:\PROGRAM FILES\EICON\DIVA\CGSERVER.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\PROGRAM FILES\EICON\DIVA\DIINFO.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\WINDOWS\SYSTEM\SDKPP.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\TRAYDEVIL\TRAYDEVIL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\PROGRAM FILES\POWERQUEST\DATAKEEPER 5.0\DATAKEEPER.EXE
C:\PROGRAM FILES\STICKIES\STICKIES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\D3SX32.EXE
C:\WINDOWS\SYSTEM\APIHZ32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\ATLBK.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\DESKTOP\HIJACK THIS2\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\lmoke.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\lmoke.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
res://C:\WINDOWS\lmoke.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\lmoke.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\lmoke.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\lmoke.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\lmoke.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {90AD3177-D505-1146-3DDF-60FC741016D6} -
C:\WINDOWS\IEWE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [RestartWatch] C:\Program files\Eicon\Diva\WATCH.EXE
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program
Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye
Network\bin\bargains.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program
Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [SDKPP.EXE] C:\WINDOWS\SYSTEM\SDKPP.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common
Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil
Software\Avast4\ashserv.exe
O4 - HKLM\..\RunServices: [SYSUU.EXE] C:\WINDOWS\SYSTEM\SYSUU.EXE
O4 - HKLM\..\RunServices: [IPYE.EXE] C:\WINDOWS\SYSTEM\IPYE.EXE
O4 - HKLM\..\RunServices: [APPAA32.EXE] C:\WINDOWS\APPAA32.EXE
O4 - HKLM\..\RunServices: [APIHZ32.EXE] C:\WINDOWS\SYSTEM\APIHZ32.EXE
O4 - HKLM\..\RunServices: [SYSCY32.EXE] C:\WINDOWS\SYSCY32.EXE
O4 - HKLM\..\RunServices: [SYSUA.EXE] C:\WINDOWS\SYSTEM\SYSUA.EXE
O4 - HKLM\..\RunServices: [ATLAE32.EXE] C:\WINDOWS\ATLAE32.EXE
O4 - HKLM\..\RunServices: [NETSX32.EXE] C:\WINDOWS\SYSTEM\NETSX32.EXE
O4 - HKLM\..\RunServices: [JAVAYC.EXE] C:\WINDOWS\JAVAYC.EXE
O4 - HKLM\..\RunServices: [ATLBK.EXE] C:\WINDOWS\ATLBK.EXE
O4 - HKLM\..\RunServices: [NTQB.EXE] C:\WINDOWS\SYSTEM\NTQB.EXE
O4 - HKLM\..\RunServices: [ADDFQ.EXE] C:\WINDOWS\SYSTEM\ADDFQ.EXE
O4 - HKLM\..\RunServices: [IPKD32.EXE] C:\WINDOWS\IPKD32.EXE
O4 - HKLM\..\RunServices: [WINKN32.EXE] C:\WINDOWS\WINKN32.EXE
O4 - HKLM\..\RunServices: [WINNX32.EXE] C:\WINDOWS\WINNX32.EXE
O4 - HKLM\..\RunServices: [D3SX32.EXE] C:\WINDOWS\D3SX32.EXE
O4 - HKLM\..\RunServices: [MFCHI.EXE] C:\WINDOWS\SYSTEM\MFCHI.EXE
O4 - HKLM\..\RunServices: [NTBJ32.EXE] C:\WINDOWS\SYSTEM\NTBJ32.EXE
O4 - HKLM\..\RunServices: [MFCXN32.EXE] C:\WINDOWS\MFCXN32.EXE
O4 - HKLM\..\RunServices: [NETJC.EXE] C:\WINDOWS\NETJC.EXE
O4 - HKLM\..\RunServices: [WINLR.EXE] C:\WINDOWS\SYSTEM\WINLR.EXE
O4 - HKLM\..\RunServices: [ATLSI32.EXE] C:\WINDOWS\ATLSI32.EXE
O4 - HKLM\..\RunServices: [IEBA.EXE] C:\WINDOWS\IEBA.EXE
O4 - HKLM\..\RunServices: [IEIR.EXE] C:\WINDOWS\IEIR.EXE
O4 - HKLM\..\RunServices: [IEYR.EXE] C:\WINDOWS\SYSTEM\IEYR.EXE
O4 - HKLM\..\RunServices: [APPRI32.EXE] C:\WINDOWS\APPRI32.EXE
O4 - HKLM\..\RunServices: [MSRP32.EXE] C:\WINDOWS\SYSTEM\MSRP32.EXE
O4 - HKLM\..\RunServices: [ADDXE32.EXE] C:\WINDOWS\ADDXE32.EXE
O4 - HKLM\..\RunServices: [NETYT.EXE] C:\WINDOWS\SYSTEM\NETYT.EXE
O4 - HKLM\..\RunServices: [CRXL32.EXE] C:\WINDOWS\CRXL32.EXE
O4 - HKLM\..\RunServices: [ADDFH.EXE] C:\WINDOWS\ADDFH.EXE
O4 - HKLM\..\RunServices: [IPZF32.EXE] C:\WINDOWS\SYSTEM\IPZF32.EXE
O4 - HKLM\..\RunServices: [ADDNX32.EXE] C:\WINDOWS\SYSTEM\ADDNX32.EXE
O4 - HKLM\..\RunServices: [APIJT32.EXE] C:\WINDOWS\APIJT32.EXE
O4 - HKLM\..\RunServices: [IPPT32.EXE] C:\WINDOWS\SYSTEM\IPPT32.EXE
O4 - HKCU\..\Run: [TrayDevil] C:\PROGRAM FILES\TRAYDEVIL\traydevil.exe
O4 - HKCU\..\Run: [Spyware Vanisher] C:\SPYWAREVANISHER-FREE\FREESCANNER.EXE
-FastScan
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image
Transfer\SonyTray.exe
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper
5.0\DataKeeper.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk =
C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -
{c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} -
C:\WINDOWS\MSOPT.DLL

Budfred
01-19-2005, 10:50 PM
I am pretty sure we can kill this thing without having to do the really complicated fix... Try this next... Run the Housecall online virus scan from my links below and fix anything it finds... Then download the trial version of TrojanHunter, manually update it and run it... Post back with a fresh log after reboot and let me know if the programs seemed to find anything... Here is the TrojanHunter link:

http://www.trojanhunter.com/

annielocks
01-26-2005, 10:15 PM
Sorry for the delay in getting back to you, but we were away for a few days. The Housecall online scan that you suggested I do will not work. The message "microsoft encountered a problem and needs to close" comes up on screen.

Budfred
01-26-2005, 11:17 PM
Okay, the garbage must be blocking it... Try this instead... Download CWShredder and AboutBuster:

Get CWShredder here:

http://www.intermute.com/spysubtract/cwshredder_download.html

Download AboutBuster from the same site as HJT in my links below...

After you download them, reboot to Safe Mode (tap on F8 before WinME starts loading and choose Safe Mode)... Run both programs and run AboutBuster twice... Save the logs for AboutBuster...

Reboot to Normal mode and run a fresh HJT log... Post that and the AboutBuster logs here with a report about what CWShredder said it found and how things are running....
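
Added example, not part of the thread and not any poster's tool: a small Python triage script that re-joins the hard-wrapped HijackThis lines seen in the logs above, extracts the registry O4 autostart entries, and compares two scans. The heuristic it applies (value name identical to the file name, file directly in C:\WINDOWS or C:\WINDOWS\SYSTEM) is an assumption drawn from the pattern visible in these logs; a match marks an entry for review and is not a verdict.

```python
import ntpath
import re

# Constructed excerpts: a few O4 lines copied from the second and third logs
# in this thread, keeping the hard line wrap the forum introduced.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program
Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [SDKPP.EXE] C:\WINDOWS\SYSTEM\SDKPP.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [IPZF32.EXE] C:\WINDOWS\SYSTEM\IPZF32.EXE
O4 - HKLM\..\RunServices: [ADDNX32.EXE] C:\WINDOWS\SYSTEM\ADDNX32.EXE
O4 - HKCU\..\Run: [TrayDevil] C:\PROGRAM FILES\TRAYDEVIL\traydevil.exe
"""
LOG_AFTER = LOG_BEFORE + r"""O4 - HKLM\..\RunServices: [APIJT32.EXE] C:\WINDOWS\APIJT32.EXE
O4 - HKLM\..\RunServices: [IPPT32.EXE] C:\WINDOWS\SYSTEM\IPPT32.EXE
"""

# A log entry starts with a section code such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# Registry autostart: O4 - <hive>\..\<Run key>: [<value name>] <command>
O4_REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
EXE_PATH = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system"}


def entries(log_text):
    """Re-join hard-wrapped lines and return one string per log entry."""
    out = []
    for line in log_text.splitlines():
        line = line.strip()
        if ENTRY_START.match(line):
            out.append(line)
        elif line and out:
            out[-1] += " " + line  # continuation of a wrapped entry
        # anything before the first entry (header, process list) is skipped
    return out


def autostarts(log_text):
    """Map (hive, key, value name) -> executable path for registry O4 entries."""
    found = {}
    for entry in entries(log_text):
        m = O4_REG.match(entry)
        if not m:
            continue
        hive, key, name, command = m.groups()
        exe = EXE_PATH.match(command)
        found[(hive, key, name)] = exe.group(1) if exe else command
    return found


def needs_review(name, path):
    """Heuristic (assumption): value name == file name, file in a Windows dir."""
    return (name.lower() == ntpath.basename(path).lower()
            and ntpath.dirname(path).lower() in WINDOWS_DIRS)


def triage(before, after):
    """List flagged autostarts in `after`, marked new or persisting."""
    old, new = autostarts(before), autostarts(after)
    report = []
    for (hive, key, name), path in new.items():
        if needs_review(name, path):
            status = "persisting" if (hive, key, name) in old else "new"
            report.append((status, f"{hive}\\..\\{key}", path))
    return report


if __name__ == "__main__":
    for status, location, path in triage(LOG_BEFORE, LOG_AFTER):
        print(f"{status:10} {location:22} {path}")
```
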