WINME running on PIII machine.

Backround
Problems started when kids discovered an on-line game last month. Two days after that, SS&D found problems for the first time ever. From my notes, it reported:

Casale Media
ABetterInternet
Numbsoft
Stration.C

This morning SS&D reported CoolWWWSearch.Service

The default home page changed from msn to "about.blank"

AVG7.5 A/V does not report anything. Ad_Aware finds tracking Cookies.

Problems
The machine is running IE6 which now takes a few minutes to load on a broadband connection. Sometime HD goes nuts for no reason, while machine is sitting idle. The mouse cursor "sticks" to the screen for one second before anything happens. Some of these ills are related to running ME, I am sure. But the machine has become sluggish compared to before.

I'd appreciate some help in getting to the bottom of possible infection.

Thanks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:23:31 AM, on 3/16/2007
Platform: Windows ME (Win9x 4.90.3000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS_V2.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~6\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/virusscan/mcasupd.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\SYSTEM\BROWSEUI.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\SYSTEM\BROWSEUI.DLL

--
End of file - 4676 bytes

mwav log

Object "winpopup Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "purityscan Spyware/Adware" found in File System! Action Taken: Entries Removed.
Object "zlob Trojan-Downloader" found in File System! Action Taken: Entries Removed.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: Entries Removed.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: Entries Removed.
Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: Entries Removed.
Entry "HKCR\WMDMPDAExplorer.WMDMPDAExplorer" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: Entries Removed.
Entry "HKCR\BackWeb.5.5" refers to invalid object "{53FCF358-5323-11D0-A864-0000B43699FC}". Action Taken: Entries Removed.
Entry "HKCR\FASTPIXEL.FASTPIXEL.1" refers to invalid object "{6F79DCE0-DCF5-11D0-800E-080009E9498B)". Action Taken: Entries Removed.
Entry "HKCR\BETTERPIXEL.BETTERPIXEL.1" refers to invalid object "{AD5EF240-9EBE-11D0-800E-080009E9498B)". Action Taken: Entries Removed.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\PROGRA~1\BACKWEB\BACKWEB\PROGRAM\REGISTER.EXE". Action Taken: Entries Removed.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\PROGRA~1\BACKWEB\BACKWEB\PROGRAM\PRVCNT.EXE". Action Taken: Entries Removed.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\PROGRA~1\BACKWEB\BACKWEB\PROGRAM\UPDCHAN.EXE". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sha redDlls" refers to invalid object "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPSJBMGR.EXE". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sha redDlls" refers to invalid object "C:\Program Files\Common Files\Borland Shared\BDE\IDAPINST.DLL". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sha redDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTime\QuickTimeVRAuthoring.q tx". Action Taken: Entries Removed.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Sha redDlls" refers to invalid object "C:\WINDOWS\SYSTEM\QuickTime\QuickTimeMPEG.qtx". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".CDX". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".pdr". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".msg". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".pub". Action Taken: Entries Removed.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\FileExts" refers to invalid object ".old". Action Taken: Entries Removed.

The machine had the latest security updates patches from MS as of 2-3 weeks ago. I checked this morning and MS told me I have a Mac. Pic posted in the Jokes Thread, today.

XD Microsoft really needs to get around to fixing that imo.

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm (http://www.beyondlogic.org/consulting/processutil/processutil.htm)]

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

When I double-clicked on the .cmd file, I was not presented with any option to select. Instead, I got huge (944 KB) text file. What do I do?

I did some googling on smitfraudfix. If I understood correctly, this tool works for 2000 and XP only.

The PC in question runs WIN ME. Could this be why .cmd didn't work as instructed?

Still waiting for help

hmm.... try Lavasofts coolwebsearch remover- it is an add on tool for ad-aware
NOTE
i looked for it, but couldn't find it on their website, but, it may be hidden on one of the "project eco" stuff (i saw CWS remover a long time ago)
I would suggest to run each one
Here(Link to Lavasoft Download page) (http://lavasoft.com/download_and_buy/plugins_for_ad-aware/)
their at the bottom