#1 |
|
Member (8 bit)
Join Date: Sep 2002
Location: SW Iowa (moooo)
Posts: 214
|
While looking through a radio scanner web ring, my Norton AV started quarantining a bunch of files. Now my IE home page has been changed to a site called Cool Web Search (this is what's in the address bar: "http://213.159.117.132/index.php"). It also tries to install something from Globalised Communications Limited. I always click on "NO" when it wants to install.
Also, I can't double click on "my computer" to get into my c: drive. The computer locks up. There is also a program in my task bar called "C:\WINDOWS\dl.html " I did a web search on this and came up with a CWS trojan. I downloaded CWS shredder, Spybot Search and Destroy, AdAware and HijackThis (using Mozilla, IE won't let me download anything either). All have failed to fix the problem. Below is the HijackThis log. Any help would be greatly appreciated!!
Here is the hijack log:
Logfile of HijackThis v1.97.7
Scan saved at 7:06:15 PM, on 6/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\DATA LIFEGUARD\8263142\PROGRAM\BACKWEB-8263142.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QAGENT] C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Data LifeGuard.lnk = C:\Program Files\Data LifeGuard\8263142\Program\backWeb-8263142.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.7.7/tukati.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7886.2365393518
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/T...nloads/outc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1.../v6/brix6ie.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.co...t/c381/chat.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/product...t/opuc/opuc.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab
O16 - DPF: ConferenceRoom Java Client - http://web.webchat.org./java/cr.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Insta...rsinstaller.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09b8c20b996c3a...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...23/cpbrkpie.cab
__________________
| AMD Athlon 64 3000+ | Abit KV8 Pro Mobo | ATI Radeon 9800 Pro 128mb | LiteOn 16X DVD Rom | 24x10x40x LiteOn CD-RW | Zerus Cooling Fan (rear expansion slot mount) | 2GB G Skill DDR PC3200 (2 X 1MB) | Thermaltake Purepwer 420W Power Supply | WD 80GB 7200 RPM | WD 40GB 7200 RPM | Window XP Home | |
|
|
|
|
|
#2 |
|
Moderator
Staff
Premium Member
Join Date: Aug 2003
Location: Richmond, VA
Posts: 7,835
|
Get your AntiVirus running. If you don't have one, download AVG and scan it. It should pick it up.
kram
__________________
"For today, goodbye. For tomorrow, good luck. And forever, Go Blue!"
University of Michigan President Mary Sue Coleman |
|
|
|
|
|
#3 |
|
Member (9 bit)
Join Date: Aug 2003
Location: Florence, Mississippi
Posts: 261
|
I agree with Kram8806, you need an AV that you can scan your PC with. I don't know if the AVG antivirus is free or not, I did glance at the web page to AVG. If it isn't, you can go to www.avast.com and run their AV. The home version is free and so are any and all updates. Hope this helps.
thorlo6
|
|
|
|
|
|
#4 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,782
|
If it's a virus, his Norton should have picked it up if the definitions are current and the program is from the last couple of years.
|
|
|
|
|
|
#5 |
|
Member (8 bit)
Join Date: Sep 2002
Location: SW Iowa (moooo)
Posts: 214
|
I am running Norton AV, set to auto live update. It gets new virus defs once a week. My current def date is 6-2-04.
Any ideas on how to get rid of this???? |
|
|
|
|
|
#6 |
|
The Preacher Man
Premium Member
Join Date: Apr 2000
Location: Dallas
Posts: 4,828
|
__________________
"Don't be so open-minded that your brains fall out." |
|
|
|
|
|
#7 |
|
Moderator
Staff
Premium Member
Join Date: Aug 2003
Location: Richmond, VA
Posts: 7,835
|
That's rather weird - Norton usually does a decent job picking up stuff and is usually up to date. Might you just go ahead and try running another AntiVirus? I would see if you get anything from Housecall - an online Antivirus Scan. See what you can pick up with that.
Hope that helps, kram |
|
|
|
|
|
#8 |
|
Computing Professor
Staff
Premium Member
Join Date: Jun 2001
Posts: 11,718
|
This link will tell you exactly what you've got: http://www.spywareguide.com/product_show.php?id=599
The only thing I can add is that your luck landed you with one of the variants for which formatting is the only option. As for the Globalised Communication Limited pop-up, it's a dialer that will connect you to some very expensive porn sites and, probably, off-shore internet casinos. It will also charge you something like $3, or more, per minute while it does it. Click and your phone bill goes through the roof. What you'd also know, if you were able to get into IE, is that your favorites list should now have close to 100 porn sites added to it.
As you just found out, Mozilla is immune and, when you reformat, make sure you download and install all the security updates for the latest IE, and also in Internet Options you have your security set too low; you want to go over the Java machine and ActiveX applets especially. I recommend www.spywareinfo.com. When you download Spybot for the new install make sure you use the immunizer as well. The sleaze responsible for Cool Web Search spend a good deal of their time coming up with variants to defeat Spybot, AV companies and the hijack blaster people, so your best bet is to stay on top of the problem. |
|
|
|
|
|
#9 |
|
Member (8 bit)
Join Date: Sep 2002
Location: SW Iowa (moooo)
Posts: 214
|
Crap...
I guess this is as good a time as any to get XP.... Also I checked my bookmarks...nothing has been added there. I wonder if Norton caught part of it. Here is my Norton AV log from when I got this stupid thing:
Date: 6/1/04, Time: 8:44:58, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\5J7F5146\mstasks1[1].txt is infected with the Backdoor.Tofger virus. Unable to repair this file.
Date: 6/1/04, Time: 8:45:04, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\5J7F5146\mstasks1[1].txt was infected with the Backdoor.Tofger virus. The file was quarantined.
Date: 6/1/04, Time: 8:45:06, Lowthorp on LOWTHORP The file C:\WINDOWS\mstasks1.exe is infected with the Backdoor.Tofger virus. Unable to repair this file.
Date: 6/1/04, Time: 8:45:08, Lowthorp on LOWTHORP The file C:\WINDOWS\mstasks1.exe was infected with the Backdoor.Tofger virus. The file was quarantined.
Date: 6/1/04, Time: 8:45:36, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\ID34X8ZY\mstasks1[1].txt is infected with the Backdoor.Tofger virus. Unable to repair this file.
Date: 6/1/04, Time: 8:45:40, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\ID34X8ZY\mstasks1[1].txt was infected with the Backdoor.Tofger virus. The file was quarantined.
Date: 6/1/04, Time: 8:45:42, Lowthorp on LOWTHORP The file C:\WINDOWS\mstasks1.exe is infected with the Backdoor.Tofger virus. Unable to repair this file.
Date: 6/1/04, Time: 8:45:46, Lowthorp on LOWTHORP The file C:\WINDOWS\mstasks1.exe was infected with the Backdoor.Tofger virus. The file was quarantined.
Date: 6/1/04, Time: 8:45:54, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\5J7F5146\mstasks1[1].txt is infected with the Backdoor.Tofger virus. Unable to repair this file.
Date: 6/1/04, Time: 8:45:56, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\5J7F5146\mstasks1[1].txt was infected with the Backdoor.Tofger virus. The file was quarantined.
Date: 6/1/04, Time: 8:45:58, Lowthorp on LOWTHORP The file C:\WINDOWS\mstasks1.exe is infected with the Backdoor.Tofger virus. Unable to repair this file.
Date: 6/1/04, Time: 8:46:00, Lowthorp on LOWTHORP The file C:\WINDOWS\mstasks1.exe was infected with the Backdoor.Tofger virus. The file was quarantined.
Date: 6/1/04, Time: 8:46:04, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\ID34X8ZY\mstasks1[1].txt is infected with the Backdoor.Tofger virus. Unable to repair this file.
Date: 6/1/04, Time: 8:46:10, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\ID34X8ZY\mstasks1[1].txt was infected with the Backdoor.Tofger virus. The file was quarantined.
Date: 6/1/04, Time: 8:46:12, Lowthorp on LOWTHORP The file C:\WINDOWS\mstasks1.exe is infected with the Backdoor.Tofger virus. Unable to repair this file.
Date: 6/1/04, Time: 8:46:14, Lowthorp on LOWTHORP The file C:\WINDOWS\mstasks1.exe was infected with the Backdoor.Tofger virus. The file was quarantined.
Date: 6/1/04, Time: 8:47:22, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\5J7F5146\msits[1].exe is infected with the Backdoor.Jeem virus. Unable to repair this file.
Date: 6/1/04, Time: 8:47:26, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\5J7F5146\msits[1].exe is infected with the Backdoor.Jeem virus. Unable to quarantine this file.
Date: 6/1/04, Time: 8:47:36, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\5J7F5146\msits[1].exe is infected with the Backdoor.Jeem virus. Unable to delete this file.
Date: 6/1/04, Time: 8:47:44, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\5J7F5146\msits[1].exe is infected with the Backdoor.Jeem virus. Access to the file was denied.
Date: 6/1/04, Time: 8:47:44, Lowthorp on LOWTHORP The file C:\tmp001.exe is infected with the Backdoor.Jeem virus. Unable to repair this file.
Date: 6/1/04, Time: 8:47:46, Lowthorp on LOWTHORP The file C:\tmp001.exe was infected with the Backdoor.Jeem virus. The file was quarantined.
Date: 6/1/04, Time: 8:47:56, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\877RISXT\child[1].exe is infected with the Download.Trojan virus. Unable to repair this file.
Date: 6/1/04, Time: 8:47:58, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\877RISXT\child[1].exe is infected with the Download.Trojan virus. Unable to quarantine this file.
Date: 6/1/04, Time: 8:48:02, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\877RISXT\child[1].exe is infected with the Download.Trojan virus. Unable to delete this file.
Date: 6/1/04, Time: 8:48:02, Lowthorp on LOWTHORP The file C:\WINDOWS\Temporary Internet Files\Content.IE5\877RISXT\child[1].exe is infected with the Download.Trojan virus. Access to the file was denied.
Date: 6/1/04, Time: 9:33:34, Lowthorp on LOWTHORP Virus scan started.
|
|
|
|
|
#10 |
|
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936
|
Click here to download CWShredder by Merijn Bellekom, the creator of Hijack This
Update
They just had an update
Run it, press 'Fix', and allow it to fix all it finds. And remember to click "Fix" (Not "Scan only")
Reboot
Run hijack this, put a check next to these, close all browsers and hit fix
Make sure not to miss one
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
http://www.kissysoftware.com/asp/wintime.asp
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Data LifeGuard.lnk = C:\Program Files\Data LifeGuard\8263142\Program\backWeb-8263142.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1.../v6/brix6ie.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.5.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Insta...rsinstaller.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09b8c20b996c3a...ip/RdxIE601.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...23/cpbrkpie.cab
-----------------------------------------------------------------------------------------------------------------------------------
most of them look like they are in your temp files
1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
reboot
post a new log
|
|
|
|
|
#11 |
|
Member (8 bit)
Join Date: Sep 2002
Location: SW Iowa (moooo)
Posts: 214
|
I updated CWS shredder and it found and fixed a couple of things.
I ran Hijack This and there were a lot of things not on the list you posted. Here is my new Hijack This log. Also I have my home page back, so maybe it's getting better.
Logfile of HijackThis v1.97.7
Scan saved at 8:27:48 AM, on 6/4/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\DATA LIFEGUARD\8263142\PROGRAM\BACKWEB-8263142.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QAGENT] C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Data LifeGuard.lnk = C:\Program Files\Data LifeGuard\8263142\Program\backWeb-8263142.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.7.7/tukati.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...886.2365393518
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productu.../opuc/opuc.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.5.cab
O16 - DPF: ConferenceRoom Java Client - http://web.webchat.org./java/cr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/09b8c20b996c3aa...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab
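Added example, not part of any post in this thread and not code from HijackThis or its author: a way to compare the 6/2/04 and 6/4/04 HijackThis logs above entry by entry, and to flag IE page settings that point at a bare IP address. The sample lines are excerpts of the two posted logs; the function names and the section-code pattern (limited to the kinds of codes seen here) are assumptions of this example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Entry lines look like "<code> - <detail>"; header and process lines do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Excerpt of the first log posted in the thread (6/2/04).
BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\SYSTEM32\WINTIME.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Insta...rsinstaller.cab
"""

# Excerpt of the second log posted in the thread (6/4/04).
AFTER = r"""Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ebay.com/
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""

def entry_key(code, detail):
    """Stable identity for an entry so cosmetic differences are not reported."""
    if code.startswith("R"):
        # Registry value name only; the data after " = " is what may change.
        return (code, detail.split(" = ", 1)[0].lower())
    clsid = CLSID_RE.search(detail)
    if code in ("O2", "O3", "O16") and clsid:
        # The forum shortened the URLs differently in each post, so key on CLSID.
        return (code, clsid.group(0).upper())
    return (code, detail.lower())

def parse_log(text):
    """Return {key: (code, detail)} for every entry line in a pasted log."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            code, detail = m.groups()
            entries[entry_key(code, detail)] = (code, detail)
    return entries

def ip_literal_pages(entries):
    """R-section settings whose URL host is a raw IP address, as in the first log."""
    flagged = []
    for (code, name), (_, detail) in entries.items():
        if not code.startswith("R") or " = " not in detail:
            continue
        url = detail.split(" = ", 1)[1].strip()
        try:
            ip_address(urlsplit(url).hostname or "")
        except ValueError:
            continue  # a hostname, about:blank, or a non-URL value
        flagged.append((name, url))
    return flagged

def diff_logs(before, after):
    """Keys removed, keys added, and R-section keys whose data changed."""
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    changed = sorted(k for k in before
                     if k in after and k[0].startswith("R")
                     and before[k][1] != after[k][1])
    return removed, added, changed

if __name__ == "__main__":
    old, new = parse_log(BEFORE), parse_log(AFTER)
    for label, keys in zip(("removed", "added", "changed"), diff_logs(old, new)):
        for key in keys:
            print(label, *key)
    print("IP-literal pages still present:", ip_literal_pages(new))
```

New entries in the "added" list are the ones to look up before the next round of fixes, since they appeared between the two scans.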
|
|
|
|
|
#12 |
|
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,782
|
You will need to disable your Norton autoprotect when you delete your temporary internet files if there are viruses in them, or the autoprotect will drive you nuts.
|
|
|
|