Full Version: Internet Hijacked by C:\spex\start!!
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
akt
A month ago I had problems with a hijacking of my homepage to C:\Spad\Start.html. I asked someone on computercops.biz to help and they helped me to "get rid of it" - in fact, it didn't work and only caused the trojan to hide itself in the registry. Now it has come back.
The symptoms are as follows:
  • Homepage changed in IE6 to C:\spex\start.html
  • Icons on my desktop with an X on it called "default" or "-- The nicest hobby on Earth ;) --"
  • Random 4-letter ".dat" files (in the C:\Documents and Settings\%USERNAME\Local Settings\Temp folder) trying to connect to the internet. I have opened one in notepad and added it to this post for you to see what it does. BTW, I have ZoneAlarm and that catches the files trying to access the net: it says "llki.dat [or any 4 letters followed by .dat] is trying to access the Internet."
  • Pop-ups occur that look like system "exclamations". They are a side-effect of the .dat files and if you look at the one in this post you will see what they can say.
  • Once a toolbar came up at the top of the screen called "World Wide Web" with 2 search boxes. One called "Search:" directed you to wowweb.com and the other "Surf:" directed you to msn.com. Weird....
I have tried running Norton Antivirus 2003, Ad-Aware 6 and Spybot S&D through the system but they find a few things, "fix"/"quarantine" them and each program finds something different. Also, I have run HijackThis through it, "fixed" the files I believe are messing it up and they always come back!

Note about the HijackThis log: the first 2 R0's are www.google.com. I HAVE NOT set this as my homepage: I have set it as www.google.co.uk. In addition, I have posted this log recently after trying to remove a few things so if I post another one in reply later on, it may be different.

This is the Hijack This log:
========================
Logfile of HijackThis v1.97.7
Scan saved at 12:58:27, on 27/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\AKT\My Documents\Downloaded\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7952.6449537037
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF300152-0CAF-465C-B301-754FA5D7D88E}: NameServer = 212.74.114.129 212.74.114.193
============END OF LOG==========

Now this is the .dat file in text format:

============START OF .DAT FILE======
[binary PE header and code omitted; readable strings from the file follow]
tibsystems. statsbank.com boards.cexx.org adultwebmasterinfo.com spywareinfo. dialerschutz.de webmasterworld.com crutop.nu gofu**yourself.com FindCloseUrlCache FindNextUrlCacheEntryA FindFirstUrlCacheEntryA wininet.dll COMSPEC " " .bat /c @echo off
:start
echo > %1
del %1
if exist %1 goto start
del %0
http://www.wowweb.net/search.php?said=pmcap4&q=party%20poker The $1 MILLION GUARANTEED PRIZE IS WITING FOR YOU!!! Do you wish to apply for it with our -- Look for another playground --s?
Note: by clicking YES you confirm, that you at least 21 yr. old. Internet Explorer: $1000000 Guaranteed Prize http://www.wowweb.net/search.php?said=pmcr...yware%20removal http://www.wowweb.net/search.php?said=pmcr...dware%20removal Your computer may be infected with Trojan Horse Virus!!! Do you wish to remove it? Internet explorer:Trojan Horse ALERT! open http://www.wowweb.net/search.php?said=pmca...0spyware%20scan SOFTWARE\Microsoft\Internet Explorer\Main\Config cid The following SPYWARE was detected on your computer:
IETray
IEAccess/IEDial
MoneyTree
Xrenoder
IEDll
Gator
SVAPlyer
You need to perform the FREE SPYWARE SCAN In order to keep your computer functional!!! Caution:Spyware Trojan Horse ALERT! Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects {8403CB53-12B3-4537-9DEC-4F12F70A883D} CLSID
[binary code omitted; imported API names follow]
FreeLibrary GetProcAddress HLoadLibraryA FindClose FindFirstFileA lstrcpyA GetTickCount lstrlenA GetTempPathA PGetEnvironmentVariableA uGetModuleFileNameA lstrcatA . CloseHandle WriteFile M CreateFileA ISleep ExitProcess HeapAlloc GetProcessHeap HeapFree KERNEL32.dll #GetKeyboardLayoutList MessageBoxA USER32.dll RegCloseKey RegDeleteKeyA RegOpenKeyExA RegQueryValueExA ADVAPI32.dll ShellExecuteA SHELL32.dll
===========
If someone would PLEASE help - all hope has failed elsewhere.
Most gratefully,
AKT. :(
LoPhatPhuud
This is going to take a few steps. First I want to clean up a CWS infection.

First:
Please Download CoolWebShredder, from
http://www.merijn.org/files/cwshredder.zip
http://www.zerosrealm.com/downloads/CWShredder.zip

Extract CWShredder to its own folder,

Reboot in Safe Mode*** and run the program.

Be sure all open windows are closed.

Click the 'Fix ->' button.

Make sure you let it fix all CWS Remnants.

Afterwards Reboot.

Then, please Post a fresh Hijack This log in this thread.


Then:
Please copy the text in the box below to Notepad and save it to your desktop as spex.bat.

Regedit /e spex.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"
Start notepad.exe spex.txt
Exit

Double-click on the spex.bat file, and it will run and create a text document (spex.txt) on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
akt
OK, I've done what you've requested and here are the results of both the hijackthis log and the spex.txt.

=====START OF HIJACKTHIS LOG====
Logfile of HijackThis v1.97.7
Scan saved at 18:30:41, on 28/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Documents and Settings\AKT\My Documents\Downloaded\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7952.6449537037
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
========END OF HIJACK THIS LOG========
========START OF SPEX.TXT===========
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
"MenuText"="Sun Java Console"
"CLSID"="{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
"ClsidExtension"="{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
"clsid"="{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}]
"ButtonText"="Research"
"BandCLSID"="{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"
"Icon"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\REFBAR.ICO"
"Default Visible"="Yes"
"HotIcon"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\REFBARH.ICO"
"CLSID"="{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\Messenger\\MSMSGS.EXE"
"Default Visible"="Yes"
"HotIcon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,302"
"Icon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,301"
"ButtonText"="Messenger"
"MenuText"="Windows Messenger"
"ToolTip"="Windows Messenger"

========END OF SPEX.TXT=====
The HijackThis log seems clean (I think) but do you know why when I typed in my homepage as "http://www.google.co.uk/" (exactly) it changed to "www.google.com" (exactly)???

AKT :unsure:
LoPhatPhuud
Your log is clean.

However, there may be remnants of an infection left (thanks for the spex log).
We will get rid of those, then I would like another HiJackThis log to be sure nothing came back.

As for the google.uk vs google.com issue. I always set my homepage by navigating to the site I want, then opening the Internet Options and have it use current page. There is a possibility that your Hosts file is redirecting google.uk to google.com. Here's how to check:
Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Install the program and run it.

Use should be self explanatory.

OK, now to clean up:
Please copy the text in the box below to Notepad and save it to your desktop as fixspex.reg

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]


Locate fixspex.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot.

Delete the following folder:
c:\spex

Delete the following files:
c:\Documents and Settings\<username>\Local Settings\temp\c_10230.dll
c:\Windows\System32\hpcmdty.dll


Then run HiJackThis and post a new log in this thread.
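As an added example (not the helper's own procedure, and not part of the thread), the Python below parses a regedit text export like the spex.txt above, flags Extensions subkeys that carry nothing but a CLSID pointing at themselves (the heuristic is my assumption, chosen because the {237AA178-...} entry is the only one with no ButtonText/MenuText and no Exec/ClsidExtension/BandCLSID), and writes out the same kind of REGEDIT4 delete file as fixspex.reg for each hive the fix touches.

```python
import re

EXT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"

# Constructed sample: a cut-down copy of the spex.txt export posted in this thread.
# A real "regedit /e" export on Windows XP is UTF-16LE; read it with
# open(path, encoding="utf-16") before passing the text in.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
"MenuText"="Sun Java Console"
"CLSID"="{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
"ClsidExtension"="{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
"clsid"="{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\Messenger\\MSMSGS.EXE"
"ButtonText"="Messenger"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Values that make an Extensions entry visible in IE, and values that tell IE what it launches.
VISIBLE = {"buttontext", "menutext"}
TARGET = {"exec", "script", "clsidextension", "bandclsid"}


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a regedit text export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def suspicious_extensions(keys):
    """Extensions subkeys that have neither a visible label nor a launch target (assumed heuristic)."""
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(EXT_KEY.lower() + "\\"):
            continue
        names = {n.lower() for n in values}
        if not (names & VISIBLE) and not (names & TARGET):
            hits.append(path)
    return hits


def extension_guids(paths):
    """Last path component of each flagged key, i.e. the {GUID} of the extension."""
    return [p.rsplit("\\", 1)[1] for p in paths]


def removal_reg(guids):
    """REGEDIT4 text deleting each GUID's extension and CLSID registration in every hive the thread's fix covers."""
    lines = ["REGEDIT4", ""]
    for g in guids:
        for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
            lines.append(f"[-{hive}\\SOFTWARE\\Classes\\CLSID\\{g}]")
            lines.append(f"[-{hive}\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\{g}]")
        lines.append(f"[-HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Internet Explorer\\Extensions\\{g}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_extensions(parse_reg_export(SAMPLE_EXPORT))
    print("Flagged:", *flagged, sep="\n  ")
    print(removal_reg(extension_guids(flagged)))
```

Review the flagged keys by hand before merging the generated file; a stub entry is a strong hint, not proof.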
akt
I will do that but before I do, I thought I would ask what you think of this first.

I have 4 different Users on my computer (AKT, C--, D-- & J--). When J went on his settings yesterday, I quickly made a HijackThis log of his settings. There are "nasty" results on his settings. I tried to redo the steps with Safe Mode and CWShredder but the 640x400 settings only allowed me to see "Administrator" & "AKT". I don't normally see "Administrator" and I did the CWShredder thing on my settings (AKT). Do you want me to post the results on J's HijackThis log?? I would've thought that HijackThis & CWShredder would work on all settings.

This is J's HijackThis log

=========START OF J'S HIJACKTHIS LOG========
Logfile of HijackThis v1.97.7
Scan saved at 17:35:23, on 29/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Documents and Settings\AKT\My Documents\Downloaded\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O15 - Trusted Zone: http://www.mt-download.com
O15 - Trusted Zone: http://www.myexexex.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7952.6449537037
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF300152-0CAF-465C-B301-754FA5D7D88E}: NameServer = 212.74.114.129 212.74.114.193
===========END OF J'S HIJACKTHIS LOG====

As you can see, it's a log worse off than mine. I don't want to do the step above that you suggested before trying to sort this. I _have not_ done the steps you suggested yet. I don't know what takes priority. What should I do?

AKT :huh:
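As an added example (my code, not a tool from the thread), here is a small Python triage pass over the HijackThis lines that matter in J's log: R0/R1 entries pointing at a local file or at a host outside an assumed baseline of expected sites, every O15 Trusted Zone addition, O4 autoruns without a full path, and O17 NameServer entries. The BASELINE_HOSTS set is an assumption drawn from what the poster says they use.

```python
import re

# Assumed baseline: hosts the poster says they set or that their ISP configures.
BASELINE_HOSTS = {"google.co.uk", "google.com", "tiscali.co.uk"}

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex.com/search.php?said=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spex/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O15 - Trusted Zone: http://www.mt-download.com
O15 - Trusted Zone: http://www.myexexex.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF300152-0CAF-465C-B301-754FA5D7D88E}: NameServer = 212.74.114.129 212.74.114.193
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def host_of(value):
    """Host part of a URL-ish setting, lower-cased and without 'www.'; '' for local files/paths."""
    v = value.strip()
    if re.match(r"^(file:|[a-z]:[\\/])", v, re.I):
        return ""
    v = re.sub(r"^[a-z]+://", "", v, flags=re.I)
    host = v.split("/")[0].split(":")[0].lower()
    return host[4:] if host.startswith("www.") else host


def triage(log_text, baseline_hosts):
    """Return (severity, line, reason) tuples for the lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            _setting, _, value = body.partition(" = ")
            host = host_of(value)
            if host == "":
                findings.append(("high", raw, "browser setting points at a local file, typical of a start-page hijack"))
            elif host not in baseline_hosts:
                findings.append(("high", raw, f"browser setting points at unexpected host {host}"))
        elif kind == "O15":
            # Every Trusted Zone entry lowers IE's security settings for that site.
            findings.append(("high", raw, "site added to the Trusted Zone; confirm you added it yourself"))
        elif kind == "O4":
            cmd = body.split("] ", 1)[-1].strip().strip('"')
            if not re.match(r"^[a-z]:\\", cmd, re.I):
                findings.append(("review", raw, "autorun entry has no full path; confirm which file actually runs"))
        elif kind == "O17":
            findings.append(("review", raw, "DNS servers set in the registry; confirm they belong to your ISP"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG, BASELINE_HOSTS):
        print(f"[{severity:6}] {line.strip()}\n         {reason}")
```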
LoPhatPhuud
Some infections will run in the user's space only and remain unique to the users. Others will run for all users and unfortunately, I do not have a breakdown.

For the spex infection, use the fix below and check for each user. Then post logs as necessary. The log for 'J' is clean except for the spex issue.

Please copy the text in the box below to Notepad and save it to your desktop as fixspex.reg

REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]


Locate fixspex.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot.

Delete the following folder:
c:\spex

Delete the following files:
c:\Documents and Settings\<username>\Local Settings\temp\c_10230.dll
c:\Windows\System32\hpcmdty.dll
akt
OK, I've done as you said with the registry thing. I wasn't able to find c_10230.dll and hpcmdty.dll (I did a search on the whole C: drive as well - and I had "Search in hidden files & folders" and "View Hidden Files and Folders" selected).
In the HJT log, weirdly there are 2 R0's (google.co.uk which is what I have set it to and google.com which I have not (being fiercely British :king: !)). I ran the Hoster file but I couldn't understand how it worked.
Anyhow, This is the HijackThis log from my settings.
=====START OF HIJACKTHIS LOG=====
Logfile of HijackThis v1.97.7
Scan saved at 21:03:52, on 29/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\AKT\My Documents\Downloaded\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7952.6449537037
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF300152-0CAF-465C-B301-754FA5D7D88E}: NameServer = 212.74.114.129 212.74.114.193

========END OF HIJACKTHIS LOG=====

I don't know what to do on J's setting (I hate talking in codenames but it's a public website) - could you please give me some idea on how to tackle that one.
On my settings I seem to not be having any problems since I turned on IE6 10 minutes ago (so good so far) so if you could just give me a help on how to deal with J's settings then I would be very grateful.

Thanks again,
AKT :king:

P.S. I don't know if this is bug-related or not but I don't seem to be able to see animated GIFs animated on my computer.. Weird...
LoPhatPhuud
Check each user separately, and remove the spex infection if found. If you have any doubts, post a HiJackThis log in this thread.

Also check c:\windows and c:\windows\System32\ for the file something.dll and let me know the results.

And no, none of the changes we made would affect animated gifs.
akt
OK, I've got rid of the infected listings on J's HijackThis log by "check"ing them and clicking Fix (I hope) and also got rid of 2 safe zone listings I found in C's HJT log. I found "something.dll" in C:\Windows\System32 but NOT in C:\Windows. I have had no annoying popups so far. Great!
Thanks,
AKT :)