#1
Browser still Hijacked...HJT Log attached...Please help!
I have tried everything I can think of on this hijack and it still persists... homepage now at: res://bthev.dll/index.html#96676
HJT Log as follows:

Logfile of HijackThis v1.98.1
Scan saved at 7:51:55 AM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\mfciu32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\myCIO\Agent\myagttry.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\apihv32.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\myCIO\Agent\UpdDlg.exe
C:\Documents and Settings\rallen\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bthev.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bthev.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bthev.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bthev.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bthev.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bthev.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2344D7E7-CE38-897A-FF8F-1D623F27EA1C} - C:\WINDOWS\system32\atlug.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apihv32.exe] C:\WINDOWS\apihv32.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
O4 - HKLM\..\RunOnce: [netuv.exe] C:\WINDOWS\netuv.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/sv/online.chm::/on-line.exe
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/bin/myCioAgt.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
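An added triage script for a HijackThis log of this kind (example code written for this page, not from the thread or from HijackThis): it applies the CoolWebSearch checks a helper would make by eye to lines copied from the log above, and pulls out the DLL name the res:// pages are served from, so you know which file to hunt for on disk. The function names and the O4 "exe directly in the Windows directory" rule are my own heuristics, not HijackThis behaviour.

```python
import re

# Sample HijackThis lines copied from the log posted in this thread
# (trimmed to the entries the triage rules below care about).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bthev.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bthev.dll/sp.html#96676
O2 - BHO: (no name) - {2344D7E7-CE38-897A-FF8F-1D623F27EA1C} - C:\WINDOWS\system32\atlug.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\RunOnce: [netuv.exe] C:\WINDOWS\netuv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/sv/online.chm::/on-line.exe
"""

# DLL name inside a res:// URL, with or without a leading drive path.
RES_DLL = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?([^/\\]+\.dll)", re.IGNORECASE)
# Heuristic (mine, not HijackThis'): an autostart exe sitting directly in the
# Windows directory rather than a subfolder, like netuv.exe or apihv32.exe.
WINDIR_EXE = re.compile(r"\] [A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


def triage(log_text):
    """Return (line, reason) pairs for entries matching a CWS-style pattern."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines() if raw.strip()):
        kind, _, rest = line.partition(" - ")
        if kind in ("R0", "R1") and "= res://" in rest:
            # Start/search pages normally point at http(s); a res:// URL serves
            # the page out of a DLL resource, which is the CoolWebSearch trick.
            findings.append((line, "IE page set to res:// DLL resource"))
        elif kind == "O2" and "(no name)" in rest:
            # Legitimate BHOs register a display name; CWS ones are nameless.
            findings.append((line, "nameless Browser Helper Object"))
        elif kind == "O4" and WINDIR_EXE.search(rest):
            findings.append((line, "autostart exe directly in Windows dir"))
        elif kind == "O16" and re.search(r"- (ms-its|mhtml):", rest, re.I):
            # ms-its:/mhtml: DPF entries fetch a CHM and run the exe inside it.
            findings.append((line, "DPF entry using ms-its/mhtml CHM scheme"))
    return findings


def hijack_dlls(log_text):
    """Names of the DLLs the hijacked R0/R1 pages are loaded from."""
    return sorted({m.group(1).lower()
                   for line, reason in triage(log_text)
                   if reason.startswith("IE page")
                   for m in RES_DLL.finditer(line)})
```

Running `triage(SAMPLE_LOG)` flags five of the eight sample lines and leaves the Excel O8 entry alone, since res:// is legitimate there; `hijack_dlls(SAMPLE_LOG)` returns `["bthev.dll"]`, the file the thread tells the poster to search for.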
#2
Hi, what you have is called CoolWebSearch (aka coolwww, coolweb hijack).
First, get a copy of Lavasoft Adaware 6, and update the definitions. Scan and delete everything it finds. Next, search your computer for bthev.dll; it will probably be in c:\winxp or equivalent, depending on your operating system. When you find it, open it in Notepad and highlight all the code. Delete all the code and save the file - simple as that! To stop it possibly re-occurring, find bthev.dll again, and: right click bthev.dll > Properties > Read only > OK. Re-scan with Adaware, again deleting everything it finds, and change your homepage back to whatever you want. You should be fixed - I was when this happened to me! Reply back here with questions/comments etc.
#3
Did the AdAware scan and delete. Did 2 searches, but no sign of the file bthev.dll on my computer.... no joy, CWS is still there.
#4
|
Hmmm.... let me have a think then.
Have you tried searching the whole computer for it? Also you could try using CWShredder: http://www.spywareinfo.com/~merijn . Update the definitions first, then scan - it didn't work for me, but it could be that your spyware is a different variant to mine. Also, when you scan with Adaware and it finds spyware files, can you have a look at what the files are called and where they are. Just quarantine them, and could you report back to me please. I'll have a think and a look around until I get back to you; have a look at www.spywareinfo.com, the forums should have some information on it. I'll get back to you soon hopefully.
#5
Thanks.... tried CW Shredder to no avail. Attached per your request is the AdAware Log...
Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html
Possible Browser Hijack attempt Object recognized!
 Type : RegData
 Data : "res://zyaip.dll/index.html#96676"
 Rootkey : HKEY_CURRENT_USER
 Object : Software\Microsoft\Internet Explorer\Main
 Value : Start Page
 Data : "res://zyaip.dll/index.html#96676"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html
Possible Browser Hijack attempt Object recognized!
 Type : RegData
 Data : "res://zyaip.dll/index.html#96676"
 Rootkey : HKEY_LOCAL_MACHINE
 Object : Software\Microsoft\Internet Explorer\Main
 Value : Start Page
 Data : "res://zyaip.dll/index.html#96676"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html
Possible Browser Hijack attempt Object recognized!
 Type : RegData
 Data : "res://zyaip.dll/index.html#96676"
 Rootkey : HKEY_LOCAL_MACHINE
 Object : Software\Microsoft\Internet Explorer\Main
 Value : Default_Page_URL
 Data : "res://zyaip.dll/index.html#96676"

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 3

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Tracking Cookie Object recognized!
 Type : File
 Data : rallen@bluestreak[1].txt
 Object : C:\Documents and Settings\rallen\Cookies\
 Created on : 8/13/2004 7:27:23 PM
 Last accessed : 8/19/2004 5:58:15 PM
 Last modified : 8/13/2004 7:27:23 PM

Tracking Cookie Object recognized!
 Type : File
 Data : rallen@casalemedia[1].txt
 Object : C:\Documents and Settings\rallen\Cookies\
 Created on : 8/13/2004 7:27:54 PM
 Last accessed : 8/19/2004 5:58:15 PM
 Last modified : 8/13/2004 7:27:54 PM

Tracking Cookie Object recognized!
 Type : File
 Data : rallen@fastclick[2].txt
 Object : C:\Documents and Settings\rallen\Cookies\
 Created on : 8/13/2004 7:27:51 PM
 Last accessed : 8/19/2004 5:58:18 PM
 Last modified : 8/13/2004 7:27:53 PM

Tracking Cookie Object recognized!
 Type : File
 Data : rallen@tribalfusion[1].txt
 Object : C:\Documents and Settings\rallen\Cookies\
 Created on : 8/13/2004 7:27:51 PM
 Last accessed : 8/19/2004 5:58:26 PM
 Last modified : 8/13/2004 7:27:51 PM

Tracking Cookie Object recognized!
 Type : File
 Data : rallen@z1.adserver[1].txt
 Object : C:\Documents and Settings\rallen\Cookies\
 Created on : 8/13/2004 7:27:52 PM
 Last accessed : 8/19/2004 5:58:37 PM
 Last modified : 8/13/2004 7:27:53 PM

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 8

2:00:17 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:06:06:247
Objects scanned :50538
Objects identified :8
Objects ignored :0
New objects :8
#6
OK,
could you search your computer for zyaip.dll, and if you find it, follow the instructions as above but with zyaip.dll instead of bthev.dll, and then reply back please.
#7
Searched everywhere, including hidden folders. No dice.
#8
|
Are you deleting the .dll files with Adaware, and then searching for them? If so, you need to just quarantine them, and then search for them. I'll have another search around, and I am sure we can beat this.
In the meantime, you could have a look in the forums at www.spywareinfo.com
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > Browser still Hijacked...HJT Log attached...Please help!