Homepage Changing on Auto - WANT IT STOPPED!!

I didn't have a bad experience, and although HijackThis may not have used the term "questionable," it most certainly did recommend exactly what i've described above. I don't have a problem with this, either, as i don't keep any personal information on my box, don't keep an addressbook, don't use Outlook Express, don't use Inbox, don't keep e-mail addresses on my box, don't copy e-mails to my box . . . in short, anyone rooting around in my box for such things will be wandering in a desert.

And i frankly find all this quite entertaining.

Craven, i deleted all the registry entries which i could definitely identify as associated with attempts to hijack my home page. I haven't a problem with deleting either of those two "hosts" files, either, as i generally don't surf, don't care if i keep cookies (i usually delete those on a regular basis)--i go on-line to come here, and to look at specific sites for game enhancements. My sweetiepie and i used to IM, but we haven't done so in so long, that i don't need that either.

I may not be an electronic whizzkid, but i'm no dumby either. I've eliminated everything on my box that i don't want, and i do know how to manage the registry, and recognize (often learned through trial and horrid error) what processes should be running in the task manager window. Believe it or not, i do know how to keep my box running the way i want it to.

here you are Monger: have at it....

Logfile of HijackThis v1.97.7
Scan saved at 8:43:39 PM, on 7/13/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\GLOBALDIALER\DOMER00067\Y.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSDMN.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.able2know.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ircwtri2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ircwtri2.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\FONTS\fonts.hta
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00067\Y.EXE -remove
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.hugesearch.net/search.php?qq=
O13 - WWW Prefix: http://www.hugesearch.net/search.php?qq=
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37798.4159027778
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/109998.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Feel free to delete any thebestse entry.

You should probably also delete the hugesearch entries.

hey, let me ask this....a few weeks ago, my IE also stopped inserting the http:// automatically, now I'm having to type that crap in everytime....will this end that as well? It seemed to begin right around this same timeframe.

That's why I recommended the removal of the hugesearch entries. Some of them are a default prefix hijack.

Removing all the entries that have either of those urls should do it. There might be others but that's a safe place to start.

You've got a CoolWebSearch infection.
Download CWShredder
http://www.merijn.org/files/cwshredder.zip
Unzip...Run it......press "Fix", follow its prompts & instructions.. press 'Next', and allow it to fix all it finds.
reboot......
then rescan with HijackThis.post your new log here in this thread.
There'll be more to "fix".. but considerably less :wink:

Or..if you'd prefer to do it manually....then close all other windows...with only Hijackthis running...check off:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml?q=
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\FONTS\fonts.hta
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00067\Y.EXE -remove
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - DefaultPrefix: http://www.hugesearch.net/search.php?qq=
O13 - WWW Prefix: http://www.hugesearch.net/search.php?qq=
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/109998.exe

Press "Fix Checked"...reboot


After restarting...go to:
C:\PROGRAM Files & delete the TOOLBAR folder..the GlobalDialer folder
C:\WINDOWS\FONTS & delete fonts.hta ...msoffice.hta

Whichever way you feel most comfortable with & use...please rescan & post your new log after rescanning.

okay, last night i did what craven said, then i told it NOT to make backups of those things. That **** is still on my pc. tonight when I get home I'm going to do what discogail suggests as far as downloading that other program and using it's fix option. I'll let you all know what comes of it.

Definitely do that. What discogail recommended seems to be removal software for a specific hijack which she said is the one you have.

Hijack this would likely have worked if you'd fixed they additional keys that discogail referenced:

R3 - Default URLSearchHook is missing
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\FONTS\fonts.hta
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00067\Y.EXE -remove
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/109998.exe

O4 - HKLM\..\Run: [Truefonts] C:\WINDOWS\FONTS\fonts.hta
O4 - HKLM\..\Run: [Msoffice] C:\WINDOWS\FONTS\msoffice.hta

The culprits.........they'll restore the hijack every time..one of the cute little CWS hooks to thwart removal.
Run the CWshredder,,,& then post a new log...you'll be fine..

Logfile of HijackThis v1.97.7
Scan saved at 7:41:53 PM, on 7/14/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\MY DOWNLOADS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.able2know.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ircwtri2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ircwtri2.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00067\Y.EXE -remove
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37798.4159027778
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/109998.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

here's the re-run hijack log after running cwshredder.exe

close all other windows...with only Hijackthis running...check off:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml?q=
http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml?q=
http://www.thebestse.com/search.shtml?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml?q=
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00067\Y.EXE -remove
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.3.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/109998.exe


Press "Fix Checked"...reboot
After restarting...go to:
C:\PROGRAM Files & delete the TOOLBAR folder..the GlobalDialer folder...

See if hunkydoryness has returned.

hukydoryness has INDEED returned. Thanks so much to alll of you - gail, you were wonderful in the OR!

This is so frustrating...
I tried to use everything specified in this post, and still no luck. Every time I log in or restart. I get 5 shortcuts on my desktop, 5 in my favorites, and my home page changes to "thebestse.com". If I could only get in front of the guy that created this hijack, I'd really let him have it!!!

Here's some info... I've ran AdAware, cwshredder, and hijackthis. CWshredder found nothing, AdAware found some misc stuff that I deleted, and Hijackthis found "thebestse" a bunch of times, and I keep deleting it, but it comes back EVERY TIME I restart. Any clues?

TIA

Logfile of HijackThis v1.97.7
Scan saved at 10:18:02 PM, on 3/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\bef\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stltoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://221.21.21.100/officescan/ClientInstall/WinNTChk.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://221.21.21.100/officescan/clientinstall/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://221.21.21.100/officescan/clientinstall/setup.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/20031218/akamai.info.apple.com/iTunes4/WW/win/019-0123.20031218.zes4d/iTunesSetup.exe
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://221.21.21.100/officescan/clientinstall/RemoveCtrl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.252.163.240/activex/AxisCamControl.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7ABD710B-DA28-45FE-8A9A-E82A4CC30E5A}: NameServer = 24.217.0.3,24.217.0.4
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

i know they'll help you like they did me. good luck!

See THIS

So, any news on this one?

I did as stated in all the posts, but to no avail.

It was gone after one restart... but after a second restart there it was again... The changing of the homepage can be stoped by Ad-Watch, but the adding of the links on the desktop and the links to My Favorites can't be stopped...

Here's my Hijack log. It doesn't show the thebestse.com links because they were blocked by Ad-Watch...

Does anybody have anymore tips?

Thx in advance...


Logfile of HijackThis v1.97.7
Scan saved at 20:39:24, on 24-3-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Cacheman\Cacheman.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
F:\Utils\Security\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aaotracker.4players.de/usertracker.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [Norton] WINSRV.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Cacheman] C:\Program Files\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: sytem32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

I ran the HiJackThis on my Windows 2000 Pro system and also deleted the lines with the ip address preceding the yahoo, lycos, google, etc addresses and that fixed it for me. My favorites bar is still weird though.

More problems with thebestse.com
Here is my log.

Logfile of HijackThis v1.97.7
Scan saved at 9:37:27 AM, on 3/25/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\sstray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\My Documents\Downloads\HiJackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 69.93.33.155 msn.com
O1 - Hosts: 69.93.33.155 search.msn.com
O1 - Hosts: 69.93.33.155 www.msn.com
O1 - Hosts: 69.93.33.155 www.google.com
O1 - Hosts: 69.93.33.155 google.com
O1 - Hosts: 69.93.33.155 altavista.com
O1 - Hosts: 69.93.33.155 www.altavista.com
O1 - Hosts: 69.93.33.155 yahoo.com
O1 - Hosts: 69.93.33.155 www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [system32.dll] C:\WINNT\system\systeminit.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Configuration Utility.lnk = E:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SATARaid.lnk = E:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
O4 - Global Startup: ZoneAlarm.lnk = E:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Resize &Window - C:\ietools\resize_window.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/069cbad842ea2804aa00/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37894.8487384259
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O19 - User stylesheet: C:\WINNT\sstyle.css
O19 - User stylesheet: C:\WINNT\sstyle.css (HKLM)

So far, I've reset my home page link in IE and removed these parts:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.thebestse.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thebestse.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.thebestse.com/search.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.thebestse.com/search.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.thebestse.com/search.shtml
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 69.93.33.155 msn.com
O1 - Hosts: 69.93.33.155 search.msn.com
O1 - Hosts: 69.93.33.155 www.msn.com
O1 - Hosts: 69.93.33.155 www.google.com
O1 - Hosts: 69.93.33.155 google.com
O1 - Hosts: 69.93.33.155 altavista.com
O1 - Hosts: 69.93.33.155 www.altavista.com
O1 - Hosts: 69.93.33.155 yahoo.com
O1 - Hosts: 69.93.33.155 www.yahoo.com

And then I reboot and I open my browser and I'm back at www.thebestse.com.

Any thing I'm missing?