Can't get rid of Search the web!!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Kirsten, Nov 10, 2004.

  1. Kirsten

    Kirsten Private E-2

    I have now read and performed all the steps outlined by Major Attitude to rid my computer of viruses/trojans and spyware. I have run:
    Trend Micro's online scan
    Symantec security check (then rebooted in safe mode)
    CCleaner
    Ad-Aware SE
    Spybot (what a great program!)
    CWShredder, Kill2me and HSremove.

    All the nasties are gone except for Search the Web and a nasty pop-up from CAsalemedia.
    I have read the HijackThis tutorial and run it several times. I have looked at the lists by PacMan for Startup and TonyK's BHO list but must admit I am in over my head.
    I hope someone out there can help me. I am a novice but have learned a lot doing this. It is actually fun.
    I have a logfile to post if anyone is interested.
     
  2. jarcher

    jarcher I can't handle a title

    welcome to MG Kirsten, good to have you aboard

    are those only a select few you ran in the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. . .?
    http://forums.majorgeeks.com/showthread.php?t=35407

    or did ya do everything suggested?

    couldn't hurt to go through again and make sure you are all up to date
    on the software. . .

    and since you have been here
    http://forums.majorgeeks.com/showthread.php?t=38752
    on how to post HJT logs properly

    (version 1.98.2, HJT in its own folder not on desktop, or documents and settings, attaching log using manage attachments as a .txt file)

    post one and let's take a look
     
  3. Kirsten

    Kirsten Private E-2

    Hi Jarcher,
    I followed the "recipe" and did everything it said (several times because I forgot to run in safe mode the first time, and the second time I forgot to disable system recovery) with the exception of about:Buster because I am not having those kinds of problems. We have 2 accounts on our computer. Do I have to run everything on both of them or can I run it on "administrator"?
    I will try to post my logfile in the manner described. I am concerned about the R1 setting "proxyoverride=local host". It looks suspicious.
     

    Attached Files:

  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    The R1 line might be ok, it's a good idea to check your hosts files as well because that's where the real problems can start. Here's some info on that:
    http://forums.majorgeeks.com/showthread.php?t=25959


    Logfile isn't too bad, I scanned it quickly and spotted a couple to remove:

    Remove this if you don't know what it is:
    O2 - BHO: (no name) - {3A991762-6901-1941-8A2C-A37EAFC52027} - C:\DOCUME~1\Kirsten\APPLIC~1\SIGNBU~1\filmbeep.exe

    O2 - BHO: (no name) - {615AE2C4-F4DF-1D19-DC15-B8986B10B8EB} - C:\PROGRA~1\SIGNBU~1\filmbeep.exe (file missing)
    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)

    Sadly, if you're running multiple accounts, you need to check everything from each account.

    Let us know how you make out from here.
     
  5. Kodo

    Kodo SNATCHSQUATCH

    I would also get rid of the following

    O4 - HKLM\..\Run: [Free blue comp road] C:\Documents and Settings\All Users\Application Data\SKIPNEWFREEBLUE\active info.exe
    O4 - HKLM\..\Run: [Default Remote Mail Meta] C:\Documents and Settings\All Users\Application Data\Flaw Warn Default Remote\Inter poke.exe
    O16 - DPF: DnB-Betaling - http://www16.dnb.no/nettbank/bf.cab

    I went to dnb betaling and it wanted me to set their page as my home page.. that red flagged me.
     
  6. jarcher

    jarcher I can't handle a title

    that is all too true. . .

    you are also running HJT from your desktop

    good that it's in its own folder, but it would be wise to move it to C:\

    I don't know this; if you do not know this, it is safe to fix

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pub.tv2.no/nettavisen/

    if you did not add this to your trusted zones, fix it
    O15 - Trusted Zone: http://www.snapfiles.com

    if you do not know these, fix these also
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab

    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
     
  7. Kirsten

    Kirsten Private E-2

    DnB is the Norwegian bank (Den Norske Bank) where we pay our bills. Can it stay where it is?
     
  8. Kirsten

    Kirsten Private E-2

    The Trend Micro is a virus protection program if I'm not mistaken.
     
  9. jarcher

    jarcher I can't handle a title

    right, it is. . but that is an extra button that is not needed
    it is ok to remove


    every time you go to that site you get a prompt to make it your home page
    you can safely remove that entry and still be able to access that site


    all of the suggestions for removal can be removed
    with no unhelpful changes in daily PC usage
    you can still do what you have always done
     
  10. Kirsten

    Kirsten Private E-2

    Thanks for all the help. I hope I don't end up posting this 2x. I wrote a long message, went to look for files and when I returned it was gone. I have now removed many of the items suggested. http://pub.tv2.no/nettavisen is my husband's homepage. I ran HijackThis on both accounts and am therefore posting 2 logfiles. I ran in safe mode with hidden files and common extensions showing. I turned off system restore. I am still not sure if I am running it from the right folder.
    I read with interest the info on hosts files. Mine looks fine but there is still a nasty pop-up running on my machine with a numerical address (http://216.251.34.73). How do I add this to the hosts file to block it?
    One more question, if I may. I have Google for a homepage and I don't see it on my logfile.
    I am beginning to think I am a closet geek. It makes it more fun to know how the machine runs.
     

    Attached Files:
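Two things from the thread so far are worth seeing in code: Major Attitude's advice to check the hosts file for bad entries, and Kirsten's question about blocking a pop-up address through it. The script below is an added example, not something posted in this thread or shipped with HijackThis. It parses a small hosts file (the contents are constructed for the example; the names ending in `.invalid` are made up) and flags any line that sends a name somewhere other than loopback, which is the pattern a hijacked hosts file shows. It also shows the one caveat a practitioner would raise about the pop-up question: the hosts file maps names to addresses, so a URL that already uses a bare IP such as `http://216.251.34.73` never consults it and cannot be blocked there; a name-based URL can.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample hosts file: two harmless lines and one entry that
# redirects a name to a non-loopback address (the kind of line to look for).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.invalid   # a block line added on purpose
10.9.8.7        www.example-bank.invalid       # suspicious: a real name sent elsewhere
"""


def parse_hosts(text):
    """Return (address, [names]) for each non-comment, non-blank hosts line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_hosts_entries(text):
    """Flag entries that map a name anywhere other than loopback/unspecified.

    Block lines (127.0.0.1 / 0.0.0.0 / ::1) are what a user adds on purpose;
    anything else means a name on this machine resolves where an attacker chose.
    """
    flagged = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((addr, names))  # unparsable address is itself worth a look
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            flagged.append((addr, names))
    return flagged


def hosts_block_line(url):
    """Return a hosts line that blackholes the URL's host, or None if hosts cannot help.

    The hosts file is consulted only when a name is resolved, so a URL whose
    host is already a bare IP address never touches it.
    """
    host = urlparse(url if "://" in url else "http://" + url).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # bare IP: nothing to resolve, hosts file is bypassed
    except ValueError:
        pass
    return f"127.0.0.1\t{host}"


if __name__ == "__main__":
    for addr, names in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("suspicious hosts entry:", addr, " ".join(names))
    for u in ("http://216.251.34.73", "http://ads.example-adserver.invalid/popup"):
        print(u, "->", hosts_block_line(u))
```

Run it as-is to see the constructed bad entry flagged and the two URLs handled differently; on a real machine, feed `parse_hosts` the contents of `C:\Windows\System32\drivers\etc\hosts` (or `C:\WINNT\...` on older systems) instead of `SAMPLE_HOSTS`. For a bare-IP pop-up the right tool is a firewall rule rather than a hosts entry.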

  11. jarcher

    jarcher I can't handle a title

    K log

    this can go
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O16 - DPF: DnB-Betaling - http://www16.dnb.no/nettbank/bf.cab


    file is missing, it's useless, it can be removed

    O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)


    R log
    if any of the above is still in his log after you remove them from yours
    remove them from his
    has this as his main page

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pub.tv2.no/nettavisen/

    if he wants it then that's ok then

    fix those and post a new log each
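The posts from Major Attitude, Kodo and jarcher above all apply the same reading rules to HijackThis lines: an entry marked "(file missing)" points at nothing and can go, an unnamed O2 BHO goes unless you know what installed it, and O15 Trusted Zone and O16 DPF entries need the user to confirm they added or use the site. The script below is an added example (not part of this thread and not HijackThis code) that parses lines in that format and applies exactly those rules; the sample lines are copied from the logs quoted in this thread, and the section descriptions are the standard HijackThis meanings for those prefixes.

```python
import re

# Constructed sample log made of lines quoted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pub.tv2.no/nettavisen/
O2 - BHO: (no name) - {615AE2C4-F4DF-1D19-DC15-B8986B10B8EB} - C:\PROGRA~1\SIGNBU~1\filmbeep.exe (file missing)
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O15 - Trusted Zone: http://www.snapfiles.com
O16 - DPF: DnB-Betaling - http://www16.dnb.no/nettbank/bf.cab
""".strip()

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_RE = re.compile(r"https?://\S+")
MISSING = "(file missing)"

# What each HijackThis section prefix used here describes.
SECTION_MEANING = {
    "R0": "IE start/search page registry value",
    "R1": "IE registry value (search, proxy override, ...)",
    "O2": "Browser Helper Object",
    "O4": "autorun entry (Run key / startup folder)",
    "O9": "extra IE button or Tools menu item",
    "O15": "Trusted Zone site",
    "O16": "Downloaded Program File (ActiveX .cab)",
}


def parse_hjt_line(line):
    """Split one HijackThis line into its prefix, body, CLSID, URL and missing-file flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    file_missing = body.endswith(MISSING)
    if file_missing:
        body = body[: -len(MISSING)].rstrip()
    clsid = CLSID_RE.search(body)
    url = URL_RE.search(body)
    return {
        "kind": kind,
        "meaning": SECTION_MEANING.get(kind, "other"),
        "body": body,
        "clsid": clsid.group(0) if clsid else None,
        "url": url.group(0) if url else None,
        "file_missing": file_missing,
    }


def review(log_text):
    """Parse a log and return (all entries, entries needing attention with reasons)."""
    entries = [e for e in map(parse_hjt_line, log_text.splitlines()) if e]
    flagged = []
    for e in entries:
        reasons = []
        if e["file_missing"]:
            reasons.append("file missing: entry points at nothing, can be removed")
        if e["kind"] == "O2" and "(no name)" in e["body"]:
            reasons.append("unnamed BHO: remove unless you know what installed it")
        if e["kind"] in ("O15", "O16"):
            reasons.append("confirm you added this site / use this download yourself")
        if reasons:
            flagged.append((e["kind"], e["body"], reasons))
    return entries, flagged


if __name__ == "__main__":
    entries, flagged = review(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {len(flagged)} need a decision")
    for kind, body, reasons in flagged:
        print(f"{kind} [{SECTION_MEANING.get(kind, 'other')}] {body}")
        for r in reasons:
            print("   -", r)
```

Paste a real log's contents in place of `SAMPLE_LOG` (the entries posted in this thread are already in it) and the output reproduces the reviewers' short list: the two "(file missing)" lines, the unnamed BHO, and the O15/O16 sites for the user to confirm, while the R0 home page and the MusicMatch autorun are left for a human to decide on.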
     
