crunchie (Moderator)
Re: hijackthis log
#11, May 13th, 2004
Close all (browser) windows & rescan with hijackthis. When the scan is finished, place a check in the box to the left of the following entries & click 'fix checked':

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [AddClass] C:\WINNT\AddCLS.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\system32\iSearch\toolbar_.dll/SEARCH.HTML

O9 - Extra button: iSearch Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: iSearch Toolbar (HKLM)

If you never added the O15 entries, fix them.

Reboot into safe mode following the instructions here & navigate to & delete

C:\Program Files\Internet Optimizer <-- folder
C:\WINNT\AddCLS.exe <-- file

Reboot normally.

Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent, free registry editor.

Copy and paste the following text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove this one>
_{1C78AB3F-A857-482e-80C0-3A1E5238A565}

Notice the underscore at the end.

Right click on it, and select delete.
If you get a confirmation question, respond OK then close out of the program.

Please go here & install ALL critical updates required for your system.


Post a new log after a reboot please.

denverdave
Re: hijackthis log
#12, May 13th, 2004
Thanks for the suggestion, Crunchie. I started the shredder and clicked on the 'check for update' and it says I have the latest version. I will try running it again making very sure to select 'Fix' and not just scan only.

denverdave
Re: hijackthis log
#13, May 13th, 2004
Yikes! I see you are a lot faster than I am. I will follow the instructions in your last post at 10:25 AM Thursday!

crunchie (Moderator)
Re: hijackthis log
#14, May 13th, 2004
It's 1 AM here & I'm off to bed B4 my daughter gets up lol. I will check back later.

denverdave
Re: hijackthis log
#15, May 17th, 2004
Latest log.

I had difficulty following some of your last instructions.
When I went to the C: drive in safe mode, I did not find the Internet optimizer folder or the WINNT\AddCls.exe.

I believe I need to keep the O15 entries. I recognize them as node names on a VPN I need to log onto.

I downloaded the Registrar Lite editor, but when I tried to paste the HKEY_CURRENT_USERS..... into the address bar, I was taken to some kind of an MSN search page. Was not able to locate the Key you indicated to remove.

I have started running spybot and ad-aware in between these posts. I hope that is the right thing to do.

Logfile of HijackThis v1.97.7
Scan saved at 1:09:48 AM, on 5/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\Program Files\Reflection\rtsserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\OfficeScan NT\ofcdog.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\hjk\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://metalink.oracle.com/metalink/...l2_gui.startup
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Metro Wastewater District
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.2.18:80
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://finweb.metro.local
O15 - Trusted Zone: http://prodweb.metro.local
O15 - Trusted Zone: http://testweb.metro.local
O15 - Trusted Zone: http://web2.metro.local
O16 - DPF: IEToolbarCab - http://www.dailytoolbar.com/DailyToolbar.CAB
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://prodweb.metro.local/jinitiator/jinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = metro.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE584773-00EE-4D9C-B4B1-1C9A5F907FCC}: NameServer = 12.127.16.83,12.127.18.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = metro.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = metro.local

crunchie (Moderator)
Re: hijackthis log
#16, May 17th, 2004
Clean log. For some reason that R3 doesn't show up now.
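
The comparison behind post #16 (checking the re-scan from post #15 against the entries flagged in post #11) can be scripted. This is an added example, not part of the original thread; the line pattern is inferred from the log lines shown here, and the function names are made up for illustration.

```python
import re

# Assumption: entry lines look like "<code> - <detail>", as in this thread.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Fix list from post #11 (copied from the thread).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [AddClass] C:\WINNT\AddCLS.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINNT\system32\iSearch\toolbar_.dll/SEARCH.HTML
O9 - Extra button: iSearch Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: iSearch Toolbar (HKLM)
"""

# Excerpt of the re-scan in post #15: header, a process line, some entries.
RESCAN = r"""
Logfile of HijackThis v1.97.7
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
C:\WINNT\Explorer.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.2.18:80
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O9 - Extra button: Related (HKLM)
O15 - Trusted Zone: http://finweb.metro.local
O16 - DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18} - http://prodweb.metro.local/jinitiator/jinit.exe
"""

def parse_entries(log_text):
    """Return (code, detail) pairs; header and process lines are skipped."""
    matches = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def entry_key(code, detail):
    """Key on the CLSID when present, so a changed path or '(no file)'
    suffix does not hide a surviving entry; else on the normalised text."""
    guid = GUID.search(detail)
    if guid:
        return (code, guid.group(0).lower())
    return (code, " ".join(detail.lower().split()))

def still_present(fix_text, rescan_text):
    """Fix-list entries that still appear in the re-scan."""
    seen = {entry_key(c, d) for c, d in parse_entries(rescan_text)}
    return [f"{c} - {d}" for c, d in parse_entries(fix_text)
            if entry_key(c, d) in seen]

if __name__ == "__main__":
    print("leftovers:", still_present(FIX_LIST, RESCAN))
```

An empty result means none of the flagged entries survived into the new log; any line returned is one to fix again.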

denverdave
Re: hijackthis log
#17, May 17th, 2004
Thanks so much for the feedback, crunchie! Per your suggestion, I have learned to run hijackthis to fix, not just scan, plus running spybot, ad-aware and using Black Ice to block intruders.

I am trainable!

crunchie (Moderator)
Re: hijackthis log
#18, May 18th, 2004
That's what I like to hear. Music to my ears.

©2003 - 2009 DaniWeb® LLC