Thread: Leftovers from Project1, command.exe viruses

  1. #1
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I am going through your logs now. One thing I question; you say you ran CCleaner first and THEN your anti-virus program. CCleaner "should" have cleaned out your internet temp files but the anti-virus program finds trojans in your Internet Explorer Temp files.
    You need to navigate to these folders;

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HQ3N07CP\

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q2NYU0PG\

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XE8XKAS7\

    and delete whatever is in those files. Don't delete the files themselves, JUST THE CONTENTS of those folders

  2. #2
    Join Date
    Oct 2006
    Posts
    19
    yeah, I noticed that and thought it was strange, I ran CCleaner twice to double-check but they were still there.

    I used the Antivirus program to remove the files in the end and a subsequent antivirus scan showed those folders to be clean.

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You say there was no Spysweeper scan...do you mean you could not run one or didn't run one? Because Spysweeper does show in the Start up programs section (O4) of your HJT log.
    You didn't say, did you remove and quarantine all items found by AdAwareSE? If not, run the program again and do that.
    You mention that Spybot came up clean. I always use BOTH Spybot and AdAwareSE...each program really looks for different items so for safety's sake I always use both. Generally AdAware will find more than Spybot but occasionally something will be found by Spybot but not AdAware. One highly recommended FREE program, that I use to assist in keeping the items found by those two programs to a bare minimum is SpywareBlaster.
    SpywareBlaster works by setting "kill bits" in the registry. These "kill bit" registry entries are set for the spyware ActiveX CLSIDs (unique IDs that identify an ActiveX control). When a kill bit is set for a CLSID, the ActiveX control that uses that CLSID cannot install itself nor can it run if it is already installed. What is so nice is that this means it does not have to run in the background. Keep it updated and you will really have a well protected computer.

    I don't see much in the HJT log, just a few minor items you can clean up with another scan with HJT. Run it again and place checkmarks next to the following;

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Once you have placed the checkmarks then click the FIX button and then exit HJT.
    I am not the expert with the WPFind logs. I am certain that if PP sees anything else in those he will post back with the needed instructions.
    Judy
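
The kill-bit mechanism described in post #3, shown as an added example that is not part of the original thread: a small auditor that reads a registry export and reports which ActiveX CLSIDs have the kill bit set. The registry location and the 0x400 flag are Microsoft's documented kill-bit convention rather than something stated in the thread; the sample export, the placeholder CLSIDs and the function names are constructed for illustration.

```python
import re

# A kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID} (not stated in the thread).
KILL_BIT = 0x00000400
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KEY_RE = re.compile(r"^\[([^\]]+)\]\s*$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})\s*$')

# Constructed .reg export; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = "Windows Registry Editor Version 5.00\n" + "\n".join(
    "\n[%s\\{00000000-0000-0000-0000-00000000000%d}]%s" % (BASE, n, value)
    for n, value in [
        (1, '\n"Compatibility Flags"=dword:00000400'),  # kill bit only
        (2, '\n"Compatibility Flags"=dword:00800400'),  # kill bit plus another flag
        (3, '\n"Compatibility Flags"=dword:00000000'),  # entry present, bit clear
        (4, ""),                                        # key with no flags value
    ])

def parse_kill_bits(reg_text):
    """Map each CLSID subkey in the export to its flags DWORD (None if absent)."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            parent, _, leaf = key.group(1).rpartition("\\")
            is_entry = parent.lower() == BASE.lower() and CLSID_RE.match(leaf)
            current = leaf.upper() if is_entry else None
            if current:
                flags[current] = None
            continue
        value = FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags

def killed_clsids(reg_text):
    """CLSIDs whose control Internet Explorer will refuse to instantiate."""
    return sorted(c for c, f in parse_kill_bits(reg_text).items()
                  if f is not None and f & KILL_BIT)

if __name__ == "__main__":
    for clsid, f in sorted(parse_kill_bits(SAMPLE_REG).items()):
        state = "no flags value" if f is None else "0x%08X" % f
        print(clsid, state, "KILLED" if f and f & KILL_BIT else "not blocked")
```

A real export saved by regedit in the "Version 5.00" format is UTF-16 encoded, so decode it to text before passing it to `parse_kill_bits`.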
