
HJT Log - Please Help


  • This topic is locked
55 replies to this topic

#31 Michigan Czar

Michigan Czar

    Authentic Member

  • Authentic Member
  • PipPip
  • 43 posts

Posted 29 May 2006 - 08:14 PM

It started running after I did the scan with it. I had never used it before that. Should I turn it off?



#32 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 29 May 2006 - 08:19 PM

Yes, please. It could be blocking the removal of the line we are trying to kill. That's the good and bad about a tool like that: it will stop things from taking over your system, but it will stop you from removing things. Then try to remove it.

#33 Michigan Czar

Posted 29 May 2006 - 08:23 PM

Do you want me to try removing it with KillBox and not in safe mode? Or do you want me to redo all the steps from post #28?

#34 Siggyx

Posted 29 May 2006 - 08:24 PM

Using KillBox, remove this file: C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe

#35 Michigan Czar

Posted 29 May 2006 - 08:27 PM

It still says the file doesn't exist.

#36 Siggyx

Posted 29 May 2006 - 08:30 PM

:rofl: We both know it does, as it is in there. OK, let me think for a sec. :scratch:

Reboot.

Download Blacklight Beta from here:
http://www.f-secure....light/try.shtml
Hit I accept. It will take you to the download page.
Download blbeta.exe and save it to the Desktop.
Once saved, double-click blbeta.exe to install the program.
Click accept agreement and click Scan.
This app, too, may fire off a warning from your antivirus. Let the driver load.
Wait for it to finish.
If it displays any items, don't do anything with them yet. Just hit Exit (close).
It will drop a log on the Desktop that starts with fsbl followed by a big number.
Please post the contents of that log and a new HijackThis log.

#37 Michigan Czar

Posted 29 May 2006 - 09:01 PM

It didn't find anything.

05/29/06 22:52:27 [Info]: BlackLight Engine 1.0.36 initialized
05/29/06 22:52:27 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/29/06 22:52:27 [Note]: 7019 4
05/29/06 22:52:27 [Note]: 7005 0
05/29/06 22:52:33 [Note]: 7006 0
05/29/06 22:52:33 [Note]: 7011 1344
05/29/06 22:52:34 [Note]: 7026 0
05/29/06 22:52:35 [Note]: 7026 0
05/29/06 22:52:48 [Note]: FSRAW library version 1.7.1015
05/29/06 22:55:04 [Note]: 7007 0

Logfile of HijackThis v1.99.1
Scan saved at 10:57:38 PM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.strea...MINIBrowser.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

#38 Michigan Czar

Posted 30 May 2006 - 07:49 PM

Did you have a chance to review this yet? It seems impossible to get rid of this file.

#39 Siggyx

Posted 30 May 2006 - 08:03 PM

I am doing some checking around. I have not had this issue before with this file, so something is blocking its removal. Was it present in Add/Remove Programs?

#40 Siggyx

Posted 30 May 2006 - 08:08 PM

Can you open HijackThis? Then click on Config at the bottom right. Next, click on Misc Tools. Next, click on Open Uninstall Manager. Next, click on Save List at the right and then post the list here, please.



#41 Michigan Czar

Posted 30 May 2006 - 08:22 PM

Nope, it's not in Add/Remove Programs, and it wasn't earlier when you asked me to uninstall it if I found it. I looked at this HijackThis list and it appears to match my Add/Remove Programs. I hope you spot something here I am missing, thanks!

Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Reader 7.0
AOL Instant Messenger
a-squared Personal 1.6.5
CleanUp!
Command
Creative Modem Blaster V.92 USB
DiMAGE Viewer
ewido anti-malware
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 3
LimeWire 4.9.30
Macromedia Flash Player 8
McAfee VirusScan Enterprise
Microsoft Office 2000 Small Business
Network Monitor
Panda ActiveScan
QuickTime
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Snowball Wars by OIN
Spybot - Search & Destroy 1.3
The Game Of Life
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086

#42 Siggyx

Posted 30 May 2006 - 09:59 PM

OK, let's do this.

Please uninstall Ewido. You can always add it back if you like as it is free.

Next

Please download VundoFix.exe from here:

http://www.atribune..../click.php?id=4

and save it to your desktop


Double-click VundoFix.exe to run it.

Checkmark the box "Run Vundo as task"

You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.

When VundoFix re-opens, click the Scan for Vundo button

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shut down your computer; click OK.

Turn your computer back on.

Please post the contents of C:\vundofix.txt and a new HijackThis log.

NEXT

Please download Webroot Spy Sweeper from HERE >>> http://www.webroot.c...ode=af1&rc=3597 (it's a 2-week trial):
Click the Free Trial link under "SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply, as well as a new HijackThis log, please.

#43 Michigan Czar

Posted 31 May 2006 - 04:46 PM

I ran VundoFix and it found no infected files. Here is a new log. I will now continue on with the steps I still have to do.

Logfile of HijackThis v1.99.1
Scan saved at 6:41:39 PM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.strea...MINIBrowser.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

#44 Michigan Czar

Posted 31 May 2006 - 06:20 PM

Okay, that found a bunch of stuff to clean. Here is the log.

********
6:54 PM: | Start of Session, Wednesday, May 31, 2006 |
6:54 PM: Spy Sweeper started
6:54 PM: Sweep initiated using definitions version 689
6:54 PM: Starting Memory Sweep
7:06 PM: Memory Sweep Complete, Elapsed Time: 00:11:07
7:06 PM: Starting Registry Sweep
7:06 PM: Found Adware: mirar webband
7:06 PM: HKU\.default\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135063)
7:06 PM: Found Adware: surfsidekick
7:06 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
7:06 PM: Found Adware: zenosearchassistant
7:06 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\zeno search assistant\ (2 subtraces) (ID = 147930)
7:06 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\enhanced ads by zeno\ (2 subtraces) (ID = 147931)
7:06 PM: Found Adware: findthewebsiteyouneed hijack
7:06 PM: HKU\.default\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555438)
7:06 PM: Found Adware: command
7:06 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
7:06 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
7:06 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
7:06 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
7:06 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
7:06 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
7:06 PM: HKCR\mirar_dummy_ats.mirar_dummy_ats1\ (5 subtraces) (ID = 1055242)
7:06 PM: HKCR\mirar_dummy_ats.mirar_dummy_ats1.1\ (3 subtraces) (ID = 1055248)
7:06 PM: HKCR\mirar_dummy_ats.mirar_dummy_ats1.1\clsid\ (1 subtraces) (ID = 1055250)
7:06 PM: HKCR\typelib\{34568171-e2ca-4fcd-a99f-43771f766b8a}\ (9 subtraces) (ID = 1055268)
7:06 PM: HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1\ (5 subtraces) (ID = 1055285)
7:06 PM: HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1.1\ (3 subtraces) (ID = 1055291)
7:06 PM: HKLM\software\classes\mirar_dummy_ats.mirar_dummy_ats1.1\clsid\ (1 subtraces) (ID = 1055293)
7:06 PM: HKLM\software\classes\typelib\{34568171-e2ca-4fcd-a99f-43771f766b8a}\ (9 subtraces) (ID = 1055323)
7:06 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\winats.dll (ID = 1055333)
7:06 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/winats.dll\ (2 subtraces) (ID = 1066860)
7:06 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
7:06 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
7:06 PM: Found Adware: winantivirus pro
7:06 PM: HKLM\software\winantivirus pro 2006\ (2 subtraces) (ID = 1216196)
7:06 PM: Found Adware: bookedspace
7:06 PM: HKCR\appid\cfg32s.dll\ (1 subtraces) (ID = 1347879)
7:06 PM: HKCR\appid\{27a1ca0d-78ce-4e23-8a89-2c95c15954b3}\ (1 subtraces) (ID = 1347881)
7:06 PM: HKLM\software\classes\appid\cfg32s.dll\ (1 subtraces) (ID = 1347930)
7:06 PM: HKLM\software\classes\appid\{27a1ca0d-78ce-4e23-8a89-2c95c15954b3}\ (1 subtraces) (ID = 1347932)
7:06 PM: HKU\WRSS_Profile_S-1-5-21-1417001333-1993962763-842925246-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
7:06 PM: HKU\WRSS_Profile_S-1-5-21-1417001333-1993962763-842925246-500\software\microsoft\windows\currentversion\run\ || surfsidekick 3 (ID = 143403)
7:06 PM: HKU\S-1-5-21-1417001333-1993962763-842925246-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
7:07 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (ID = 135102)
7:07 PM: HKU\S-1-5-18\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
7:07 PM: Registry Sweep Complete, Elapsed Time:00:01:00
7:07 PM: Starting Cookie Sweep
7:07 PM: Found Spy Cookie: 2o7.net cookie
7:07 PM: rhonda@2o7[2].txt (ID = 1957)
7:07 PM: Found Spy Cookie: falkag cookie
7:07 PM: rhonda@as1.falkag[2].txt (ID = 2650)
7:07 PM: Found Spy Cookie: atwola cookie
7:07 PM: rhonda@atwola[1].txt (ID = 2255)
7:07 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:07 PM: Starting File Sweep
7:07 PM: c:\windows\zabstract (6 subtraces) (ID = -2147449272)
7:07 PM: Found Adware: dollarrevenue
7:07 PM: drsmartload1.exe (ID = 245972)
7:13 PM: Found Adware: enbrowser
7:13 PM: uni_ehhh.exe (ID = 296335)
7:13 PM: qsxxauzw.exe (ID = 294100)
7:42 PM: atmtd.dll._ (ID = 166754)
7:43 PM: Found Adware: targetsaver
7:43 PM: tsupdate2[1].ini (ID = 193498)
7:47 PM: drsmartload45a.exe (ID = 298783)
7:47 PM: drsmartload46a.exe (ID = 298784)
7:48 PM: dquloqzx.exe (ID = 294100)
7:52 PM: drsmartload45a.exe (ID = 298756)
7:55 PM: installer[1].exe (ID = 231664)
7:55 PM: vocabulary (ID = 78283)
7:55 PM: nt68rrtc12.sys (ID = 220230)
7:55 PM: af[1].exe (ID = 293578)
7:56 PM: atmtd.dll (ID = 166754)
7:56 PM: mzrwc.dll (ID = 195129)
7:56 PM: class-barrel (ID = 78229)
7:56 PM: stub_venthh.exe (ID = 294169)
7:56 PM: sskknwrd.dll (ID = 77733)
7:57 PM: zxdnt3d.cfg (ID = 91140)
7:57 PM: zeno.lnk (ID = 146127)
7:57 PM: oa1sval1kihpsrpbujl5w0.vbs (ID = 185675)
7:59 PM: File Sweep Complete, Elapsed Time: 00:51:52
7:59 PM: Full Sweep has completed. Elapsed time 01:04:14
7:59 PM: Traces Found: 140
8:12 PM: Removal process initiated
8:12 PM: Quarantining All Traces: dollarrevenue
8:12 PM: Quarantining All Traces: enbrowser
8:12 PM: Quarantining All Traces: surfsidekick
8:12 PM: Quarantining All Traces: bookedspace
8:12 PM: Quarantining All Traces: command
8:12 PM: Quarantining All Traces: findthewebsiteyouneed hijack
8:12 PM: Quarantining All Traces: mirar webband
8:12 PM: Quarantining All Traces: targetsaver
8:13 PM: Quarantining All Traces: winantivirus pro
8:13 PM: Quarantining All Traces: zenosearchassistant
8:13 PM: Quarantining All Traces: 2o7.net cookie
8:13 PM: Quarantining All Traces: atwola cookie
8:13 PM: Quarantining All Traces: falkag cookie
8:13 PM: Removal process completed. Elapsed time 00:01:21
********
6:49 PM: | Start of Session, Wednesday, May 31, 2006 |
6:49 PM: Spy Sweeper started
6:50 PM: Your spyware definitions have been updated.
6:54 PM: | End of Session, Wednesday, May 31, 2006 |


Logfile of HijackThis v1.99.1
Scan saved at 8:16:25 PM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.strea...MINIBrowser.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)
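
A triage script for the HijackThis logs in posts #37, #43 and #44 above, added here as an example (it is not code from the thread or from the HijackThis project, and it assumes the O4/O20/O23 line format exactly as those logs show it). It parses those three sections, flags an autorun launched from the Temp / Temporary Internet Files folder (the WinAntiVirusPro entry the thread keeps failing to remove) and a service whose binary is reported missing (the UsrInitVerif line), and diffs the 29 May and 31 May logs so that what was removed, what was added, and what survived the cleanup stand out.

```python
import re
from dataclasses import dataclass, field

# Added example (not from the thread or the HijackThis project): parse the
# O4 / O20 / O23 lines of a HijackThis 1.99.1 log, flag the two patterns the
# helpers above were reacting to, and diff two logs from different days.
O4_RUN = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$')
O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$')
O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
TEMP_MARKERS = ('\\temp\\', 'temporary internet files', 'content.ie5')


@dataclass
class Entry:
    section: str          # "O4", "O20" or "O23"
    name: str             # Run-key value name, notify package or service name
    path: str             # binary/DLL path as extracted from the line
    raw: str
    flags: list = field(default_factory=list)

    @property
    def key(self):
        return (self.section, self.name)


def exe_path(cmd: str) -> str:
    """Pull the binary path out of an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r'\.(exe|dll|scr|cmd|bat)\b', cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd


def _flag(e: Entry) -> None:
    p = e.path.lower()
    if e.section == 'O4' and any(t in p for t in TEMP_MARKERS):
        e.flags.append('autorun launched from a temp/browser-cache folder')
    if e.section == 'O23' and '(file missing)' in p:
        e.flags.append('service points at a missing binary')
    if e.section == 'O20' and not p.startswith('c:\\windows\\system32\\'):
        e.flags.append('winlogon notify DLL outside system32')


def parse_log(text: str) -> list:
    """Return Entry objects for every O4/O20/O23 line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if (m := O4_RUN.match(line)) or (m := O4_STARTUP.match(line)):
            e = Entry('O4', m['name'], exe_path(m['cmd']), line)
        elif m := O20.match(line):
            e = Entry('O20', m['name'], m['path'].strip(), line)
        elif m := O23.match(line):
            e = Entry('O23', m['name'], m['path'].strip(), line)
        else:
            continue
        _flag(e)
        entries.append(e)
    return entries


def diff_logs(before: str, after: str) -> dict:
    """Keys that disappeared, appeared, or survived the cleanup still flagged."""
    b = {e.key: e for e in parse_log(before)}
    a = {e.key: e for e in parse_log(after)}
    return {
        'removed': sorted(k for k in b if k not in a),
        'added': sorted(k for k in a if k not in b),
        'still_flagged': sorted(k for k in a if k in b and a[k].flags),
    }


# Constructed samples: O4/O20/O23 subsets of the 29 May and 31 May logs posted above.
LOG_MAY29 = r'''
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)
'''
LOG_MAY31 = r'''
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)
'''

if __name__ == '__main__':
    for e in parse_log(LOG_MAY31):
        if e.flags:
            print(f'{e.section} [{e.name}] -> {"; ".join(e.flags)}')
    for what, keys in diff_logs(LOG_MAY29, LOG_MAY31).items():
        print(what, keys)
```

Run against the full logs above, the diff shows the ewido services leaving, the Spy Sweeper autorun, notify DLL and service arriving, and the WinAntiVirusPro autorun surviving every step so far.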

#45 Siggyx

Posted 01 June 2006 - 07:35 PM

I am having another teacher look at the log for another opinion, hang in there.
