
Help with badurl.grandstreetinteractive.com on kids computer

Discussion in 'Security and Privacy' started by tdslori, 2004/09/07.

Thread Status:
Not open for further replies.
  1. 2004/09/07
    tdslori

    tdslori Inactive Thread Starter

    Joined:
    2004/09/07
    Messages:
    5
    Likes Received:
    0
    Kids download everything, time for a lesson in restraint! I can't even run updates as the browser is jammed. Thanks for any help!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:42:24 AM, on 9/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\nuwjphs.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\system32\antitask.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    D:\HijackThis.exe
    D:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\calsdr.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\MIKAYL~1\LOCALS~1\Temp\ksatitna.dat
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\MIKAYL~1\LOCALS~1\Temp\ksatitna.dat
    O2 - BHO: (no name) - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\BENCAL~1\LOCALS~1\Temp\ksatitna.dat
    O2 - BHO: (no name) - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\LORICA~1\LOCALS~1\Temp\ksatitna.dat
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [LVDQISAOY] C:\WINDOWS\LVDQISAOY.exe
    O4 - HKLM\..\Run: [FIP] C:\WINDOWS\FIP.exe
    O4 - HKLM\..\Run: [SHTMLM] C:\WINDOWS\System32\SHTMLM.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [cgobtgkiyh] C:\WINDOWS\System32\nuwjphs.exe
    O4 - HKLM\..\Run: [antitask] C:\WINDOWS\system32\antitask.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [*antitask] C:\WINDOWS\system32\antitask.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsp.dll' missing
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/trans/SysUpd.CAB
     
  2. 2004/09/07
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    You are pretty badly eaten up with a variety of spyware/malware, browser hijackers, and at least one virus. It should be possible to clean the system and get it working again but it will most likely take several cleanup runs to get things right.

    You will probably want to print this for reference while doing the cleaning.

    First thing to do is download a copy of the latest version of Hijackthis (should be v1.98.2) and replace the one you have now. It will fit easily on a floppy so since the affected PC can't browse, download it from a working system, put it on a floppy, and then onto the problem PC.

    Close all open windows then run Hijackthis v1.98.2, check all the following for removal, and then let HJT remove them. (Note that the items in green are not spyware/malware but are simply things you don't need running at startup - they slow the system slightly and don't provide you any benefit. Note also that the three O16 items may not be baddies but since O16 entries will be rebuilt when you visit the site that needs them, harmless to remove and I don't really like the looks of these.)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\calsdr.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll (file missing)
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\MIKAYL~1\LOCALS~1\Temp\ksatitna.dat
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\MIKAYL~1\LOCALS~1\Temp\ksatitna.dat
    O2 - BHO: (no name) - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\BENCAL~1\LOCALS~1\Temp\ksatitna.dat
    O2 - BHO: (no name) - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\LORICA~1\LOCALS~1\Temp\ksatitna.dat
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [LVDQISAOY] C:\WINDOWS\LVDQISAOY.exe
    O4 - HKLM\..\Run: [SHTMLM] C:\WINDOWS\System32\SHTMLM.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe (*** you have a virus ***)
    O4 - HKLM\..\Run: [cgobtgkiyh] C:\WINDOWS\System32\nuwjphs.exe
    O4 - HKLM\..\Run: [antitask] C:\WINDOWS\system32\antitask.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
    O4 - HKLM\..\RunOnce: [*antitask] C:\WINDOWS\system32\antitask.exe
    O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsp.dll' missing
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://dialxs.nl/install/dialxs.ocx
    O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/trans/SysUpd.CAB

    This item is unknown to me. The only search references I could find were in languages I don't understand and that Google didn't translate particularly well. Unless you know for sure what it is, I'd suggest getting rid of it - both the O4 registry entry and also the file itself.
    O4 - HKLM\..\Run: [FIP] C:\WINDOWS\FIP.exe

    Next, go to control panel and add/remove and uninstall Wild Tangent.

    Then open the My Computer folder, right-click on the C: drive and click on Properties then on the button for cleanup. Run that and let it clean all except 'compress old files'.

    Open Windows Explorer and delete the contents of all these folders if they are present. You may not have several of them.
    c:\temp
    c:\windows\temp
    c:\documents and settings\username\temp (where username means do the deletion for all user accounts)
    c:\documents and settings\username\local settings\temp
    c:\documents and settings\username\local settings\history
    c:\documents and settings\username\local settings\temporary internet files

    Boot to safe mode. Easiest is to click on start, click on run, key in msconfig, go to the boot.ini tab and check /safeboot then reboot. Note that you will need to run msconfig and uncheck that option when finished to boot up in normal mode.

    While in safe mode, delete all the following (and include c:\windows\fip.exe unless you know it is safe)
    C:\WINDOWS\System32\nuwjphs.exe
    C:\WINDOWS\system32\antitask.exe
    C:\WINDOWS\System32\calsdr.dll
    C:\WINDOWS\twaintec.dll
    C:\WINDOWS\systb.dll
    C:\WINDOWS\alchem.exe
    C:\WINDOWS\System32\SahAgent.exe
    C:\WINDOWS\LVDQISAOY.exe
    C:\WINDOWS\wupdt.exe
    c:\windows\system32\lsp.dll
    C:\Program Files\WildTangent (the entire folder)

    Boot back to normal mode and then run a virus scan from one of the online scanners (see Quicklinks from my signature).

    Download, immediately update, and then run Ad-Aware SE (quicklinks). You want to run a full scan and delete all items if finds.

    Download, immediately update, and then run Spybot. Delete all items it prechecks. The others are harmless and can be left alone. When the scan is finished, click on the immunize icon then on the green cross to immunize the PC against a large number of known bad items.

    Run Hijackthis to create another log and post it here. Also post which, if any, of the above did not complete properly.
     
    Newt,
    #2
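    The red flags Newt works through above (search pages pointing at a hijacker's domain, BHOs loading out of a Temp folder or with their file gone, unknown executables started from the Windows directory, a broken Winsock LSP, ActiveX controls pulled from a bare IP) can be mechanised as a first-pass triage of a HijackThis log. The script below is an added example, not code from the thread or from HijackThis itself; its sample input is a handful of lines copied from the log posted above, and the two allowlists (`EXPECTED_HOSTS`, `KNOWN_WINDIR_STARTUP`) are assumptions tuned to this particular machine that would need adjusting for another.

```python
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the log posted in this thread,
# plus the benign McAfee and Acrobat entries from the same log for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\MIKAYL~1\LOCALS~1\Temp\ksatitna.dat
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [cgobtgkiyh] C:\WINDOWS\System32\nuwjphs.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsp.dll' missing
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://203.199.200.61/ads/shareit/da/trans/SysUpd.CAB
"""

# Assumption: the hosts the owner actually expects as start/search pages.
# On the thread's machine that is the Dell-branded start page; adjust per system.
EXPECTED_HOSTS = {"www.dell4me.com"}

# Assumption: Windows-directory startup items the thread's helpers left alone.
KNOWN_WINDIR_STARTUP = {"igfxtray.exe", "hkcmd.exe", "bcmsmmsg.exe"}

WINDIRS = {r"c:\windows", r"c:\windows\system32"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_line(line):
    """Split one HijackThis line into its entry kind (R0, O2, O4 ...) and body."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"kind": m.group("kind"), "body": m.group("body"), "raw": line.strip()}


def host_of(value):
    """Hostname of a URL value; HJT sometimes logs hosts without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def first_executable(cmd):
    """Executable path from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_entry(entry):
    """Return a reason if the entry matches one of the thread's red flags, else None."""
    kind, body = entry["kind"], entry["body"]
    if kind.startswith("R") and " = " in body:
        host = host_of(body.split(" = ", 1)[1].strip())
        if host and host not in EXPECTED_HOSTS:
            return f"start/search page points at unexpected host {host}"
    elif kind == "O2":
        target = body.rsplit(" - ", 1)[-1].strip()
        if target == "(no file)" or target.endswith("(file missing)"):
            return "BHO registered but its file is gone (stale or half-removed)"
        if "\\temp\\" in target.lower() or not target.lower().endswith(".dll"):
            return "BHO loaded from a temp directory or non-DLL file"
    elif kind == "O4":
        m = O4_RE.search(body)
        if m:
            exe = first_executable(m.group("cmd"))
            name = ntpath.basename(exe).lower()
            if ntpath.dirname(exe).lower() in WINDIRS and name not in KNOWN_WINDIR_STARTUP:
                return f"startup item runs {name} straight from the Windows directory"
    elif kind == "O10":
        if "missing" in body.lower():
            return "Winsock LSP chain references a missing DLL (explains the dead browser)"
    elif kind == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        host = host_of(url)
        if IPV4_RE.match(host) or "/ads/" in url.lower():
            return f"ActiveX control downloaded from bare IP or ad path ({host})"
    return None


def analyze(log_text):
    """Run every line through check_entry and return the flagged ones with reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = check_entry(entry)
        if reason:
            findings.append({"kind": entry["kind"], "raw": entry["raw"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['kind']:4} {f['reason']}\n     {f['raw']}")
```

    Run against the sample it flags six of the nine lines and leaves the Dell start page, the Acrobat BHO and the McAfee agent alone. The point is the same one Newt makes in the thread: these checks only surface candidates for a human to look at, and a flagged line is still a judgement call before anything is removed.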


  4. 2004/09/07
    tdslori

    tdslori Inactive Thread Starter

    Joined:
    2004/09/07
    Messages:
    5
    Likes Received:
    0

    First of all THANK YOU!

    Second, I got as far as the step to do an online scan, but I can't open any sites; the browser gives the not found error. Here is the latest HijackThis log. And I must apologize as I have three kids standing over me so I may have missed something. They are anxious, but I think a good lesson in computer downloads is in order for them.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:42:24 AM, on 9/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe

    edit note: most of the hjt log contents removed. Newt
     
  5. 2004/09/07
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Something got done out of sequence here and the shopping list of stuff to do was in the order it will pretty much have to follow.

    First step - get the latest version of Hijackthis (v1.98.2) on the PC.

    Basically, you gotta follow the list so this stuff doesn't come back faster than you can kill it.

    BTW - as the father of a large batch of kids, you have my sympathy. Been there. Got the tee shirt. Got the gray hair. :D
     
    Newt,
    #4
  6. 2004/09/07
    tdslori

    tdslori Inactive Thread Starter

    Joined:
    2004/09/07
    Messages:
    5
    Likes Received:
    0
    OK, still have the printout, will try again tomorrow when the kids are at school... thanks
     
  7. 2004/09/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    O4 - HKLM\..\Run: [FIP] C:\WINDOWS\FIP.exe
    It most likely belongs to "Faster Internet Pro"... see HERE
     
  8. 2004/09/07
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    tdslori - good idea.

    broni - Thanks for the info. If FIP.exe does belong to that app then I gotta say I'm not impressed with what you would get for your money.
     
    Newt,
    #7
  9. 2004/09/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Me neither....
     
  10. 2004/09/08
    tdslori

    tdslori Inactive Thread Starter

    Joined:
    2004/09/07
    Messages:
    5
    Likes Received:
    0
    Thanks Newt, here is the new log. Hope it looks better!

    Logfile of HijackThis v1.98.2
    Scan saved at 10:30:44 AM, on 9/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
    C:\Documents and Settings\Mikayla Callen\Desktop\DO NOT DELETE\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nick.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  11. 2004/09/08
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Not only does it look lots better but my guess is the machine is running quite a bit better as well.

    For keeping things clean, updating and running both Ad-aware and Spybot every couple of weeks is a good idea. It would also be good to download SpywareBlaster (quicklinks again) and update then run it. It is a passive protection program that as of now will block over 3000 bad items from ever getting to the PC. Some overlap with the Spybot immunize items but they play well together. Just update SpywareBlaster every month or so.

    Kids being kids, even with the added layers of protection they may still get some bad items onto the PC so if it starts acting the least bit quirky, feel free to post another HJT log for us to take a look at. It would not be such a good idea to fix things without advice though since HJT does not know good vs. bad and will happily break the PC if you tell it to.

    A couple of things puzzle me, so I'm mostly posting about them to get some expert input, since I'm sorta middling at this whole security thing and we do have some experts.

    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    Wuauclt.exe running from \system32 is normal and the file is the "Windows Update AutoUpdate Client" that checks Microsoft from time to time for new updates that your PC needs. The confusion for me is seeing two instances running. Not sure why that is but probably someone will know and post a reason. Leave it be for now since autoupdate won't work without at least one of them running.

    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
    Also not sure why this one is showing as a running process. Again, legit update piece I think but not sure why it didn't put itself to bed when the last update finished. And again, leave it alone for now.

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    I think the 'file missing' indicates these entries are not active and both are things you probably want. On the other hand, HJT has been known to report 'file missing' when that wasn't the case.
     
  12. 2004/09/08
    tdslori

    tdslori Inactive Thread Starter

    Joined:
    2004/09/07
    Messages:
    5
    Likes Received:
    0
    Thanks again for all the help! Have a great day!

    Lori
     
  13. 2004/09/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    R3 - Default URLSearchHook is missing
    It has to be fixed.

    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    Not needed at startup. Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (i.e., i810). These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel.

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    Installed by the Intel 810 and 815 chipset graphic drivers. If you want the Ctrl+Alt+F12 or similar keypresses to access Intel's customised graphics properties, you need it, otherwise not. Can be disabled via the Display Properties in Control Panel.

    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    Both, not needed at startup.

    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    Not needed at startup. Download manager for Dell support alerts.

    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    Not needed at startup, unless you use Messenger right away.

    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    As above.

    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    As above.

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    As above. It's a Micro$oft joke. Does nothing.

    Newt....
    I wouldn't worry about TWO instances as running processes. Maybe something was clicked on twice. Analyzing HJT logs, I almost don't pay attention to running processes. Usually, I start with looking at "R" entries.
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
    Same comment....
     
  14. 2004/09/08
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    When Windows Update is finished, i.e. this doesn't show:
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe

    And after you have restarted the PC a few times,
    use Option four here to uninstall ShopAtHome:
    http://www10.brinkster.com/expl0iter/freeatlast/junk/sah~uninstall.htm
    But that's optional if things are running OK.

    I assume it will prompt you to reboot; if not, do so. Then take a quick visit to
    Sun and get the latest version of their plugin.
    Click Get it now over to the right: http://java.com/en/index.jsp
     