Possible malware on my son's notebook?

Status
Not open for further replies.

glhglh

Posts: 701   +0
When I open IE, the tabs just keep opening and opening.

I have attached MBAM and HijackThis logs.
 
Please disable the Real Time Protection before proceeding:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
Open Spybot S&D and disable the Resident.
Please see this site for additional information: Temporarily Disable Real Time Monitoring Programs:
http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs

Download the most current Java from here. Save to the desktop. Do NOT run yet: http://java.com/en/download/manual.jsp

* Please download SuperAntiSpyware from http://www.superantispyware.com/
* Launch SuperAntiSpyware and click on 'Check for updates'.
* Wait for the updates to be installed
* On the main screen click on 'Scan your computer'.
* Check 'Perform Complete Scan', then click 'Next' to start the scan.
* SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
* Make sure everything found has a checkmark next to it, then press 'Next'.
* Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Attach the Notepad file here in your reply.

Please re-open HijackThis and scan. *Check* the boxes next to all the entries listed below:
C:\Windows\SysWOW64\chkawdll.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dl
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~2.0_0\bin\ssv.dll

The following are part of Norton Security, but the program might not be installed correctly. You should check the status of the program before removing the entries. Do NOT remove them if the program is correctly installed and working okay.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)> Norton Confidential
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)> Norton Confidential
Remove this and update from the beta version to the final version:
O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode.
Access the Startup menu using msconfig through Start> Run> msconfig> Selective Startup> UNCHECK any processes for the following:
WOW
Java
Windows Live beta

Access Add/remove Programs and uninstall the following:
Windows Live Beta
Look for any other programs that are not being used and if found, uninstall them.
Checking the Services: Right click on Start> Explore> Windows> system32> verify the presence of all the O23 Services showing 'file missing'. No action is needed if they are present. Lack of permissions on the system folder is the most likely explanation. As the user account would be denied access to the system folder, the HJT tool cannot confirm that the file mentioned by the run entries exists, so therefore lists it as missing. If you have a 64-bit version of Vista, I suspect that HijackThis is not fully 64-bit-aware.
DO NOT remove. Just verify:
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
Reboot into Normal Mode. If you stopped processes on Startup, you will get a nag message that you can just close after checking 'don't show this message again'. Stay in Selective Startup.

Run HijackThis again and attach logs for HijackThis and SuperAntiSpyware.

Regarding this entry: I am reserving the final disposition of this. The CLSID does NOT match the malware entry for 'searchhelper.dll' and I saw notices of this enhancement being added through service packs for servers.
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

If anyone else can reconcile the string to the malware, please advise.
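The reply above asks the poster to read HijackThis entries by type (R0/R1 start-page keys, O2/O3/O9 CLSID-backed objects, O4 Run keys, O23 services) and then to confirm by hand whether the service binaries HJT reports as '(file missing)' are really absent. The script below is an added example for this thread, not part of HijackThis or of any tool mentioned here. It parses the entry formats quoted in the thread into structured records and then checks each '(file missing)' service against a file-existence callback. The sample log lines are copied from the thread; the set of files treated as "present on disk" is constructed so the script runs offline, and on the real machine `constructed_exists` would be replaced by `os.path.exists`.

```python
"""Parse HijackThis (HJT) log entries and verify '(file missing)' O23 services.

Added example for this thread; not HijackThis code. Sample lines are taken from
the thread, the set of files considered present on disk is constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Entry:
    section: str                 # R0, R1, O2, O3, O4, O9 or O23
    kind: str                    # 'Service', 'BHO', 'Toolbar', 'HKLM Run', value name, ...
    name: str                    # display name, service short name or registry key
    path: str                    # file path, command line or URL the entry points at
    clsid: Optional[str] = None  # for O2/O3/O9 entries
    flag: Optional[str] = None   # 'file missing' / 'no file' when HJT could not see the file


# O23 - Service: <display> (<short name>) - <owner> - <path> [(file missing)]
_O23 = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
                  r"(?P<path>.+?)(?: \((?P<flag>file missing)\))?$")
# O2 BHO / O3 Toolbar / O9 Extra button: <name> - {CLSID} - <path>
_CLSID = re.compile(r"^(?P<section>O[239]) - (?P<kind>[^:]+): (?P<name>.+?) - "
                    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<path>.+)$")
# O4 - HKLM\..\Run: [<value name>] <command>
_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
# R0 / R1 - <registry key>,<value name> = <data>
_R = re.compile(r"^(?P<section>R[01]) - (?P<key>HK\w+\\.+?),(?P<value>\w+) = (?P<path>.+)$")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised HJT line, or None for anything else."""
    line = line.strip()
    m = _O23.match(line)
    if m:
        return Entry("O23", "Service", m["name"], m["path"], flag=m["flag"])
    m = _CLSID.match(line)
    if m:
        path = m["path"]
        flag = "no file" if path.startswith("(no file)") else None
        return Entry(m["section"], m["kind"], m["name"], path, clsid=m["clsid"].upper(), flag=flag)
    m = _O4.match(line)
    if m:
        # HJT quotes commands whose path contains spaces; store the bare path.
        return Entry("O4", f"{m['hive']} Run", m["name"], m["path"].strip('"'))
    m = _R.match(line)
    if m:
        return Entry(m["section"], m["value"], m["key"], m["path"])
    return None


def parse_log(lines: Iterable[str]) -> List[Entry]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def verify_missing_services(entries: Iterable[Entry], exists: Callable[[str], bool]) -> Dict[str, bool]:
    """For each O23 service HJT flagged '(file missing)', report whether the binary
    is actually present according to `exists` (use os.path.exists on the real box)."""
    return {e.name: exists(e.path) for e in entries
            if e.section == "O23" and e.flag == "file missing"}


# Sample entries copied from the thread above.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop",
    r"O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)> Norton Confidential",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"',
    r"O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~2.0_0\bin\ssv.dll",
    r"O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)",
    r"O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)",
    r"O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)",
]

# Constructed stand-in for the file system: alg.exe and lsass.exe are "present",
# wmpnetwk.exe is deliberately left out to show a genuinely absent binary.
PRESENT_ON_DISK = {r"c:\windows\system32\alg.exe", r"c:\windows\system32\lsass.exe"}


def constructed_exists(path: str) -> bool:
    return path.lower() in PRESENT_ON_DISK


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        extra = f"  [{e.flag}]" if e.flag else ""
        print(f"{e.section:<3} {e.kind:<24} {e.name:<20} {e.path}{extra}")
    for svc, present in verify_missing_services(entries, constructed_exists).items():
        print(f"{svc}: {'present, no action needed' if present else 'really absent, investigate'}")
```

When run on the machine itself with `os.path.exists`, a service that HJT flagged but whose binary the script finds confirms the reply's point that the tool, not the system, is the problem. One caveat when doing this on 64-bit Windows: a 32-bit process (which a 32-bit HJT build is) has System32 redirected to SysWOW64 by WOW64 file system redirection, so run the check from a 64-bit Python or through the `C:\Windows\Sysnative` alias to see the real System32.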