Computer Security & Viruses/cursor moves itself
Expert: Carolyn Meinel - 7/31/2008
Question
I have an HP Pavilion dv2000. My cursor moves randomly around the desktop, and then clicks or double-clicks, opening programs. This happens when I'm connected to the internet.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:21 PM, on 30/7/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal
Running processes:
C:Program FilesDigitalPersonaBinDpAgent.exe
C:Windowssystem32 askeng.exe
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:Program FilesApoint2KApoint.exe
C:Program FilesHewlett-PackardHP Quick Launch ButtonsQLBCTRL.exe
C:Program FilesHewlett-PackardHP QuickTouchHPKBDAPP.exe
C:Program FilesWindows DefenderMSASCui.exe
C:Windowssystem32wuauclt.exe
C:Program FilesHPDigital ImaginginHpqSRmon.exe
C:Program FilesHPHP Software UpdatehpwuSchd2.exe
C:Program FilesHewlett-PackardHP Wireless AssistantHPWAMain.exe
C:Program FilesHewlett-PackardHP Wireless AssistantWiFiMsg.exe
C:Program FilesJavajre1.6.0_02injusched.exe
C:WindowsSystem32hkcmd.exe
C:WindowsSystem32igfxpers.exe
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:Program FilesAviraAntiVir PersonalEdition Classicavgnt.exe
C:Program FilesWindows Sidebarsidebar.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesApoint2KApMsgFwd.exe
C:Program FilesHewlett-PackardSharedHpqToaster.exe
C:Program FilesApoint2KApntex.exe
C:Windowssystem32igfxsrvc.exe
C:Program FilesOperaOpera.exe
C:Windowssystem32NOTEPAD.EXE
C:Program FilesTrend MicroHijackThisHijackThis.exe
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.yahoo.com
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_sg&c=81&bd=Pavilion...
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_sg&c=81&bd=Pavilion...
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:PROGRA~1SPYBOT~1SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:PROGRA~1MICROS~2Office12GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_02inssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM..Run: [Apoint] C:Program FilesApoint2KApoint.exe
O4 - HKLM..Run: [IAAnotif] C:Program FilesIntelIntel Matrix Storage Manageriaanotif.exe
O4 - HKLM..Run: [QlbCtrl] %ProgramFiles%Hewlett-PackardHP Quick Launch ButtonsQlbCtrl.exe /Start
O4 - HKLM..Run: [OnScreenDisplay] C:Program FilesHewlett-PackardHP QuickTouchHPKBDAPP.exe
O4 - HKLM..Run: [UCam_Menu] "C:Program FilesCyberLinkYouCamMUITransferMUIStartMenu.exe" "C:Program FilesCyberLinkYouCam" update "SoftwareCyberLinkYouCam.0"
O4 - HKLM..Run: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
O4 - HKLM..Run: [hpqSRMon] C:Program FilesHPDigital ImaginginhpqSRMon.exe
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-PackardHP Health CheckHPHC_Scheduler.exe
O4 - HKLM..Run: [HP Software Update] C:Program FilesHpHP Software UpdateHPWuSchd2.exe
O4 - HKLM..Run: [hpWirelessAssistant] C:Program FilesHewlett-PackardHP Wireless AssistantHPWAMain.exe
O4 - HKLM..Run: [WAWifiMessage] C:Program FilesHewlett-PackardHP Wireless AssistantWiFiMsg.exe
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_02injusched.exe"
O4 - HKLM..Run: [IgfxTray] C:Windowssystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:Windowssystem32hkcmd.exe
O4 - HKLM..Run: [Persistence] C:Windowssystem32igfxpers.exe
O4 - HKLM..Run: [GrooveMonitor] "C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"
O4 - HKLM..Run: [avgnt] "C:Program FilesAviraAntiVir PersonalEdition Classicavgnt.exe" /min
O4 - HKCU..Run: [Sidebar] C:Program Fileswindows sidebarsidebar.exe /autoRun
O4 - HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpybot - Search & DestroyTeaTimer.exe
O4 - HKCU..Run: [Yahoo! Pager] "C:Program FilesYahoo!MessengerYahooMessenger.exe" -quiet
O4 - HKCU..RunOnce: [ypagerps] cmd.exe /C del "C:Program FilesYahoo!Messengerypagerps.dll"
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-21-243560997-2411228239-10737493-1005..Run: [Sidebar] C:Program FilesWindows Sidebarsidebar.exe /autoRun (User 'fari')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:Program FilesWIDCOMMBluetooth Softwaretsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:Program FilesWIDCOMMBluetooth Softwaretsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_02inssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_02inssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:Windowsdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:Windowsdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:Program FilesWIDCOMMBluetooth Softwaretsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:Program FilesWIDCOMMBluetooth Softwaretsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:PROGRA~1SPYBOT~1SDHelper.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32wpclsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32wpclsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32wpclsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32wpclsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32wpclsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32wpclsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32wpclsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32wpclsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32wpclsp.dll
O13 - Gopher Prefix:
O17 - HKLMSystemCCSServicesTcpip..{0AB1C2EB-CBDF-44E0-AEFC-BC1E503E6A17}: NameServer = 202.56.250.5 202.56.250.6
O17 - HKLMSystemCS1ServicesTcpip..{0AB1C2EB-CBDF-44E0-AEFC-BC1E503E6A17}: NameServer = 202.56.250.5 202.56.250.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:PROGRA~1MICROS~2Office12GR99D3~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:Program FilesAviraAntiVir PersonalEdition Classicsched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:Program FilesAviraAntiVir PersonalEdition Classicavguard.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:Program FilesHewlett-PackardHP Quick Launch ButtonsCom4Qlb.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:Program FilesDigitalPersonaBinDpHostW.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:Program FilesHP GamesMy HP Game ConsoleGameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:Program FilesHewlett-PackardHP Health Checkhphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:Program FilesHewlett-PackardSharedhpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriverE0Intel 32IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:Program FilesCommon FilesLightScribeLSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:Program FilesHPQuickPlayKernelTVQPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:Program FilesHPQuickPlayKernelTVQPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:Program FilesCyberLinkShared FilesRichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:Program FilesSpybot - Search & DestroySDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:Program FilesCommon FilesPCSuiteServicesServiceLayer.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:Windowssystem32DRIVERSxaudio.exe
Answer
First, here's the good news. This is probably not being done to your computer by organized crime.
You appear to have a Trojan that is enabling someone -- probably a bratty 13-year-old -- to play with your computer whenever you get online. He probably has all his friends over so they can watch him teasing you as they view an image of your computer's desktop on the bratty kid's computer. If your computer were infected by the kinds of Trojans that professional criminals use, it wouldn't be so obvious.
The guilty process in that HijackThis report probably is windowssystem32wpclsp.dll. You might be able to clean your computer yourself by booting into Safe Mode -- command line, and deleting this file. But because it is a .dll, it is only part of the malicious program you're trying to remove. The danger of manually removing just this .dll is that the other remaining parts of the program might slow your computer or make it crash.
IMHO, your best bet is to install and run a better Internet security program than whatever you are running now. Here's what will almost certainly work.
1) Download either Kaspersky Internet Security, which offers a free 30-day trial at http://kapersky.com, or F-Secure's Complete Internet Security suite, which offers a free thirty-day trial: https://store.f-secure.com/cgi-bin/dlreg/ml=EN?ID=FSISTB&desid=TRIAL
2) Disconnect from the Internet.
3) Uninstall your current antivirus. This is absolutely essential because otherwise it and F-Secure or Kaspersky will fight each other and might crash your computer. It isn't good enough to just turn off your old antivirus because it probably has been crippled by your virus infection.
4) Install your Internet Security product. Download any updates available.
5) Run a complete scan of your computer. Follow any instructions it might give you.
6) Reboot.
If this works, you can either keep your new Internet Security product or uninstall it and reinstall your old antivirus from either a download of the latest version from their website (if that's how they sell it) or from the disk it was on when you bought it. Be sure to get all the latest updates right away. Usually antivirus companies are pretty good about updating their programs whenever some new attack becomes able to evade or cripple their product.
If you weren't running an antivirus program that includes antispyware protection and a firewall, then I recommend that you not reinstall your old program. Nowadays we need total protection, and this includes antispyware and a firewall.
7) To prevent future infections, don't use Internet Explorer, as it is susceptible to introducing viruses, adware and spyware into your computer. Instead you could use Firefox, free from Mozilla.org. Instead of using Outlook for email, you could use Thunderbird, free from Mozilla.org, or Eudora, free from Eudora.com.
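A small triage pass over a HijackThis log, added here as an example (it is not part of the original answer and not HijackThis code): it collapses the repeated O10 lines into one finding per DLL, lists the orphaned CLSID entries, and pulls out the O17 name servers so they can be compared with the provider's. The sample lines are constructed after the question's log with path separators restored; an O10 hit only means HijackThis did not recognise the file, so check its publisher signature before deleting anything.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2 format, modelled on the question's log
# (this copy has path separators restored; the page's copy lost them).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\\Windows\\doscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\wpclsp.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0AB1C2EB-CBDF-44E0-AEFC-BC1E503E6A17}: NameServer = 202.56.250.5 202.56.250.6
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Group the findings a reviewer looks at first:
    orphaned    - O2/O3/O9 items whose CLSID points at a missing file
                  (stale registrations; clean up, but not evidence of malware)
    unknown_lsp - O10 files HijackThis did not recognise, one count per file
                  (it lists the same DLL once per LSP chain entry)
    dns_servers - name servers from O17; compare with the ones you expect
    """
    report = {"orphaned": [], "unknown_lsp": Counter(), "dns_servers": set()}
    for section, body in entries:
        if section in ("O2", "O3", "O9") and body.endswith(ORPHAN_MARKERS):
            report["orphaned"].append(body)
        elif section == "O10":
            report["unknown_lsp"][body.rsplit(": ", 1)[1].lower()] += 1
        elif section == "O17" and "NameServer = " in body:
            report["dns_servers"].update(body.split("NameServer = ", 1)[1].split())
    return report
```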