Please check my Hijacked. Thanks.

Post by pampee, March 31st, 2009, 7:55 am

This is my log after I ran ComboFix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:33 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\keyboard\services.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: kbdrv16.com
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5269 bytes
Post by pampee, March 31st, 2009, 7:58 am

See the entry I've been telling you guys about? It's still there.

O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe

O4 - Global Startup: kbdrv16.com

Post by pampee, March 31st, 2009, 7:59 am

Want to see my combofix.txt result? Is it okay to post it here? Please help me.

Post by grinch2171 (Moderator), March 31st, 2009, 8:13 am

Did combofix find anything?

Try doing this

First Turn off System Restore

Steps to turn off System Restore

1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore.

Then restart your computer in Safe Mode with Networking. How to restart:
1. Log out and reboot your machine.
2. When the machine starts the reboot sequence, press the F8 key repeatedly.
3. Select Safe Mode with Networking from the resulting menu.
4. When the login screen comes up, log in as Administrator. By default, Administrator has no password.
5. The machine will continue booting, but the Windows desktop will look different.
6. Once logged in, run Malwarebytes.

Reboot the computer and re-enable System Restore. Scan your system again to see if the files are gone.
‎"Be polite, be professional, but have a plan to kill everybody you meet." Maj. Gen. James Mattis

Post by grinch2171 (Moderator), March 31st, 2009, 8:21 am

From your most recent HijackThis log, you need to remove the following items:
Quote:
C:\WINDOWS\system32\keyboard\services.exe

C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe

O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe

O4 - Global Startup: kbdrv16.com

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

You may want to check this site out.

http://czetsuya-tech.blogspot.com/2009/ ... e-usb.html

Post by pampee, March 31st, 2009, 8:51 am

What do you mean "run Malwarebytes"? I'm gonna download this? For the entries, just what I've been saying, they just keep coming back. I can't delete them.

Post by grinch2171 (Moderator), March 31st, 2009, 9:20 am

Sorry, usually Don2007 recommends downloading Malwarebytes when he is helping people.

Yes, download it from http://www.malwarebytes.org. Install it and update it and have it perform a full scan.

Turn off system restore prior to running the scan.

Post by pampee, March 31st, 2009, 8:30 pm

ComboFix didn't do anything. I downloaded Malwarebytes and saw one in the registry system32 folder and deleted it, but when I rebooted my PC it's still here. And those entries I posted earlier, all of them are still here.

Post by grinch2171 (Moderator), April 1st, 2009, 1:38 am

Did you disable System Restore? Did you run Malwarebytes in Safe Mode?

Post by pampee, April 2nd, 2009, 3:01 am

Kaspersky did the job; I just followed the instructions given in the Lab Forum. But after removing the said entries I started having a BLUE SCREEN or something. It tells me Windows has been shut down to prevent blah blah blah, if this happens again blah blah blah, and some numbers in it. I'm sure sooner or later I will format my PC. But as for now I'll just wait. Thanks again guys.

Post by Don2007 (Web Master), April 2nd, 2009, 5:51 am

Another well done job by the anti virus software people!! They removed the virus & didn't even charge extra for the pretty blue screen.
How do you know when a politician is lying? His mouth is moving.

Post by Lemniscatus, April 4th, 2009, 5:47 am

Hi!

Use HijackThis to remove kbdrv16.com worm infection...

Post by Lemniscatus, April 5th, 2009, 5:46 am

Hi!

Experience could be bitter but, of course, a better teacher.
When I got infected with this strange kbdrv16.com worm I did some research
on worm defense. I like to protect my computer from malicious worms and
maybe I could share some of my observations here.

kbdrv16.com came from (an infected) USB mass storage device like a
memory stick, mp3/mp4 player, digicam, etc. that we insert into
our computer's USB port.

To remove kbdrv16.com, you must have at least a hijacking utility.
An almost de facto standard is Trend Micro's HijackThis.

You simply run HijackThis, do a scan and check the following items for
removal or repair:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - Global Startup: kbdrv16.com

That's four items and you must repair them simultaneously,
otherwise you won't be able to get rid of the worm at all!

This is one way kbdrv16.com is removed.


P.S.

You should also delete the hidden autorun.inf and scrap files
from your usb mass storage devices.
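As an added example (not code from this thread, from HijackThis or from any of the posters), the Python script below applies the reasoning of this post and of grinch2171's removal list to a HijackThis log: it flags a system.ini Shell= value with a second executable appended, core process names such as lsass.exe and services.exe running from anywhere but the Windows directory itself, a .com file in the all-users Startup folder, and Run keys that launch from Application Data, then groups every log line that refers to the same file so the whole set can be dealt with together rather than one entry at a time. The process-name list, the Application Data heuristic and the sample log lines are assumptions constructed from the log posted above.

```python
import re
from collections import defaultdict
# Core Windows XP processes that legitimately run only from WINDOWS or system32 itself.
SYSTEM_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|com|dll)\b", re.I)

def in_system_dir(path):
    """True only when the file sits directly in WINDOWS or system32, not a subfolder."""
    p = path.lower()
    return any(p.startswith(d) and "\\" not in p[len(d):] for d in SYSTEM_DIRS)

def flag_line(line):
    """Return [(artifact, reason)] for one HijackThis line; empty when nothing is wrong."""
    hits = []
    if line.startswith("F2 - REG:system.ini: Shell="):  # only Explorer.exe belongs here
        hits += [(p, "extra executable in system.ini Shell=") for p in PATH_RE.findall(line)]
    elif line.startswith("O4 - Global Startup:"):
        item = line.split(":", 1)[1].strip()
        if item.lower().endswith(".com"):  # Startup normally holds .lnk shortcuts, not .com files
            hits.append((item, ".com program in the all-users Startup folder"))
    for p in PATH_RE.findall(line):
        name = p.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_PROCESSES and not in_system_dir(p):
            hits.append((p, f"{name} masquerade outside the Windows directory"))
        elif line.startswith("O4 - ") and "\\application data\\" in p.lower():
            hits.append((p, "autostart from Application Data (heuristic)"))
    return hits

def analyze(log):
    """Group each flagged artifact with every line that references it, so the whole set goes together."""
    report = defaultdict(lambda: {"reasons": set(), "lines": []})
    for line in (raw.strip() for raw in log.splitlines()):
        for artifact, reason in flag_line(line):
            report[artifact]["reasons"].add(reason)
            if line not in report[artifact]["lines"]:
                report[artifact]["lines"].append(line)
    return dict(report)

# Constructed sample: the relevant lines from the log posted in this thread.
SAMPLE_LOG = """
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\keyboard\\services.exe
C:\\Documents and Settings\\All Users\\Application Data\\Fearghus\\lsass.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\system32\\keyboard\\services.exe
O4 - HKLM\\..\\Run: [USB2.0] C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\USB2.0\\usb-hi.exe
O4 - HKLM\\..\\Run: [Keyboard] C:\\Documents and Settings\\All Users\\Application Data\\Fearghus\\lsass.exe
O4 - Global Startup: kbdrv16.com
"""
```

Running analyze(SAMPLE_LOG) yields four grouped artifacts; the genuine C:\WINDOWS\system32\lsass.exe is not among them, while the keyboard\services.exe copy is tied to both its running-process line and the Shell= line.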
