Please check my HijackThis log. Thanks.

  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:52 PM, on 3/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\keyboard\services.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Garena\Garena.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: kbdrv16.com
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5805 bytes
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

O4 - HKLM\..\Run: [USB2.0]
C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe

O4 - Global Startup: kbdrv16.com

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

O4 - Global Startup: kbdrv16.com

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

These keep coming back whenever I run HijackThis again. Please help.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Run regedit and search for kbdrv16.com in the registry. Delete it.

Was game guard something that you installed? Do you still use it? If not, uninstall it.
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

O4 - HKLM\..\Run: [USB2.0]
C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe

O4 - Global Startup: kbdrv16.com

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

These files keep coming back. I already deleted kbdrv16.com in regedit but it's still here. I ran HijackThis again and it's still there. Please help.
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

I installed a game and this one came with it. Is it safe? I tried to delete it but it just keeps coming back, just like the others. What should I do? Format my PC?
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Don't format. It should be ok. Leave it alone if you aren't having any problems.
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

Isn't it a keylogger?

How about these two? What should I do?
O4 - HKLM\..\Run: [USB2.0]
C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe

O4 - Global Startup: kbdrv16.com
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

I listed those 2 in my first response to be deleted.
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

But it just keeps coming back! And I could not manually delete these folders: C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe. Even AntiVir detects this one as a threat whenever I open this folder.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

The only other way to get rid of it is to search for it & delete it in the registry.

Start > Run > regedit > Edit > Find
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

This matter is starting to annoy me. I can't delete it. It just keeps coming back. Even AntiVir cannot delete it. I've learned that these things came from the FEARGHUS file that I have on my PC. I don't know how I got this, maybe from my brother's USB stick or anything. Even when I navigated the registry and changed some values, like this one I got from the internet: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
c.) change the value of the Shell key to just explorer.exe", it doesn't affect a thing. (F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe)
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe. Even when I change the Shell value to just explorer.exe, it just comes back to Explorer.exe C:\WINDOWS\system32\keyboard\services.exe. Please, someone help. Even HijackThis can't remove this. Please, I desperately need your help.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Go into the registry again. Click edit, find, type usb-hi.exe & press enter. When it finds it, delete it. Press F3. When it finds it in another place, delete it. Press F3 again & delete the next instance of it. Keep doing that until it says finished.
  • grinch2171
  • Moderator
  • Genius
  • User avatar
  • Posts: 6800
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Try running combofix

http://www.bleepingcomputer.com/combofi ... e-combofix
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

This is my log after I ran ComboFix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:33 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\keyboard\services.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: kbdrv16.com
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5269 bytes
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

See the entries I've been telling you guys about? They're still there.

O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe

O4 - Global Startup: kbdrv16.com
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

Want to see my combofix.txt result? Is it okay to post it here? Please help me.
  • grinch2171
  • Moderator
  • Genius
  • User avatar
  • Posts: 6800
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Did combofix find anything?

Try doing this:

First, turn off System Restore.

Steps to turn off System Restore:

1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore.

Then restart your computer in Safe Mode with Networking. How to restart:
1. Log out and reboot your machine.
2. When the machine starts the reboot sequence, press the F8 key repeatedly.
3. Select Safe Mode with Networking from the resulting menu.
4. When the log in screen comes up, log in as Administrator. By default, Administrator has no password.
5. The machine will continue booting, but the Windows desktop will look different.
6. Once logged in, run Malwarebytes.

Reboot the computer and re-enable System Restore. Scan your system again to see if the files are gone.
  • grinch2171
  • Moderator
  • Genius
  • User avatar
  • Posts: 6800
  • Loc: Martinsburg, WV

Post 3+ Months Ago

From your most recent HijackThis log, you need to remove the following items:

C:\WINDOWS\system32\keyboard\services.exe
C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - Global Startup: kbdrv16.com
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

You may want to check this site out.

http://czetsuya-tech.blogspot.com/2009/ ... e-usb.html
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

What do you mean "run Malwarebytes"? Should I download this? As for the entries, as I've been saying, they just keep coming back. I can't delete them.
  • grinch2171
  • Moderator
  • Genius
  • User avatar
  • Posts: 6800
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Sorry, usually Don2007 recommends downloading Malwarebytes when he is helping people.

Yes, download it from http://www.malwarebytes.org. Install it and update it and have it perform a full scan.

Turn off system restore prior to running the scan.
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

ComboFix didn't do anything. I downloaded Malwarebytes and saw one in the registry system32 folder and deleted it, but when I rebooted my PC it's still here. And those entries I posted earlier, all of them are still here.
  • grinch2171
  • Moderator
  • Genius
  • User avatar
  • Posts: 6800
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Did you disable System Restore? Did you run Malwarebytes in Safe Mode?
  • pampee
  • Student
  • Student
  • pampee
  • Posts: 90
  • Loc: Philippines

Post 3+ Months Ago

Kaspersky did the job; I just followed the instructions given in the Lab Forum. But after removing the said entries I started getting a BLUE SCREEN or something that tells me Windows has been shut down to prevent blah blah blah, if this happens again blah blah blah, and some numbers in it. I'm sure sooner or later I will format my PC. But for now I'll just wait. Thanks again, guys.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Another well done job by the anti virus software people!! They removed the virus & didn't even charge extra for the pretty blue screen.
  • Lemniscatus
  • Born
  • Born
  • Lemniscatus
  • Posts: 2

Post 3+ Months Ago

Hi!

Use HijackThis to remove kbdrv16.com worm infection...
  • Lemniscatus
  • Born
  • Born
  • Lemniscatus
  • Posts: 2

Post 3+ Months Ago

Hi!

Experience could be bitter but, of course, a better teacher.
When I got infected with this strange kbdrv16.com worm I did some research
on worm defense. I like to protect my computer from malicious worms and
maybe I could share some of my observations here.

kbdrv16.com comes from an infected USB mass storage device (memory stick,
MP3/MP4 player, digicam, etc.) that we insert into our computer's USB port.

To remove kbdrv16.com, you must have at least a hijacking utility.
An almost de facto standard is Trend Micro's HijackThis.

You simply run HijackThis, do a scan and check the following items for
removal or repair:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - Global Startup: kbdrv16.com

That's four items and you must repair them simultaneously,
otherwise you won't be able to get rid of the worm at all!

This is one way kbdrv16.com is removed. :mrgreen:


P.S.

You should also delete the hidden autorun.inf and scrap files
from your usb mass storage devices.
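As an added example (not part of this thread and not HijackThis's own code), the Python script below applies the triage rules the thread arrives at to a saved HijackThis log: a Winlogon Shell value with anything beyond Explorer.exe, autostarts from Application Data, system-binary names outside system32, a .com item in the Startup folder, and a service whose file is missing. The sample log is constructed from lines copied out of the logs posted above, and the script only reads; removal is still done with HijackThis as described.

```python
import re

# Constructed sample: HijackThis lines copied from the logs posted in this thread,
# trimmed to the entries under discussion plus two known-good ones as controls.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\keyboard\services.exe
C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: kbdrv16.com
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

# Core Windows binaries live directly in %SystemRoot%\system32; the worm in this
# thread runs copies named lsass.exe and services.exe from other directories.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32_DIRECT = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
# Application Data is writable without admin rights; both usb-hi.exe and Fearghus\lsass.exe sit there.
WRITABLE_DATA_DIR = re.compile(r"\\application data\\", re.I)
# Non-.exe extensions that Windows still executes from the Startup folder.
ODD_STARTUP_EXT = (".com", ".bat", ".cmd", ".pif", ".scr")

def masquerading_system_binary(path):
    """True if the file name is a core system binary but the path is not system32 itself."""
    name = path.strip('"').rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_NAMES and not SYSTEM32_DIRECT.match(path.strip('"'))

def shell_hijacked(shell_value):
    """The Winlogon Shell value must be exactly Explorer.exe; anything appended runs at every logon."""
    return shell_value.strip().lower() != "explorer.exe"

def analyse(log_text):
    """Return (line, reason) pairs for HijackThis entries matching the thread's indicators."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        reasons = []
        if line.startswith("F2 - REG:system.ini: Shell="):
            if shell_hijacked(line.split("Shell=", 1)[1]):
                reasons.append("Winlogon Shell launches an extra program")
        elif line.startswith("O4 - Global Startup:"):
            if line.split(":", 1)[1].strip().lower().endswith(ODD_STARTUP_EXT):
                reasons.append("Startup-folder item with an unusual executable extension")
        elif line.startswith("O4 - ") and "] " in line:
            command = line.split("] ", 1)[1]
            if WRITABLE_DATA_DIR.search(command):
                reasons.append("autostart from a writable data directory")
            if masquerading_system_binary(command):
                reasons.append("impersonates a Windows system binary")
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            reasons.append("service registered but its binary is gone")
        elif re.match(r"^[a-z]:\\", line, re.I) and masquerading_system_binary(line):
            reasons.append("running process impersonates a Windows system binary")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for entry, why in analyse(SAMPLE_LOG):
        print(f"{why}:\n    {entry}")
```

The benign controls (system32\lsass.exe and the uTorrent entry) produce no finding, while the Keyboard entry is flagged for both location and name.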

Post Information

  • Total Posts in this topic: 28 posts
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.