Please check my Hijacked. Thanks.

March 28th, 2009, 4:18 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:52 PM, on 3/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\keyboard\services.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Garena\Garena.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [USB2.0] C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
O4 - HKLM\..\Run: [Keyboard] C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: kbdrv16.com
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5805 bytes

March 28th, 2009, 5:07 am

O4 - HKLM\..\Run: [USB2.0]
C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe

O4 - Global Startup: kbdrv16.com

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

March 28th, 2009, 8:27 pm

O4 - Global Startup: kbdrv16.com

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

this one keep coming back. whenever i run HijackThis again. please help.

March 28th, 2009, 8:45 pm

Run regedit and search for kbdrv16.com in the registry. Delete it.

Was game guard something that you installed? Do you still use it? If not, uninstall it.

March 28th, 2009, 10:10 pm

- HKLM\..\Run: [USB2.0]
C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe

O4 - Global Startup: kbdrv16.com

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

this files are keep coming back. i already delete the kbdrv16.com in regedit but its still here. i run my HijackThis again and its still there. please help.

March 28th, 2009, 10:11 pm

23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

i installed a game and this one comes with it. is it safe? i tried to delete this but it just keep coming back just like the others. what should i do? format my PC?

March 29th, 2009, 6:12 am

Don't format. It should be ok. Leave it alone if you aren't having any problems.

March 29th, 2009, 9:54 pm

isnt it a keylogger?

how about these two? what should i do?
HKLM\..\Run: [USB2.0]
C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe

O4 - Global Startup: kbdrv16.com

March 30th, 2009, 5:11 am

I listed those 2 in my first response to be deleted.

March 30th, 2009, 5:50 pm

but it just keep coming back! and i could not manual delete these folders C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe. even antivir detect this one as a threat. whenever i open this folder.

March 30th, 2009, 8:26 pm

The only other way to get rid of it is to search for it & delete it in the registry.

Start run regedit edit find

March 30th, 2009, 9:16 pm

this matter starts to annoy me. i cant delete it. it just keep coming back. even antivir cannot delete it. ive know that this things came from FEARGHUS file that i have in my PC. i dont know how i got this. maybe in my brother's USB stick or annything. even i navigate in the registry and change some values like this one "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon
c.) change the value of the Shell key to just explorer.exe" i got from the internet. it doesnt affect a thing.(F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe)

March 30th, 2009, 9:19 pm

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\keyboard\services.exe. even i change the Shell value to just explorer.exe it kust coming back to Explorer.exe C:\WINDOWS\system32\keyboard\services.exe. please someone help. even hijack cant remove this. please im desperately need your help.

March 31st, 2009, 5:11 am

Go into the registry again. Click edit, find, type usb-hi.exe & press enter. When it finds it, delete it. Press F3. When it finds it in another place, delete it. Press F3 again & delete the next instance of it. Keep doing that until it says finished.

[grinch2171]

March 31st, 2009, 5:17 am

Try running combofix

http://www.bleepingcomputer.com/combofi ... e-combofix