How to remove Kbdrv16.com, Lsass.exe, USB-HI.EXE

Just last night I copied a file from a USB stick of my apartment mate and I noticed that something was wrong with the way Explorer was displaying. I inspected my system and found two instances of services.msc in Windows Task Manager [press Ctrl + Shift + Esc], one run by my currently logged-in user and one by SYSTEM. I searched my computer for traces of a virus or a worm and found the following abnormal entries and files in my registry and file system:

+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
under the Shell string value there is an abnormal appended string c:\windows\system32\keyboard\services.exe; the normal value is explorer.exe
+C:\Documents and Settings\All Users\Application Data\Fearghus\lsass.exe
+C:\Documents and Settings\All Users\Application Data\Microsoft\USB2.0\usb-hi.exe
+C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kbdrv16.com

I successfully removed them with the following steps:

1.) start Windows in safe mode with command prompt (press F8 repeatedly while the OS is booting)
2.) fix the Shell value in the registry
a.) start regedit: in the command prompt type regedit
b.) navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
c.) change the Shell value back to just explorer.exe
3.) navigate to c:\documents and settings\all users\application data\
>cd c:\documents and settings\all users\application data\
a.) delete the fearghus directory
>rd /s fearghus
4.) navigate to C:\Documents and Settings\All Users\Application Data\Microsoft\
>cd C:\Documents and Settings\All Users\Application Data\Microsoft\
a.) delete the USB2.0 directory
>rd /s USB2.0
5.) remove the entry in the Startup folder
a.) navigate to C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
b.) execute the delete file command
>del kbdrv16.com
6.) restart your machine and boot normally. Inspect the registry: the Shell value should contain only explorer.exe, and all the files listed above should be gone.

That's all. This procedure works for me :D.
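The batch script below is an added example, not part of the original post. It turns the indicators listed above into a read-only check you can run from cmd before and after the removal steps: it reads the Winlogon Shell value, tests whether each of the listed files still exists, and counts running lsass.exe processes (the legitimate one runs from system32; a second copy is the impostor). It assumes the Windows XP folder layout shown in the post, reached through the %ALLUSERSPROFILE% and %SystemRoot% variables; the process-count check is my own addition and is not taken from the post. Nothing is deleted.

```batch
@echo off
rem check_indicators.cmd - read-only check for the indicators described in the post.
rem Added example; assumes XP-era paths (%ALLUSERSPROFILE% = C:\Documents and Settings\All Users).
setlocal
set FOUND=0

rem 1. The Winlogon Shell value should be exactly explorer.exe.
rem    The malware appends c:\windows\system32\keyboard\services.exe to it.
set SHELL_VALUE=
for /f "tokens=2,*" %%A in ('reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell 2^>nul ^| find /i "Shell"') do set SHELL_VALUE=%%B
if /i "%SHELL_VALUE%"=="explorer.exe" (
    echo [ok] Winlogon Shell = %SHELL_VALUE%
) else (
    echo [!!] Winlogon Shell = "%SHELL_VALUE%" - expected explorer.exe
    set FOUND=1
)

rem 2. Dropped files named in the post. Present = infected or cleanup incomplete.
call :check_file "%ALLUSERSPROFILE%\Application Data\Fearghus\lsass.exe"
call :check_file "%ALLUSERSPROFILE%\Application Data\Microsoft\USB2.0\usb-hi.exe"
call :check_file "%ALLUSERSPROFILE%\Start Menu\Programs\Startup\kbdrv16.com"
call :check_file "%SystemRoot%\system32\keyboard\services.exe"

rem 3. Only one lsass.exe should be running (the real one from system32).
rem    tasklist is not present on XP Home; the count then stays 0 and is reported as ok.
set LSASS_COUNT=0
for /f %%C in ('tasklist /fi "imagename eq lsass.exe" 2^>nul ^| find /c /i "lsass.exe"') do set LSASS_COUNT=%%C
if %LSASS_COUNT% GTR 1 (
    echo [!!] %LSASS_COUNT% lsass.exe processes running; only one is expected, from %SystemRoot%\system32
    set FOUND=1
) else (
    echo [ok] lsass.exe process count = %LSASS_COUNT%
)
goto :end

:check_file
rem %1 arrives quoted, so paths with spaces work; %~1 strips the quotes for display.
if exist %1 (
    echo [!!] present: %~1
    set FOUND=1
) else (
    echo [ok] absent:  %~1
)
goto :eof

:end
echo.
if %FOUND%==1 (
    echo Indicators found. Boot to safe mode, follow the removal steps, then re-run this check.
    endlocal & exit /b 1
)
echo No indicators found.
endlocal & exit /b 0
```

Run it from a normal boot first to confirm the infection, and again after step 6 to confirm the cleanup; a non-zero exit code means at least one indicator is still present.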
girion said...

I am not a techie or programmer. I have the same problem as you. I searched the internet for solutions and found about 4 including yours. I think I got it from my niece's USB, Calamba source. Will try yours out first. Ty.


Anonymous said...

Thanks czetsuya,
it worked for me too.


Mari said...

I was able to remove it after reading your blog. I used Process Explorer and Autoruns in safe mode. Disabled System Restore, then I used Process Explorer first and killed the tree running the false Microsoft lsass.exe; then it came up with a countdown that would shut off the system in a minute. I rushed deleting all the usb-hi.exe, fearghus and kbdrv16.com entries using Autoruns. Restart. Now it's clear.

czetsuya said...

If you ever encounter that shutdown message again, just type this in the command prompt:

shutdown -a

Dennison Uy said...

It works! I've been wondering what was wrong with my computer. Thanks!!!

sigyo said...

Thank you for bringing up this information.

Anonymous said...

Hi. Thanks a lot for the information. This is a big help for me.

Any idea what this malware is intended to do?

So far I haven't seen it spread via network... only via sharing of USB.

pj said...

Thanks for the info... but I still
can't remove it. When I try to delete as you have instructed, a pop-up message says "can't be removed, it is being used by another... etc."...
Need help pls...

Anonymous said...

Hi, did you restart your PC in safe mode? If it was the same virus I had, I'm sure it doesn't run in that mode.

jampochi said...

Hello sir, can you please email me what rd and cd mean in your instructions? Every time I try to delete fearghus, it says the application is running. :(

Thanks a lot. :)


czetsuya said...

For your information:

1.) To successfully delete the trojan files, your PC should be in safe mode.

2.) As for cd and rd, they are commands to be executed in the shell command line. cd stands for change directory, while rd means remove directory.

3.) To execute these commands you should run cmd: in Start->Run type cmd and press Enter.

Homer said...

My computer screen went black after acquiring those viruses. Did it happen to you also? Thanks.

czetsuya said...

Fortunately, it didn't. I just noticed those weird files and processes running on my PC.

If you've booted successfully, try scanning your system with:

Comodo registry/system scanner

Note: This software is free.

Or try booting in safe mode. See if it works.

