Knowledge Base:  
You are here: Knowledge Base >
kxvo.exe, hbq.exe error for studio pc.
Last Updated: 02/26/2008
http://wlalng.wordpress.com/

How to remove Trojan that uses an autorun.inf file
February 20, 2008 � 2 Comments

Lately we discover a new Trojan/virus that uses autorun.inf to infect other drive. Most of the time it infect any removable media (external HDD or Flash Drive) that is connected to the infected unit. You will not notice it since the script runs at startup.

Note: This procedure is applicable to all Trojan/virus that uses a .inf file, but will use �hbq.exe� for this example:

Here is how you can get rid of them:

- Open Task Manager and in Processes tab end explorer.exe and wscript.exe process

- Open up File �> New Task (Run) in the Task manager

- Type cmd and hit Enter

Type
del /a:h /f c:\autorun.*

if you have multiple drive/partition, repeat this step to all drive/partition, make replacing �C:� with the appropriate drive letter.

- Go to your Windows\System32 directory by typing cd c:\windows\system32

Type dir /a:h /f hbq*.*

- If you see any files named hbq0.dll or hbq0.exe or hbo.exe, use the    

Del /a:h /f avp*.exe
Del /a:h /f avp*.dll

to delete.

- Open up File �> New Task (Run) in the Task manager, Type regedit

- Navigate to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If there are any entries for kxvo.exe, delete them. Also delete all suspicious items

- Do a complete search of your registry for ntdelect.com or hbq.exe or kxvo.exe and delete any entries you find.

- To Restore Folder Options (�Show hidden files & folders�) Settings, Navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
         Explorer\Advanced\Folder\Hidden\SHOWALL

- Look at the �CheckedValue� key� This should be a DWORD key. If it isn�t,  delete the key. Create a new key called �CheckedValue� as a DWORD (hexadecimal) with a value of 1. The �Show hidden files & folders� check box should now work normally.

Was this article helpful?

Comments: