Clear the pfcexkt.exe1_hmbduoj.exe Virus
Yesterday, a computer encountered the following symptoms:
- The installed anti-virus software cannot run.
- You can only enter a fixed number of digits when entering the password in IE, which is normal in the past.
- I downloaded her computer, and each root directory had a pfcexkt.exe executable file (which can basically tell if the virus is infected)
- In addition, what makes me strange is that the antivirus folder on my mobile hard disk is automatically disabled on her computer, and other folders are okay.
- When you double-click the disk drive letter to open it, it will flash, while opening other folders is normal.
- Enter the Security Mode
It is basically poisoned, so find a solution. (This virus seems simple but powerful. I retried the system for her, only the system disk, and double-click another disk to open it again)
No detailed report of the virus is found on the internet, but there are also some materials:
The source files created by the virus are as follows:
Full path size of virus files (in bytes)
C: \ Program Files \ meex.exe 36,219
C: \ Program Files \ common files \ microsoft shared \ gvdetru. inf 169
C: \ Program Files \ common files \ microsoft shared \ tygxhqb.exe 36,219
C: \ Program Files \ common files \ System \ gvdetru. inf 169
C: \ Program Files \ common files \ System \ hmbduoj.exe 36,219
All other partitions: \ autorun. inf 169
All other partitions: \ pfcexkt.exe 36,219
All other partitions: \ niu.exe 30,625
To be skeptical, check whether the task manager has tygxhqb.exe and (or )hmbduoj.exe processes. If so, congratulations!
This virus is a trojan program. If you have used online banking, QQ, or online games, you have to be careful. Maybe all your passwords have been stolen. The following symptoms are obvious after the virus:
- Anti-virus software cannot run
- The process includes the tygxhqb.exe and (or )hmbduoj.exe processes.
- When you double-click the drive letter to open the disk, it will flash.
- When you open a file or folder with the words "virus", "Antivirus", "Rising", and "Antivirus" in its name, the file or folder is automatically closed. When you search for these words on the webpage, the file or folder is immediately closed.
How to eliminate the virus and solve its sequelae:
Copy the following code, save it as a bat file, that is, a batch file, and double-click it to run it. If you have any questions, please leave a message in my Baidu space. Another 163 blog is http://yankong5945.blog.163.com.
@ Echo off
Title Yi Lin Zi
Color 0a
Echo was too busy to handle too many issues, too many issues were reported. bytes
Echo.
Echo the virus data
Echo rising has no report
Echo.
Echo the source files created by the virus are as follows:
Echo.
ECHO virus file full path size (in bytes)
Echo c: \ Program Files \ meex.exe 36,219
Echo c: \ Program Files \ common files \ microsoft shared \ gvdetru. inf 169
Echo c: \ Program Files \ common files \ microsoft shared \ tygxhqb.exe 36,219
Echo c: \ Program Files \ common files \ System \ gvdetru. inf 169
Echo c: \ Program Files \ common files \ System \ hmbduoj.exe 36,219
Echo all other partitions: \ autorun. inf 169
Echo all other partitions: \ pfcexkt.exe 36,219
Echo all other partitions: \ niu.exe 30,625
Echo.
Echo autorun. inf and gvdetru. INF files
Echo.
Echo [Autorun]
Echo opentracing pfcexkt.exe
Echo Shell \ open = open (^ & O)
Echo Shell \ open \ command1_pfcexkt.exe
Echo Shell \ open \ default = 1
Echo Shell \ release E = Resource Manager (^ & X)
Echo Shell \ cmde \ command1_pfcexkt.exe
Echo.
Echo the consequences of the virus:
Echo your anti-virus software won't be able to be opened. In addition, if your file name contains viruses, viruses, rising stars, and other viruses.
When you open this file, the words related to echo will be immediately closed. When you search for these words on the web page, the words will be immediately closed.
Echo may have other situations, which I will not detail here.
Echo.
Echo was too busy to handle too many issues, too many issues were reported. bytes
Echo.
Set/p tmp = the above is the virus information. If you want to clear the virus, enter the Enter key to start antivirus...
Rem ends the virus Process
For % d in (
Tygxhqb.exe,hmbduoj.exe
Pfcexkt.exe,meex.exe
) Do (
Taskkill/IM % d/F 2> NUL
)
Rem removes the system, hidden, and read-only attributes of virus source files and then deletes them.
For % d in (meex.exe) do if exist "C: \ Program Files \ % d "(
Attrib-s-h-R "C: \ Program Files \ % d"
Del "C: \ Program Files \ % d"/Q
)
For % d in (tygxhqb.exe, gvdetru. inf) Do (
If exist "C: \ Program Files \ common files \ microsoft shared \ % d "(
Attrib-s-h-R "C: \ Program Files \ common files \ microsoft shared \ % d"
Del "C: \ Program Files \ common files \ microsoft shared \ % d"/Q
)
)
For % d in (hmbduoj.exe, gvdetru. inf) Do (
If exist "C: \ Program Files \ common files \ System \ % d "(
Attrib-s-h-R "C: \ Program Files \ common files \ System \ % d"
Del "C: \ Program Files \ common files \ System \ % d"/Q
)
)
For % F in (autorun.inf,pfcexkt.exe,niu.exe) Do (
For/d % d in (C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, s, T, U, V, W, X, Y, Z) do if exist % d: \ % F (
Attrib-s-h-R % d: \ % F
Del % d: \ % F/Q
)
)
Add the registry entry to security mode by Rem
Reg Add "HKLM \ System \ controlset001 \ Control \ safeboot \ minimal \ {4d36e967-e325-11ce-bfc1-08002be10318}"/ve/d diskdrive/F
Reg Add "HKLM \ System \ controlset001 \ Control \ safeboot \ Network \ {4d36e967-e325-11ce-bfc1-08002be10318}"/ve/d diskdrive/F
Reg Add "HKLM \ System \ controlset003 \ Control \ safeboot \ minimal \ {4d36e967-e325-11ce-bfc1-08002be10318}"/ve/d diskdrive/F
Reg Add "HKLM \ System \ controlset003 \ Control \ safeboot \ Network \ {4d36e967-e325-11ce-bfc1-08002be10318}"/ve/d diskdrive/F
Reg Add "HKLM \ System \ CurrentControlSet \ Control \ safeboot \ minimal \ {4d36e967-e325-11ce-bfc1-08002be10318}"/ve/d diskdrive/F
Reg Add "HKLM \ System \ CurrentControlSet \ Control \ safeboot \ Network \ {4d36e967-e325-11ce-bfc1-08002be10318}"/ve/d diskdrive/F
Rem adds the registry key deleted by the virus
Reg Add "HKLM \ System \ controlset003 \ Services \ kmixer \ Enum"/V 0/D "Sw \ {b7eafdc0-a680-11d0-96d8-00aa0051e51d} \ {9b365890-165f-11d0-a195-0020afd156e4}"/F
Reg Add "HKLM \ System \ controlset001 \ Services \ kmixer \ Enum"/V 0/D "Sw \ {b7eafdc0-a680-11d0-96d8-00aa0051e51d} \ {9b365890-165f-11d0-a195-0020afd156e4}"/F
Reg Add "HKLM \ System \ CurrentControlSet \ Services \ kmixer \ Enum"/V 0/D "Sw \ {b7eafdc0-a680-11d0-96d8-00aa0051e51d} \ {9b365890-165f-11d0-a195-0020afd156e4}"/F
Rem adds a registry key to display hidden files
Reg Delete "HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ showall"/V checkedvalue/F
Reg Add "HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ showall"/V checkedvalue/T REG_DWORD/D 1/F
Reg Add "hkcu \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced"/V showsuperhidden/D 1/F
Reg Add "HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ superhidden"/V type/d checkbox/F
Rem deletes the startup item added by the virus
Reg Delete "HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run"/V pfcexkt/F
Reg Delete "HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run"/V gvdetru/F
Rem deletes the association added by the virus in the registry.
If exist test. Yilin sub-del test. Yilin sub-
Reg query "HKLM \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution options"> test. Yilin sub-
For/F "tokens = * delims = skip = 4" % J in (test. Yilin sub) Do (
Reg Delete "% J"/V debugger/F
CLS
If exist test. Yilin sub-del test. Yilin sub-
Echo was too busy when there were too many attempts to handle too many problems.
Echo.
ECHO is clearing the registry key added by the virus. Please wait...
Echo.
Echo was too busy when there were too many attempts to handle too many problems.
)
If exist test. Yilin sub-del test. Yilin sub-
Reg Add "HKLM \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution options \ your image file name here without a path"/V debugger/D "ntsd-d"/F
CLS
Color A0
Echo was too busy when there were too many attempts to handle too many problems.
Echo.
After the ECHO virus is cleared, press enter to solve the problem that the partition cannot be opened by double-clicking.
Echo.
Echo was too busy when there were too many attempts to handle too many problems.
Set/P test =
CLS
@ Echo off
Title Yilin sub--- solve the problem that partitions cannot be opened
Color A0
The disk cannot be double-clicked to open the autorun. inf file due to REM deletion.
For/d % I in (C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, s, T, U, V, W, X, Y, Z) do if exist % I: \ autorun. INF (
Cacls % I: \ autorun. inf/C/E/P everyone: F
Attrib-s-h-R % I: \ autorun. inf
Del % I: \ autorun. inf/Q
)
Rem checks the disk and restores the double-click function.
For/d % I in (D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, t, U, V, W, X, Y, Z) do if exist % I: chkdsk % I:/F/X
CLS
Color EC
Echo was too busy when there were too many attempts to handle too many problems.
Echo.
Echo operation ended. Press enter to exit the program...
Echo.
Echo was too busy when there were too many attempts to handle too many problems.
Set/P temp =
: Exit
Exit
Install the 360 security guard and check the trojan. Several password-stealing Trojans will be found, and it will be OK if the computer is restarted.