Lately we discovered a new Trojan/virus that uses autorun.inf to infect other drives. Most of the time it infects any removable media (external HDD or flash drive) that is connected to the infected unit. You will not notice it since the script runs at startup.
Note: This procedure is applicable to all Trojans/viruses that use a .inf file; “hbq.exe” is used for this example:
Here is how you can get rid of them:
– Open Task Manager and, in the Processes tab, end the explorer.exe and wscript.exe processes
– Open up File –> New Task (Run) in the Task manager
– Type cmd and hit Enter
del /a:h /f c:\autorun.*
If you have multiple drives/partitions, repeat this step for every drive/partition, replacing “C:” with the appropriate drive letter.
– Go to your Windows\System32 directory by typing cd c:\windows\system32
Type dir /a:h hbq*.*
– If you see any files named hbq0.dll or hbq0.exe or hbo.exe, use the
Del /a:h /f avp*.exe
Del /a:h /f avp*.dll
– Open up File –> New Task (Run) in the Task manager, Type regedit
– Navigate to:
If there are any entries for kxvo.exe, delete them. Also delete all suspicious items.
– Do a complete search of your registry for ntdelect.com or hbq.exe or kxvo.exe and delete any entries you find.
– To restore the Folder Options (“Show hidden files & folders”) settings, navigate to
– Look at the “CheckedValue” key… This should be a DWORD key. If it isn’t, delete the key. Create a new key called “CheckedValue” as a DWORD (hexadecimal) with a value of 1. The “Show hidden files & folders” check box should now work normally.
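Before deleting autorun.inf in the step above, it helps to read which files it launches, since those are the hidden files to look for on each drive. The Python script below is an added example, not part of the original procedure; the sample file content is constructed and reuses the hbq.exe name from this page.

```python
import re
import sys

# Keys in the [autorun] section whose value is a command Windows may launch.
LAUNCH_KEYS = ("open", "shellexecute")
# Context-menu verbs: shell\<verb>\command=<program>
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.I)

def decode(data):
    """autorun.inf is usually ANSI; some are UTF-16 with a byte-order mark."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")  # maps every byte, so it cannot fail

def launch_targets(text):
    """Return (key, command) pairs that this autorun.inf would execute."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment/padding
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD.match(key):
            targets.append((key.lower(), value))
    return targets

# Constructed sample, not taken from a real infection.
SAMPLE = b"""; constructed sample
[AutoRun]
;junk padding line
open=hbq.exe
shell\\open\\Command=hbq.exe
shell\\explore\\Command=hbq.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
[other]
open=ignored.exe
"""

if __name__ == "__main__":
    # Usage: python script.py E:\autorun.inf F:\autorun.inf
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for key, cmd in launch_targets(decode(fh.read())):
                print(f"{path}: {key} -> {cmd}")
```

Every program name it prints is a file to check for in the root of that drive before running the del commands.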
NOTE: I also included a “Script Killer” in my download section for those very hard-to-kill autoruns & vbs scripts. You need WinRAR to extract these files.