Comments on: 清除pfcexkt.exe、hmbduoj.exe病毒 http://www.wangchengxi.com/blog/2007/10/14/clear-pfcexktexe-hmbduojexe-virus.html My Blog, But Simple! Tue, 06 Jan 2009 21:02:18 +0000 http://wordpress.org/?v=2.7 hourly 1 By: 程鹏 http://www.wangchengxi.com/blog/2007/10/14/clear-pfcexktexe-hmbduojexe-virus.html/comment-page-1#comment-869 程鹏 Tue, 23 Oct 2007 04:55:43 +0000 http://www.wangchengxi.com/blog/2007/10/14/post_165.html#comment-869 这个好像是AV终结者的变种吧 看起来感染了挺麻烦,幸好我还没遇到 这个好像是AV终结者的变种吧
看起来感染了挺麻烦,幸好我还没遇到

]]> By: 黎明前的黑 http://www.wangchengxi.com/blog/2007/10/14/clear-pfcexktexe-hmbduojexe-virus.html/comment-page-1#comment-864 黎明前的黑 Sat, 20 Oct 2007 00:44:41 +0000 http://www.wangchengxi.com/blog/2007/10/14/post_165.html#comment-864 哈,你講得不就是AV終結者麼. 我上次也中了,不過早被我弄好了.呵呵 這里強烈向你推薦一款殺毒軟件.360安全衛士. 哈,你講得不就是AV終結者麼.
我上次也中了,不過早被我弄好了.呵呵
這里強烈向你推薦一款殺毒軟件.360安全衛士.

]]> By: 刘三宏 http://www.wangchengxi.com/blog/2007/10/14/clear-pfcexktexe-hmbduojexe-virus.html/comment-page-1#comment-854 刘三宏 Wed, 17 Oct 2007 01:11:19 +0000 http://www.wangchengxi.com/blog/2007/10/14/post_165.html#comment-854 @echo off title 忆林子 color 0a echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ echo. echo 该病毒资料 echo 瑞星对此暂无报告 echo. echo 该病毒建立的包括的源文件如下: echo. echo 病毒文件全路径 大小(字节) echo C:\Program Files\meex.exe 36,219 echo C:\Program Files\Common Files\Microsoft Shared\gvdetru.inf 169 echo c:\Program Files\Common Files\Microsoft Shared\tygxhqb.exe 36,219 echo c:\Program Files\Common Files\System\gvdetru.inf 169 echo C:\Program Files\Common Files\System\hmbduoj.exe 36,219 echo 其它所有分区:\autorun.inf 169 echo 其它所有分区:\pfcexkt.exe 36,219 echo 其它所有分区:\niu.exe 30,625 echo. echo autorun.inf和gvdetru.inf文件里的内容 echo. echo [AutoRun] echo open=pfcexkt.exe echo shell\open=打开(^&O) echo shell\open\Command=pfcexkt.exe echo shell\open\Default=1 echo shell\explore=资源管理器(^&X) echo shell\explore\Command=pfcexkt.exe echo. echo 该病毒的后果: echo 你的杀毒软件会无法打开,另外只要你的文件名中如果是"病毒","杀毒","瑞星"等和病毒. echo 有关的字眼时,你这个文件打开之后会马上被关闭.网页中一搜索这些字眼也会马上关闭. echo 可能还有其它的情况,我这里就不详细说明了. echo. echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ echo. set /p tmp=以上是该病毒的信息,如果要清除该病毒,请回车键开始杀毒... rem 结束病毒进程 for %%d in ( tygxhqb.exe,hmbduoj.exe pfcexkt.exe,meex.exe ) do ( taskkill /im %%d /f 2>nul ) rem 去除病毒源文件的 系统、隐藏、只读 属性,然后删除它们。 for %%d in (meex.exe) do if exist "C:\Program Files\%%d" ( attrib -s -h -r "C:\Program Files\%%d" del "C:\Program Files\%%d" /q ) for %%d in (tygxhqb.exe,gvdetru.inf) do ( if exist "C:\Program Files\Common Files\Microsoft Shared\%%d" ( attrib -s -h -r "C:\Program Files\Common Files\Microsoft Shared\%%d" del "C:\Program Files\Common Files\Microsoft Shared\%%d" /q ) ) for %%d in (hmbduoj.exe,gvdetru.inf) do ( if exist "C:\Program Files\Common Files\System\%%d" ( attrib -s -h -r "C:\Program Files\Common Files\System\%%d" del "C:\Program Files\Common Files\System\%%d" /q ) ) for %%f in (autorun.inf,pfcexkt.exe,niu.exe) do ( for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\%%f ( attrib -s -h -r %%d:\%%f del %%d:\%%f /q ) ) rem 添加进入安全模式的注册表项 reg add "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f reg add "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f reg add "HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f reg add "HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f rem 添加被病毒删除的注册表项 reg add "HKLM\SYSTEM\ControlSet003\Services\kmixer\Enum" /v 0 /d "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}" /f reg add "HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum" /v 0 /d "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}" /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum" /v 0 /d "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}" /f rem 添加显示隐藏文件的注册表项 reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t reg_dword /d 1 /f reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /d 1 /f reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v Type /d checkbox /f rem 删除由病毒添加的启动项 reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v pfcexkt /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v gvdetru /f rem 删除病毒在注册表中添加的关联 if exist test.忆林子 del test.忆林子 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options">test.忆林子 for /f "tokens=* delims= skip=4" %%j in (test.忆林子) do ( reg delete "%%j" /v debugger /f cls if exist test.忆林子 del test.忆林子 echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ echo. echo 正在清除由病毒添加的注册表项,请稍候... echo. echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ) if exist test.忆林子 del test.忆林子 reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path" /v Debugger /d "ntsd -d" /f cls color a0 echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ echo. echo 病毒清除完毕,按回车键开始解决分区无法双击打开的问题. echo. echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ set /p test= cls @echo off title 忆林子--解决分区无法打开 color a0 rem 删除引起磁盘无法双击打开的autorun.inf文件 for /d %%i in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%i:\autorun.inf ( cacls %%i:\autorun.inf /c /e /p everyone:f attrib -s -h -r %%i:\autorun.inf del %%i:\autorun.inf /q ) rem 进行磁盘检查,恢复双击打开功能 for /d %%i in (d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%i: chkdsk %%i: /f /x cls color ec echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ echo. echo 操作结束,按回车键退出该程序... echo. echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ set /p temp= :exit exit @echo off
title 忆林子
color 0a
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 该病毒资料
echo 瑞星对此暂无报告
echo.
echo 该病毒建立的包括的源文件如下:
echo.
echo 病毒文件全路径 大小(字节)
echo C:\Program Files\meex.exe 36,219
echo C:\Program Files\Common Files\Microsoft Shared\gvdetru.inf 169
echo c:\Program Files\Common Files\Microsoft Shared\tygxhqb.exe 36,219
echo c:\Program Files\Common Files\System\gvdetru.inf 169
echo C:\Program Files\Common Files\System\hmbduoj.exe 36,219
echo 其它所有分区:\autorun.inf 169
echo 其它所有分区:\pfcexkt.exe 36,219
echo 其它所有分区:\niu.exe 30,625
echo.
echo autorun.inf和gvdetru.inf文件里的内容
echo.
echo [AutoRun]
echo open=pfcexkt.exe
echo shell\open=打开(^&O)
echo shell\open\Command=pfcexkt.exe
echo shell\open\Default=1
echo shell\explore=资源管理器(^&X)
echo shell\explore\Command=pfcexkt.exe
echo.
echo 该病毒的后果:
echo 你的杀毒软件会无法打开,另外只要你的文件名中如果是"病毒","杀毒","瑞星"等和病毒.
echo 有关的字眼时,你这个文件打开之后会马上被关闭.网页中一搜索这些字眼也会马上关闭.
echo 可能还有其它的情况,我这里就不详细说明了.
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
set /p tmp=以上是该病毒的信息,如果要清除该病毒,请回车键开始杀毒...

rem 结束病毒进程
for %%d in (
tygxhqb.exe,hmbduoj.exe
pfcexkt.exe,meex.exe
) do (
taskkill /im %%d /f 2>nul
)

rem 去除病毒源文件的 系统、隐藏、只读 属性,然后删除它们。
for %%d in (meex.exe) do if exist "C:\Program Files\%%d" (
attrib -s -h -r "C:\Program Files\%%d"
del "C:\Program Files\%%d" /q
)

for %%d in (tygxhqb.exe,gvdetru.inf) do (
if exist "C:\Program Files\Common Files\Microsoft Shared\%%d" (
attrib -s -h -r "C:\Program Files\Common Files\Microsoft Shared\%%d"
del "C:\Program Files\Common Files\Microsoft Shared\%%d" /q
)
)

for %%d in (hmbduoj.exe,gvdetru.inf) do (
if exist "C:\Program Files\Common Files\System\%%d" (
attrib -s -h -r "C:\Program Files\Common Files\System\%%d"
del "C:\Program Files\Common Files\System\%%d" /q
)
)

for %%f in (autorun.inf,pfcexkt.exe,niu.exe) do (
for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\%%f (
attrib -s -h -r %%d:\%%f
del %%d:\%%f /q
)
)

rem 添加进入安全模式的注册表项
reg add "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /ve /d DiskDrive /f

rem 添加被病毒删除的注册表项
reg add "HKLM\SYSTEM\ControlSet003\Services\kmixer\Enum" /v 0 /d "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}" /f
reg add "HKLM\SYSTEM\ControlSet001\Services\kmixer\Enum" /v 0 /d "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\kmixer\Enum" /v 0 /d "SW\{b7eafdc0-a680-11d0-96d8-00aa0051e51d}\{9B365890-165F-11D0-A195-0020AFD156E4}" /f

rem 添加显示隐藏文件的注册表项
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t reg_dword /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden" /v Type /d checkbox /f

rem 删除由病毒添加的启动项
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v pfcexkt /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v gvdetru /f

rem 删除病毒在注册表中添加的关联
if exist test.忆林子 del test.忆林子
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options">test.忆林子
for /f "tokens=* delims= skip=4" %%j in (test.忆林子) do (
reg delete "%%j" /v debugger /f
cls
if exist test.忆林子 del test.忆林子
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 正在清除由病毒添加的注册表项,请稍候...
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
)
if exist test.忆林子 del test.忆林子
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path" /v Debugger /d "ntsd -d" /f

cls
color a0
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 病毒清除完毕,按回车键开始解决分区无法双击打开的问题.
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
set /p test=
cls
@echo off
title 忆林子--解决分区无法打开
color a0
rem 删除引起磁盘无法双击打开的autorun.inf文件
for /d %%i in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%i:\autorun.inf (
cacls %%i:\autorun.inf /c /e /p everyone:f
attrib -s -h -r %%i:\autorun.inf
del %%i:\autorun.inf /q
)
rem 进行磁盘检查,恢复双击打开功能
for /d %%i in (d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%i: chkdsk %%i: /f /x
cls
color ec
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
echo.
echo 操作结束,按回车键退出该程序...
echo.
echo ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
set /p temp=
:exit
exit

]]>