Removal method for the sxs.exe / autorun.inf virus

Source: Internet
Author: User

Key words: Trojan.PSW.QQPa Autorun.inf

Features: The files sxs.exe and autorun.inf are automatically generated in the root directory of each disk, and in some cases SVOHOST.exe or sxs.exe is also created under Windows\system32. The files carry the hidden attribute. The virus also automatically disables antivirus software.

Transmission path: Mainly through USB flash drives and portable hard disks.

Deception:

1. If you press Ctrl+Alt+Del to view the processes, there may be an extra svohost process, which differs from the system's svchost by only one letter.

2. The registry modifications are well concealed; how to undo them is described in detail below.

3. It automatically modifies the registry so that the system's "Show all hidden files" function stops working, which hides the virus's own files.

Removal method:

Working in Safe Mode is recommended. Many users online report that simply searching for sxs.exe and deleting it does not work, because once it is deleted it reappears as soon as you refresh.

1. Shut down the virus process

Press Ctrl+Alt+Del to open Task Manager, look for sxs or svohost among the processes (not svchost; it differs by one letter), and end it. (Not all systems show the process; if yours does not, skip this step.)

2. Restore the registry (on some systems the virus may not have modified the registry. To test: if your system can still show hidden files, this step can be omitted, but everyone is advised to check.)

(Remove the virus from the startup items) Open the Registry Editor: Run -- regedit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SVOHOST.exe or Sxs.exe

Find the Soundmam value (note: not soundman; it differs by only one letter). There may be two; delete the one whose data is C:\windows\system32\svohost.exe.

(Show hidden system files) Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and set the CheckedValue value to 1.

Note that the virus deletes the valid DWORD value CheckedValue and creates an invalid string value named CheckedValue, of type REG_SZ, with its data set to 0. Changing this to 1 has no effect. The correct type for CheckedValue is REG_DWORD, not REG_SZ. (Some variants of the virus delete CheckedValue outright; in that case, just create a new one as described below.)

Method: Delete the CheckedValue value, right-click and choose New -- DWORD Value, name it CheckedValue, and set its data to 1. You can then select "Show all hidden files" and show system files: set system files and hidden files to be displayed under Folder -- Tools -- Folder Options.

3. Delete the virus body files

Right-click each partition and choose Open; you will see the two files autorun.inf and sxs.exe in the root directory of each disk. Delete them.

The most thorough way to remove it is to click Start -- Run -- cmd, OK, and write the following command in DOS (the root directory of the system disk may not contain the virus files, but the other disks should)
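The checks from steps 2 and 3, scripted in PowerShell as an added example. It is not from the original page and is separate from the DOS commands mentioned above, which the page does not list. It assumes an elevated session on the affected machine and uses only the registry paths, value names and file names given on this page; the file scan only reports and deletes nothing.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

# 1. Flag Run entries named Soundmam or pointing at svohost.exe / sxs.exe.
$run = Get-Item -Path $runKey
foreach ($name in $run.GetValueNames()) {
    $data = [string]$run.GetValue($name)
    if ($name -eq 'Soundmam' -or $data -match '\\(svohost|sxs)\.exe') {
        Write-Output "Suspicious Run entry: $name = $data"
        # Remove-ItemProperty -Path $runKey -Name $name   # uncomment after reviewing the entry
    }
}

# 2. CheckedValue must exist, be of type REG_DWORD, and hold 1.
$key  = Get-Item -Path $showAll
$kind = $null; $val = $null
if ($key.GetValueNames() -contains 'CheckedValue') {
    $kind = $key.GetValueKind('CheckedValue')
    $val  = $key.GetValue('CheckedValue')
    Write-Output "CheckedValue: type=$kind data=$val"
} else {
    Write-Output 'CheckedValue is missing'
}
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord -or $val -ne 1) {
    # Editing a REG_SZ value to 1 has no effect: delete it and recreate it as a DWORD.
    Remove-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue
    New-ItemProperty -Path $showAll -Name CheckedValue -PropertyType DWord -Value 1 | Out-Null
    Write-Output 'CheckedValue recreated as REG_DWORD = 1'
}

# 3. Report autorun.inf and sxs.exe in each drive root (-Force includes hidden and system files).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -Path $drive.Root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'autorun.inf', 'sxs.exe' } |
        ForEach-Object { Write-Output "Found: $($_.FullName) [$($_.Attributes)]" }
}
```

An autorun.inf in the root of optical media or an installer disk can be legitimate, so review each reported path before deleting it.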
