Clearing the rampant Sxs.exe virus (virus removal)

Source: Internet
Author: User
Tags: virus scan
When the symptoms appeared, I first went online to look up the relevant information. The first step is to make hidden files visible:
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, change the value of CheckedValue to 1.
That still did not help; hidden files were still not shown. On closer inspection I found that the virus has a nastier trick: to keep files hidden even after the registry is modified, it deletes the original, valid DWORD value CheckedValue, creates a new, invalid string value also named CheckedValue, and sets it to 0 (see figure). So you think changing the 0 to 1 will fix it, but the fault remains, which explains the behaviour described above.
The correct method is: first check whether CheckedValue is of type REG_DWORD. If it is not, delete the impostor CheckedValue (in this "case", the CheckedValue of type REG_SZ). Then right-click, choose "New" > "DWORD Value", name it CheckedValue and set its value to 1. After that you can select "Show all hidden files".
After just these few operations the hidden files on my computer could be seen again. If the above method does not work, the data under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden may be missing or corrupted. In that case, find Hidden.reg on the Windows XP installation CD, double-click it and click OK to add the complete registry data to the current system's registry. (Note: I did not have an XP installation CD to look for this file. If you unfortunately run into this situation, you can try the following method: find a computer without the problem, export the branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden (say as 1.reg), back up the same registry branch on the problem computer, and finally import 1.reg to see whether it solves the problem. I have not tried this myself, so I do not know whether anything will go wrong; good luck! If someone can find this file on the XP installation CD, please copy its contents into the comments and say whether the XP disc is SP1 or SP2. Thank you!)
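The type check and repair described above, as an added PowerShell example (not code from the original post). It assumes an elevated PowerShell session on Windows; the function previews its changes with -WhatIf and only rewrites CheckedValue when the value is missing, has the wrong type, or is not 1.

```powershell
# Added example: inspect the CheckedValue that the Sxs.exe infection replaces
# with a REG_SZ, and recreate it as REG_DWORD = 1 when it is not valid.
# Assumes an elevated session; run with -WhatIf first to preview.
function Repair-ShowAllCheckedValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL',
        [string]$Name = 'CheckedValue'
    )

    if (-not (Test-Path -LiteralPath $Key)) {
        # The whole Hidden branch is gone: the post's fallback is to import the
        # branch from a healthy machine; there is nothing to repair in place.
        Write-Warning "Key not found: $Key (branch missing or corrupted)"
        return
    }

    $item = Get-Item -LiteralPath $Key
    $kind = $null
    $data = $null
    if ($item.GetValueNames() -contains $Name) {
        $kind = $item.GetValueKind($Name)   # REG_DWORD expected; the worm leaves a REG_SZ
        $data = $item.GetValue($Name)
        Write-Host ("{0}: type={1} data={2}" -f $Name, $kind, $data)
    } else {
        Write-Warning "$Name is missing under $Key"
    }

    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 1) {
        Write-Host 'CheckedValue is already a REG_DWORD set to 1; nothing to do.'
        return
    }

    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'delete impostor value and recreate as REG_DWORD = 1')) {
        if ($null -ne $kind) {
            # Remove the impostor value first: Set-ItemProperty would keep the REG_SZ type.
            Remove-ItemProperty -LiteralPath $Key -Name $Name
        }
        New-ItemProperty -LiteralPath $Key -Name $Name -PropertyType DWord -Value 1 | Out-Null
        Write-Host 'CheckedValue recreated as REG_DWORD = 1.'
    }
}

Repair-ShowAllCheckedValue -WhatIf   # preview; drop -WhatIf to apply
```

Re-running the function afterwards should report type=DWord data=1; if the value reverts, the worm is still running and must be stopped first.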
I see that my D:, E: and F: drives (every disk except C:) contain two files, Autorun.inf and sxs.exe; when I delete them they are regenerated. When a USB stick is plugged in, the same two files appear on it as well. By now the antivirus software could not start at all; I switched to Jinshan and then Jiangmin, but it was no use, so the virus apparently blocks antivirus software from running. So the first thing is to stop the virus from running automatically. I found the information below on the Internet, but when I tried it, it did not work, and I could not find Rous.exe. I provide it here so you can try it yourself!
You have a modified Rose virus.
You can end the SxS process and then delete it. Remember to enter each drive with the right mouse button.
Press Ctrl+Shift+Esc at the same time to open Windows Task Manager.
Select the "Processes" tab.
Look for "Sxs.exe" under "Image Name", click it and select "End Process".
Be sure to end all "sxs.exe" processes.
Open My Computer and click Folder Options under the Tools menu.
On the View tab, uncheck "Hide protected operating system files (Recommended)"
and select the "Show all files and folders" option below it.
Click "OK".
Right-click the C: drive (do not double-click!) and select Open.
Delete the "Autorun.inf" and "Sxs.exe" files in the root of the C: drive.
Right-click the D: drive and select "Open".
Delete the "Autorun.inf" and "Sxs.exe" files on the D: drive (there is also another .exe file there; delete it too).
......
And so on: delete the Autorun.inf and "Rose.exe" files on every drive.
Click Start, select "Run", type "regedit" (without the quotes) and press Enter.
In Registry Editor, expand on the left: My Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run
Delete the ROSE (C:\windows\system32\SXS.exe) entry under Run.
Close Registry Editor.
Then restart the computer.
Removing Rose from a removable (USB) drive:
Hold down the SHIFT key while inserting the USB drive until the computer reports that the new hardware is ready to use.
Open My Computer.
Right-click the USB drive icon and choose "Open" (do not use AutoPlay or double-click!).
Delete the SXS.exe and Autorun.inf files. The virus is gone.
The method above was no use for me! sxs.exe could not be killed, so now the only way left is to remove the virus through the registry.
Open the registry with "regedit" and find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Some netizens said to delete the ROSE (C:\windows\system32\SXS.exe) entry under Run.
I looked for the Run key for a while and found it, but I saw two "Soundmam" entries under Run with different values: one was "C:\\windows\\system32\\svohost.exe" and the other "soundman.EXE". I think everyone can see that something must be wrong. On inspection, only the latter is correct; the former is the "AutoPlay Server" program of Hero Super Jieba (it seems the virus adds itself here and spreads everywhere with the help of autoplay. That is what I think; I don't know if it is right). So I deleted that entry, exited the registry and opened the antivirus software, which could now be used. But an ordinary antivirus scan still could not find Sxs.exe. I used Jiangmin, which has an unknown-virus scan; there it can be found, reported as a "hard disk worm". Delete it and that's it. Originally I wanted to take a screenshot for everyone, but I restarted and did not copy it down; whichever friend can, please add it below! Thank you!
What is left is Autorun.inf; go to each hard drive and delete it directly, then empty the Recycle Bin. Everything else is normal. Some users' systems may still have problems, for example Hero Super Jieba's "AutoPlay Server" can no longer be used. My advice is: do not use it, it is the cause of the trouble! If you want to use it, reinstall it. Finally reboot, and you're done!
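The two persistence points the thread above walks through by hand (Autorun.inf in each drive root, and the Run keys) can be inventoried before anything is deleted. The following is an added PowerShell example, not code from the thread; it assumes Windows PowerShell run elevated so every drive root is readable, and the suspect file names are the ones the thread mentions.

```powershell
# Added example: report every drive-root Autorun.inf and what it would launch,
# then list Run-key entries and flag the names discussed in the thread.
# Nothing is modified; assumes an elevated Windows PowerShell session.
function Get-AutorunInfReport {
    # Fixed and removable drives only (DriveType 2 = removable, 3 = fixed)
    $drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 }
    foreach ($d in $drives) {
        $inf = Join-Path $d.DeviceID 'Autorun.inf'
        # -Force: the worm sets hidden/system attributes, which Get-Item skips by default
        $file = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        # Autorun.inf is INI-style; open=, shellexecute= and shell\...\command= lines
        # name what AutoPlay or a double-click on the drive would launch.
        $targets = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_ -match '^\s*(open|shellexecute|shell\\[^=]*command)\s*=\s*(.+)$') { $Matches[2].Trim() }
        }
        [pscustomobject]@{
            Drive      = $d.DeviceID
            Attributes = $file.Attributes
            Launches   = ($targets -join '; ')
        }
    }
}

function Get-RunKeyReport {
    # Names taken from the thread above; extend the list as needed
    param([string[]]$SuspectNames = @('sxs.exe', 'svohost.exe', 'rose.exe'))
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run values
            $cmd  = [string]$p.Value
            # First .exe token in the command line, e.g. svohost.exe from C:\windows\system32\svohost.exe
            $leaf = if ($cmd -match '([^\\/":]+\.exe)') { $Matches[1].ToLower() } else { '' }
            [pscustomobject]@{
                Key     = $k
                Name    = $p.Name
                Command = $cmd
                Suspect = ($SuspectNames -contains $leaf)
            }
        }
    }
}

Get-AutorunInfReport | Format-Table -AutoSize
# Look-alike names (the thread's Soundmam vs soundman) sit side by side when sorted by Name.
Get-RunKeyReport | Sort-Object Name | Format-Table -AutoSize
```

An Autorun.inf whose Launches column points at an .exe in the same drive root, together with a Suspect=True Run entry, matches the infection pattern the thread describes.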
Trojans remotely control victims' computers: please pay attention to password security
Zhongguancun
Author: Zhongguancun Sheyin
CNET China (ZOL) reported on October 8: the Beijing Information Security Evaluation Center and Jinshan Poison PA jointly released the popular viruses of October 8, 2006.
Today users are reminded to pay special attention to the following viruses: "Grey Pigeon variant IR" (Hack.Huigezi.ir) and "Downloader variant CY" (TROJ.DOWNLOADER.CY).
"Grey Pigeon variant IR" (Hack.Huigezi.ir) is a hacker virus: it connects to port 8000 on a remote host and waits for the hacker's commands.
"Downloader variant CY" (Troj.Downloader.cy) is a Trojan: it pops up web pages on a timer and downloads and runs plug-ins.
According to the Rising global antivirus monitoring network, two viruses are particularly noteworthy today: "Missim Horse variant Kev (Trojan.PSW.Misc.kev)" and "Secretive Release variant Bqo (DROPPER.DELF.BQO)". "Missim Horse variant Kev" is a password-stealing Trojan that can steal the account names and passwords of a variety of online games, causing losses to players. The "Secretive Release variant Bqo" virus releases other viruses and malicious programs that threaten users' information security.
http://db.kingsoft.com/ (Jinshan Poison PA), http://www.rising.com.cn (Rising)
Jinshan's popular viruses today:
"Grey Pigeon Variant IR" (Hack.Huigezi.ir) Threat Level: ★
According to a Jinshan Poison PA antivirus engineer, this is a hacker virus. It copies itself to %systemroot%hacker.com.cn.ini and runs from there, deletes the original virus file, modifies the registry to add itself as the "Windows Update" system service, and sets it to start at boot. The infected host then connects to port 8000 on a remote host and waits for the hacker's commands, so the user's host is completely under the hacker's control.
"Download variant cy" (TROJ.DOWNLOADER.CY) Threat Level: ★
According to a Jinshan Poison PA antivirus engineer, this is a Trojan. After it runs, it drops iexp1ore.exe into the %system% directory to disguise itself, modifies the registry to add a "Serviceremote" system service so that it starts at boot, then downloads a configuration file from the network and periodically pops up web pages and downloads and runs plug-ins.
Jinshan antivirus engineers recommend:
1. Do not casually run files downloaded from the Internet before they have been checked with antivirus software; it is strongly recommended that you scan them with the latest Poison PA virus database and only then decide whether to run them.
2. Once an attacker controls a user's computer, the user's information can be leaked directly. For the security of your system and personal information, experts advise that before opening an unfamiliar file you scan it with antivirus software using the latest virus definitions.
Rising's hot viruses today:
"Missim Horse variant Kev (Trojan.PSW.Misc.kev)" virus: alert level ★★★, password-stealing Trojan, spreads through the network, affected systems: WIN 9x/NT/2000/XP.
This is a Trojan. After running, it copies itself into the system directory and modifies the registry startup entries so that it runs automatically at system startup. The Trojan runs in the background and tries to steal the accounts and passwords of online games such as "Legend", "Legend World" and "Warcraft", causing losses to gamers.
"Secretive Release variant Bqo (DROPPER.DELF.BQO)" virus: alert level ★★★, virus dropper, spreads through the network, affected systems: WIN9X/NT/2000/XP.
After it starts, the virus releases other virus files from its own body. The viruses it releases may steal the user's bank card accounts, passwords and other information. Infected computers can also be remotely controlled by hackers, for example to add or delete files or restart the computer.
Rising antivirus experts recommend:
1. Build good security habits: do not open suspicious mail or visit suspicious websites;
2. Many viruses spread by exploiting vulnerabilities, so apply patches to the system promptly;
3. Install professional antivirus software, upgrade it to the latest version and turn on real-time monitoring;
4. Install personal firewall software with a "Trojan wall" function to prevent passwords from being stolen.
Stay away from danger: using "invisibility" on the LAN
As the saying goes, protect yourself first. On a local area network, what really threatens your information security is not the remote hacker but the "people" right beside you. Because Network Neighborhood shared files are so widely used on LANs, we need the help of "invisibility" to guard against internal malicious attacks when sharing files.
Basic invisibility: hiding the shared folder
Do not think that a password on the shared folder guarantees security: Windows has many vulnerabilities, and "password crackers" are easy to download from the Internet. It is much safer if people cannot see your shared folder from Network Neighborhood at all. This is easy to do: right-click the folder you want to hide, click the "Sharing" option, fill in the share name and append a dollar sign "$", for example "Shared file$", then fill in the password. Anyone who wants to access your shared files must type "\\computer name (or IP address)\Shared file$" in the address bar, press Enter, and enter the password to get to your folder.
Advanced invisibility: sharing without the share flag
Using the method above, others cannot see the folder you share through Network Neighborhood. But if one day someone notices that there is a shared folder on your computer (a shared folder has a special icon, a small hand beneath it, clearly different from an ordinary folder) yet cannot see it from Network Neighborhood, he may well get curious and try every means to open the share. If you can remove the small hand from the shared folder so that it looks like an ordinary folder, nobody can tell it is shared, and it is safer still. Take sharing the D: drive without the share flag as an example. First, use the basic invisibility introduced at the start of this article and share the D: drive as a hidden share. Then open Registry Editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\D$ (you can also use the registry's Find function to locate the key "D$" directly). Change the DWORD value "Flags" from "192" to "302"; the change takes effect after restarting Windows. To access the share, just enter "\\computer name\D$" in the address bar to see the shared contents of D:. At this point you will find that even Explorer on this computer no longer shows D: as shared. Isn't that amazing? Who besides you knows that your D: drive is shared?
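The flip side of the two tricks above is that an administrator auditing a host wants to see exactly those shares. The following is an added PowerShell example (not code from the article): it lists shares whose name ends in "$" that are not the built-in administrative shares, and, where the LanMan registry branch the article edits exists, reports each share's Flags value. It assumes Get-SmbShare is available (Windows 8 / Server 2012 or later); the LanMan branch only exists on older systems, so it is checked conditionally.

```powershell
# Added example: find user-created "$" shares and report LanMan Flags values.
# Assumes Get-SmbShare (Windows 8+); read-only, changes nothing.
function Get-HiddenShareReport {
    $builtin = @('ADMIN$', 'IPC$', 'PRINT$', 'FAX$')
    Get-SmbShare | ForEach-Object {
        # C$, D$ ... and the names above are the defaults Windows creates itself
        $isDefault = ($_.Name -in $builtin) -or ($_.Name -match '^[A-Z]\$$')
        [pscustomobject]@{
            Name             = $_.Name
            Path             = $_.Path
            HiddenFromBrowse = $_.Name.EndsWith('$')
            AdminDefault     = $isDefault
            # A non-default share ending in "$" is exactly the article's "invisible" share
            Review           = $_.Name.EndsWith('$') -and -not $isDefault
        }
    }
}

function Get-LegacyLanManFlags {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan'
    if (-not (Test-Path -LiteralPath $key)) { return }   # branch absent on current Windows
    Get-ChildItem -LiteralPath $key | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Share = $_.PSChildName
            Flags = $p.Flags   # article: 192 = normally shared, 302 = share flag removed
        }
    }
}

Get-HiddenShareReport | Where-Object Review | Format-Table -AutoSize
Get-LegacyLanManFlags | Format-Table -AutoSize
```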
360 Security Guard raises the removal level of Hundred Dog (weeks 39/40)
360 Security Center (http://www.360safe.com) release: around the National Day holiday the domestic malicious software scene was relatively calm, with no significant "epidemic" in the two weeks ending October 8. Besides intercepting two new pieces of malicious software, the 3721.*.dll variant and Linkmedia, and adding targeted removal for them, 360 Security Guard also adjusted the removal level of the much-discussed Hundred Dog software from the previous plug-in level to the malicious software level. Yahoo software topped the list with 1.4 million uninstalls in one week.
Data from the 360 Security Center operations team show that cumulative installations of 360 Security Guard now exceed 5.8 million. Installations by Internet users slowed slightly during National Day, but a new round of rapid growth is expected with the release of the official version of 360 Security Guard 2.0 after the holiday.
We suggest that netizens build good software installation habits: install software downloaded from official websites and reputable download sites wherever possible, apply security patches to the system promptly, and regularly use 360 Security Guard to check your computer.
"Key Malware Broadcast"
Hundred Dog
Malware name: Hundred Dog
Danger level: ★★★★
Malware type: browser hijacking
Company: www.baigoo.com
Malicious behavior: forced installation
Transmission route: bundled installation
3721.*.dll variant
Malware name: 3721.*.dll variant
Danger level: ★★★★★★
Malware type: Trojan
Company: unknown
Malicious behavior: forced installation, cannot be completely deleted, adds favorites, self-modifying
Transmission route: bundled installation
Linkmedia
Malware name: Linkmedia
Danger level: ★★★★★★
Malware type: adware
Company: unknown
Malicious behavior: forced installation, pop-up ads, cannot be completely deleted
Transmission route: bundled installation
"User-removed malware TOP10 broadcast"
Yahoo Assistant
Malware name: Yahoo Assistant
Danger level: ★★★★★★
Company: Yahoo China
Weekly user uninstalls: 707423
Network Real Names
Malware name: Network Real Names
Danger level: ★★★★★★
Company: Yahoo China
Weekly user uninstalls: 699885
CNNIC Chinese Internet
Malware name: CNNIC Chinese Internet
Danger level: ★★★★★★
Company: China Internet Network Information Center
Weekly user uninstalls: 608226
CNNIC worry-free Internet access toolbar
Malware name: CNNIC Internet access toolbar
Danger level: ★★★★★★
Company: China Internet Network Information Center
Weekly user uninstalls: 555081
Baidu Super Search PA
Malware name: Baidu Super Search PA
Danger level: ★★★★★★
Company: Baidu
Weekly user uninstalls: 439444
u1.sky99.cn
Malware name: u1.sky99.cn
Danger level: ★★★★★★
Company: unknown
Weekly user uninstalls: 291021
eBay Shopping Button
Malware name: eBay Shopping Button
Danger level: ★★★★
Company: eBay
Weekly user uninstalls: 271056
Baidu Search Companion
Malware name: Baidu Search Companion
Danger level: ★★★★★★
Company: Baidu
Weekly user uninstalls: 256091
Search in the Address Bar
Malware name: Search in the Address Bar
Danger level: ★★★★★★
Company: Search in
Weekly user uninstalls: 247445
Dmcast Desktop Media/IE-bar
Malware name: Dmcast Desktop Media/IE-bar
Danger level: ★★★★★★
Company: Thousand Oak
Weekly user uninstalls: 242774
