Manually finding and killing svohost.exe...

Source: Internet
Author: User

This morning I was going to continue helping the customer export a web page table to Excel.

The result: when I started the JSP server, Tomcat, it threw an error and would not start. I thought it was a Tomcat problem, so I started another JSP server, Resin; port 8080 could not be found....
Now the problem was serious... If neither server could start, it was definitely not a server problem but a computer problem. Then I found that CPU usage was at 100%.
Looking for suspicious processes, I found one named svohost.exe, apparently a bad guy pretending to be svchost.exe..

I opened Baidu and searched for svohost.exe, and found that it was a variant of the Wuhan Boy Trojan.. Then I remembered the CPU usage when I got off work yesterday. At the time I didn't pay attention to it; I thought it was a small Windows problem, restarted, turned the machine off and went home... Now I think of it, when I was searching for information on the internet yesterday, the advertisements on those websites popped up randomly.... Sweat...

Because I do not like to install antivirus software on my computer, I decided to kill it manually..

So I searched Baidu for how to find and kill svohost.exe, and found that the method is to delete C:\Windows\system32\svohost.exe in safe mode, and then delete its startup entry from the startup items.

I followed the method.. But I found that it came back soon... Opened regedit, searched for svohost, and deleted all related entries... Still useless... I began to admire the tyranny and power of this Trojan....

Nnd, never mind; I decided to use Ghost to restore the system. I had backed up the system before, so it was quickly restored.

System restored, OK, relaxed mood...

I prepared to open drive E and install the software that had not yet been installed at the time of the backup... It would not open! Drive D and drive F would not open either... A little problem. Restart, OK, got in, finished the whole system restore, and then opened Task Manager... I was dumbfounded... svohost.exe was back again... Why? Is reinstalling the system useless against this thing?...
Then I immediately thought about the failure of drives D, E and F....
It seemed that an autorun file had been added for autoplay.

In that case, I would use Ghost to restore drive C again. Let's take a good look at how to take this Trojan horse down... Hey, you are arrogant, but I am not weak..

After the system was restored, I did not dare to double-click drives D, E and F to open them. Right-clicking a drive, I found an "auto" entry in the context menu, which means autoplay... Without choosing that option, I opened the drive directly by entering the drive letter, set the view to show hidden files, and found no autorun.inf!! Impossible... Then let's check whether the option was really set.. Set it again.. Every time all files and folders were set to be shown, the option flipped back to hiding hidden files and folders... It seems that even the setting was hijacked by this Trojan... Strong...

The last method was to try it from the command line..

Ran cmd and changed to drive F:. Entered dir and dir /a to view and compare all files and folders (including hidden ones) in the directory. Haha... I finally saw it.

With dir /a, two hidden files appeared.. sxs.exe and autorun.inf seem to be the culprits. In that case, delete these two files right here..

At the F:\> prompt, run attrib -a -s -h -r sxs.exe.
Then run attrib -a -s -h -r autorun.inf to clear the hidden attributes of the two files.
Enter del sxs.exe and del autorun.inf to delete the two files.

Haha, did the same on drives D and E. OK, the cleanup succeeded. Opened drive F to try again...
A prompt box appeared asking which program to open the file with..

Depressed, this virus is so nasty....

Tnnd

Ran regedit and searched for sxs.exe. sxs.exe was found under the following three registry keys..
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e94c3814-d758-11da-8647-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e94c3815-d758-11da-8647-806d6172696f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e94c3816-d758-11da-8647-806d6172696f}
These three keys correspond to the autoplay function of the three drives on my computer. The value set there is sxs.exe, and you can find it by opening their subkeys..

Deleted these three records.. Opened the three drives again.. Hoho ~~ Finally, completely recovered...

To be honest, I have manually killed a lot of viruses before.. But this was the first time I met such a tenacious one.. I also have to admire the virus makers... Even reinstalling the system does not help against a virus like this... Ah

Here is a summary of the method for killing this virus:
1. First open Task Manager and end the svohost.exe process.
2. My Computer > Tools > Folder Options > View > untick "Hide protected operating system files (Recommended)".
3. Right-click drive C > Open, and delete svohost.exe under C:\Windows\system32. Search will not find it, so you have to locate it with your own eyes.. Sweat
4. Start > Run > msconfig > Startup > untick the svohost.exe startup item.
5. Start > Run > cmd > use dir /a to check every drive for the files sxs.exe and autorun.inf. If they exist, delete them using the method described above.
6. Last step (not needed if drives D, E and F open normally after the first five steps): Start > Run > regedit > find the entries under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, such as {e94c3812-d758-11da-8647-806d6172696f} and {e94c3813-d758-11da-8647-806d6172696f}, and delete them.
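As an added example (not from the original post), here is the check from step 5 and the F: drive cleanup turned into a small Python triage: it parses an autorun.inf to see which program it would launch, reads `attrib` output to find which of those files carry the hidden+system attributes that a plain dir does not show, and produces the attrib/del commands from the post for each hit. The autorun.inf text and the attrib listing are constructed samples modelled on what the post describes, not captured from the infected machine.

```python
import configparser
import re
# Constructed sample, not from the page: an autorun.inf of the kind the page
# describes (launches sxs.exe from the drive root) and `attrib` output for F:\.
SAMPLE_INF = """[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell\\Auto\\command=sxs.exe
shell=Auto
"""
SAMPLE_ATTRIB = """A  SHR       F:\\sxs.exe
A  SHR       F:\\autorun.inf
A            F:\\report.xls
"""

LAUNCH_KEYS = ("open", "shellexecute")                              # keys that run a program
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)  # shell\<verb>\command

def autorun_targets(inf_text):
    """Return (key, program) pairs for every program an autorun.inf would launch."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                          # keep key names as written
    cp.read_string(inf_text)
    targets = []
    for section in (s for s in cp.sections() if s.lower() == "autorun"):
        for key, value in cp.items(section):
            if value.strip() and (key.lower() in LAUNCH_KEYS or SHELL_CMD.match(key)):
                targets.append((key, value.split()[0].lower()))   # drop arguments
    return targets

def parse_attrib(attrib_output):
    """Map lower-cased file names to their attribute letters from `attrib` output."""
    attrs = {}
    for line in attrib_output.strip().splitlines():
        parts = line.split()
        name = parts[-1].rsplit("\\", 1)[-1].lower()  # last token is the path
        attrs[name] = set("".join(parts[:-1]).upper())  # the rest are flag letters
    return attrs

def triage(inf_text, attrib_output):
    """Flag autorun.inf and its launch targets that are hidden system files; return cleanup commands."""
    attrs = parse_attrib(attrib_output)
    suspects = {"autorun.inf"} | {prog for _, prog in autorun_targets(inf_text)}
    findings, cleanup = [], []
    for name in sorted(suspects):
        if {"S", "H"} <= attrs.get(name, set()):      # hidden + system: what plain dir hides
            findings.append(f"{name}: hidden system file referenced by autorun")
            cleanup += [f"attrib -a -s -h -r {name}", f"del {name}"]
    return findings, cleanup
```

Run `triage(SAMPLE_INF, SAMPLE_ATTRIB)` against real `attrib` output from a drive root to get the same two-file finding the post reached by hand.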

Some friends cannot find svohost.exe in step 3. This is because the Trojan has disabled showing hidden files on the system. Here are several methods:
1. Try using WinRAR's file browser to find and delete it.
2. Use a method similar to step 5 in cmd to locate svohost.exe and delete it.
3. Reinstall the system, then proceed directly from step 5.
4. See the fifth reply to this article (thank you). That reply makes up for a shortcoming of this article by restoring the system's ability to display hidden files, so that step can also be used to reveal the svohost.exe that the system hides.
