My solution to the recent and rampant sxs.exe Virus

Source: Internet
Author: User
Tags virus scan

In view of the above symptoms, I first went online to find relevant information. First, I needed to show hidden files.

Here: HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL: change the CheckedValue to 1.

It was still useless: hidden files were still not displayed. Looking carefully, I found that the virus has a more powerful trick: after it modifies the registry to hide files, to be on the safe side it deletes the valid DWORD value CheckedValue, creates an invalid string value named CheckedValue, and sets its data to 0! So you think that changing 0 to 1 will make everything better, but the fault remains. It is no wonder that the symptoms above appeared.

The correct method is: first check whether the type of CheckedValue is REG_DWORD. If it is not, delete the impostor ("Li Gui") CheckedValue (in this case, delete the CheckedValue of type REG_SZ). Then right-click, choose "New" --> "DWORD Value", name it "CheckedValue", and set its value data to 1, so that you can select "show all hidden files".

After these operations, we can see the hidden files on my computer. If the above method does not work, the data under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden may be lost or damaged. In this case, find Hidden.reg on the Windows XP installation disc, double-click it, and click "OK" to add the complete registry data to the registry of the current system. (Note: The XP installation CD I have on hand does not have this file. If you are unlucky enough to run into this situation, you can try this method: find a computer with no problems, export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden branch (say it is named 1.reg), back up the same registry branch on the problematic computer, and import 1.reg to check whether the problem is solved. I have never tried it, so I don't know if there will be any accidents. Good luck! If someone can find this file on the XP installation CD, please copy its content into a comment and indicate whether the XP installation CD is SP1 or SP2. Thank you!)

I have seen the autorun.inf and sxs.exe files on my D:, E: and F: drives (in addition to the C drive); when deleted, they are regenerated. These two files also appear when a USB flash drive is inserted. Here is a method for you. Let's give it a try!

You have modified the ROSE virus.
The SXS process can be removed. Remember to right-click to open a drive.
First, press Ctrl + Shift + Esc to open the Windows Task Manager.
Select the "Processes" tab.
Find "sxs.exe" in the name column, click it and select "End Process".
End all sxs.exe processes.
Open My Computer and click "Folder Options" under the Tools menu.
Click the "View" tab.
Uncheck the "Hide protected operating system files (recommended)" option.
And select the "show all files and folders" option below it.
Click "OK".
Right-click drive C (you cannot double-click it!) and select "Open".
Delete the autorun.inf and sxs.exe files under drive C.
Right-click drive D and select "Open".
Delete the "autorun.inf" file and the "sxs.exe.pdf" file under drive D (A file exists, and the file is also deleted by A. EXE file)
......
Similarly, delete the AUTORUN.INF file and ecliprose.exe file on all disks.
Click Start, select "Run", enter "regedit" (without the quotation marks) and press Enter.
In the left pane of the Registry Editor, expand My Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run.
Delete the ROSE (c:\windows\system32\SXS.exe) entry under the Run key.
Close the Registry Editor.
Then restart the computer.
To remove ROSE from a USB flash drive:
Hold Shift while inserting the USB flash drive until the computer prompts "new hardware is available".
Open My Computer.
Right-click the USB flash drive icon and choose "Open" (do not use AutoPlay or double-click it!).
Delete the SXS.exe and autorun.inf files.

As I mentioned, the method above was useless for me! It does not kill sxs.exe. Currently, the virus can only be killed through the registry.

Open the registry with regedit and find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Some netizens say to delete the ROSE (c:\windows\system32\SXS.exe) entry under the Run key.

I did not find this entry under Run, but I did notice that there are two "SoundMam" entries under Run, and their values are different: one is "C:\WINDOWS\system32\SVOHOST.exe" and the other is "SOUNDMAN.EXE". I think you have spotted it too: there must be a problem. I have looked into it, and only one of them is correct. The other is the "automatic playback server" program of Haojie super solution; it seems that the virus attaches itself to this file and spreads everywhere through automatic playback! I used Jiangmin's website, which has an unknown-virus scan, and it identified this as a hard disk worm. Just delete it. I wanted to take a screenshot for you; unfortunately, I restarted and did not save the screenshot. Which of the following is my friend's suggestion! Thank you!

As for autorun.inf, you can simply delete it from each drive and then empty the Recycle Bin. Everything else is normal, although some netizens may run into problems; for example, the "automatic playback server" of Haojie super solution can no longer be used. My suggestion is: don't use it, it's just a bad thing! Reinstall it if you have to! Finally, restart. OK!
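The checks described above, scripted in PowerShell as an added example that is not part of the original post: it verifies that CheckedValue is a REG_DWORD set to 1, and reports Run entries and drive-root files that match the file names mentioned on this page. It assumes an elevated PowerShell session; the `-Repair` switch is a name chosen for this example.

```powershell
param([switch]$Repair)   # hypothetical switch: without it the script only reports

# 1. CheckedValue must be a REG_DWORD with data 1 (the page describes a REG_SZ impostor).
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$name    = 'CheckedValue'
$key     = Get-Item -LiteralPath $showAll -ErrorAction Stop

$kind = $null; $data = $null
if ($key.GetValueNames() -contains $name) {
    $kind = $key.GetValueKind($name)
    $data = $key.GetValue($name)
}
$ok = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($data -eq 1)
"{0}: type={1} data={2} ok={3}" -f $name, $kind, $data, $ok

if (-not $ok -and $Repair) {
    # Editing the string value's data is not enough: delete it and recreate it as a DWORD.
    if ($null -ne $kind) { Remove-ItemProperty -LiteralPath $showAll -Name $name }
    New-ItemProperty -LiteralPath $showAll -Name $name -PropertyType DWord -Value 1 | Out-Null
    "$name recreated as REG_DWORD = 1"
}

# 2. Report (never delete) Run entries that reference the file names mentioned on this page.
$run     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$suspect = 'sxs\.exe|svohost\.exe'
$runKey  = Get-Item -LiteralPath $run -ErrorAction Stop
foreach ($valueName in $runKey.GetValueNames()) {
    $command = [string]$runKey.GetValue($valueName)
    if ($command -match $suspect) { "Suspicious Run entry: $valueName = $command" }
}

# 3. Report autorun.inf / sxs.exe in the root of every drive; -Force includes hidden and system files.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -LiteralPath $drive.Root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ('autorun.inf', 'sxs.exe' -contains $_.Name) } |
        ForEach-Object { "Found $($_.FullName) [$($_.Attributes)]" }
}
```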
