
Removing sxs.exe worm

September 25, 2006 | Posted in Tutorials |


Man.. this virus is running wild… jumping from PC to PC via USB drive… here is a quick guide to remove it.

How do you know you have this virus?
1. Your browser opens some porn site from China every time you start it. BAD
2. In your Task Manager, you have SVOHOST.EXE running (note the spelling: not the legitimate svchost.exe)… BAD

First thing. Follow the instructions below, and follow them precisely, or you can’t continue to the second step.

0. Press Ctrl-Alt-Delete > Processes > locate “SVOHOST.EXE” and click End Process.

Removing Autostart Entry from the Registry
Removing the autostart entry from the registry prevents the malware from executing at startup.
If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: SoundMam = “%System%\SVOHOST.exe”
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)

Restoring Modified Entries from the Registry
Or you can skip these steps by restoring the registry values from this file (the file is only available for 90 days; email me if the link fails). Just unzip it and double-click every file in it.
1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>
Advanced>Folder>Hidden>SHOWALL
2. In the right panel, locate the entry: CheckedValue = “0”
3. Right-click on the value name and choose Modify. Change the value data to: 1
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>srservice
5. In the right panel, locate the entry: Start = “dword:00000004”
6. Right-click on the value name and choose Modify. Change the value data to: 2
7. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>wscsvc
8. In the right panel, locate the entry: Start = “dword:00000004”
9. Right-click on the value name and choose Modify. Change the value data to: 2
10. Close Registry Editor.
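The same steps 0 to 10, written as a PowerShell script so they can be checked and repeated on several machines. This is an added example and not part of the original post or its registry backup file; it assumes Windows PowerShell 2.0 or later in an elevated (Administrator) session. The registry paths, value names and target values are the ones listed above; the function names are my own. A detail worth noting: CheckedValue and Start are REG_DWORD values, so the script recreates them with that type rather than leaving a string “1” behind (a commenter below reports that a string value does not take effect).

```powershell
# Added example, not from the original post: PowerShell equivalent of steps 0-10.
# Assumes Windows PowerShell 2.0+ in an elevated session. Run each function with
# -WhatIf first to see what would change; nothing is modified in that mode.

$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ShowAllKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$ServiceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\srservice',   # System Restore service
    'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'       # Security Center service
)

function Stop-SvohostProcess {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    # Step 0: the indicator is SVOHOST.EXE, one letter away from the legitimate svchost.exe.
    $procs = Get-Process -Name 'svohost' -ErrorAction SilentlyContinue
    if (-not $procs) { Write-Output 'No SVOHOST.EXE process found.'; return }
    foreach ($p in $procs) {
        if ($PSCmdlet.ShouldProcess("PID $($p.Id) ($($p.Path))", 'Stop process')) {
            Stop-Process -Id $p.Id -Force
        }
    }
}

function Remove-SoundMamAutostart {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    # Step 3: remove the Run value, but only if it really points at SVOHOST.exe.
    $item = Get-ItemProperty -Path $RunKey -Name 'SoundMam' -ErrorAction SilentlyContinue
    if (-not $item) { Write-Output 'No SoundMam autostart entry (malware may not have run yet).'; return }
    Write-Output "SoundMam = $($item.SoundMam)"
    if ($item.SoundMam -notmatch 'svohost\.exe') {
        Write-Warning 'SoundMam does not reference SVOHOST.exe; leaving it alone.'
        return
    }
    if ($PSCmdlet.ShouldProcess("$RunKey\SoundMam", 'Remove autostart value')) {
        Remove-ItemProperty -Path $RunKey -Name 'SoundMam'
    }
}

function Restore-HiddenFilesAndServices {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    # Steps 1-9: CheckedValue back to 1, both service Start values back to 2 (Automatic).
    $fixes = @(@{ Path = $ShowAllKey; Name = 'CheckedValue'; Value = 1 })
    foreach ($k in $ServiceKeys) { $fixes += @{ Path = $k; Name = 'Start'; Value = 2 } }
    foreach ($f in $fixes) {
        if (-not (Test-Path $f.Path)) { Write-Warning "Key missing: $($f.Path)"; continue }
        $key  = Get-Item -Path $f.Path
        $kind = if ($key.GetValueNames() -contains $f.Name) { $key.GetValueKind($f.Name) } else { 'Missing' }
        $cur  = $key.GetValue($f.Name)
        Write-Output ("{0}\{1}: type={2} current={3} wanted=DWORD {4}" -f $f.Path, $f.Name, $kind, $cur, $f.Value)
        if ($kind -eq 'DWord' -and $cur -eq $f.Value) { continue }   # already correct
        if ($PSCmdlet.ShouldProcess("$($f.Path)\$($f.Name)", "Recreate as DWORD $($f.Value)")) {
            # Delete first so a value of the wrong type (e.g. REG_SZ "1") is replaced, not kept.
            Remove-ItemProperty -Path $f.Path -Name $f.Name -ErrorAction SilentlyContinue
            New-ItemProperty -Path $f.Path -Name $f.Name -PropertyType DWord -Value $f.Value | Out-Null
        }
    }
}

# Usage: dot-source this file, then audit before changing anything:
#   Stop-SvohostProcess -WhatIf; Remove-SoundMamAutostart -WhatIf; Restore-HiddenFilesAndServices -WhatIf
# Run the three again without -WhatIf, then reboot so Explorer and the services pick up the values.
```

The order matters: end the process before touching the Run value, otherwise a still-running copy can write the entry back. The audit lines printed by Restore-HiddenFilesAndServices double as a quick check for the condition described at the top of the post, since a CheckedValue of 0 together with both services set to 4 (Disabled) is exactly the state this worm leaves behind.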

The second step. Now you should be able to unhide your files.

Go to My Computer.
On the toolbar, click Tools > Folder Options > View, then:
> check “Show hidden files and folders”
> uncheck “Hide protected operating system files (Recommended)”

Click Apply.

And you are ready to delete the sxs.exe and autorun.inf on your USB drive, external hard disk, floppy disk or any other infected removable drive.

Step 3: Deleting the winscok.dll file.

1. Go to My computer.
2. Paste the following into the Address bar (without the quotation mark) “C:\WINDOWS\system32”
3. Locate the file winscok.dll in that folder.
4. Delete it using Shift+Delete.

Step 4: Deleting sxs.exe and autorun.inf safely

1. Open My Computer.
2. Locate the infected drive. Let’s say it is drive K:. DO NOT DOUBLE-CLICK IT.
3. Right-click it and choose Open.
4. You should be able to view the root directory of drive K: now.
5. Locate sxs.exe and autorun.inf.
6. Delete them without mercy. Use Shift+Delete.
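Steps 3 and 4 done from PowerShell, which opens the drive through the file system provider and never double-clicks it, so autorun.inf is not honoured while you work. This is an added example and not part of the original post; it assumes Windows PowerShell 2.0 or later in an elevated session, and it also reads the autorun.inf it finds and reports which file it would launch, so the executable it points at (sxs.exe here) can be confirmed before deleting. The file names winscok.dll, sxs.exe and autorun.inf are the ones the post names; the function names are my own.

```powershell
# Added example, not from the original post: locate and remove the files named in steps 3 and 4.
# Assumes Windows PowerShell 2.0+ in an elevated session. Find-WormArtifacts only reports;
# Remove-WormArtifacts asks for confirmation per file (or use -WhatIf to see what it would do).

$WormFiles = @('sxs.exe', 'autorun.inf')   # dropped into the root of every drive the worm reaches

function Get-CandidateDriveRoots {
    # DriveType 2 = removable (USB sticks, floppies), 3 = local fixed disks. The worm targets
    # removable media, but commenters report it on local drives too, so both are scanned.
    Get-WmiObject -Class Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 3 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Root = $_.DeviceID + '\'
                Type = $(if ($_.DriveType -eq 2) { 'Removable' } else { 'Fixed' })
            }
        }
}

function Find-WormArtifacts {
    # Returns FileInfo objects for every file the post says to delete; nothing is changed.
    $hits = @()
    $dll = Join-Path $env:SystemRoot 'system32\winscok.dll'   # step 3
    if (Test-Path -LiteralPath $dll) { $hits += Get-Item -LiteralPath $dll -Force }
    foreach ($d in Get-CandidateDriveRoots) {                   # step 4
        foreach ($name in $WormFiles) {
            $path = $d.Root + $name
            if (-not (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue)) { continue }
            $item = Get-Item -LiteralPath $path -Force           # -Force: the files carry Hidden/System
            Write-Warning ("{0} drive: found {1} ({2})" -f $d.Type, $path, $item.Attributes)
            if ($name -eq 'autorun.inf') {
                # Show what the autorun file would start, so the paired executable is known.
                $launch = Get-Content -LiteralPath $path |
                          Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
                Write-Warning "$path would launch: $($launch -join '; ')"
            }
            $hits += $item
        }
    }
    $hits
}

function Remove-WormArtifacts {
    [CmdletBinding(SupportsShouldProcess=$true, ConfirmImpact='High')]
    param()
    foreach ($f in Find-WormArtifacts) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete permanently (no Recycle Bin)')) {
            $f.Attributes = 'Normal'                             # clear Read-only/Hidden/System first
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}

# Usage: dot-source this file, then
#   Find-WormArtifacts        # report only
#   Remove-WormArtifacts      # confirm each deletion; add -WhatIf to rehearse
```

If a deletion fails with the file in use, the process from step 0 is still running; end it and retry. After the files are gone, open each drive again with right-click > Open rather than double-click until you have confirmed autorun.inf has not reappeared.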

That damn worm should not bother you anymore.

Cheers… :)

Disclaimer: This method works for me but I don’t know whether it will work for you.

Translated in my own way from this source:
http://www.newzgc.com/bbs/showdoc.asp?bid=39&id=13188

KEYWORD: removing, worm_delf, sxs.exe, winscok.dll, svohost.exe, virus, stupid virus.

For more info and tools, please visit the links below.

20 Comments »


  1. svchost.exe or svohost.exe????

    Comment by Guruh Roy — September 28, 2006 @ 5:59 pm

  2. Guruh Roy: svohost.exe, NOT svchost.exe. If you end process svchost.exe then your Windows will restart :p

    Comment by fred — September 28, 2006 @ 8:36 pm

  3. i dunno what or where i went wrong but i cant display hidden files…

    i’v just got infected

    am trying to delete another file…
    gdiplus

    i think it has something to do with sxs.exe

    so sad… my final year projects are all in my laptop
    and i dont want to repeat my final year studies!!!

    Comment by kerina — October 3, 2006 @ 1:53 pm

  4. Hi i used your advice and it worked for me
    but just wanted to say that in the part where you say to change the value:
    “”HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>Advanced>Folder>Hidden>SHOWALL
    2. In the right panel, locate the entry:CheckedValue = “0″ “”

    Just wanted to say that you forgot to say that we must delete this value an create a new one but of type DWORD with name CheckedValue and value = 1 because if you only change value for 1 and the type is still numeric it wont work.
    thanks

    Comment by mario — October 5, 2006 @ 3:52 am

  5. kerina: I reply in your email
    mario: Would you like to help and write up what you did for that part. I used another registry value backup to do that part that I attached above. that is why I skipped that part. Thanks for the info. ;)

    Comment by fred — October 5, 2006 @ 9:30 am

  6. thanx fred for your help
    but by now i’ve formatted my laptop
    n thanx to my friend Nizam for his efforts
    in retrieving my final year project

    you guys are real heroes
    3 cheers!! hip-hip hurrah!!

    Comment by kerina — October 9, 2006 @ 6:02 pm

  7. hey! i read about ur solution. but i cannot locate svohost.exe in my processes, however i do have 2 svchost.exe and i cannot get rid of the sxs.exe.. any suggestions?? thanks for your help so far dude

    Comment by zr — November 2, 2006 @ 4:14 am

  8. It shouldn’t be a sxs.exe virus then, are you 100% sure it’s a sxe.exe virus?
    The proper name of the virus is “Worm.Pabug.f”

    Comment by Mr.Fantasy — November 15, 2006 @ 4:49 pm

  9. well sir, the virus/worm have a lot of variant, checked with the AV sites… the one I check was given delf.dar …something like that…. I named it sxs.exe worm/virus because it is the easiest way to identify it. I bet the name you give is the same thing but another variant..

    the name sxs.exe is just a reference name for me.. ;)

    cheers

    Comment by fred — November 16, 2006 @ 1:05 am

  10. i was having a headache with this virus that infected not only my thumbdrive,external harddisk and now it infected my pc at home too..thank goodness i found your site and now i’m able to clear away e virus and need not format my com. thank u so much!

    Comment by alice — November 16, 2006 @ 11:43 pm

  11. Thanks a lot
    it works

    Comment by Masoud — June 19, 2007 @ 3:08 am

  12. Deleted the sxs.exe and autorun.inf files, however i wasn’t able to locate the winscok.dll … My problem now is, everytime i doubleclick on my local drives (eg D:/).. it redirects me to an “Open with” window.. any help would be very much appreciated.. thanks

    Comment by Ellsworth — July 27, 2007 @ 11:25 am

  14. thanks a lot… it works gosbless

    Comment by Denver — November 27, 2007 @ 11:38 am

  15. I GOT 5 SVCHOST.EXE IN MY TASK MANAGER PROCESSES.. SO HOW???

    Comment by sITI — February 6, 2009 @ 8:41 pm

  16. sITI: read the text correctly and you will know.

    Comment by fred — February 7, 2009 @ 5:01 pm

  17. But i found in the net that SCVHOST is not something bad. It is meant to run some programs.. AM I RIGHT??

    Comment by sITI — February 9, 2009 @ 6:43 pm

  18. the virus is SVOHOST not SVCHOST. and high probability you have the new variants.

    Comment by fred — February 10, 2009 @ 9:30 am

  19. Is this the same as this virus?
    http://www.symantec.com/security_response/writeup.jsp?docid=2006-092516-5127-99&tabid=2
    It has a removal tool but I’m still trying to figure out which virus I have.

    Comment by Joe — July 24, 2009 @ 11:44 pm

  20. well when we double click it opens in new drive i have solution for it
    its all because of autorun.exe
    open cmd
    go the the drive
    like c: or d:
    type attrib s d -a -r -s -h
    then u see a file autorun.inf this it the file which activates the virus see the content in notepad
    open=*
    this value will trigger the file
    delete the file
    open task manager find explorer.exe in process kill it and then click on file>new program>explorer.exe u are done

    Comment by ketan — July 30, 2009 @ 11:08 pm
