Removing sxs.exe worm

Man.. this virus is running wild… jumping from pc to pc via usb drive… here is a quick guide to remove it.

How do you know you have this virus?
1. Your browser will open some porn site from china everytime you start it. BAD
2. In your task manager, you have this SVOHOST.EXE running… BAD

First thing. Follow the instruction below. Follow it precisely or you can’t continue to the second step.

0. Press Ctr-Alt-Delete > Processes > locate “SVOHOST.EXE” and click End Process.

Removing Autostart Entry from the Registry
Removing the autostart entry from the registry prevents the malware from executing at startup.
If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry: SoundMam = “%System%\SVOHOST.exe”
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)

Restoring Modified Entries from the Registry or you can skip these steps by restoring the registery value from this file (The file only available for 90 days. Email me if the link fail). Just unzip it and double click all file.
1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer>
Advanced>Folder>Hidden>SHOWALL
2. In the right panel, locate the entry:CheckedValue = “0″
3. Right-click on the value name and choose Modify. Change the value data to: 1
4. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>srservice
5. In the right panel, locate the entry: Start = “dword:00000004″
6. Right-click on the value name and choose Modify. Change the value data to: 2
7. In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>wscsvc
8. In the right panel, locate the entry: Start = “dword:00000004″
9. Right-click on the value name and choose Modify. Change the value data to: 2
10. Close Registry Editor.

The second step. Now you should be able to unhide your files.

Go to My Computer.
Locate the toolbar, click: Tools>Folder Option>View
>check “Show hidden files and folder
>unchecked “Hide protected operating system files (Recommended)

Click Apply.

And you are ready to delete the sxs.exe and autorun.inf in your USB drive, external hardisk, floppy disk or any other infected removal drive.

Step 3: Deleting the winscok.dll file.

1. Go to My computer.
2. Paste the following into the Address bar (without the quotation mark) “C:\WINDOWS\system32”
3. Locate the file winscok.dll in that folder.
4. Delete it use Shift+Delete.

Step 4: Deleting sxs.exe and autorun.inf safely

1. Open My Computer.
2. Locate the infected drive. Let say drive K:. DO NOT DOUBLE-CLICK IT .
3. Right-click and choose Open
4. You should able to view your drive K: root directories now.
5. Locate sxs.exe and autorun.inf.
6. Delete them without mercy. Use Shift+Delete

That damn worm should not bother you anymore.

Cheers… :)

Disclaimer: This method works for me but I don’t know whether it will work for you.

Translated in my own way from this source:
http://www.newzgc.com/bbs/showdoc.asp?bid=39&id=13188

KEYWORD: removing, worm_delf, sxs.exe, winscok.dll, svohost.exe, virus, stupid virus.

For more info and tool, please visit the links below. ;