Introduction
This is a very simple way to remove the Soundmix virus in three simple steps. When I found out that I would have to pay $29.99 for an antivirus, and that the antivirus wouldn't fix the aftermath of the virus, I started thinking about what I could do about it, and I wrote this article from what I learned in the process.
Background
This virus targets removable USB flash drives. Whenever you plug a USB stick in, the virus creates an autorun.inf file and a folder named "RECYCLER", copies itself into that folder, and then hides them all. Every time you plug the stick into another computer, autorun executes the virus, which infects the computer and creates these files:
%System%\dllcache\zipexr.dll
%System%\soundmix.exe
This virus works in two life cycles. The first is harmless: it just infects other computers and creates a lot of harmful exe files with the icon of a folder. The second is the fatal one, and it starts if you double-click one of those files: it makes your computer reboot, and every time you log in to Windows it executes again and causes another reboot. Terrible experience!
The soundmix.exe injects some code into the Windows shell so that every time Windows wants to run an application, soundmix.exe interferes and starts the process itself. If you simply remove it, you will not be able to run any .exe file or application, so you will need a tool to fix this issue. I found something on the internet, a COM application; I don't know what it does, but it works!
The third step is to remove the copies of the fatal virus that are spread through your computer under your directory names. To do that, we have to search the hard disk for applications with the same size and delete them.
There is just one more thing that remains, and that is you will not be able to see hidden files; if anyone knows how to fix it, post a comment.
Using the code
What I did was write a very simple application in three simple steps:
    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Linq;
    using System.Text;
    using System.Windows.Forms;
    using System.Collections.ObjectModel;
    using System.IO;

    namespace WindowsFormsApplication1
    {
        public partial class Form1 : Form
        {
            public Form1()
            {
                InitializeComponent();
            }

            // Step 1: clean the USB stick whose path is typed into textBox1,
            // then stop the virus process and delete the files it dropped.
            private void button1_Click(object sender, EventArgs e)
            {
                DirectoryInfo di = new DirectoryInfo(textBox1.Text);

                // Unhide every file in the root of the stick.
                FileInfo[] fii = di.GetFiles();
                for (int i = 0; i < fii.Length; i++)
                {
                    fii[i].Attributes = FileAttributes.Normal;
                }

                // Empty and remove the "RECYCLER" folder the virus created.
                DirectoryInfo[] dii = di.GetDirectories();
                for (int i = 0; i < dii.Length; i++)
                {
                    if (dii[i].Name == "RECYCLER")
                    {
                        dii[i].Attributes = FileAttributes.Normal;
                        fii = dii[i].GetFiles();
                        for (int ii = 0; ii < fii.Length; ii++)
                        {
                            fii[ii].Attributes = FileAttributes.Normal;
                            fii[ii].Delete();
                        }
                        dii[i].Delete();
                    }
                }

                // Kill every running instance first so soundmix.exe is not locked.
                System.Diagnostics.Process[] p = System.Diagnostics.Process.GetProcesses();
                for (int i = 0; i < p.Length; i++)
                {
                    if (p[i].ProcessName == "soundmix")
                    {
                        p[i].Kill();
                        p[i].WaitForExit();
                    }
                }

                // Delete the dropped files once, outside the loop, so a second
                // process instance or an already-missing file no longer throws.
                string system = Environment.SystemDirectory; // %System%
                DeleteIfExists(Path.Combine(system, "soundmix.exe"));
                DeleteIfExists(Path.Combine(system, @"dllcache\zipexr.dll"));
            }

            // Clears the hidden/system/read-only attributes, then deletes the file.
            private static void DeleteIfExists(string path)
            {
                FileInfo fi = new FileInfo(path);
                if (!fi.Exists)
                    return;
                fi.Attributes = FileAttributes.Normal;
                fi.Delete();
            }

            private void process1_Exited(object sender, EventArgs e)
            {
            }

            // Step 2: run the exefix_xp.com tool shipped next to this application.
            private void button2_Click(object sender, EventArgs e)
            {
                string s = Application.StartupPath + "\\exefix_xp.com";
                if (File.Exists(s))
                    System.Diagnostics.Process.Start(s);
            }

            // Step 3: delete every .exe on D:\ whose size equals numericUpDown1.
            private void button3_Click(object sender, EventArgs e)
            {
                recursiveScan(new DirectoryInfo(@"D:\"));
            }

            public void recursiveScan(DirectoryInfo di)
            {
                long size = (long)numericUpDown1.Value;

                // Check the files in this folder (the drive root included).
                FileInfo[] fi = di.GetFiles("*.exe");
                for (int i = 0; i < fi.Length; i++)
                {
                    if (fi[i].Length == size)
                    {
                        fi[i].Attributes = FileAttributes.Normal;
                        fi[i].Delete();
                    }
                }

                // Then descend into each subfolder.
                DirectoryInfo[] dii = di.GetDirectories();
                for (int ii = 0; ii < dii.Length; ii++)
                {
                    if (dii[ii].Name == "System Volume Information")
                        continue;
                    recursiveScan(dii[ii]);
                }
            }
        }
    }
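Step three matches files by size alone, so an unrelated .exe that happens to have the same length is deleted as well. The following added example (not part of the original article's code) confirms each size match with a SHA-256 comparison against a reference copy you have already identified, and only lists the hits instead of deleting them. The class name, the method names and the temp files built in Main are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
static class SizeAndHashScan // hypothetical name, not from the article
{
    static string Sha256Hex(string path)
    {
        using (var sha = SHA256.Create())
        using (var fs = File.OpenRead(path))
            return BitConverter.ToString(sha.ComputeHash(fs));
    }
    // Lists .exe files under root that are byte-identical to referenceSample.
    public static List<string> FindCopies(string root, string referenceSample)
    {
        long size = new FileInfo(referenceSample).Length;
        string hash = Sha256Hex(referenceSample);
        var hits = new List<string>();
        var pending = new Stack<string>();
        pending.Push(root);
        while (pending.Count > 0)
        {
            string dir = pending.Pop();
            try
            {
                foreach (string sub in Directory.GetDirectories(dir)) pending.Push(sub);
                foreach (string exe in Directory.GetFiles(dir, "*.exe"))
                    // Size is the cheap pre-filter; the hash confirms the copy.
                    if (new FileInfo(exe).Length == size && Sha256Hex(exe) == hash)
                        hits.Add(exe);
            }
            catch (UnauthorizedAccessException) { } // e.g. System Volume Information
            catch (IOException) { } // locked file or vanished folder: skip the rest of dir
        }
        return hits;
    }
    static void Main()
    {
        // Constructed tree: reference sample, one copy, one same-size innocent file.
        string root = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        Directory.CreateDirectory(Path.Combine(root, "Photos"));
        string sample = Path.Combine(root, "sample.bin");
        File.WriteAllBytes(sample, new byte[] { 1, 2, 3, 4 });
        File.WriteAllBytes(Path.Combine(root, "Photos", "Photos.exe"), new byte[] { 1, 2, 3, 4 });
        File.WriteAllBytes(Path.Combine(root, "Photos", "setup.exe"), new byte[] { 9, 9, 9, 9 });
        foreach (string hit in FindCopies(root, sample)) Console.WriteLine("confirmed copy: " + hit);
        Directory.Delete(root, true);
    }
}
```

Review the returned list before deleting anything, and pass in a reference copy taken from one of the folder-icon files you have already confirmed as the virus.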