This malware is around for a few months...
Whenever a pen drive is plugged on to the infected system,
it copies itself into a new hidden folder "RECYCLER" as autorun.exe.

It also creates an autorun.inf file in the root directory of the thumb drive.

The autorun.in cotains the following text



Now the pen drive is infected and where ever we plug it, the system
gets infected.

On the system, it copies as soundmix.exe in the system32 folder.
It also creates a zipexr.dll file in the system32\dllcache folder.

The soundmix.exe registers for autolaunch at startup in the registry.
Even if we change it using msconfig or regedit, it is created back
at the very instant.

soundmix.exe shows up in the task manager>process...
But trying to end it using end process/ end process tree commands
will spawn a new instance of it.

It is not possible to delete soundmix.exe as it is running...
Even in safe mode it is unable to delete it.


Though some of the anti virus finds the virus, but most cant remove it
if the anti virus was installed after infection.

I searched through out the internet but couldn't find a single tip on
removing the virus manually...

__________________
SanS

You are not able to delete the soundmix.exe because it is running.

Use Security Task Manager (trial version free to use) to end the running instace of soundmix.exe and then delete the other files...

I tried using Security Task Manager, but the soundmix.exe instance
is recreated each time I end task the application using STM...

I tried even in safe mode but with no success

__________________
SanS

Well then...
The virus creator was smart enough to think of all the possibilities....

Now you can try this method...

Insert the Windows XP boot CD and restart the system,
Boot from the CD and Press R for repair when asked...

Press the appropriate number (usually 1) when volume prompt is asked...
Enter the administrator password...
now you get a command promt

now type


cd \
cd windows\system32
attrib -r soundmix.exe
del soundmix.exe
cd dllcache
attrib -r zipexr.dll
del zipexr.dll
exit

now the system will get restarted and you can boot from you hard drive...

Most probably, the virus infection is removed....

Best of luck...

Thanks for the instructuion...
I am taking a print out of this page...
I will have to connect a CD drive as I
dont have one connected to my PC now...
I will try this now and get back......

__________________
SanS

I have tried it....

I think the virus is now removed.....
But another major problem just started....

Now I am not able to run any of my applications...
When I try to run Zone Alarm or MS Outlook,
an "Open With" dialog appears....

I think I have to clean format the system now...

I am not even able to take backup of my mails in outlook now

__________________
SanS

Hei Dont panic....

You wont have to format your PC...

When the dialog box is asking for open with,
try specifying c:\windows\explorer.exe....

That must help you to atleast launch Outlook and take a backup of your
mails before a clean format....

No that's not working...

I tried Explorer.exe but it says unable to find the exe file...

I think I need a format now....

__________________
SanS

Just try this method..

Start Menu > Run > type Command.com

then u will get the prompt...

type cd \windows

then type

copy regedit.exe regedit.com
now type regedit.com
now u will get the registry editor...

Navigate to

HKEY_CLASSES_ROOT \ exefile \ shell \ open \ command


there you will see that the value has been changed by the virus to

soundmix.exe "%1" %*


change it to

"%1" %*


(delete soundmix.exe)

exit regedit and try clicking your outlook.....

Everything will be back to normal.....

Hope this helps......

Wow... It worked... The system is back to Perfectly normal....

I thought I will have to do a hell of repair
around the registry to solve it....

This is for sure the only doc in the entire internet that
teaches how to remove the pen drive virus manually....

Anyway, the virus AGENT.PGV is also named as

Troj/Agent-FJS
Troj/Agent-FXA
WORM_SILLY.CF

and many more names...

All they have the common autorun.inf, RECYCLER\autorun.exe, soundmix.exe and zipexr.dll in common.....

I wonder why would someone waste his time on making these kind of viruses....

__________________
SanS