This is a discussion on How to manually remove Agent.PGV PenDrive Trojan/Worm/Virus within the Operating Systems forums, part of the Computer Hardware/Software and Networking category.
#1
This malware has been around for a few months... Whenever a pen drive is plugged into the infected system, it copies itself into a new hidden folder "RECYCLER" as autorun.exe. It also creates an autorun.inf file in the root directory of the thumb drive. The autorun.inf contains the following text:

Code:
    [autorun]
    open=
    ; the two labels below are Simplified Chinese (GBK-encoded): "Open (&O)" and
    ; "Explorer (&X)", the same wording as the standard Explorer context-menu entries
    shell\open=打开(&O)
    shell\open\Command=RECYCLER\autorun.exe -OpenCurDir
    shell\open\Default=1
    shell\explore=资源管理器(&X)
    shell\explore\Command=RECYCLER\autorun.exe -ExploreCurDir

Now the pen drive is infected, and wherever we plug it in, the system gets infected. On the system, it copies itself as soundmix.exe in the system32 folder. It also creates a zipexr.dll file in the system32\dllcache folder. soundmix.exe registers itself for auto-launch at startup in the registry. Even if we change it using msconfig or regedit, it is recreated at the very instant. soundmix.exe shows up in Task Manager > Processes... but trying to end it using the End Process / End Process Tree commands will spawn a new instance of it. It is not possible to delete soundmix.exe as it is running... Even in safe mode it is not possible to delete it. Though some antivirus programs find the virus, most can't remove it if the antivirus was installed after infection. I searched throughout the internet but couldn't find a single tip on removing the virus manually...
__________________ SanS
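What the autorun.inf quoted in post #1 actually does, as an added example that is not code from the thread: a small Python parser for the [autorun] section that flags the pattern the post describes (an empty open=, custom open/explore verbs, and a launcher sitting in RECYCLER, a folder Explorer hides by default). The sample input is the file from the post with its two labels restored to the GBK-encoded Chinese they were written in; the hidden-folder and extension lists are my own choices, not something the post states.

```python
"""Parse an autorun.inf from a removable drive and flag the hijack pattern
described in the post (added example, not code from the thread)."""
import re

# Constructed sample: the autorun.inf quoted in the post. The two menu labels
# are GBK-encoded Simplified Chinese ("Open (&O)" and "Explorer (&X)"); the
# post showed them garbled because they had been decoded as Latin-1.
SAMPLE_AUTORUN_INF = (
    "[autorun]\r\n"
    "open=\r\n"
    "shell\\open=打开(&O)\r\n"
    "shell\\open\\Command=RECYCLER\\autorun.exe -OpenCurDir\r\n"
    "shell\\open\\Default=1\r\n"
    "shell\\explore=资源管理器(&X)\r\n"
    "shell\\explore\\Command=RECYCLER\\autorun.exe -ExploreCurDir\r\n"
).encode("gbk")

# Constructed benign sample: only sets a drive icon and label.
BENIGN_AUTORUN_INF = b"[autorun]\r\nicon=drive.ico\r\nlabel=Backup\r\n"

# Folders Explorer hides by default (my list, not from the post): a launcher
# dropped there is not seen when the user "looks at the files" on the drive.
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
RUNNABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")


def decode_autorun(data: bytes) -> str:
    """UTF-8 first, then GBK (what the sample's labels are in), then cp1252."""
    for enc in ("utf-8", "gbk"):
        try:
            return data.decode(enc)
        except UnicodeDecodeError:
            continue
    return data.decode("cp1252", errors="replace")


def parse_autorun(data: bytes) -> dict:
    """Return the [autorun] section as {lower-cased key: value}.

    The format is INI-like, but keys contain backslashes, so a small hand
    parser is simpler than configparser.
    """
    keys = {}
    section = None
    for raw in decode_autorun(data).splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys[key.strip().lower()] = value.strip()
    return keys


def verb_commands(keys: dict) -> dict:
    """Map each custom verb (open, explore, ...) to its command line."""
    cmds = {}
    for key, value in keys.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            cmds[m.group(1)] = value
    return cmds


def first_token(cmd: str) -> str:
    """Program part of a command line: the quoted path or the first word."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmd)
    return ((m.group(1) or m.group(2)) if m else "").lower()


def analyze_autorun(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    keys = parse_autorun(data)
    cmds = verb_commands(keys)
    findings = []
    # Empty open= plus custom verbs: the real "Open" action is replaced by the
    # attacker's verb, which double-clicking the drive will execute.
    if "open" in keys and not keys["open"] and cmds:
        findings.append("open= is empty but shell\\<verb>\\command entries exist: "
                        "the default action is redirected to a custom verb")
    for verb in ("open", "explore"):
        if verb in cmds:
            findings.append(f"'{verb}' context-menu verb overridden: {cmds[verb]}")
    targets = list(cmds.values())
    if keys.get("shellexecute"):
        targets.append(keys["shellexecute"])
    for cmd in targets:
        prog = first_token(cmd)
        if not prog:
            continue
        if any(prog.startswith(d + "\\") or f"\\{d}\\" in prog for d in HIDDEN_DIRS):
            findings.append(f"launcher stored in a default-hidden folder: {prog}")
        if prog.endswith(RUNNABLE_EXT) and not re.match(r"^[a-z]:\\", prog):
            findings.append(f"relative path to an executable on the drive itself: {prog}")
    return findings


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name)
        for f in analyze_autorun(sample) or ["no findings"]:
            print("  -", f)
```

Two things the parser makes visible that the raw file does not: the launcher path is relative, so the same autorun.inf works whatever drive letter the stick gets, and the labels copy the wording of the genuine Open and Explore entries, so the context menu looks normal. Running this over the root of a stick before opening it is a cheap triage step when the installed antivirus does not recognise the sample.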
#2
You are not able to delete soundmix.exe because it is running. Use Security Task Manager (trial version free to use) to end the running instance of soundmix.exe and then delete the other files...
#3
I tried using Security Task Manager, but the soundmix.exe instance is recreated each time I end-task the application using STM... I tried even in safe mode but with no success.
__________________ SanS
#4
Well then... The virus creator was smart enough to think of all the possibilities.... Now you can try this method... Insert the Windows XP boot CD and restart the system, boot from the CD and press R for Repair when asked... Press the appropriate number (usually 1) when the volume prompt appears... Enter the administrator password... Now you get a command prompt; type:

Code:
    cd \
    cd windows\system32
    attrib -r soundmix.exe
    del soundmix.exe
    cd dllcache
    attrib -r zipexr.dll
    del zipexr.dll
    exit

Now the system will restart and you can boot from your hard drive... Most probably, the virus infection is removed.... Best of luck...
#5
I am taking a print out of this page... I will have to connect a CD drive as I don't have one connected to my PC now... I will try this now and get back......
__________________ SanS
#6
I have tried it.... I think the virus is now removed..... But another major problem just started.... Now I am not able to run any of my applications... When I try to run ZoneAlarm or MS Outlook, an "Open With" dialog appears.... I think I have to clean-format the system now... I am not even able to take a backup of my mails in Outlook now.
__________________ SanS
#7
Hey, don't panic.... You won't have to format your PC... When the dialog box asks for "Open With", try specifying c:\windows\explorer.exe.... That must help you to at least launch Outlook and take a backup of your mails before a clean format....
#8
No, that's not working... I tried explorer.exe but it says unable to find the exe file... I think I need a format now....
__________________ SanS
#9
Just try this method.. Start Menu > Run > type command.com, then you will get the prompt... Type:

Code:
    cd \windows
    copy regedit.exe regedit.com
    regedit.com

Now you will get the Registry Editor... Navigate to HKEY_CLASSES_ROOT\exefile\shell\open\command. There you will see that the value has been changed by the virus to

Code:
    soundmix.exe "%1" %*

Change it to

Code:
    "%1" %*

(delete soundmix.exe). Exit regedit and try clicking your Outlook..... Everything will be back to normal..... Hope this helps......
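The registry change in post #9 explains the "Open With" problem from post #6: the worm put soundmix.exe in front of the exefile open verb, so every .exe on the box was started through it, and deleting the wrapper from the Recovery Console left every .exe launch pointing at a file that no longer existed. The regedit.com trick works because .com files go through the comfile association, not exefile, so the hijacked verb never runs. As an added example that is not code from the thread, here is a Python check for that value: a pure function that classifies a command string (usable on a value copied out of regedit.com or a .reg export), plus a winreg read/repair that only applies on Windows. It assumes the interpreter itself can be started, which on a box where the wrapper has just been deleted means running it after the fix, from a clean admin session, or on an exported value; the samples are constructed from the post, and the full-path variant is hypothetical.

```python
"""Check and repair the HKCR\\exefile\\shell\\open\\command hijack described in
the post (added example, not code from the thread)."""
import re
import sys

EXEFILE_KEY = r"exefile\shell\open\command"
# Default value of that key on a clean Windows XP installation.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed samples: the hijacked value quoted in post #9, a clean value, and
# a hypothetical full-path variant of the same hijack.
HIJACKED_SAMPLE = 'soundmix.exe "%1" %*'
CLEAN_SAMPLE = '"%1" %*'
FULLPATH_SAMPLE = r'"C:\WINDOWS\system32\soundmix.exe" "%1" %*'

# A hijack keeps the real command ("%1" %*) and puts a wrapper program in
# front of it, so the wrapper runs every time any .exe is launched.
WRAPPED_RE = re.compile(r'^(?:"([^"]+)"|(\S+))\s+"%1"\s+%\*$', re.IGNORECASE)


def analyze_exefile_command(value: str) -> dict:
    """Classify an exefile open command.

    status:   'clean', 'wrapped' (a wrapper program is prepended) or
              'unrecognized' (something else; inspect by hand)
    wrapper:  the prepended program when status == 'wrapped'
    repaired: the value to write back
    """
    v = value.strip()
    if v == CLEAN_EXEFILE_COMMAND:
        return {"status": "clean", "wrapper": None, "repaired": v}
    m = WRAPPED_RE.match(v)
    if m:
        return {"status": "wrapped", "wrapper": m.group(1) or m.group(2),
                "repaired": CLEAN_EXEFILE_COMMAND}
    return {"status": "unrecognized", "wrapper": None,
            "repaired": CLEAN_EXEFILE_COMMAND}


def read_exefile_command() -> str:
    """Read the live value (Windows only; the default value has the empty name)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


def repair_exefile_command(dry_run: bool = True) -> dict:
    """Report the live value and, unless dry_run, write the clean one back."""
    import winreg
    report = analyze_exefile_command(read_exefile_command())
    if report["status"] != "clean" and not dry_run:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, EXEFILE_KEY, 0,
                            winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, "", 0, winreg.REG_SZ, CLEAN_EXEFILE_COMMAND)
    return report


if __name__ == "__main__":
    for sample in (HIJACKED_SAMPLE, CLEAN_SAMPLE, FULLPATH_SAMPLE):
        print(repr(sample), "->", analyze_exefile_command(sample))
    if sys.platform == "win32":
        # Pass --fix to actually write; without it the script only reports.
        print("live:", repair_exefile_command(dry_run="--fix" not in sys.argv))
```

The practical lesson from the thread's order of events is to fix (or at least record) the exefile verb before deleting the file it names; the same kind of wrapper can sit under comfile, batfile and the other executable classes, so a thorough check reads those keys too.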
#10
Wow... It worked... The system is back to perfectly normal.... I thought I would have to do a hell of a lot of repair around the registry to solve it.... This is for sure the only doc on the entire internet that teaches how to remove the pen drive virus manually.... Anyway, the virus AGENT.PGV is also named Troj/Agent-FJS, Troj/Agent-FXA, WORM_SILLY.CF and many more names... They all have autorun.inf, RECYCLER\autorun.exe, soundmix.exe and zipexr.dll in common..... I wonder why someone would waste his time making these kinds of viruses....
__________________ SanS