This malware is around for a few months...
Whenever a pen drive is plugged on to the infected system,
it copies itself into a new hidden folder "RECYCLER" as autorun.exe.

It also creates an autorun.inf file in the root directory of the thumb drive.

The autorun.in cotains the following text



Now the pen drive is infected and where ever we plug it, the system
gets infected.

On the system, it copies as soundmix.exe in the system32 folder.
It also creates a zipexr.dll file in the system32\dllcache folder.

The soundmix.exe registers for autolaunch at startup in the registry.
Even if we change it using msconfig or regedit, it is created back
at the very instant.

soundmix.exe shows up in the task manager>process...
But trying to end it using end process/ end process tree commands
will spawn a new instance of it.

It is not possible to delete soundmix.exe as it is running...
Even in safe mode it is unable to delete it.


Though some of the anti virus finds the virus, but most cant remove it
if the anti virus was installed after infection.

I searched through out the internet but couldn't find a single tip on
removing the virus manually...

__________________
SanS

You are not able to delete the soundmix.exe because it is running.

Use Security Task Manager (trial version free to use) to end the running instace of soundmix.exe and then delete the other files...

I tried using Security Task Manager, but the soundmix.exe instance
is recreated each time I end task the application using STM...

I tried even in safe mode but with no success

__________________
SanS

Well then...
The virus creator was smart enough to think of all the possibilities....

Now you can try this method...

Insert the Windows XP boot CD and restart the system,
Boot from the CD and Press R for repair when asked...

Press the appropriate number (usually 1) when volume prompt is asked...
Enter the administrator password...
now you get a command promt

now type


cd \
cd windows\system32
attrib -r soundmix.exe
del soundmix.exe
cd dllcache
attrib -r zipexr.dll
del zipexr.dll
exit

now the system will get restarted and you can boot from you hard drive...

Most probably, the virus infection is removed....

Best of luck...

Thanks for the instructuion...
I am taking a print out of this page...
I will have to connect a CD drive as I
dont have one connected to my PC now...
I will try this now and get back......

__________________
SanS

I have tried it....

I think the virus is now removed.....
But another major problem just started....

Now I am not able to run any of my applications...
When I try to run Zone Alarm or MS Outlook,
an "Open With" dialog appears....

I think I have to clean format the system now...

I am not even able to take backup of my mails in outlook now

__________________
SanS

Hei Dont panic....

You wont have to format your PC...

When the dialog box is asking for open with,
try specifying c:\windows\explorer.exe....

That must help you to atleast launch Outlook and take a backup of your
mails before a clean format....

No that's not working...

I tried Explorer.exe but it says unable to find the exe file...

I think I need a format now....

__________________
SanS

Just try this method..

Start Menu > Run > type Command.com

then u will get the prompt...

type cd \windows

then type

copy regedit.exe regedit.com
now type regedit.com
now u will get the registry editor...

Navigate to

HKEY_CLASSES_ROOT \ exefile \ shell \ open \ command


there you will see that the value has been changed by the virus to

soundmix.exe "%1" %*


change it to

"%1" %*


(delete soundmix.exe)

exit regedit and try clicking your outlook.....

Everything will be back to normal.....

Hope this helps......

Wow... It worked... The system is back to Perfectly normal....

I thought I will have to do a hell of repair
around the registry to solve it....

This is for sure the only doc in the entire internet that
teaches how to remove the pen drive virus manually....

Anyway, the virus AGENT.PGV is also named as

Troj/Agent-FJS
Troj/Agent-FXA
WORM_SILLY.CF

and many more names...

All they have the common autorun.inf, RECYCLER\autorun.exe, soundmix.exe and zipexr.dll in common.....

I wonder why would someone waste his time on making these kind of viruses....

__________________
SanS

Now I have another small issue...

I have a pen drive that i know is infected with the virus...

If i plug it into the USB, my cleaned system will again get infected...


So is there an alternative other than installing an anti virus on my PC to remove the virus from the Pen Drive ?

__________________
SanS

Ofcourse you have..

You need to insert the USB pendrive while you hold down the shift key...

Now autorun will be disabled...

Now you need to goto my computer, find the drive letter assaigned to your pendrive,
type it in address bar of the my computer window....
now delete the RECYCLER folder (hidden) and the autorun.inf file...

Congrats... you have removed the virus from your pen drive

Hi,

I tried to delete the RECYCLER folder, but it says access denied,
So I formatted the Pen drive, now the virus gone and working perfect.

__________________
SanS

Hi,

I tried to delete the RECYCLER folder, but it says access denied,
So I formatted the Pen drive, now the virus gone and working perfect.

__________________
SanS

If you have inserted the pendrive into the PC without pressing the
SHIFT key, you must have possibly infected the system again.....
So Sad.....

I use my pendrive in a lot of computers where I may not be sure whether the system is infected or not....

Is there any way to avoid my pendrive getting infected even if i am plugging it on to a system which is infected by a virus ?

__________________
SanS

I know exactly what you are asking for....
You are asking for a firewall or antivirus for your pendrive.
But unfortunately, PenDrive is a passive device and it is not possible
to actually 'install' something into it.

We can hope for some one to come up with some idea in the future.

How ever, for the Agent.PGV virus can be stopped from infecting your pendrive from a system already infected with that virus.

You need to first prepare your pendrive on a clean pc.

open the pendrive root folder
create a directory RECYCLER
copy c:\windows\system32\calc.exe into that directory
rename the exe file to autorun.exe
Make the file read only

This will fool the virus that the system is already infected
and will not be infected again.

The autorun.inf file may be created when you insert it on an
infected pc.

But the virus will not be infected

Wow... It worked... The system is back to Perfectly normal....

I thought I will have to do a hell of repair
around the registry to solve it....

This is for sure the only doc in the entire internet that
teaches how to remove the pen drive virus manually....

Anyway, the virus AGENT.PGV is also named as

Troj/Agent-FJS
Troj/Agent-FXA
WORM_SILLY.CF

and many more names...

All they have the common autorun.inf, RECYCLER\autorun.exe, soundmix.exe and zipexr.dll in common.....

I wonder why would someone waste his time on making these kind of viruses....

__________________
SanS

Now I have another small issue...

I have a pen drive that i know is infected with the virus...

If i plug it into the USB, my cleaned system will again get infected...


So is there an alternative other than installing an anti virus on my PC to remove the virus from the Pen Drive ?

__________________
SanS