This is a discussion on How to manually remove Agent.PGV PenDrive Trojan/Worm/Virus within the Operating Systems forums, part of the Computer Hardware/Software and Networking category.
| |||
| This malware has been around for a few months... Whenever a pen drive is plugged into the infected system, it copies itself into a new hidden folder "RECYCLER" as autorun.exe. It also creates an autorun.inf file in the root directory of the thumb drive. The autorun.inf contains the following text
Code:
[autorun]
open=
shell\open=打开(&O)
shell\open\Command=RECYCLER\autorun.exe -OpenCurDir
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=RECYCLER\autorun.exe -ExploreCurDir

Now the pen drive is infected and wherever we plug it in, the system gets infected. On the system, it copies itself as soundmix.exe in the system32 folder. It also creates a zipexr.dll file in the system32\dllcache folder. The soundmix.exe registers for autolaunch at startup in the registry. Even if we change it using msconfig or regedit, it is created back at that very instant. soundmix.exe shows up in the Task Manager > Processes... But trying to end it using the End Process / End Process Tree commands will spawn a new instance of it. It is not possible to delete soundmix.exe as it is running... Even in safe mode I am unable to delete it. Though some antivirus programs find the virus, most can't remove it if the antivirus was installed after infection. I searched throughout the internet but couldn't find a single tip on removing the virus manually...
__________________ SanS |
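The autorun.inf quoted in the post above can be checked without mounting it through Explorer. The following is an added example, not part of the original thread: a small parser that lists every launch key in an autorun.inf that points at an executable. The sample text is constructed from the post (menu captions replaced with ASCII placeholders), and the function names and extension list are assumptions of this example.

```python
import re

# Constructed sample modelled on the autorun.inf quoted in the post;
# the menu captions are ASCII placeholders.
SAMPLE = r"""[autorun]
open=
shell\open=Open(&O)
shell\open\Command=RECYCLER\autorun.exe -OpenCurDir
shell\open\Default=1
shell\explore=Explore(&X)
shell\explore\Command=RECYCLER\autorun.exe -ExploreCurDir
"""

# Assumed list of extensions treated as executable for this check.
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")

def parse_autorun(text):
    """Return {lowercased key: value} for the [autorun] section only."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_commands(text):
    """List (key, target) pairs where a launch key runs an executable."""
    hits = []
    for key, value in parse_autorun(text).items():
        is_launch = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch or not value:
            continue
        # Take the program path: quoted string, or first whitespace token.
        quoted = re.match(r'"([^"]+)"', value)
        target = (quoted.group(1) if quoted else value.split()[0]).lower()
        if target.endswith(EXEC_EXT):
            hits.append((key, target))
    return hits

if __name__ == "__main__":
    for key, target in suspicious_commands(SAMPLE):
        print(f"{key} -> {target}")
```

Both context-menu verbs (open and explore) resolve to the same file in the hidden RECYCLER folder, which is why double-clicking the drive in My Computer is enough to run it.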
| You are not able to delete the soundmix.exe because it is running. Use Security Task Manager (trial version free to use) to end the running instance of soundmix.exe and then delete the other files... |
| |||
| Quote:
I tried using Security Task Manager, but the soundmix.exe instance is recreated each time I end the application using STM... I tried even in safe mode but with no success
__________________ SanS |
| |||
| Well then... The virus creator was smart enough to think of all the possibilities.... Now you can try this method... Insert the Windows XP boot CD and restart the system. Boot from the CD and press R for repair when asked... Press the appropriate number (usually 1) when the volume prompt is shown... Enter the administrator password... Now you get a command prompt. Now type
cd \
cd windows\system32
attrib -r soundmix.exe
del soundmix.exe
cd dllcache
attrib -r zipexr.dll
del zipexr.dll
exit
Now the system will get restarted and you can boot from your hard drive... Most probably, the virus infection is removed.... Best of luck... |
| |||
| Quote:
I am taking a printout of this page... I will have to connect a CD drive as I don't have one connected to my PC now... I will try this now and get back......
__________________ SanS |
| |||
| I have tried it.... I think the virus is now removed..... But another major problem just started.... Now I am not able to run any of my applications... When I try to run Zone Alarm or MS Outlook, an "Open With" dialog appears.... I think I have to clean format the system now... I am not even able to take a backup of my mails in Outlook now
__________________ SanS |
| |||
| Quote:
Hey, don't panic.... You won't have to format your PC... When the dialog box is asking for Open With, try specifying c:\windows\explorer.exe.... That must help you to at least launch Outlook and take a backup of your mails before a clean format.... |
| |||
| Just try this method..
Start Menu > Run > type Command.com
Then you will get the prompt... Type
cd \windows
then type
copy regedit.exe regedit.com
now type
regedit.com
Now you will get the registry editor... Navigate to HKEY_CLASSES_ROOT\exefile\shell\open\command
There you will see that the value has been changed by the virus to
soundmix.exe "%1" %*
Change it to
"%1" %*
(delete soundmix.exe). Exit regedit and try clicking your Outlook..... Everything will be back to normal..... Hope this helps...... |
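The registry fix described in the post above can be verified from an exported copy of the key. This is an added example, not part of the original thread: it parses the text of a .reg export and reports whatever has been placed in front of `"%1" %*` in the exefile open command. The sample export is constructed, and the function names are assumptions of this example.

```python
import re

EXPECTED = '"%1" %*'  # stock value named in the post
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# Constructed sample: a .reg export fragment showing the hijacked value
# from the post. Real exports are UTF-16, so decode them before parsing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="soundmix.exe \"%1\" %*"
'''

def default_values(reg_text):
    """Map each key path to its unescaped default (@) string value."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            raw = line[3:-1]
            # .reg files escape quotes and backslashes with a backslash.
            values[key] = re.sub(r'\\(["\\])', r"\1", raw)
    return values

def injected_prefix(command):
    """Return what precedes "%1" %*, or None if the value is stock."""
    if command.strip() == EXPECTED:
        return None
    idx = command.find('"%1"')
    # No "%1" at all, or extra text after it: report the whole value.
    return command[:idx].strip() if idx > 0 else command.strip()

def check_exefile(reg_text):
    """Return the injected program for the exefile handler, or None."""
    for path, value in default_values(reg_text).items():
        if path.lower() == EXEFILE_KEY.lower():
            return injected_prefix(value)
    raise KeyError(EXEFILE_KEY)

if __name__ == "__main__":
    hijacker = check_exefile(SAMPLE_REG)
    print("exefile handler:", hijacker or "stock")
```

With this value in place, deleting soundmix.exe leaves every .exe launch pointing at a missing program, which is the "Open With" symptom reported earlier in the thread.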
| |||
| Wow... It worked... The system is back to perfectly normal.... I thought I would have to do a hell of a repair around the registry to solve it.... This is for sure the only doc on the entire internet that teaches how to remove the pen drive virus manually.... Anyway, the virus AGENT.PGV is also named Troj/Agent-FJS, Troj/Agent-FXA, WORM_SILLY.CF and many more names... They all have autorun.inf, RECYCLER\autorun.exe, soundmix.exe and zipexr.dll in common..... I wonder why someone would waste his time on making these kinds of viruses....
__________________ SanS |
| |||
| Now I have another small issue... I have a pen drive that I know is infected with the virus... If I plug it into the USB, my cleaned system will again get infected... So is there an alternative other than installing an antivirus on my PC to remove the virus from the pen drive?
__________________ SanS |
| |||
| Quote:
Of course you have.. You need to insert the USB pendrive while you hold down the Shift key... Now autorun will be disabled... Now you need to go to My Computer, find the drive letter assigned to your pendrive, and type it in the address bar of the My Computer window.... Now delete the RECYCLER folder (hidden) and the autorun.inf file... Congrats... you have removed the virus from your pen drive |
| |||
| Hi, I tried to delete the RECYCLER folder, but it says access denied, so I formatted the pen drive. Now the virus is gone and it is working perfectly.
__________________ SanS |
| |||
| Quote:
SHIFT key, you must have possibly infected the system again..... So Sad..... |
| |||
| I use my pendrive in a lot of computers where I may not be sure whether the system is infected or not.... Is there any way to avoid my pendrive getting infected even if I am plugging it into a system which is infected by a virus?
__________________ SanS |
| |||
| Quote:
You are asking for a firewall or antivirus for your pendrive. But unfortunately, a pendrive is a passive device and it is not possible to actually 'install' something into it. We can hope for someone to come up with some idea in the future. |
| |||
| However, the Agent.PGV virus can be stopped from infecting your pendrive from a system already infected with that virus. You need to first prepare your pendrive on a clean PC.
Open the pendrive root folder
Create a directory RECYCLER
Copy c:\windows\system32\calc.exe into that directory
Rename the exe file to autorun.exe
Make the file read only
This will fool the virus into thinking that the system is already infected, and it will not be infected again. The autorun.inf file may be created when you insert it on an infected PC. But the virus will not be infected |