#1
Dear Sir,
3 of our company's PCs are infected by the captioned trojan. NOD32 has detected and deleted the trojan continuously since the PCs started up this morning. Could you please kindly help? Thanks.
B. rgds, Peter Ho.
#2
|
||||
|
||||
|
Try to perform a full scan in Safe Mode.
What is the exact location where NOD32 finds the virus?
__________________
Where there is a need, there is a way!
---------------------------------------------------
My security apps: Avira AntiVir Premium * Comodo Firewall PRO * SUPER AntiSpyware * Firefox with Adblock and NoScript
#3
|
Dear pykko,
Thank you for the instruction. It was in vain. The problem was overcome by a solution offered by the NOD32 local agent. Anyhow, thank you for your help.
B. rgds, Peter Ho.
#4
|
Hi
The trojan was probably written into the registry and it created its own renewal. Or it is still being downloaded via some TrojanDownloader. The best thing is to post a HijackThis log, and somebody will check it.
//: I cannot check logs, because I am not a moderator or similar.
#5
|
Quote:
Dear aviro901,
Thank you for the suggestion. This morning, I phoned the users whose PCs were infected yesterday. They told me NOD32 hadn't displayed alert messages continuously this morning. So, I think the trojan was deleted by the tool offered by the NOD32 Taiwan agent.
B. rgds, Peter Ho.
#6
|
Peter_Ho,
Would you mind sharing the solution offered by your NOD32 local agent so that others may benefit from your experience?
Thanks, -John
#7
|
Quote:
Unfortunately, the trojan has appeared again. I'm still looking for a solution. Sorry.
B. rgds, Peter Ho.
#8
|
This trojan/virus (either the Win32/Pacex virus or the Win32/PSW.Agent.NDP trojan) uses ntde1ect.com and autorun.inf files. Here is how you can get rid of them:
1) Open up Task Manager (Ctrl-Alt-Del)
2) If wscript.exe is running, end it.
3) If explorer.exe is running, end it.
4) Open up “File | New Task (Run)” in the Task Manager
5) Run cmd
6) Run the following command on all your drives by replacing c:\ with other drives in turn (note: if you have autorun.inf files that you think you need to back up, do so now):
   del c:\autorun.* /f /a /s /q
7) Go to your Windows\System32 directory by typing
   cd c:\windows\system32
8) Type
   dir /a avp*.*
9) If you see any files named avp0.dll or avpo.exe or avp0.exe, use the following commands to delete each of them:
   for avpo.exe run the following:
   attrib -r -s -h avpo.exe
   del avpo.exe
   for avp0.exe run the following:
   attrib -r -s -h avp0.exe
   del avp0.exe
   for avp0.dll run the following:
   attrib -r -s -h avp0.dll
   del avp0.dll
10) Use the Task Manager’s Run command to fire up regedit
11) Navigate to HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run (as usual, take a backup of your registry before touching it!)
12) If there are any entries for avpo.exe, delete them.
13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.
14) Restart your computer.
regards - Andy
#9
|
Dear Andy,
First of all, we don't have avp*.* on our machines. Anyhow, we had KAVO*.*/MMVO*.* The machines which were infected by KAVO*.* are controlled by MMVO*.* now. KAVO*.* disappeared without us knowing the reason.
Before I followed your instruction, I made a test. I used the following command to unhide and delete MMVO*.*
   attrib -a -s -h -r c:\windows\system32\mmvo*.*
MMVO*.* were deleted under the Explorer windows in safe mode. I restarted the machine at 20:08. I didn't run Windows Explorer to browse the Internet. At 20:41, I rechecked and found MMVO*.* had come back. Very strange.
----
Finally, I followed your suggestion to delete all Autorun.* from the C:/D: drives. At 21:21 I deleted MMVO*.* again. (MMVO*.* can't be created in the Registry, because I recently installed Spybot S&D.) At 21:39, MMVO*.* hasn't come back. I need to check it tomorrow. I want to go home. Anyhow, thank you for your instruction.
B. rgds, Peter Ho.
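The file and registry checks from post #8, together with the KAVO*.*/MMVO*.* names reported in post #9, collected into a read-only audit that lists what is present, with timestamps, and deletes nothing. This is an added example, not a script from any poster or from NOD32; it assumes Windows PowerShell 3.0 or later, and the function name and the name-matching pattern are illustrative choices.

```powershell
# Added example: read-only audit, nothing is deleted or modified.
# File names are the ones quoted in posts #8 and #9 of this thread.
$rootPatterns  = 'autorun.*', 'ntde1ect.com'
$sys32Patterns = 'avp0.dll', 'avpo.exe', 'avp0.exe', 'kavo*.*', 'mmvo*.*'
$runKeyPath    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$nameRegex     = 'avp[o0]\.(exe|dll)|kavo|mmvo|ntde1ect\.com'   # assumption: match Run data on these names

function Find-Files([string]$Dir, [string[]]$Patterns, [string]$Check) {
    foreach ($p in $Patterns) {
        # -Force includes hidden and system files, like "dir /a" in step 8.
        Get-ChildItem -Path $Dir -Filter $p -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Check    = $Check
                    Item     = $_.FullName
                    Detail   = $_.Attributes.ToString()
                    Modified = $_.LastWriteTime   # shows when a file was re-created
                }
            }
    }
}

$findings = @()

# 1. Root of every file-system drive (roots only, not the recursive /s of step 6).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $findings += @(Find-Files $drive.Root $rootPatterns 'DriveRoot')
}

# 2. System32, where posts #8 and #9 look for the files.
$findings += @(Find-Files (Join-Path $env:SystemRoot 'System32') $sys32Patterns 'System32')

# 3. Values under the current user's Run key whose data mentions one of the names.
$runKey = Get-Item -Path $runKeyPath -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        if ($data -match $nameRegex) {
            $findings += [pscustomobject]@{
                Check = 'RunKey'; Item = $name; Detail = $data; Modified = $null
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No matching files or Run entries found.' }
else { $findings | Sort-Object Check, Item | Format-Table -AutoSize -Wrap }
```

Running it before and after a cleanup attempt, and again after a reboot, shows from the Modified column whether a file such as MMVO*.* was re-created and when.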