Win32_PSW.Agent.NDP trojan - Autorun.inf

Discussion in 'NOD32 version 2 Forum' started by Peter Ho, Sep 26, 2007.

Thread Status:
Not open for further replies.
  1. Peter Ho

    Peter Ho Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    5
    Dear Sir,

    3 of our company's PCs are infected by the captioned trojan. NOD32 has detected and deleted the trojan continuously since the PCs started up this morning.

    :mad: o_O

    Could you please kindly help. Thanks.

    B. rgds,
    Peter Ho.
     
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Try to perform a full scan in Safe Mode.
    In which exact location does NOD32 find the virus?
     
  3. Peter Ho

    Peter Ho Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    5
    Dear pykko,

    Thank you for the instruction.

    It's in vain.

    The problem was overcome by a solution offered by NOD32 local agent.

    Anyhow, thank you for your help.

    B. rgds,
    Peter Ho.
     
  4. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hi

    The trojan was probably written into the registry and created its own renewal. Or it is still being downloaded via some TrojanDownloader. The best thing is to post a HijackThis log, and somebody will check it. :thumb:

    //: I cannot check logs, because I am not a moderator or similar.
     
  5. Peter Ho

    Peter Ho Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    5


    Dear aviro901,

    Thank you for the suggestion. This morning, I phoned the users whose PCs were infected yesterday.

    They told me NOD32 hadn't displayed alert messages continuously this morning. So, I think the trojan was deleted by the tool offered by the NOD32 Taiwan agent.

    B. rgds,
    Peter Ho.
     
  6. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    Peter_Ho,

    Would you mind sharing the solution offered by your NOD32 local agent so that others may benefit from your experience?

    Thanks,
    -John
     
  7. Peter Ho

    Peter Ho Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    5


    Unfortunately, the trojan appears again.

    I'm still looking for a solution. Sorry.

    B. rgds,
    Peter Ho.
     
  8. andy2008

    andy2008 Registered Member

    Joined:
    Sep 21, 2007
    Posts:
    33
    This trojan/virus (either the Win32/Pacex virus or the Win32/PSW.Agent.NDP trojan) uses ntde1ect.com and autorun.inf files. Here is how you can get rid of them:

    1) Open up Task Manager (Ctrl-Alt-Del)
    2) If wscript.exe is running, end it.
    3) If explorer.exe is running, end it.
    4) Open up “File | New Task (Run)” in the Task manager
    5) Run cmd
    6) Run the following command on all your drives by replacing c:\ with other drives in turn (note: if you have autorun.inf files that you think you need to backup, do so now):

    del c:\autorun.* /f /a /s /q

    7) Go to your Windows\System32 directory by typing cd c:\windows\system32

    8) Type dir /a avp*.*

    9) If you see any files named avp0.dll or avpo.exe or avp0.exe, use the following commands to delete each of them:

    for avpo.exe run the following:

    attrib -r -s -h avpo.exe
    del avpo.exe

    for avp0.exe run the following:

    attrib -r -s -h avp0.exe
    del avp0.exe

    for avp0.dll run the following:

    attrib -r -s -h avp0.dll
    del avp0.dll


    10) Use the Task Manager’s Run command to fire up regedit

    11) Navigate to HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run (as usual, take a backup of your registry before touching it!)

    12) If there are any entries for avpo.exe, delete them.

    13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.

    14) Restart your computer.

    regards - Andy
     
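As an added example (not code from any poster in this thread), a small Python triage script in a defender's role: it parses an autorun.inf like the one this infection drops, lists which directives would launch a program, and flags targets whose name imitates a legitimate Windows file (ntde1ect.com versus the real ntdetect.com). The sample file content and the list of imitated names are constructed assumptions.

```python
"""Triage an autorun.inf body: report what it would launch and why it looks risky.
Added example, not from this thread; the sample and the look-alike list are assumed."""
import configparser
import re

# Directives through which an autorun.inf can start a program.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".vbs", ".scr", ".pif")
# Legitimate Windows file names that malware likes to imitate (assumed list).
KNOWN_NAMES = ("ntdetect.com", "explorer.exe", "svchost.exe")

# Constructed sample imitating the autorun.inf described in the thread.
SAMPLE_AUTORUN = """[AutoRun]
open=ntde1ect.com
shellexecute=ntde1ect.com
shell\\Auto\\command=ntde1ect.com
"""

def launch_targets(text):
    """Return {directive: command} for each directive that would run a program."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep directive names as written
    cp.read_string(text)
    targets = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if key.lower() in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
                targets[key] = (value or "").strip()
    return targets

def is_lookalike(name):
    """True if name differs from a known system file name in exactly one character."""
    name = name.lower()
    return any(len(name) == len(good) and sum(a != b for a, b in zip(name, good)) == 1
               for good in KNOWN_NAMES)

def assess(text):
    """Return ("suspicious" or "clean", findings) for an autorun.inf body."""
    findings = []
    for key, cmd in launch_targets(text).items():
        exe = cmd.split()[0].strip('"').lower() if cmd else ""
        if exe.endswith(EXEC_EXTS):
            findings.append(f"{key} launches {exe}")
        if is_lookalike(exe.rsplit("\\", 1)[-1]):
            findings.append(f"{key} target {exe} imitates a Windows file name")
    return ("suspicious" if findings else "clean", findings)
```

Feeding it the contents of each drive root's autorun.inf (before deleting them as in step 6) tells you what the file would have started, which is worth recording before cleanup.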
  9. Peter Ho

    Peter Ho Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    5
    Dear Andy,

    First of all, we don't have avp*.* in our machines. Anyhow, we had KAVO*.*/MMVO*.*

    The machines which were infected by KAVO*.* are controlled by MMVO*.* now. KAVO*.* disappears for a reason I don't know.

    Before I followed your instruction, I made a test.

    I used the following command to unhide and delete MMVO*.*

    attrib -a -s -h -r c:\windows\system32\mmvo*.*

    MMVO*.* were deleted in the Explorer window in Safe Mode.

    I restarted the machine at 20:08. I didn't run Windows Explorer to browse the Internet.

    At 20:41, I rechecked and found MMVO*.* had come back.

    Very strange.

    ----

    Finally, I followed your suggestion to delete all Autorun.* from the C: and D: drives at 21:21.

    I deleted MMVO*.* again.

    (MMVO*.* can't be created in the Registry, because I recently installed Spybot S&D.)

    At 21:39, MMVO*.* hasn't come back. I need to check it tomorrow.

    I want to go home. Anyhow, thank you for your instruction.

    B. rgds,
    Peter Ho.
     