[SOLVED] C:\autorun.inf keeps on getting detected by Nod32 (W32/PSW.Agent. NDP trojan

**Wox** · 10-14-2007, 07:41 PM

This is happening on a XP laptop with Nod32 as antivirus (duh!)
A few minutes after logging on Nod pops up saying C:\autorun.inf is infected (Win32/PSW.Agent.NDP trojan).
I chose to delete the file and it pops back up.
Looks like either
[1] Nod is finding a sytem file (keeps on regenerating) as false positive
[2] I'm infected by a weird trojan

I would be doing some online scanning and stuff, will be creating a thread in HJT forum.
For now can someone tell me what they know please...

**Go The Power** · 10-14-2007, 08:20 PM

Hiya Wox

Here is some information:
http://www.sophos.com/security/analy...legmiraqk.html

**Wox** · 10-14-2007, 08:50 PM

Hi GTP, thanks for the info, but I still don't know how to get rid of it..

:

EDIT: I seemed to have found one.
Can anybody "review" the info that I found and tell me if that solves it?

Quote:

Originally Posted by alpha (simplified and translated by me)

1. Turn off System Restore.
2. Clean out all the temp files.
3. Using regedit, search for and delete all the entries for these- [c0nime.exe 、iexpl0re.exe 、winlog0n.exe, rundl132]
4. Delete the following files with Killbox-

Code:

C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\Rav20.dll      
                                    C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\Rav21.dll  
                                               C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\Gjzo0.dll    
                                             C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\LgSy2.dll   
                                              C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\LgSy1.dll   
                                              C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\rundl132.exe   
                                              C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\c0nime.exe    
                                             C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\iexpl0re.exe      
                                           C:\\DOCUME~1\\[user]\\LOCALS~1\\Temp\\winlog0n.exe

5. Reboot and re-enable System Restore.

Thanks

P.S. by "simplified and translated" I mean by removing all the instructions on downloading Killbox, turning off System Restore, running regedit, etc etc; then I translated it from Chinese to English.

**Wox** · 10-15-2007, 05:24 PM

Alright, no need to confirm that anymore you guys, cos it ain't working.
Seems like Nod32 is really worked up, today it found W32/Pacex.Gen on C:\ntdelect.com and www.microsofttw.com/gto/ubs.exe. Seems like some website is trying to feed me viruses?
Doing scans right now.

**Wox** · 10-15-2007, 06:09 PM

Jeez.. spent some 35 minutes on this issue and finally got it solved.
Turned out to be a Kavo virus, directions on solving here and the final Kava killer here..
Kava is also known to spread via USB drives, and the killer for that is here
Be nice to Chinese (and Taiwanese) people- they apparently know a lot..

**Wox** · 10-15-2007, 09:36 PM

This thread is solved, and I might write a short guide on using five important tools (that I gathered) to get rid of it... I just might.

10-14-2007, 07:41 PM	#1 (permalink)
Wox TSF Enthusiast Join Date: Jan 2007 Location: Seattle Posts: 638 OS: XP Pro SP2 My System	[SOLVED] C:\autorun.inf keeps on getting detected by Nod32 (W32/PSW.Agent. NDP trojan This is happening on a XP laptop with Nod32 as antivirus (duh!) A few minutes after logging on Nod pops up saying C:\autorun.inf is infected (Win32/PSW.Agent.NDP trojan). I chose to delete the file and it pops back up. Looks like either [1] Nod is finding a sytem file (keeps on regenerating) as false positive [2] I'm infected by a weird trojan I would be doing some online scanning and stuff, will be creating a thread in HJT forum. For now can someone tell me what they know please...

10-14-2007, 08:20 PM	#2 (permalink)
Go The Power Moderator, Microsoft Support Join Date: Mar 2007 Location: South Australia Posts: 10,981 OS: Windows XP Home SP2 Blog Entries: 1	Re: C:\autorun.inf keeps on getting detected by Nod32 (W32/PSW.Agent. NDP trojan) Hiya Wox Here is some information: http://www.sophos.com/security/analy...legmiraqk.html __________________

10-15-2007, 05:24 PM	#4 (permalink)
Wox TSF Enthusiast Join Date: Jan 2007 Location: Seattle Posts: 638 OS: XP Pro SP2 My System	Re: C:\autorun.inf keeps on getting detected by Nod32 (W32/PSW.Agent. NDP trojan) Alright, no need to confirm that anymore you guys, cos it ain't working. Seems like Nod32 is really worked up, today it found W32/Pacex.Gen on C:\ntdelect.com and www.microsofttw.com/gto/ubs.exe. Seems like some website is trying to feed me viruses? Doing scans right now.

10-15-2007, 06:09 PM	#5 (permalink)
Wox TSF Enthusiast Join Date: Jan 2007 Location: Seattle Posts: 638 OS: XP Pro SP2 My System	Re: C:\autorun.inf keeps on getting detected by Nod32 (W32/PSW.Agent. NDP trojan) Jeez.. spent some 35 minutes on this issue and finally got it solved. Turned out to be a Kavo virus, directions on solving here and the final Kava killer here.. Kava is also known to spread via USB drives, and the killer for that is here Be nice to Chinese (and Taiwanese) people- they apparently know a lot..

10-15-2007, 09:36 PM	#6 (permalink)
Wox TSF Enthusiast Join Date: Jan 2007 Location: Seattle Posts: 638 OS: XP Pro SP2 My System	Re: C:\autorun.inf keeps on getting detected by Nod32 (W32/PSW.Agent. NDP trojan) This thread is solved, and I might write a short guide on using five important tools (that I gathered) to get rid of it... I just might.