Nordsys

Ace

May I ask a couple of (probably stupid) questions regarding subject
nordsys.exe and McAfee software?

Background: My neighbor's desktop pc (Dell with Winxp) was having a lot of
hard drive activity, so I had him look at task manager, which showed about
90 % cpu usage when he was not doing anything, and one of the active
processes was Nordsys.

I found same in his registry and changed extension to abc which did stop it
from causing all the activity.

Is this a virus/trojan and how can it be removed?

With removal in mind, he bought the latest version of McAfee and installed.
Was not able to go on line for updates because his ISP 'Peopleonlinepc'
crashed the machine as soon as it connected. It seems there is a problem
with the 'mfehidk.sys' file but I was unable to connect to a link with the
supposed patch.

Then somewhat related, assuming he will eventually get some AV installed,
will all the user accounts he has set up under WinXP be protected? Not sure
of correct terminology, but upon bootup, there are three users, of which he
is one, and they are all password protected. In other words, though he
receives no e-mail, can one of the other users receive an infected e-mail
which would affect the entire system? For that matter, would each user have
to set up their own preferences for spam filtering, etc?

Thanks in advance,

Ace
 
Virus Guy

Ace said:
one of the active processes was Nordsys.

http://www.bleepingcomputer.com/startups/NORDSYS.EXE-16550.html

Added by the WORM_NUWAR.PO worm (renamed to WORM_NUWAR.JO)

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NUWAR.JO

This worm is part of a complex attack initiated by the NUWAR family.
The attack employs multiple components that work together to achieve a
common goal. Read a comprehensive description of the malware family
here: War Against NUWAR: Fighting the Latest Profit-driven,
Multi-component, Focused Attack.

http://www.trendmicro.com/vinfo/sec...rofit-driven,+Multi-component,+Focused+Attack
 
David H. Lipman

From: "Ace" <[email protected]>

| May I ask a couple of (probably stupid) questions regarding subject
| nordsys.exe and McAfee software?
|
| Background: My neighbor's desktop pc (Dell with Winxp) was having a lot of
| hard drive activity, so I had him look at task manager, which showed about
| 90 % cpu usage when he was not doing anything, and one of the active
| processes was Nordsys.
|
| I found same in his registry and changed extension to abc which did stop it
| from causing all the activity.
|
| Is this a virus/trojan and how can it be removed?
|
| With removal in mind, he bought the latest version of McAfee and installed.
| Was not able to go on line for updates because his ISP 'Peopleonlinepc'
| crashed the machine as soon as it connected. It seems there is a problem
| with the 'mfehidk.sys' file but I was unable to connect to a link with the
| supposed patch.
|
| Then somewhat related, assuming he will eventually get some AV installed,
| will all the user accounts he has set up under WinXP be protected? Not sure
| of correct terminology, but upon bootup, there are three users, of which he
| is one, and they are all password protected. In other words, though he
| receives no e-mail, can one of the other users receive an infected e-mail
| which would affect the entire system? For that matter, would each user have
| to set up their own preferences for spam filtering, etc?
|
| Thanks in advance,
|
| Ace
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
