Encountering qfgsw.sys / Trojan-Downloader.Win32.Agent.bbb / Trojan.Win32.Agent.BVl, etc.


Endurer Original, 1st edition

Last night a netizen told me that the NOD32 on his computer had recently reported the following:

/---
Time   Module   Object   Name   Virus   Action   User name   Information
21:30:22   AMON   file   C:/Windows/system32/Drivers/qfgsw.sys   Win32/TrojanDownloader.Agent.bbb trojan   deleted (takes effect after the next restart)   NT AUTHORITY/SYSTEM   The event occurred while an attempt was made to access the file: C:/Windows/system32/svchost.exe.
---/

Restarting the machine was not an option, so I helped him through QQ remote assistance.

I had him download pe_xscan, run a scan and send me the log for analysis. The following suspicious items were found:

/=
pe_xscan 07-08-30 by Purple Endurer
2007-9-16 21:31:36
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

O2-BHO ff class-{FAAAC0F6-94BE-4466-934B-7C53666A2F41}-C:/Windows/system32/ba71.dll
O23-service: 3a452d83 (3a452d83)-C:/Windows/system32/24e9f3bc.exe-K (disabled)
O23-service: aea6eaec (aea6eaec)-C:/Windows/system32/2dd519ed.exe-P (disabled)
O23-service: b302ec43 (b302ec43)-C:/Windows/system32/75d23be4.exe-D (disabled)
O23-service: fb000e3a (fb000e3a)-C:/Windows/system32/f77b20d5.exe-K (disabled)
O23-service: Investor (Event Service)-C:/Windows/system32/svchost.exe-K netsvcs-> C:/Windows/system32/eatxt.dll (automatic)
O23-service: kusn33sd (kusn33sd)-C:/Windows/system32/kusn33sd.exe-J (disabled)
O23-service: Messager (Messager)-C:/temp/svchost.exe (disabled)
O23-service: qfgsw (qfgsw)-system32/Drivers/qfgsw.sys (driver)
O23-service: ws2ifsl (Windows Socket 2.0 Non-IFS Service Provider Support Environment)-C:/Windows/system32/Drivers/ws2ifsl.sys | Microsoft® Windows® Operating System | 5.1.2600.0 | Winsock2 IFS Layer | © Microsoft Corporation. All rights reserved. | 5.1.2600.0 (xpclient000017-1148) | Microsoft Corporation | ? | ws2ifsl.sys | ws2ifsl.sys (system)
===/
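The suspicious entries above share a few traits a defender can check mechanically: eight-hex-character service names and binaries, a service binary under a temp directory, a svchost netsvcs entry that loads an unknown ServiceDll, and executables with no embedded version information (the legitimate ws2ifsl.sys is the only entry carrying one). The script below is an added example, not pe_xscan itself or any tool from the original post; it parses O2/O23 lines in the layout quoted above (the sample is taken from that log, lightly simplified) and returns a per-entry list of reasons for review. The heuristics and their thresholds are this example's own assumptions, meant as triage hints rather than verdicts.

```python
import re

# Sample lines taken from the pe_xscan log above (constructed copy, simplified for parsing).
SAMPLE_LOG = """\
O2-BHO ff class-{FAAAC0F6-94BE-4466-934B-7C53666A2F41}-C:/Windows/system32/ba71.dll
O23-service: 3a452d83 (3a452d83)-C:/Windows/system32/24e9f3bc.exe-K (disabled)
O23-service: aea6eaec (aea6eaec)-C:/Windows/system32/2dd519ed.exe-P (disabled)
O23-service: Investor (Event Service)-C:/Windows/system32/svchost.exe-K netsvcs-> C:/Windows/system32/eatxt.dll (automatic)
O23-service: kusn33sd (kusn33sd)-C:/Windows/system32/kusn33sd.exe-J (disabled)
O23-service: Messager (Messager)-C:/temp/svchost.exe (disabled)
O23-service: qfgsw (qfgsw)-system32/Drivers/qfgsw.sys (driver)
O23-service: ws2ifsl (Windows Socket 2.0 Non-IFS Service Provider Support Environment)-C:/Windows/system32/Drivers/ws2ifsl.sys | Microsoft Windows Operating System | 5.1.2600.0 | Winsock2 IFS Layer | Microsoft Corporation (system)
"""

# "O23-service: <name> (<display>)-<binary>[-flag] [netsvcs-> <dll>] [| version fields] (<state>)"
O23_RE = re.compile(
    r"^O23-service:\s*(?P<name>\S+)\s*\((?P<display>[^)]*)\)-(?P<rest>.*)\((?P<state>[^)]*)\)\s*$",
    re.IGNORECASE,
)
# "O2-BHO <description>-{<CLSID>}-<dll path>"
O2_RE = re.compile(r"^O2-BHO\s+(?P<desc>.*?)-\{(?P<clsid>[^}]+)\}-(?P<path>\S+)\s*$", re.IGNORECASE)
# First executable/driver/DLL path in the remainder of an O23 line.
BIN_RE = re.compile(r"(?:[A-Za-z]:/)?[^\s|]*?\.(?:exe|sys|dll)", re.IGNORECASE)
# ServiceDll hosted by svchost ("netsvcs-> <dll>").
HOSTED_RE = re.compile(r"->\s*(?P<dll>\S+\.dll)", re.IGNORECASE)
# Assumed heuristic: 4-8 lowercase hex characters look machine-generated.
HEXNAME_RE = re.compile(r"[0-9a-f]{4,8}")


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def stem(path: str) -> str:
    return basename(path).rsplit(".", 1)[0]


def triage_service(m: re.Match) -> tuple[str, list[str]]:
    """Return (service name, reasons) for one parsed O23 line."""
    name, rest = m["name"], m["rest"]
    found = BIN_RE.search(rest)
    path = found.group(0) if found else ""
    reasons = []
    if HEXNAME_RE.fullmatch(name.lower()):
        reasons.append("random-looking hex service name")
    if HEXNAME_RE.fullmatch(stem(path).lower()):
        reasons.append("random-looking hex binary name")
    if "/temp/" in path.lower():
        reasons.append("service binary lives in a temp directory")
    hosted = HOSTED_RE.search(rest)
    if hosted:
        reasons.append(f"svchost netsvcs group loads ServiceDll {basename(hosted['dll'])}")
    if "|" not in rest:
        # pe_xscan appends "| product | version | ..." only when a version resource exists.
        reasons.append("no embedded version information")
    return name, reasons


def triage_bho(m: re.Match) -> tuple[str, list[str]]:
    """Return ('BHO:<dll>', reasons) for one parsed O2 line."""
    path = m["path"]
    reasons = []
    if HEXNAME_RE.fullmatch(stem(path).lower()):
        reasons.append("random-looking hex DLL name")
    return f"BHO:{basename(path)}", reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map every parsed entry to its list of review reasons (empty list = nothing flagged)."""
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = O23_RE.match(line)
        if m:
            key, reasons = triage_service(m)
            findings[key] = reasons
            continue
        m = O2_RE.match(line)
        if m:
            key, reasons = triage_bho(m)
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{entry}: {', '.join(reasons) if reasons else 'nothing flagged'}")
```

Entries with an empty reason list (here only ws2ifsl) are the ones a known-good baseline would normally explain; everything else is what the writeup goes on to inspect by hand.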

Download fileinfo and bat_do from http://purpleendurer.ys168.com; use fileinfo to extract the file information and bat_do to pack a backup.

File: C:/Windows/system32/ba71.dll
Attributes: ---
Language: Chinese (China)
File version: 1.0.0.1
Description: Todo: <file description>
Copyright: Todo: (c) <Company Name>. All rights reserved.
Comments:
Product version: 1.0.0.1
Product name: Todo: <Product Name>
Company name: Todo: <Company Name>
Legal trademarks:
Internal name: dbho.dll
Original filename: dbho.dll
Creation time: 13:46:11
Modification time: 22:35:17
Access time: 23:26:34
Size: 126976 bytes, 124.0 KB
MD5: aca6a3c9d5a4155d2717682fa63d203f
SHA1: dcd87e2f87372d224f45669b03a06b1a6a25c7c9

Kaspersky reports it as not-a-virus:AdWare.Win32.DM.y; Rising reports it as Adware.Win32.DM.y.

For qfgsw.sys, fileinfo reports that the file cannot be opened.

Download IceSword from http://endurer.ys168.com and copy the file to D:/; it still could not be extracted, packed into a backup, or sent through QQ. Even after the cleanup was finished, and with NOD32 real-time monitoring disabled, it still could not be transmitted. In the end the netizen was only able to send it to me after booting into Safe Mode with Networking.

File: C:/Windows/system32/Drivers/qfgsw.sys
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time: 23:31:12
Access time: 23:35:30
Size: 10240 bytes, 10.0 KB
MD5: c3138e0cd862f4a2e82b8b24db346094
SHA1: 47b567b995b217e14c1082cae7db84024162aad6
Kaspersky reports it as Trojan-Downloader.Win32.Agent.bbb; Rising reports it as Trojan.Win32.Agent.BVl.

Scanned file: qfgsw.sys - infected
qfgsw.sys - infected by Trojan-Downloader.Win32.Agent.bbb
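The two fileinfo records above show the signals that made these files worth submitting to Kaspersky and Rising: a version resource still carrying the unfilled Visual Studio template strings ("Todo: <Company Name>"), a compiled-in internal name (dbho.dll) that differs from the name on disk (ba71.dll), a driver whose version information cannot be read at all, and hashes that can be compared against a list of known samples. The following script is an added example, not fileinfo or any tool from the original post; it parses records in the layout quoted above (the two samples are constructed copies of those records), applies those checks, and uses the MD5 values recorded in this writeup as a local indicator list. The field labels, the check names and the hashing helper are this example's own assumptions.

```python
import hashlib
import re

# MD5 values recorded in the writeup above, used as a local indicator list.
KNOWN_BAD_MD5 = {
    "aca6a3c9d5a4155d2717682fa63d203f": "ba71.dll - AdWare.Win32.DM.y",
    "c3138e0cd862f4a2e82b8b24db346094": "qfgsw.sys - Trojan-Downloader.Win32.Agent.bbb",
}

# Constructed records in the style of the fileinfo output quoted above.
BA71_RECORD = """\
File: C:/Windows/system32/ba71.dll
File version: 1.0.0.1
Description: Todo: <file description>
Copyright: Todo: (c) <Company Name>. All rights reserved.
Product name: Todo: <Product Name>
Company name: Todo: <Company Name>
Internal name: dbho.dll
Original filename: dbho.dll
Size: 126976 bytes, 124.0 KB
MD5: aca6a3c9d5a4155d2717682fa63d203f
SHA1: dcd87e2f87372d224f45669b03a06b1a6a25c7c9
"""

QFGSW_RECORD = """\
File: C:/Windows/system32/Drivers/qfgsw.sys
Error: An error occurred while obtaining the file version information!
Size: 10240 bytes, 10.0 KB
MD5: c3138e0cd862f4a2e82b8b24db346094
SHA1: 47b567b995b217e14c1082cae7db84024162aad6
"""

# Unfilled Visual Studio resource template strings: "Todo:" or an angle-bracket placeholder.
PLACEHOLDER_RE = re.compile(r"todo:|<[^>]+>", re.IGNORECASE)
TEMPLATE_FIELDS = ("Description", "Copyright", "Product name", "Company name")
NAME_FIELDS = ("Internal name", "Original filename")


def parse_record(text: str) -> dict[str, str]:
    """Split 'Key: value' lines into a dict (first colon separates key from value)."""
    info: dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_record(info: dict[str, str]) -> list[str]:
    """Return the reasons this record deserves a closer look (empty list = none found)."""
    reasons = []
    on_disk = basename(info.get("File", ""))
    if "Error" in info:
        reasons.append("version resource unreadable")
    placeholders = [f for f in TEMPLATE_FIELDS if PLACEHOLDER_RE.search(info.get(f, ""))]
    if placeholders:
        reasons.append("unfilled version-resource template fields: " + ", ".join(placeholders))
    for field in NAME_FIELDS:
        compiled = info.get(field, "").lower()
        if compiled and compiled != on_disk:
            reasons.append(f"{field} '{compiled}' differs from on-disk name '{on_disk}'")
    md5 = info.get("MD5", "").lower()
    if md5 in KNOWN_BAD_MD5:
        reasons.append("MD5 matches known sample: " + KNOWN_BAD_MD5[md5])
    return reasons


def hashes_of(data: bytes) -> dict[str, str]:
    """MD5 and SHA1 of a file's bytes, in the same form fileinfo prints them."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def known_bad_label(data: bytes):
    """Label from the indicator list if the bytes match a recorded sample, else None."""
    return KNOWN_BAD_MD5.get(hashes_of(data)["md5"])


if __name__ == "__main__":
    for record in (BA71_RECORD, QFGSW_RECORD):
        info = parse_record(record)
        print(info["File"])
        for reason in triage_record(info):
            print("  -", reason)
```

The same checks apply to any file whose version resource you can dump; a match on the hash list is definitive for the two samples here, while the template and name-mismatch checks are only hints, since sloppy but harmless software ships with unfilled resources too.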

The other files listed in the log no longer exist.

Right-click each of the two files in IceSword and choose Force Delete from the pop-up menu.

Download and install Rising Kaka Security Assistant and delete the startup entries for these two files.

Use WinRAR to delete the Windows temporary folder, the IE temporary folder, and the deletable files and folders under D:/Windows/prefetch.
