Ip6fw.sys Downloader.agent (reinstalls On Internet Connection)


  • This topic is locked
3 replies to this topic

#1 Computer Headache

Computer Headache

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:15 PM

Posted 23 August 2007 - 04:49 PM

Hello everyone. The other day, Tuesday, I turned on my home computer to find my Comodo firewall's monitors had been shut off permanently and the internet not responsive. Comodo suggested to re-install. After uninstalling Comodo I found the internet to be working. When I re-installed Comodo, however, after reboot, the same three Comodo firewall monitors had been turned off and the internet once again inaccessible. So, I figured Comodo was to blame.

I later found out on installation of ZoneAlarm's firewall that there is a trojan on my system that is disabling my firewalls. (On reboot, after ZA installed, its monitors were also shut down because Windows XP alerted me to my firewall being turned off.)

Several, several scans later, I am still trying to find the culprit. I have run Avast Anti-Virus, which I downloaded and installed after the trojan got on my system. I've also run AVG Anti-Spyware and Ad-Aware, plus the BitDefender online scan. I also patched up my Sun Java, which hadn't been updated in, possibly, over a year, and ran Windows Update, which also hadn't been run in a long time (there were 36 security patches to download and install).

My last two attempts, patching up Sun Java and Windows, seem to have helped, but the virus continues to re-install itself on connection to the internet, not on reboot. I know this for sure because I've run Avast's boot scan, and because I've noticed that when I disconnect and reconnect my home computer from the internet, Avast goes crazy and tells me I have a trojan. (I have broadband with an ethernet plug.) After a reboot, if I leave the ethernet cord connected, nothing happens; but as soon as something like Avast (for updates) or IE tries to go on the internet, I get a virus detection alert. I believe the virus has hidden itself as something like qttask.exe (Quicktime) or another similar application, because I monitor my task manager very closely and have found a small surge of old .exe's that had been disabled months, if not years, ago. Below I've provided a copy-and-paste from Avast's log from the past few days, showing when the virus first connects to the internet, and also what AVG Anti-Spyware found the last time I ran it, which was around four today (Eastern Time). (I know the tracking cookies are negligible.)


AVAST LOG
08/21/2007 7:11:18 PM SYSTEM 1280 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
08/21/2007 7:11:18 PM SYSTEM 1280 An error has occured while attempting to update. Please check the logs.
08/21/2007 8:06:20 PM SYSTEM 1144 Sign of "Win32:Small-EPJ [Trj]" has been found in "http://62.72.1243.static.theplanet.com/s_49_1165318068?m=3&a=1&r=1&hdd=36303135314a5746314139383839&gen=8&os=940000000500000001000000280a00000200000053657276696365205061636b2032" file.
08/21/2007 11:16:23 PM Main 3068 Sign of "Win32:CTX" has been found in "C:\WINDOWS\system32\ActiveScan\pskavs.dll" file.
08/22/2007 12:15:15 AM SYSTEM 1548 Sign of "Win32:Small-EPJ [Trj]" has been found in "http://221041.ds.nac.net/s_49_0?m=3&a=1&r=1&hdd=36303135314a5746314139383839&gen=b&proc=vsmon.exe&os=940000000500000001000000280a00000200000053657276696365205061636b2032" file.
08/22/2007 12:15:36 AM SYSTEM 1548 Sign of "Win32:Small-EPJ [Trj]" has been found in "http://62.72.1243.static.theplanet.com/s_49_1165318068?m=3&a=1&r=1&hdd=36303135314a5746314139383839&gen=b&proc=vsmon.exe&os=940000000500000001000000280a00000200000053657276696365205061636b2032" file.
08/22/2007 4:31:37 AM SYSTEM 1596 Sign of "Win32:Small-EPJ [Trj]" has been found in "http://221041.ds.nac.net/s_49_1165318068?m=3&a=1&r=1&hdd=36303135314a5746314139383839&gen=c&proc=vsmon.exe&os=940000000500000001000000280a00000200000053657276696365205061636b2032" file.
08/22/2007 4:31:51 AM SYSTEM 1596 Sign of "Win32:Small-EPJ [Trj]" has been found in "http://62.72.1243.static.theplanet.com/s_49_1165318068?m=3&a=1&r=1&hdd=36303135314a5746314139383839&gen=c&proc=vsmon.exe&os=940000000500000001000000280a00000200000053657276696365205061636b2032" file.
08/22/2007 11:29:23 AM SYSTEM 1456 Sign of "Win32:Small-EPJ [Trj]" has been found in "http://62.72.1243.static.theplanet.com/s_49_1165318068?m=3&a=1&r=1&hdd=36303135314a5746314139383839&gen=d&proc=vsmon.exe&os=940000000500000001000000280a00000200000053657276696365205061636b2032" file.
08/22/2007 7:53:59 PM SYSTEM 1348 Sign of "Win32:Small-EPJ [Trj]" has been found in "http://66.246.252.213/s_49_0?m=3&a=1&r=1&hdd=36303135314a5746314139383839&gen=e&proc=vsmon.exe&os=940000000500000001000000280a00000200000053657276696365205061636b2032" file.
08/22/2007 7:54:25 PM SYSTEM 1348 Sign of "Win32:Small-EPJ [Trj]" has been found in "http://616959.ds.nac.net/s_49_1165318068?m=3&a=1&r=1&hdd=36303135314a5746314139383839&gen=e&proc=vsmon.exe&os=940000000500000001000000280a00000200000053657276696365205061636b2032" file.
08/23/2007 3:24:01 AM Main 1456 Sign of "Win32:Small-EPJ [Trj]" has been found in "C:\DOCUME~1\Main\LOCALS~1\Temp\165093.exe" file.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:21:09 PM 08/23/2007
+ Scan result:
C:\System Volume Information\_restore{5E43129A-E506-4A47-919B-2796B586561C}\RP908\A0199442.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\ip6fw.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\ms1dbi6a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.43:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\ms1dbi6a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.44:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\ms1dbi6a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.45:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\ms1dbi6a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.46:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\ms1dbi6a.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\ms1dbi6a.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.49:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\ms1dbi6a.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.56:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\ms1dbi6a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.57:C:\Documents and Settings\Main\Application Data\Mozilla\Firefox\Profiles\ms1dbi6a.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Main\Cookies\main@guide.real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Main\Cookies\main@real[1].txt -> TrackingCookie.Real : Cleaned.
::Report end



A few more notes:
I had believed the loss of internet to be Comodo's fault because I was fairly new to the firewall. I had only installed it a week ago, but was loving it. The loss of the internet was actually Comodo's fault but that's just because it was preventing the trojan from "calling back home" over the internet. ZoneAlarm (free version) was not only disabled by the trojan but also allowed it to call home.

At the end of that aforementioned week, I was not running anti-virus for a period of two days, Sunday and Monday, because I had a very awful corporate version of an AV, which had been barely protecting my system for much too long. (I only believed it to be good because it had the word "corporate" attached to it.) I believed Comodo would be sufficient protection for a couple of days.

I installed Avast because I run that on my laptop.

And I turned to ZA after uninstalling Comodo because I had been using ZA for years until I heard the free version suffered from some invulnerabilities.

In conclusion, the trojan virus obviously entered my system during the two days I was without AV. I am now working from my laptop computer. The home one is at present disconnected from the internet, but if the need arises can be easily reconnected.

Urgency of Dilemma:
This home computer is a family computer, which means not only do I use it but so do my brother, father and mother. I will be moving in two days and taking my laptop with me but leaving, of course, the home computer. I would really like it if they had a working computer with no worries or annoyances; so please, if anyone can help, I will never forget you and be forever in debt to you and these forums.

Thank you,
Gene

Edited by Computer Headache, 23 August 2007 - 05:12 PM.
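As an added example (not from the post, and not code from Avast, AVG or any other tool named in it), here is a small Python triage script for Avast log lines in the format quoted above. It separates the on-disk detection from the network beacons and decodes the beacon's query fields: the hdd= value is plain hex-encoded ASCII (the result looks like a disk serial number), and the os= blob matches the layout of a Win32 OSVERSIONINFOA structure, which is how a responder would confirm what the downloader reports about the host. The sample log lines are constructed from the values in the post.

```python
import re
import struct
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the exact format of the Avast log quoted above (values from that log).
SAMPLE_LOG = """\
08/21/2007 7:11:18 PM SYSTEM 1280 An error has occured while attempting to update. Please check the logs.
08/22/2007 12:15:15 AM SYSTEM 1548 Sign of "Win32:Small-EPJ [Trj]" has been found in "http://221041.ds.nac.net/s_49_0?m=3&a=1&r=1&hdd=36303135314a5746314139383839&gen=b&proc=vsmon.exe&os=940000000500000001000000280a00000200000053657276696365205061636b2032" file.
08/23/2007 3:24:01 AM Main 1456 Sign of "Win32:Small-EPJ [Trj]" has been found in "C:\\DOCUME~1\\Main\\LOCALS~1\\Temp\\165093.exe" file.
"""

# One Avast detection line: timestamp, account, pid, signature name, detected object.
DETECTION = re.compile(r'^(?P<when>\S+ \S+ [AP]M) (?P<user>\S+) \d+ Sign of "(?P<sig>[^"]+)" '
                       r'has been found in "(?P<obj>[^"]+)" file\.$')

def decode_os_blob(hexstr):
    """Read the os= value as a Win32 OSVERSIONINFOA: five little-endian DWORDs
    (struct size, major, minor, build, platform id) followed by szCSDVersion."""
    raw = bytes.fromhex(hexstr)
    size, major, minor, build, platform = struct.unpack_from("<5I", raw, 0)
    csd = raw[20:].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"struct_size": size, "version": f"{major}.{minor}.{build}",
            "platform_id": platform, "service_pack": csd}

def parse_beacon(url):
    """Split a beacon URL into host, path and decoded query fields."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    info = {"host": parts.hostname, "path": parts.path, "proc": q.get("proc"), "gen": q.get("gen")}
    if "hdd" in q:  # hex-encoded ASCII; the decoded value looks like a disk serial number
        info["hdd"] = bytes.fromhex(q["hdd"]).decode("ascii", "replace")
    if "os" in q:
        info["os"] = decode_os_blob(q["os"])
    return info

def triage_log(text):
    """One record per detection line; lines that are not detections are skipped."""
    records = []
    for line in text.splitlines():
        m = DETECTION.match(line)
        if not m:
            continue
        obj = m.group("obj")
        rec = {"when": m.group("when"), "sig": m.group("sig")}
        if obj.lower().startswith("http://"):
            rec.update(kind="beacon", **parse_beacon(obj))
        else:
            rec.update(kind="file", path=obj)
        records.append(rec)
    return records
```

Run over the real log, the decoded proc= field (vsmon.exe, ZoneAlarm's engine) and the changing gen= counter are what show the downloader re-checking in with each connection rather than at boot.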


#2 buddy215

buddy215

  • Moderator
  • 13,195 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:10:15 PM

Posted 23 August 2007 - 05:28 PM

Post a Hijack This log in the Hijack This forum. DO NOT post the log in this forum. Instructions in link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Good luck to you!

#3 Computer Headache

Computer Headache
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:10:15 PM

Posted 23 August 2007 - 06:38 PM

Posted a fresh HJT log and attached a HJT Startup list here: http://www.bleepingcomputer.com/forums/t/105524/hjt-log-ip6fwsys-downloaderagent-reinstalls-on-internet-connection/

#4 tg1911

tg1911

    Lord Spam Magnet


  • Members
  • 19,274 posts
  • OFFLINE
  • Gender:Male
  • Location:SW Louisiana
  • Local time:09:15 PM

Posted 23 August 2007 - 10:29 PM

Computer Headache,

Now that you have an open HJT log posted in the HijackThis Logs and Analysis forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

I'm closing this topic until you are cleared by the HJT Team.
If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.