Need to check MD5 validity of ip6fw.sys file--is my copy for real or is it viral?

Discussion in 'Anti-Virus' started by raylopez99, Apr 3, 2007.

  1. raylopez99

    raylopez99 Guest

    Hello--my Windows XP Pro Pentium PC is acting strange and despite my
    best efforts I may be infected with a trojan horse / rootkit called
    the Pushu-A virus (aka Rootkit.Win32.Agent.dp according to Webroot
    Spy Sweeper or Kaspersky, respectively).

    This virus, according to http://www.sophos.com/security/analyses/trojpushua.html,
    infects the drivers, in particular ip6fw.sys (used in firewalls by
    Windows OS).

    So I need to see if my copy of this file is genuine.

    Can somebody either (1) compare the below file * with a Microsoft
    genuine file of the same name or (2) do a MD5 "checksum" of this file*
    (it should be: 4448006B6BC60E6C027932CFC38D6855 *ip6fw.sys) and do a
    MD5 "checksum" of the genuine file (found in \system32\drivers) and
    upload the checksum for the genuine file so I can compare it?

    Thanks,

    RL

    * go here for the 'infected' file (I think it's corrupted). It's not
    an executable, but in any event keep it on a floppy or somewhere where
    you can delete it and not mix it by mistake with your good drivers:

    http://www.sendspace.com/file/bdy4xe (ip6fw.sys)
     
    raylopez99, Apr 3, 2007
    #1

  2. raylopez99

    raylopez99 Guest


    Or, even easier, if you don't want to soil your hands downloading a
    possibly viral file: do a checksum (MD5) of your genuine copy of
    ip6fw.sys, and post the result here.

    Thanks!

    RL
     
    raylopez99, Apr 3, 2007
    #2

  3. [dave@hodgins drivers]$ ll ip6*
    -rwxrwxrwx 1 root root 29056 Sep 7 2006 ip6fw.sys*
    [dave@hodgins drivers]$ md5sum ip6fw.sys
    4448006b6bc60e6c027932cfc38d6855 ip6fw.sys

    Note that while I'm currently using linux, the above is from
    a partition with XP Pro installed, which I usually boot about
    once a month, just to install M$'s extra patches.

    Looks like yours is ok.

    Regards, Dave Hodgins
     
    David W. Hodgins, Apr 3, 2007
    #3
  4. raylopez99

    raylopez99 Guest

    I take it MD5 is not case sensitive, like Unix is.

    In any event, I've also asked the volunteers at CastleCops (http://
    tinyurl.com/2rfxfp) to take a look.

    Thanks Dave! If I could send you money I would!

    RL

    (System sure is acting strange...I still think I have a virus but I
    have to keep digging to find it)...
     
    raylopez99, Apr 3, 2007
    #4
  5. From: "raylopez99" <>

    | Hello--my Windows XP Pro Pentium PC is acting strange and despite my
    | best efforts I may be infected with a trojan horse / rootkit called
    | the Pushu-A virus (aka Rootkit.Win32.Agent.dp according to Webroot
    | Spy Sweeper or Kaspersky, respectively).
    |
    | This virus, according to http://www.sophos.com/security/analyses/trojpushua.html,
    | infects the drivers, in particular ip6fw.sys (used in firewalls by
    | Windows OS).
    |
    | So I need to see if my copy of this file is genuine.
    |
    | Can somebody either (1) compare the below file * with a Microsoft
    | genuine file of the same name or (2) do a MD5 "checksum" of this file*
    | (it should be: 4448006B6BC60E6C027932CFC38D6855 *ip6fw.sys) and do a
    | MD5 "checksum" of the genuine file (found in \system32\drivers) and
    | upload the checksum for the genuine file so I can compare it?
    |
    | Thanks,
    |
    | RL
    |
    | * go here for the 'infected' file (I think it's corrupted). It's not
    | an executable, but in any event keep it on a floppy or somewhere where
    | you can delete it and not mix it by mistake with your good drivers:
    |
    | http://www.sendspace.com/file/bdy4xe (ip6fw.sys)

    The file is a legitimate Microsoft Driver file and is NOT the suspected RootKit file.

    The question is what do you mean by... "Windows XP Pro Pentium PC is acting strange"
    Please supply facts and details.
     
    David H. Lipman, Apr 3, 2007
    #5
  6. From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>


    |
    | The file is a legitimate Microsoft Driver file and is NOT the suspected RootKit file.
    |
    | The question is what do you mean by... "Windows XP Pro Pentium PC is acting strange"
    | Please supply facts and details.
    |

    PS: I asked nosirrah to look into your CC thread for you. :)
     
    David H. Lipman, Apr 3, 2007
    #6
  7. md5sum is case sensitive, but only regarding the contents
    of the file. While using linux, the case of the filename
    must be correct, whereas with windows case is (usually) ignored.

    Regards, Dave Hodgins
     
    David W. Hodgins, Apr 3, 2007
    #7
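The check Dave ran with md5sum, and his point in the follow-up that the digest depends on file contents while the hex spelling of the hash is just a rendering, as an added example (not code from the thread). It hashes constructed temporary files, not the real ip6fw.sys; the 900150983CD... reference hash is the known MD5 of the constructed content "abc", not a value from the thread.

```python
"""Verify a file against a published hash and compare digests sanely.

Added example, not from the thread. Uses constructed temporary files; the
only thread values referenced are in the usage below (the 4448006B... hash).
"""
import hashlib
import os
import tempfile


def file_digest(path: str, algorithm: str = "md5", chunk_size: int = 65536) -> str:
    """Return the lower-case hex digest of a file, read in chunks so a large
    driver or image never has to fit in memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hashes_match(published: str, computed: str) -> bool:
    """Compare a pasted hash with a computed one.

    A hex digest is a textual rendering of the same bytes, so an upper-case
    and a lower-case spelling are the same value (the thread's
    4448006B6BC6... and 4448006b6bc6...). The 'HASH *filename' form that
    md5sum prints, and that people paste, is accepted as well.
    """
    published_hex = published.strip().split()[0]
    return published_hex.lower() == computed.strip().lower()


def verify_file(path: str, published: str, algorithm: str = "md5") -> bool:
    """True if the file's digest equals the published one."""
    return hashes_match(published, file_digest(path, algorithm))


def demo() -> dict:
    """Hash two constructed files whose contents differ only in letter case.

    Their digests differ: that is the sense in which md5sum is case
    sensitive. The published reference is written in upper case with
    md5sum's '*filename' suffix to show the comparison still passes.
    """
    with tempfile.TemporaryDirectory() as tmp:
        lower = os.path.join(tmp, "a.bin")
        upper = os.path.join(tmp, "b.bin")
        with open(lower, "wb") as fh:
            fh.write(b"abc")  # constructed content
        with open(upper, "wb") as fh:
            fh.write(b"ABC")  # same letters, different bytes
        return {
            "lower_md5": file_digest(lower),
            "upper_md5": file_digest(upper),
            "lower_sha256": file_digest(lower, "sha256"),
            "published_ok": verify_file(lower, "900150983CD24FB0D6963F7D28E17F72 *a.bin"),
        }


if __name__ == "__main__":
    # Thread value, for illustration: compare a pasted hash with a computed one.
    print(hashes_match("4448006B6BC60E6C027932CFC38D6855 *ip6fw.sys",
                       "4448006b6bc60e6c027932cfc38d6855"))
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical notes. First, a matching digest only tells you the file equals the reference copy; the reference has to come from a system you trust (Dave's clean XP partition is a reasonable source). Where a publisher offers SHA-256, prefer it over MD5, whose collision weaknesses are well known. Second, for a Microsoft driver the stronger check is its Authenticode signature (Sysinternals sigcheck shows whether the binary is signed by Microsoft), which does not depend on anyone posting a hash at all.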
  8. raylopez99

    raylopez99 Guest

    Dave!

    Just printed out your list, which I will study religiously tomorrow--
    it's 3 AM in SE Europe where I'm posting from (I've spent the entire
    day today [actually a couple of hours] boning up on viruses..so much
    to learn...I also program for fun in C++ and C#.NET).

    Now, you are undoubtedly the master of this subject. I tip my hat.
    Below are some musings I posted at CastleCops; your thoughts are
    welcome. Right now I'm leaning towards thinking Webroot's
    'find' (every time I boot up) of the PushU-A rootkit/virus is a FP
    (False Positive), and that--here's my thinking--if I uninstalled
    Webroot and installed another such 'malware scanner' (feel free to
    recommend one) then the 'problem' of the FP would go away--what do you
    say? Pls recommend another 'similar' product to Webroot SS and I'll
    see if installing that will 'solve' the problem. In other words:
    what you don't know cannot hurt you, right? I'm sick of these Webroot
    'scares' (but then again, what if they are right? That is the
    issue.)

    PS--to answer your question, I notice that certain threads seem to
    take a lot of CPU time and 'bog down' my system seemingly more than
    before--but then again, my PC is 4 years old--and it's probably (?)
    time for a cleaning (of the PC arteries) aka a "clean reinstall of
    Windows XP", no?

    RL

    [my below post to Castlecops' nosirrah, which encapsulates the entire
    drama of the last few days--March 31st is when I got hit with both
    trojans, with PushU seeming stuck in the bowels of my PC and 'bobax'
    trojan dying in the bit bucket.]

    http://www.castlecops.com/p920461-Infected_MD5_4448006B6BC60E6C027932CFC38D6855_ip6fw_sys.html#920461

    Tx for the scan. But, I have some further questions (in fact three
    questions, Q#1, and Q#2 below and #3). BTW I am running Webroot Spy
    Sweeper (which seems to give the false positive) and Kaspersky AV6 on
    a Pentium 4, 4 yrs old, running Windows XP Pro (Pentium 4, 1GB RAM,
    DSL modem).

    Issue: I thought I had a virus PushU-A (Rootkit.Win32.Agent.dp)
    (which BTW was discovered a few days ago at the same time the trojan
    'bobax' was discovered and deleted (permanently--unlike PushU-A, the
    'bobax' trojan disappeared in that it never again was 'found' by
    Webroot) by Webroot--and the day BEFORE I did a disk image Ghost
    backup so my backup is also 'infected' (maybe). But, I'm not sure
    now--I think Webroot is giving a false positive. See here for a
    description of the 'virus' PushU (rootkit):
    http://www.sophos.com/security/analyses/trojpushua.html?_log_from=rss

    And note see this :
    http://www.castlecops.com/t175256-Slow_Computer_Check_here_first_it_may_not_be_malware.html

    This thread is on the hunt for the (phantom) virus at the Kaspersky
    forum (I'm technically not a customer of theirs, just using an
    evaluation copy for 30 days, hehehe):
    http://forum.kaspersky.com/index.php?showtopic=35184&st=0

    Note this strange fact:
    Before Webroot Spy Sweeper runs, this entry exists in the Registry
    (but after the sweep it disappears--why?):
    --

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW]
    "NextInstance"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW\0000]
    "Service"="Ip6Fw"
    "Legacy"=dword:00000001
    "ConfigFlags"=dword:00000000
    "Class"="LegacyDriver"
    "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    "DeviceDesc"="IPv6 Windows Firewall Driver"
    "Capabilities"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW
    \0000\LogConf]
    --

    After Webroot Spy Sweeper runs, this entry above completely
    disappears! Note the ip6FW.sys file is the one that the rootkit virus
    'PushU-A' corrupts.

    Question #1: Why? Why does Webroot SS delete this above Registry
    entry? And why doesn't Windows crash when the entry is deleted from
    the Registry? After all, is not Ip6Fw important? (ip6fw.sys
    certainly is--if you delete it you get Windows telling you to
    reinstall it from the Windows CD!)

    I grant you Question #1 is best answered by the Webroot people who
    understand their software, but your guess is welcome. For the life of
    me I cannot figure out why. Speculation appreciated. But it's a minor
    point.

    Question #2: I appreciate your cite to the Castlecops FAQ:
    http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Overview

    BUT, the one *big* issue I have with this is (and I have a lot of
    these tools already), even if I go through the checklist, there's a
    chance (good chance?) that I will not delete any rootkit. Why?
    Because apparently I can't "see" it (!), and neither can Kaspersky AV,
    only Webroot SS 'sees' it, but it's not clear where it is?! (I scanned
    for ip6fw.sys and only found one copy--actually two, one is in the
    \dllcache directory but it's identical in MD5 checksum to the clean
    copy--if there was another, viral, copy of ip6fw.sys somewhere in
    'TEMP' subdir or elsewhere (I scanned all my drives), why didn't I see
    it? Or why didn't Kaspersky?)

    Question #3--I'm squeezing one more in!--given that the excellent
    checklist Castlecops has is very arduous to complete (but good), isn't
    it nearly as much work to do a clean reinstall of Windows XP? Forget
    the cost and the fact that probably I'll have to rebuy at least one
    program or two (like Webroot). Just think of the time spent, and the
    fact once I nuke the HD of all the junk (using a "HD wipe" utility),
    it will run faster (since this used to be an NT machine converted to
    Windows XP). Your candid opinion is sought.

    Thanks nosirrah!

    RL
    :p
     
    raylopez99, Apr 4, 2007
    #8
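Question #1 above (why does the LEGACY_IP6FW key exist before a Spy Sweeper run and vanish afterwards) is the kind of thing a before/after registry diff answers. As an added example, not code from the thread: a small parser for regedit's export format plus a diff of two snapshots. BEFORE is the export quoted in the post (its wrapped key line rejoined) with one constructed unrelated key added; AFTER is a constructed snapshot of the same hive slice with the LEGACY_IP6FW keys gone, which is what the poster reports seeing.

```python
"""Diff two regedit (.reg) exports and report keys and values that changed.

Added example, not from the thread. BEFORE is the export quoted in the
post plus one constructed key (LEGACY_EXAMPLE); AFTER is constructed.
"""
import re

BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW\0000]
"Service"="Ip6Fw"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="IPv6 Windows Firewall Driver"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_EXAMPLE]
"ConfigFlags"=dword:00000000
"""

# Constructed "after" snapshot: the LEGACY_IP6FW keys are gone and one value
# under the unrelated key changed, so the diff shows both kinds of result.
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_EXAMPLE]
"ConfigFlags"=dword:00000001
"""

KEY_RE = re.compile(r"^\[-?(.+)\]$")  # a leading '-' (delete-on-import) is dropped
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data


def _logical_lines(text: str):
    """Yield lines with regedit's trailing-backslash continuations (used for
    long hex: values) joined back into one logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text: str) -> dict:
    """Map each key path to a dict of value name -> raw data string.

    Real regedit exports are UTF-16LE with a BOM; read a file with
    open(path, encoding="utf-16") before passing its text here.
    """
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            keys[current][name] = m.group(3)
    return keys


def diff_reg(before: dict, after: dict) -> dict:
    """Report keys removed, keys added, and values that changed under keys
    present in both snapshots (name -> (old, new); None means absent)."""
    changed = {}
    for key in set(before) & set(after):
        b, a = before[key], after[key]
        delta = {n: (b.get(n), a.get(n)) for n in set(b) | set(a) if b.get(n) != a.get(n)}
        if delta:
            changed[key] = delta
    return {
        "removed_keys": sorted(set(before) - set(after)),
        "added_keys": sorted(set(after) - set(before)),
        "changed_values": changed,
    }


if __name__ == "__main__":
    result = diff_reg(parse_reg(BEFORE), parse_reg(AFTER))
    for key in result["removed_keys"]:
        print("removed:", key)
    for key, delta in result["changed_values"].items():
        print("changed:", key, delta)
```

Used on two real exports taken around a scanner run, the diff pins down which tool removed the key and whether anything else moved at the same time. One caveat the thread itself does not settle: entries under Enum\Root\LEGACY_* are Windows' own enumeration records for kernel-mode services, which it recreates when the service starts, so a key that reappears at every boot is not by itself evidence of an infection.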
  9. raylopez99

    raylopez99 Guest

    Makes sense Dave. If I get too many more of these viruses, rootkits
    or False Positives (it's interesting that a FP essentially is the same
    as a rootkit or a virus, in that you have to go through the same
    steps, and if anything, as I try to convey in this thread, it's even
    more aggravating with a FP since you cannot "kill" a FP like you can a
    'real' virus)...if I get many more I'm switching to Linux! (I also 10
    years ago dual booted Linux with NT).

    RL
     
    raylopez99, Apr 4, 2007
    #9
  10. From: "raylopez99" <>


    |
    | Dave!
    |
    | Just printed out your list, which I will study religiously tomorrow--
    | it's 3 AM in SE Europe where I'm posting from (I've spent the entire
    | day today [actually a couple of hours] boning up on viruses..so much
    | to learn...I also program for fun in C++ and C#.NET).
    |
    | Now, you are undoubtedly the master of this subject. I tip my hat.
    | Below are some musings I posted at CastleCops; your thoughts are
    | welcome. Right now I'm leaning towards thinking Webroot's
    | 'find' (every time I boot up) of the PushU-A rootkit/virus is a FP
    | (False Positive), and that--here's my thinking--if I uninstalled
    | Webroot and installed another such 'malware scanner' (feel free to
    | recommend one) then the 'problem' of the FP would go away--what do you
    | say? Pls recommend another 'similar' product to Webroot SS and I'll
    | see if installing that will 'solve' the problem. In other words:
    | what you don't know cannot hurt you, right? I'm sick of these Webroot
    | 'scares' (but then again, what if they are right? That is the
    | issue.)
    |
    | PS--to answer your question, I notice that certain threads seem to
    | take a lot of CPU time and 'bog down' my system seemingly more than
    | before--but then again, my PC is 4 years old--and it's probably (?)
    | time for a cleaning (of the PC arteries) aka a "clean reinstall of
    | Windows XP", no?
    |
    | RL
    |
    | [my below post to Castlecops' nosirrah, which encapsulates the entire
    | drama of the last few days--March 31st is when I got hit with both
    | trojans, with PushU seeming stuck in the bowels of my PC and 'bobax'
    | trojan dying in the bit bucket.]
    |
    | http://www.castlecops.com/p920461-Infected_MD5_4448006B6BC60E6C027932CFC38D6855_ip6fw_sys.html#920461
    |
    | Tx for the scan. But, I have some further questions (in fact three
    | questions, Q#1, and Q#2 below and #3). BTW I am running Webroot Spy
    | Sweeper (which seems to give the false positive) and Kaspersky AV6 on
    | a Pentium 4, 4 yrs old, running Windows XP Pro (Pentium 4, 1GB RAM,
    | DSL modem).
    |
    | Issue: I thought I had a virus PushU-A (Rootkit.Win32.Agent.dp)
    | (which BTW was discovered a few days ago at the same time the trojan
    | 'bobax' was discovered and deleted (permanently--unlike PushU-A, the
    | 'bobax' trojan disappeared in that it never again was 'found' by
    | Webroot) by Webroot--and the day BEFORE I did a disk image Ghost
    | backup so my backup is also 'infected' (maybe). But, I'm not sure
    | now--I think Webroot is giving a false positive. See here for a
    | description of the 'virus' PushU (rootkit):
    | http://www.sophos.com/security/analyses/trojpushua.html?_log_from=rss
    |
    | And note see this :
    | http://www.castlecops.com/t175256-Slow_Computer_Check_here_first_it_may_not_be_malware.html
    |
    | This thread is on the hunt for the (phantom) virus at the Kaspersky
    | forum (I'm technically not a customer of theirs, just using an
    | evaluation copy for 30 days, hehehe):
    | http://forum.kaspersky.com/index.php?showtopic=35184&st=0
    |
    | Note this strange fact:
    | Before Webroot Spy Sweeper runs, this entry exists in the Registry
    | (but after the sweep it disappears--why?):
    | --
    |
    | Windows Registry Editor Version 5.00
    |
    | [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW]
    | "NextInstance"=dword:00000001
    |
    | [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW\0000]
    | "Service"="Ip6Fw"
    | "Legacy"=dword:00000001
    | "ConfigFlags"=dword:00000000
    | "Class"="LegacyDriver"
    | "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    | "DeviceDesc"="IPv6 Windows Firewall Driver"
    | "Capabilities"=dword:00000000
    |
    | [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IP6FW
    | \0000\LogConf]

    I am a member of CC and I know nosirrah. He will make sure you are tended to well.

    I leave you in "trusted" and knowledgeable hands.
     
    David H. Lipman, Apr 4, 2007
    #10
  11. Dustin Cook

    Dustin Cook Guest

    Have you let BugHunter take a peek? I'd be interested in the results.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool - V2.2
    web: http://bughunter.it-mate.co.uk - email:

    Pad: http://bughunter.it-mate.co.uk/pad.xml
     
    Dustin Cook, Apr 4, 2007
    #11
  12. raylopez99

    raylopez99 Guest


    Thanks Dustin; I tried BugHunter, and it caught three 'malware'/spam
    type programs the other programs missed, including Webroot SpySweeper,
    SuperAntiSpyware and Kaspersky AV6, but Webroot's SpySweeper still
    insists (and BugHunter failed to catch) there's a virus "trojan-pushu"
    as per the above thread.

    I'm probably going to do a complete reinstall of Windows XP. I believe
    perhaps Webroot's SS is giving a false positive, as no other program
    seems to find this virus, but for some reason it keeps deleting a
    Registry entry that some program _is_ in fact making (upon reboot). A
    real mess. A clean reinstall is probably the least painful option at
    this point.

    RL
     
    raylopez99, Apr 4, 2007
    #12
  13. raylopez99

    raylopez99 Guest

    The current odds seem to indicate Webroot SpySweeper is giving a false
    positive, and Webroot will correct this within the week, see here:

    http://forum.kaspersky.com/index.php?showtopic=35184&st=20&p=315803&#entry315803

    Thanks for everybody's help.

    RL
     
    raylopez99, Apr 4, 2007
    #13
