As soon as I clicked on this link http://ipt.czechbattlefield.info/ (the site is a fansite for EA's game Battlefield Play4Free; it lists prices for the items in game) and the page loaded, I had an alert box pop up saying my tcpip.sys file was infected with “Win32:Malware-gen”. Seeing as I have Avast scanning hourly via the screensaver scan, I believe this was the result of a drive-by attack.
Running normally, the file was locked and the MD5 hash could not be calculated (it returned a string of zeroes and would not upload to VT). I downloaded and ran MBAM in safe mode and there were no results, then ran TDSSKiller and it did turn up a few results, including tcpip.sys. Here’s the TDSSKiller logfile (the result is at line #593): http://pastebin.com/Rv7pbLz4 (wasn’t sure whether or not I should post the long file in my post)
If I can provide any more information, please tell me what is desired and I’ll post it.
Looking at the TDSSKiller results, all it is saying is that the TCPIP.sys is not a Microsoft file, so it may be a specific one for one of your programmes.
I keep getting alerts to block or delete tcpip; blocking works for 2 minutes and then the cycle begins anew. Moving it to quarantine does nothing. Do you think it would be possible to delete the “infected” file and replace it with another, assuming there’s a hash match?
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs.
[2008/06/20 05:51:12 | 000,361,600 | ---- | M] [b]Unable to obtain MD5[/b] – C:\WINDOWS\system32\drivers\tcpip.sys is very suspicious; now, whether it is related to PeerBlock I am not sure.
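The two cues the helpers are relying on in this thread are the scanner being unable to read the driver's hash and the driver not carrying a Microsoft vendor string, and the OP's own question is whether the file's hash matches a known-good copy. The following script is an added example and is not code from this thread, from OTL, or from Avast: it parses OTL-style driver lines, applies those two cues, and compares any readable MD5 against a reference set. The field layout of the lines is an assumption modeled on the single line quoted above; the sample log, the vendor names, the sizes, the hashes and the `examplefilter.sys` driver are all constructed, and the `KNOWN_GOOD` table holds placeholder values (a real reference set would be taken from a clean install at the same service pack and update level).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modeled on the OTL driver line quoted in the post above.
# The field layout (timestamp | size | attributes | flag, an optional vendor in
# parentheses, then either MD5=<hash> or "Unable to obtain MD5", then " -- "
# and the path) is an assumption; sizes, vendors, hashes and the third-party
# driver name are made up.
SAMPLE_LOG = r"""
[2008/06/20 05:51:12 | 000,361,600 | ---- | M] Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\tcpip.sys
[2008/04/13 19:20:44 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=fedcba9876543210fedcba9876543210 -- C:\WINDOWS\system32\drivers\afd.sys
[2010/01/02 10:00:00 | 000,050,176 | ---- | M] (Example Filter Co.) MD5=11111111111111111111111111111111 -- C:\WINDOWS\system32\drivers\examplefilter.sys
[2008/06/20 05:51:12 | 000,361,600 | ---- | M] (Microsoft Corporation) MD5=22222222222222222222222222222222 -- C:\WINDOWS\system32\drivers\tcpip.sys
"""

# Placeholder known-good hashes (constructed). A real reference set comes from
# a clean install at the same service-pack/update level as the machine.
KNOWN_GOOD: Dict[str, Set[str]] = {
    "tcpip.sys": {"0123456789abcdef0123456789abcdef"},
    "afd.sys": {"fedcba9876543210fedcba9876543210"},
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[^|]+?)\s*\|\s*(?P<flag>\w)\]\s*"
    r"(?:\((?P<vendor>[^)]*)\)\s*)?"
    r"(?:MD5=(?P<md5>[0-9a-fA-F]{32})|Unable to obtain MD5)\s*--\s*(?P<path>.+?)\s*$"
)


@dataclass
class DriverEntry:
    timestamp: str
    size: int
    vendor: str
    md5: Optional[str]  # None when the scanner could not read the file
    path: str

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Optional[DriverEntry]:
    """Parse one OTL-style driver line; return None for lines of any other shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    md5 = m.group("md5")
    return DriverEntry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        vendor=m.group("vendor") or "",
        md5=md5.lower() if md5 else None,
        path=m.group("path"),
    )


def triage(entry: DriverEntry, known_good=KNOWN_GOOD) -> Tuple[str, List[str]]:
    """Verdicts: 'reference-match', 'reference-mismatch', 'review', 'no-finding'.

    An unreadable hash is only a cue for review: it means the file was locked
    or hidden from the scanner, which the thread's OP also saw, not that it is
    infected. Only a hash that differs from the reference set is a mismatch.
    """
    reasons: List[str] = []
    if entry.md5 is None:
        reasons.append("hash unavailable: file locked or hidden from the scanner")
    if "\\drivers\\" in entry.path.lower() and "microsoft" not in entry.vendor.lower():
        reasons.append(f"vendor string {entry.vendor!r} is not Microsoft for a file in the drivers folder")
    if entry.md5 is not None and entry.filename in known_good:
        if entry.md5 in known_good[entry.filename]:
            return "reference-match", reasons
        reasons.append("MD5 differs from every known-good hash for this filename")
        return "reference-mismatch", reasons
    return ("review" if reasons else "no-finding"), reasons


def triage_log(text: str, known_good=KNOWN_GOOD) -> List[Tuple[str, str, List[str]]]:
    """Run triage over every parseable line; blank and non-driver lines are skipped."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict, reasons = triage(entry, known_good)
        results.append((entry.path, verdict, reasons))
    return results


if __name__ == "__main__":
    for path, verdict, reasons in triage_log(SAMPLE_LOG):
        print(f"{verdict:19} {path}")
        for r in reasons:
            print(f"    - {r}")
```

On the constructed sample, the line mirroring the one quoted above comes out as `review` with two reasons (no hash, no vendor), the Microsoft driver with a matching hash as `reference-match`, the third-party driver as `review`, and the second tcpip.sys entry as `reference-mismatch`. The `review` verdicts are deliberately not "infected": a locked file and a missing vendor string are exactly the kind of evidence that a later reply in this thread explains can also come from an update or a false positive, so the script leaves that judgement to the reference comparison.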
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks.
Is your XP vanilla (SP2/SP3 with no subsequent updates installed)? It could be that an update somewhere along the road made tcpip suspicious to Avast.
I think it is a FP though. I mean, what are the chances of multiple people around the world having an infected tcpip on the same day from different areas of the world?
Hmm. This is rather odd. I’ll give it a few days though to see if anything untoward happens. As it is now I’m not seeing any out of place disk reads or network usage and my PC hasn’t slowed down.
If anything goes wonky then I shall run combofix or just nuke it using the recovery partition.
Thanks for all your help so far (hope Avast is paying You ;D)
PC crashed earlier and when I rebooted, the Web and Mail shields were down along with the Windows built-in firewall. Couldn’t turn the shields back on, so I uninstalled, and the Windows firewall wouldn’t turn on either.