False Positive or Lightning fast drive-by?

As soon as I clicked on this link http://ipt.czechbattlefield.info/ (the site is a fansite for EA's game Battlefield Play4Free; it lists prices for the items in game) and the page loaded, I had an alert box pop up saying my tcpip.sys file was infected with “Win32:Malware-gen”. Seeing as I have Avast scanning hourly via the screensaver scan, I believe this was the result of a drive-by attack.

Running in safe mode I was able to upload the file to VirusTotal and this was the result: https://www.virustotal.com/file/21eb48314d6a96334dca69390c9e1d36be28d396a24db94e72b8baeac9cb601a/analysis/1354728316/

Running normally, the file was locked and the MD5 hash could not be calculated (it returned a string of zeroes and would not upload to VT). I downloaded and ran MBAM in safe mode and there were no results, then ran TDSSKiller and it did turn up a few results, including tcpip.sys. Here’s the TDSSKiller logfile (the result is at line #593): http://pastebin.com/Rv7pbLz4 (wasn’t sure whether or not I should post the long file in my post)

If I can provide any more information, please tell me what is desired and I’ll post it.

The VT result seems like an FP.

First seen by VirusTotal
2009-03-03 12:47:55 UTC ( 3 years, 9 months ago )

I downloaded and ran MBAM in safe mode and there were no results,
Malwarebytes is designed to work best in normal mode... only use safe mode if it does not run.

Looking at the TDSSKiller results, all it is saying is that TCPIP.sys is not a Microsoft file, so it may be a specific one for one of your programmes.

Looks like I’ll be rebooting into normal and re-scanning then :)

Ran MBAM in normal mode, no results. I checked for other tcpip.sys files and it seems I have 4 total…

http://i.imgur.com/s6qRZ.png?1

I keep getting alerts to block or delete tcpip; blocking works for 2 minutes and then the cycle begins anew. Moving it to quarantine does nothing. Think it would be possible to delete the “infected” file and replace it with another, assuming there’s a hash match?
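The check the poster asks about above (is the locked tcpip.sys the same file VirusTotal already knows, and are the other copies identical?) can be done without any of the cleaning tools. The script below is an added example, not from the thread or from Avast, OTL or TDSSKiller: it walks the system drive for every tcpip.sys, hashes each copy with SHA-256 while opening the file with shared access (the usual reason a loaded driver returns no hash in a GUI tool is that it was opened exclusively), checks the Authenticode signature, and compares each hash against the SHA-256 from the VirusTotal URL posted earlier in the thread. The function names, the search root and the use of that VT hash as the "known" value are this example's own choices.

```powershell
# Added example, not from the thread or from any tool named in it.
# Enumerate every tcpip.sys on the system drive, SHA-256 each copy (even one a
# loaded driver holds open), check its Authenticode signature, and compare the
# hash against the SHA-256 VirusTotal assigned to the sample posted earlier.
$KnownSha256 = '21eb48314d6a96334dca69390c9e1d36be28d396a24db94e72b8baeac9cb601a'  # from the VT URL in the thread

function Get-Sha256Hex {
    param([string]$Path)
    # Hashing by hand so this also runs on PowerShell 2.0, which has no Get-FileHash.
    # FileShare.ReadWrite lets us read a file that another process has open.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', ''
    } finally {
        $fs.Close()
        $sha.Clear()
    }
}

function Test-TcpipCopies {
    param(
        [string]$Root     = "$env:SystemDrive\",   # assumption: scan the whole system drive
        [string]$Expected = $KnownSha256
    )
    $copies = Get-ChildItem -Path $Root -Filter 'tcpip.sys' -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($f in $copies) {
        $hash = $null
        try   { $hash = Get-Sha256Hex -Path $f.FullName }
        catch { $hash = 'UNREADABLE: ' + $_.Exception.Message }   # e.g. an exclusive lock
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        New-Object PSObject -Property @{
            Path      = $f.FullName
            Size      = $f.Length
            Modified  = $f.LastWriteTime
            Sha256    = $hash
            Signature = $sig.Status          # Valid / NotSigned / HashMismatch / ...
            Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
            MatchesVT = ($hash -eq $Expected) # -eq on strings is case-insensitive
        }
    }
}

$results = Test-TcpipCopies
$results | Format-Table Path, Size, Modified, Signature, MatchesVT -AutoSize

# Anything that is neither the VT-known file nor validly signed deserves a closer look.
$results | Where-Object { -not $_.MatchesVT -or $_.Signature -ne 'Valid' } |
    Format-List Path, Sha256, Signature, Signer
```

Two caveats when reading the output. On XP, tcpip.sys is catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature on an old PowerShell build can report NotSigned for a perfectly good Microsoft file; `sigcheck.exe -a -h` from Sysinternals or `sfc /scannow` is the authoritative check there. And a hash match against the VT sample only proves the file is byte-identical to something VT first saw years earlier, which is consistent with a false positive but is not by itself a clean bill of health; the signature check and the cross-copy comparison (drivers, dllcache and ServicePackFiles should agree) are what make the verdict solid.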

Could you run aswMBR for me please

Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it.
Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan, click “Save log”, save it to your desktop and post it in your next reply.

THEN

Download OTL to your Desktop
Secondary link

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users
  • Under the Custom Scan box paste this in:

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
TCPIP.*
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

The aswMBR scan won’t work. The PC crashes within 2 seconds of the scan beginning. Happened 3 times over.

The Extras.txt doesn’t seem to be anywhere, so I’ll re-scan and post in a few when it’s done. I’ve attached the OTL.txt.

EDIT: Re-ran the scan and the Extras file won’t generate. 100% positive now that it is an FP.

http://i.imgur.com/n2WTa.png?1

[2008/06/20 05:51:12 | 000,361,600 | ---- | M] Unable to obtain MD5 – C:\WINDOWS\system32\drivers\tcpip.sys

Very suspicious; now whether it is related to PeerBlock I am not sure.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Ninja’ed, see my above edit :P

OK, I am just going to flash up my XP to check it out.

Running a system32 scan on my XP now.

Just completed, nothing detected, so maybe not an FP.

Is your XP vanilla (SP2/SP3 with no subsequent updates installed)? Could be that an update somewhere along the road made tcpip suspicious to Avast.

I think it is an FP though. I mean… what are the chances of multiple people around the world having an infected tcpip on the same day, from different areas of the world?

No, it is fully updated, even if it is a VM.

Hmm. This is rather odd. I’ll give it a few days though to see if anything untoward happens. As it is now I’m not seeing any out of place disk reads or network usage and my PC hasn’t slowed down.

If anything goes wonky then I shall run ComboFix or just nuke it using the recovery partition.

Thanks for all your help so far (hope Avast is paying you ;D)

OK, it was confirmed as an FP and the next streaming update will rectify it.

Well that didn’t take too long.

The PC crashed earlier and when I rebooted, the Web and Mail shields were down along with the Windows built-in firewall. I couldn’t turn the shields back on, so I uninstalled, and the Windows firewall wouldn’t turn on either.

Rebooted again and PeerBlock wasn’t able to start (couldn’t load the packet filtering driver). I tried the fix described here: http://answers.microsoft.com/en-us/windows/forum/windows_xp-networking/windows-cannot-display-firewall-settings-xp-sp3/1e829738-9bd2-4f5d-95b4-467d3945930a and apparently the DLLs are missing (even though a search turns them up :o )

Rebooted again and now I have no internet connection. The system can’t detect the NIC, even though it’s enabled and visible in Device Manager.

Looks like it’s time to fire up my Puppy Linux live CD and try to back up over the network *rolls eyes*.

A fix has been released: http://www.avastantivirus.ro/files/avastfix.zip