Author Topic: False Positive or Lightning fast drive-by?  (Read 9649 times)


emc_2

  • Guest
False Positive or Lightning fast drive-by?
« on: December 05, 2012, 07:03:31 PM »
As soon as I clicked on this link http://ipt.czechbattlefield.info/ (the site is a fansite for EA's game Battlefield Play4Free; it lists prices for the items in the game) and the page loaded, I had an alert box pop up saying my tcpip.sys file was infected with "Win32:Malware-gen". Seeing as I have Avast scanning hourly via the screensaver scan, I believe this was the result of a drive-by attack.

Running in safe mode I was able to upload the file to VirusTotal and this was the result: https://www.virustotal.com/file/21eb48314d6a96334dca69390c9e1d36be28d396a24db94e72b8baeac9cb601a/analysis/1354728316/

Running normally, the file was locked and the MD5 hash could not be calculated (it returned a string of zeroes and would not upload to VT). I downloaded and ran MBAM in safe mode and there were no results, then ran TDSSKiller and it did turn up a few results, including tcpip.sys. Here's the TDSSKiller logfile (the result is at line #593): http://pastebin.com/Rv7pbLz4 (I wasn't sure whether or not I should include the long file in my post.)

If I can provide any more information, please tell me what is desired and I'll post it.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: False Positive or Lightning fast drive-by?
« Reply #1 on: December 05, 2012, 07:05:46 PM »
The VT result seems like an FP.

First seen by VirusTotal
 2009-03-03 12:47:55 UTC ( 3 years, 9 months ago )



Quote
I downloaded and ran MBAM in safe mode and there were no results,
Malwarebytes is designed to work best in normal mode. Only use safe mode if it does not run.

« Last Edit: December 05, 2012, 07:07:51 PM by Pondus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: False Positive or Lightning fast drive-by?
« Reply #2 on: December 05, 2012, 07:11:59 PM »
Looking at the TDSSKiller results, all it is saying is that the TCPIP.sys is not a Microsoft file, so it may be a specific one for one of your programmes.

emc_2

Re: False Positive or Lightning fast drive-by?
« Reply #3 on: December 05, 2012, 07:14:42 PM »
Quote
The VT result seems like an FP.

First seen by VirusTotal
 2009-03-03 12:47:55 UTC ( 3 years, 9 months ago )

But why would Avast be alerting me now, after over 4 months with no incidents and at the exact time I click on a strange link?

Quote
I downloaded and ran MBAM in safe mode and there were no results,
Malwarebytes is designed to work best in normal mode. Only use safe mode if it does not run.

Looks like I'll be rebooting into normal and re-scanning then  :)

emc_2

Re: False Positive or Lightning fast drive-by?
« Reply #4 on: December 05, 2012, 08:04:32 PM »
Ran MBAM in normal mode, no results. I checked for other tcpip.sys files and it seems I have 4 total...

I keep getting alerts to block or delete tcpip; blocking works for 2 minutes and then the cycle begins anew. Moving it to quarantine does nothing. Think it would be possible to delete the "infected" file and replace it with another, assuming there's a hash match?

Offline essexboy

Re: False Positive or Lightning fast drive-by?
« Reply #5 on: December 05, 2012, 08:12:33 PM »
Could you run aswMBR for me please?

Download aswMBR.exe ( 4.5mb ) to your desktop.
  • Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • On completion of the scan click Save log, save it to your desktop and post it in your next reply.

THEN

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in:
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
TCPIP.*
/md5stop
CREATERESTOREPOINT
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs.

emc_2

Re: False Positive or Lightning fast drive-by?
« Reply #6 on: December 05, 2012, 08:56:58 PM »
The aswMBR scan won't work. PC crashes within 2 seconds of the scan beginning. Happened 3 times over.

The Extras.txt doesn't seem to be anywhere, so I'll re-scan and post in a few when it's done. I've attached the OTL.txt.

EDIT: Re-ran the scan again and the extras file won't generate. 100% positive now that it is a FP.

« Last Edit: December 05, 2012, 09:17:36 PM by emc_2 »

Offline essexboy

Re: False Positive or Lightning fast drive-by?
« Reply #7 on: December 05, 2012, 09:12:56 PM »
[2008/06/20 05:51:12 | 000,361,600 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\tcpip.sys
Very suspicious; now whether it is related to PeerBlock I am not sure.

Download and Install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
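Reply #4 asks whether one of the four tcpip.sys copies could replace the flagged one "assuming there's a hash match", and the OTL line above shows the hash of the live driver could not be obtained at all. The script below is an added example, not from the thread or from any of the tools named in it: it streams MD5 and SHA-256 over every copy it can open, groups identical copies, flags which ones equal the SHA-256 from the VirusTotal link in the first post, and records locked or missing files with the OS error instead of a zeroed hash. The driver locations other than C:\WINDOWS\system32\drivers\tcpip.sys are assumed typical XP paths, not taken from the thread.

```python
import hashlib
import sys

# SHA-256 of the poster's tcpip.sys, taken from the VirusTotal link in the thread.
REFERENCE_SHA256 = "21eb48314d6a96334dca69390c9e1d36be28d396a24db94e72b8baeac9cb601a"

# Assumed locations where Windows XP keeps copies of a driver; only the first
# path appears in the thread (the OTL log line). Adjust for the machine at hand.
DEFAULT_CANDIDATES = [
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\dllcache\tcpip.sys",
    r"C:\WINDOWS\ServicePackFiles\i386\tcpip.sys",
]


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, streaming so the file is never read whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def compare_copies(paths, reference_sha256=REFERENCE_SHA256):
    """Hash each copy, group identical ones and flag those matching the VT sample.
    Files that cannot be opened (locked, missing) go under "unreadable" with the
    OS error text rather than being reported as a string of zeroes.
    """
    report = {"copies": {}, "unreadable": {}, "groups": {}}
    for path in paths:
        try:
            md5, sha256 = hash_file(path)
        except OSError as exc:
            report["unreadable"][str(path)] = str(exc)
            continue
        report["copies"][str(path)] = {"md5": md5, "sha256": sha256, "matches_reference": sha256 == reference_sha256.lower()}
        report["groups"].setdefault(sha256, []).append(str(path))
    return report


if __name__ == "__main__":
    result = compare_copies(sys.argv[1:] or DEFAULT_CANDIDATES)
    for path, info in result["copies"].items():
        verdict = "same as VT sample" if info["matches_reference"] else "differs from VT sample"
        print(f"{path}\n  md5={info['md5']}\n  sha256={info['sha256']}  [{verdict}]")
    for path, err in result["unreadable"].items():
        print(f"{path}: could not hash ({err})")
    print(f"{len(result['groups'])} distinct version(s) among {len(result['copies'])} readable copies")
```

Pass explicit paths on the command line to override the assumed list; a copy that hashes identically to the flagged driver tells you nothing new, while a differing backup copy is worth comparing against Microsoft's published file versions before touching anything.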
 



emc_2

Re: False Positive or Lightning fast drive-by?
« Reply #8 on: December 05, 2012, 09:18:45 PM »
Ninja'ed see my above edit :P

Offline essexboy

Re: False Positive or Lightning fast drive-by?
« Reply #9 on: December 05, 2012, 09:23:00 PM »
OK, I am just going to flash up my XP to check it out.

Offline essexboy

Re: False Positive or Lightning fast drive-by?
« Reply #10 on: December 05, 2012, 09:34:02 PM »
Running a system32 scan on my XP now.

Offline essexboy

Re: False Positive or Lightning fast drive-by?
« Reply #11 on: December 05, 2012, 09:34:54 PM »
Just completed, nothing detected, so maybe not an FP.

emc_2

Re: False Positive or Lightning fast drive-by?
« Reply #12 on: December 05, 2012, 09:58:16 PM »
Is your XP vanilla (SP2/SP3 with no subsequent updates installed)? Could be that an update somewhere along the road made tcpip suspicious to Avast.

I think it is an FP though. I mean... what are the chances of multiple people around the world having an infected tcpip on the same day, from different areas of the world?

Offline essexboy

Re: False Positive or Lightning fast drive-by?
« Reply #13 on: December 05, 2012, 10:07:34 PM »
No, it is fully updated, even if it is a VM.

emc_2

Re: False Positive or Lightning fast drive-by?
« Reply #14 on: December 05, 2012, 10:20:30 PM »
Hmm. This is rather odd. I'll give it a few days though to see if anything untoward happens. As it is now I'm not seeing any out of place disk reads or network usage and my PC hasn't slowed down.

If anything goes wonky then I shall run ComboFix or just nuke it using the recovery partition.

Thanks for all your help so far (hope Avast is paying You  ;D)