TCPIP.SYS Trojan Agent

alch
Site Admin
Could you scan the C:\WINDOWS\system32\drivers\tcpip.sys file on https://www.virustotal.com and let us know what other scanners think about it?
dshuman552
I believe this indicates the file appears to be clean.

| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.11.14.0 | 2007.11.13 | - |
| AntiVir | 7.6.0.34 | 2007.11.13 | - |
| Authentium | 4.93.8 | 2007.11.14 | - |
| Avast | 4.7.1074.0 | 2007.11.13 | - |
| AVG | 7.5.0.503 | 2007.11.13 | - |
| BitDefender | 7.2 | 2007.11.14 | - |
| CAT-QuickHeal | 9.00 | 2007.11.13 | - |
| ClamAV | 0.91.2 | 2007.11.14 | - |
| DrWeb | 4.44.0.09170 | 2007.11.14 | - |
| eSafe | 7.0.15.0 | 2007.11.13 | - |
| eTrust-Vet | 31.2.5293 | 2007.11.13 | - |
| Ewido | 4.0 | 2007.11.13 | - |
| FileAdvisor | 1 | 2007.11.14 | - |
| Fortinet | 3.11.0.0 | 2007.10.19 | - |
| F-Prot | 4.4.2.54 | 2007.11.14 | - |
| F-Secure | 6.70.13030.0 | 2007.11.14 | - |
| Ikarus | T3.1.1.12 | 2007.11.14 | - |
| Kaspersky | 7.0.0.125 | 2007.11.14 | - |
| McAfee | 5162 | 2007.11.13 | - |
| Microsoft | 1.3007 | 2007.11.12 | - |
| NOD32v2 | 2656 | 2007.11.13 | - |
| Norman | 5.80.02 | 2007.11.13 | - |
| Panda | 9.0.0.4 | 2007.11.14 | - |
| Prevx1 | V2 | 2007.11.14 | - |
| Rising | 20.18.11.00 | 2007.11.13 | - |
| Sophos | 4.23.0 | 2007.11.14 | - |
| Sunbelt | 2.2.907.0 | 2007.11.14 | - |
| Symantec | 10 | 2007.11.14 | - |
| TheHacker | 6.2.9.127 | 2007.11.14 | - |
| VBA32 | 3.12.2.4 | 2007.11.11 | - |
| VirusBuster | 4.3.26:9 | 2007.11.13 | - |
| Webwasher-Gateway | 6.0.1 | 2007.11.13 | - |

Additional information
File size: 359808 bytes
MD5: 1dbf125862891817f374f407626967f4
SHA1: a502d0d6c3a4dd995a3554347b04fbb51dd05901
GuitarBob
I had the same trojan notice today with tcpip.sys when I did my c:\Windows scan with ClamWin. I uploaded it to Jotti, but no AV found anything--including Clam on Jotti. I submitted a file to Clam with an explanation. I just noticed that they didn't do anything with it according to a recent signature update report. I have rescanned my Windows directory a couple of times since then with ClamWin, and it doesn't find anything, so something has changed.
I did a ClamWin signature update just prior to scanning the first time, and Jotti probably doesn't update as often as I do, so that might be why Jotti's version of Clam missed the file I uploaded. At any rate, my problem appears to have been corrected. I wonder if the Clam people re-tuned their signature without saying so. I suggest you rescan your files in which ClamWin previously found malware and see what the status is now. It's probably okay. If it isn't, send the Clam people a message--maybe to Luca Gibelli. I think you will get an answer from him.
Regards,
drgoa.r
It seems that we are talking about a patched tcpip.sys, right?
I uploaded mine and also the backup of the original file: on the patched one ClamAV found the trojan (on the VirusTotal site). Anyway, it seems that something went wrong with the last updates, because I patched my tcpip.sys many months ago, and ClamAV/WIN did not find anything until now. Database used: till daily-4764 after update - tcpip.sys not reported anymore
GuitarBob
I think you are right about the patched file, dr... I did my Windows update yesterday just before I ran the first scan where I saw the infected tcpip.sys. And there could have been other files patched too--one patch I didn't need. Looks like Clam adjusted something since then--don't get any infected message now.
Regards,
dshuman552
ClamWin quarantined the files (tcpip.sys) - 4 versions. I am rescanning the quarantined files instead of the active ones with https://www.virustotal.com. I believe quarantined files are skipped in subsequent scans, so it is not surprising the problem is not found in subsequent scans.
GuitarBob
I only scanned the Windows directory, so there was only one file to worry about. I wouldn't quarantine anything. I prefer to keep a suspect file where it is and upload it to Jotti/VirusTotal for confirmation. If you get a false positive on an important system file and quarantine it, you will lose access to Windows--it happened to me once.
Anyway, the problem has been fixed because subsequent scans don't show any infection since the original infection notice.
Regards
drgoa.r
Yes, I can confirm it too: after a few daily db updates, tcpip.sys is no longer detected as a trojan.
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.