
tcpip.sys virus

This morning I turned on the laptop, checked my Yahoo email (did not click on any link or download any file), and went off to have breakfast. When I came back NIS said I had to reboot to get rid of threats it had found. I rebooted and looked at the history. It said it found a high risk virus and the details it gave were: tcpip.sys and WS.Malware.2.

There was also a red warning sign on the NIS systray icon saying email attachments were not being scanned, so I clicked on "Fix Now" (several times)  but it wouldn't fix it.

The problem is that my internet connection on the laptop is gone. The wireless appears connected (i.e., it would appear that it can get as far as the router) but I cannot access anything on the internet.

I tried restoring the tcpip.sys file from quarantine and I even copied it onto the system32\drivers folder, but no joy. I did a Windows XP disk cleanup, rebooted, and even disabled NIS, still no joy.

I had done a version update of NIS 2 days ago and I suspect this is NIS messing up and wreaking havoc with my system.

What should I do now, given that I do not have my Win XP CD? Should I download the TCP IP file from somewhere else and try to copy it back to where it belongs?

Replies

Kudos0

Re: tcpip.sys virus

I did a "netsh int ip reset tcpip.sys" command and this has restored my internet connection. Not only that but now NIS is not complaining that my email attachments are not being scanned.

Out of curiosity, I right clicked on the "restored" tcpip.sys file in the system32\drivers folder and scanned it with NIS; no problems. However, the original tcpip.sys file which I have a copy of on the desktop still comes up as a WS.Malware.2 on NIS.

Should I just do a full system scan and forget about the other stuff that happened (the email attachment issue which appears to have been resolved for now, and the tcpip.sys file)?

I am especially interested to know if the netsh int ip reset command resets the file to an uncorrupted version, or could it still have viruses?

Thank you

Kudos0

Re: tcpip.sys virus

In fact I suspect this may have something to do with another issue I had with NIS a couple of days ago:

http://community.norton.com/t5/Norton-Internet-Security-Norton/3048-3-reucurring/m-p/1071353/highlight/true#M251340

I think it's a bug in NIS, I mean this business of "Support" / "Get Support".

Kudos0

Re: tcpip.sys virus

Did a full system scan with NIS, came up clean. Then, I did an individual scan of a copy of the (supposedly) corrupted tcpip.sys file which I had placed in the windows\system32 folder, and this time NIS flagged it as a virus. It asked for a reboot, which I did.

What is going on?

1 - How come NIS did not catch the suspect file with the full system scan but it caught it in the individual file scan immediately afterwards?

2 - Is that tcpip.sys file really corrupted?

3 - Following from point 1, does NIS really work?

I am at a loss here!

Kudos0

Re: tcpip.sys virus

Hi kooduav:

I see from your other thread that you are using NIS v. 21.0.1.18, but could you please post back and let us know your Windows OS as well?

The technical details here show that WS.Malware.2 is a low risk generic detection and state that "These security risks do not meet the definitions of spyware, adware, hacktool, or other security risk categories, but may present a risk to a computer and its data, an unwanted nuisance to the user, or exhibit other unexpected results."  This detection was likely a false positive but there are a few things you can do to ensure the tcpip.sys flagged by NIS is a legitimate Microsoft file.

First, could you please check the properties of both tcpip.sys files (i.e., the file on your desktop as well as in C:\Windows\system32\drivers).  Browse to each file from Windows Explorer, right-click on the file name, and choose Properties from the pop-up context menu.  My OS is 32-bit Vista so your tcpip.sys file properties might be slightly different, but can you click on the Digital Signatures tab and confirm that both files are digitally signed by Microsoft?

Then submit both files to VirusTotal at www.VirusTotal.com for analysis - click Choose File, browse to the location of the tcpip.sys file, and then click the Scan it! button.  Does an analysis of the SHA256 hash tag show that both files are safe?  In my case my C:\Windows\system32\drivers\tcpip.sys file has a detection rate of 0/28 and is deemed safe.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 26.0 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS
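The signature and hash check Imacri describes above can be done from a PowerShell prompt instead of clicking through Explorer and the VirusTotal upload form. This is an added example and not from the thread or from Norton; the two file paths are assumptions (the desktop copy may sit elsewhere on your machine), and it only reads the files, so it is safe to run on a flagged copy.

```powershell
# Added example: compare the live TCP/IP driver with the copy that NIS flagged.
# Paths are assumptions; adjust them to wherever the copy actually lives.
$live = 'C:\Windows\system32\drivers\tcpip.sys'
$copy = Join-Path $env:USERPROFILE 'Desktop\tcpip.sys'

# SHA256 via .NET so it also works on PowerShell versions that lack Get-FileHash.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Get-DriverReport([string[]]$Paths) {
    foreach ($f in $Paths) {
        if (-not (Test-Path -LiteralPath $f)) { Write-Warning "missing: $f"; continue }
        # Status is Valid / NotSigned / HashMismatch etc. for embedded Authenticode signatures.
        $sig = Get-AuthenticodeSignature -FilePath $f
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        New-Object PSObject -Property @{
            Path   = $f
            Status = $sig.Status
            Signer = $signer
            SHA256 = Get-Sha256Hex $f   # paste this into VirusTotal's search box
        }
    }
}

$report = Get-DriverReport $live, $copy
$report | Format-List Path, Status, Signer, SHA256

# Identical hashes mean the desktop copy is byte-for-byte the same driver,
# so any detection difference is down to where the file sits, not its content.
if ($report.Count -eq 2 -and $report[0].SHA256 -eq $report[1].SHA256) {
    'Both files are identical.'
} else {
    'Files differ (or one is missing); compare each SHA256 on VirusTotal.'
}
```

One caveat: on Windows XP/Vista many Microsoft drivers are signed through a catalog file rather than an embedded signature, so Status can read NotSigned and the Digital Signatures tab can be absent on a genuine file; the File Signature Verification utility (sigverif) mentioned later in this thread does check catalogs and is the better tool for that question on XP.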

Kudos0

Re: tcpip.sys virus

Hi Imacri and thank you for your reply.

I am using XP Service Pack 3.

I submitted the file in system32\drivers to virustotal.com and it says it is probably safe (0/45 detection ratio). The copy that was on the desktop is in the NIS quarantine now.

I also ran the Windows File Signature Verification utility and the file in question was not in the list of files without digital signatures.

I think you're right that it was a false positive, but it sure scared and inconvenienced me (and all the board members who were kind enough to reply).

Still I cannot fathom what made it pop up; and even more seriously, why did NIS not pick it up in the Full System Scan, while it did pick it up in the individual file scan?

Anyway, if you think that no more need be done then I'm fine with that.

Kudos2

Re: tcpip.sys virus

My guess is that Full System scan uses the virus def's locally on your system, while Norton Sonar Protection and Norton Insight Protection use an online database as well.

Windows 7 Home Premium x64 SP1 *** Norton 360 v21.6.0.32
Kudos1

Re: tcpip.sys virus


kooduav wrote:

I did a "netsh int ip reset tcpip.sys" command and this has restored my internet connection. Not only that but now NIS is not complaining that my email attachments are not being scanned.

Out of curiosity, I right clicked on the "restored" tcpip.sys file in the system32\drivers folder and scanned it with NIS; no problems. However, the original tcpip.sys file which I have a copy of on the desktop still comes up as a WS.Malware.2 on NIS.


Hi kooduav:

I'm not a networking specialist but it sounds like the netsh command you used was sufficient to re-install and reset your TCP/IP protocol driver.  Monitor your system for a few more days and post back if you think you still have problems.

Since the tcpip.sys file that was on your desktop is now in quarantine I can't tell you if it was corrupted, but it's always possible that NIS thought it was a suspicious file because it was not located in the normal C:\Windows\system32\drivers folder where NIS expected it to be.  Krusty13's comment in message # 7 about virus definitions that are stored locally vs. those hosted in the "cloud" on the Symantec servers might make more sense, though, since WS.Malware.2 is a cloud-based detection that hasn't been updated since September 2011.

In future if you'd like to check the status of your Windows system files, there are diagnostic tools in Windows XP like ChkDsk (chkdsk /f /r) and System File Checker (sfc /scannow) - see my post here for further details.  Even if you don't have a Win XP CD, System File Checker can often use a backup copy of important system files that Windows stores in a hidden folder to repair damaged system files.  Simply copying important system files like the tcpip.sys driver to a folder often causes problems unless the file is properly registered and configured in the Windows registry, which is probably what your netsh command accomplished.

------------
MS Windows Vista Home Premium 32-bit SP2 * Firefox 26.0 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS

Kudos3

Re: tcpip.sys virus

Hello

I think it was flagged as suspicious when the file was on the desktop. That is not the normal location for that file, so therefore it was flagged as suspicious. When the same file is in its proper location, then it would not be suspicious and therefore not flagged by your Norton product. That's my idea.

Success always occurs in private and failure in full view.
