# IP protocol malware



## Heritagefarm (Feb 21, 2010)

I have malware that has hijacked the computer's IP protocol. Avast antivirus has identified the file tcpip.sys as infected, but cannot do anything about it. It keeps asking me if I want to delete it. I tell it yes, it then says it cannot delete it. I've tried safe mode, it still works there. It has blocked Spybot S&D from opening, and will not allow me to download spyware or malware programs. There is also another file in DRIVERS called tcpip6.sys. Otherwise, I cannot figure out what to do since it will not let me download any spyware programs. It also redirects me all over the place, on search engines.


----------



## arabian knight (Dec 19, 2005)

Have you tried a "System Restore"? And set the computer back in time before it started acting up?


----------



## Nevada (Sep 9, 2004)

Heritagefarm said:


> I have malware that has hijacked the computer's IP protocol. Avast antivirus has identified the file tcpip.sys as infected, but cannot do anything about it. It keeps asking me if I want to delete it. I tell it yes, it then says it cannot delete it. I've tried safe mode, it still works there. It has blocked Spybot S&D from opening, and will not allow me to download spyware or malware programs. There is also another file in DRIVERS called tcpip6.sys. Otherwise, I cannot figure out what to do since it will not let me download any spyware programs. It also redirects me all over the place, on search engines.


Boot into safe mode and login as administrator. Then see if Avast can remove it.


----------



## Heritagefarm (Feb 21, 2010)

I tried safe mode, and the malware still worked. I did not try deleting the file. I did, however, use command prompt and type "netsh int ip reset resetlog.txt" to rewrite the TCP/IP driver. I could do a system restore.


----------



## Kari (Mar 24, 2008)

Heritagefarm said:


> I tried safe mode, and the malware still worked. I did not try deleting the file. I did, however, use command prompt and type "netsh int ip reset resetlog.txt" to rewrite the TCP/IP driver. I could do a system restore.



Sorry to tell you, resetting the TCP/IP stack does not re-write the tcpip.sys driver.

If you can get the pc into safe mode without networking, try renaming the file, as on normal bootup Windows should replace the file from its cache... _only if this is a legit Windows file and not an imposter file._

Once the pc is running, you probably will not be able to get to any legit website with IE, as the malware may have installed an IE add-on that is preventing normal web browsing. What happens with Firefox if you have it installed?

Also, the hosts file may have been hi-jacked/edited. Look at c:\windows\system32\drivers\etc\hosts.

Typically this file looks like:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1 localhost


If this file has anything else in it, paste the contents here.
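A quick way to carry out the check Kari describes, as an added example that is not from the thread: a Python script that parses a Windows hosts file, treats entries inside the Spybot block as expected, and flags entries that redirect a host to another address or send security-vendor or search-engine domains to loopback. The WATCH list and the sample file are constructed assumptions, not the poster's real file.

```python
import ipaddress
SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"
# Domains an infection typically blackholes or redirects (assumed list).
WATCH = ("malwarebytes.org", "safer-networking.org", "avast.com",
         "microsoft.com", "google.com")

def audit_hosts(text):
    """Return (line_no, kind, hostname, ip) for entries worth a look.
    'redirect': host sent to a non-loopback address; 'blocked': a WATCH
    domain sent to loopback; 'review': other loopback mapping outside
    the Spybot block (Spybot only writes 127.0.0.1 inside its block)."""
    findings, in_block = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == SPYBOT_START:
            in_block = True
        elif line == SPYBOT_END:
            in_block = False
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver skips it as well
        for name in fields[1:]:
            host = name.lower()
            if host == "localhost":
                continue
            if not ip.is_loopback:
                findings.append((n, "redirect", name, str(ip)))
            elif any(host == w or host.endswith("." + w) for w in WATCH):
                findings.append((n, "blocked", name, str(ip)))
            elif not in_block:
                findings.append((n, "review", name, str(ip)))
    return findings

# Constructed sample, not the thread's real file: a Spybot block plus
# three entries of the kind a hijacked hosts file would carry.
SAMPLE = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1\t007guard.com
127.0.0.1\tdownload.antispywarebot.com
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.malwarebytes.org  # vendor site blackholed
203.0.113.5 www.google.com      # search engine redirected
127.0.0.1 intranet.example      # user-added, outside the block
"""
```

Run it against the real file with `audit_hosts(open(r"C:\Windows\System32\drivers\etc\hosts").read())`; the thousands of Spybot immunisation entries produce no findings, so only the suspicious lines are printed.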


----------



## Heritagefarm (Feb 21, 2010)

Hi,
The malware works with Chrome, IE, and Firefox. I haven't tried Safari yet. (I have a lot of browsers.) However, and WOW, the HOSTS file is scary; evidently it hijacked Spybot:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy


And so on and so forth. The list is several thousand links long.


----------



## Kari (Mar 24, 2008)

Those 127.0.0.1 entries are fine and are designed to prevent your pc from visiting malicious websites. It could be that the hosts file is still hi-jacked with other entries. Try renaming the file to hostsold, close out of any browser, then re-open, for example, Firefox.

Can you now get to a proper website such as Malwarebytes? If so, download then run this legit anti-malware program. Also download then install MS Security Essentials.


----------



## Heritagefarm (Feb 21, 2010)

I've downloaded Malwarebytes. It won't open.


----------



## Kari (Mar 24, 2008)

With some malware, programs such as Malwarebytes get blocked from running. Did you try MS Security Essentials yet? Another program to try is SUPERAntiSpyware.


----------



## Heritagefarm (Feb 21, 2010)

Well, no, because last time I ran 2 antiviruses at the same time they tangled up and crashed the computer.

I've also got Spybot, which won't open. When I reset the TCP/IP, though, I was able to download the Malwarebytes program. Thanks for the help!


----------



## Heritagefarm (Feb 21, 2010)

It will not install Superantispyware. Irk, this is getting very annoying. :hrm:


----------

