
FSS flags TCPIP.sys , TDSS Killer OK's it


#1 john_incircuit

john_incircuit

  • Members
  • 19 posts

Posted 29 May 2012 - 07:27 PM

On both of my Vista / WIN 7 PCs, the Farbar FSS scanner shows that TCPIP.sys has an incorrect MD5, but the Kaspersky TDSS Killer OK's the TCPIP.sys driver. Is this just a false positive from FSS?

PCs are all up to date, they all work OK, no redirects, no files flagged in Norton.

John

====

Farbar Service Scanner Version: 27-05-2012
C:\Windows\system32\Drivers\tcpip.sys [2012-05-11 08:40] - [2012-03-30 08:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91

====

TDSS rootkit removing tool 2.7.38.0 May 25 2012

11:48:48.0607 5724 Tcpip (27d470dabc77bc60d0a3b0e4deb6cb91) C:\Windows\system32\drivers\tcpip.sys
11:48:48.0701 5724 Tcpip - ok
11:48:48.0716 5724 Tcpip6 (27d470dabc77bc60d0a3b0e4deb6cb91) C:\Windows\system32\DRIVERS\tcpip.sys
11:48:48.0763 5724 Tcpip6 - ok
====


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 29 May 2012 - 09:15 PM

FSS doesn't flag tcpip.sys as infected; it is clear from the FSS log that tcpip.sys is clean:

A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91

Edited by narenxp, 29 May 2012 - 09:16 PM.


#3 john_incircuit

john_incircuit
  • Topic Starter

  • Members
  • 19 posts

Posted 29 May 2012 - 09:42 PM

FSS doesn't flag tcpip.sys as infected; it is clear from the FSS log that tcpip.sys is clean:

A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91



Thanks for the quick reply. Why wouldn't FSS just list the TCPIP driver as "MD5 is legit"?

#4 john_incircuit

john_incircuit
  • Topic Starter

  • Members
  • 19 posts

Posted 29 May 2012 - 10:39 PM

OK, think I found the answer. Here is what Farbar wrote at http://www.bleepingcomputer.com/forums/topic441075.html

"The tool has a database that will be updated from time to time to make a judgment if a MD5 is legit. The newest legit version of a file or the very old version (on a CD or DVD) are intentionally left out from the database. The old ones are left out to emphasize the need for updating to be safe and the newest ones are not yet studied to establish that their MD5 is legit. So listing MD5 instead of reporting a file doesn't necessarily mean it is not legit. But a file without company name is always a bad file."
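Farbar's rule above can be turned into a mechanical cross-check of the two logs quoted in the first post. The following is an added Python example, not code from FSS, TDSSKiller or anyone in this thread; the regular expressions are my assumptions about the two log formats, based only on the lines shown here, and the sample lines are copied from the first post.

```python
import re

# Sample input constructed from the lines quoted in the first post.
FSS_LINE = (r"C:\Windows\system32\Drivers\tcpip.sys [2012-05-11 08:40] - "
            r"[2012-03-30 08:39] - 0905600 ____A (Microsoft Corporation) "
            "27D470DABC77BC60D0A3B0E4DEB6CB91")
TDSS_LOG = r"""
11:48:48.0607 5724 Tcpip (27d470dabc77bc60d0a3b0e4deb6cb91) C:\Windows\system32\drivers\tcpip.sys
11:48:48.0701 5724 Tcpip - ok
11:48:48.0716 5724 Tcpip6 (27d470dabc77bc60d0a3b0e4deb6cb91) C:\Windows\system32\DRIVERS\tcpip.sys
11:48:48.0763 5724 Tcpip6 - ok
"""

# Assumed layouts: FSS "path [date] - [date] - size attrs (company) MD5";
# TDSSKiller "time pid service (md5) path" followed by "time pid service - verdict".
FSS_RE = re.compile(r"^(?P<path>\S+) \[.*?\] - \[.*?\] - (?P<size>\d+) \S+ "
                    r"(?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})$")
TDSS_HASH_RE = re.compile(r"^\S+ \d+ (?P<svc>\S+) \((?P<md5>[0-9A-Fa-f]{32})\) (?P<path>.+)$")
TDSS_VERDICT_RE = re.compile(r"^\S+ \d+ (?P<svc>\S+) - (?P<verdict>\S+)$")

def parse_fss(line):
    """Split one FSS driver line into path, size, company (may be None) and MD5."""
    m = FSS_RE.match(line)
    if not m:
        raise ValueError("not an FSS file line")
    d = m.groupdict()
    d["md5"] = d["md5"].lower()
    return d

def parse_tdss(log):
    """Return {service: (md5, path, verdict)} from TDSSKiller log lines."""
    hashes, verdicts = {}, {}
    for line in log.splitlines():
        if (m := TDSS_HASH_RE.match(line)):
            hashes[m["svc"]] = (m["md5"].lower(), m["path"])
        elif (m := TDSS_VERDICT_RE.match(line)):
            verdicts[m["svc"]] = m["verdict"]
    return {s: (h, p, verdicts.get(s)) for s, (h, p) in hashes.items()}

def assess(fss, tdss):
    """Apply Farbar's stated rule: a listed MD5 with a company name only means
    the hash is not in the FSS database; a missing company name means bad.
    Then check whether TDSSKiller saw the same hash on the same file and said ok."""
    if not fss["company"]:
        return "bad: no company name"
    same = [s for s, (h, p, v) in tdss.items()
            if h == fss["md5"] and p.lower() == fss["path"].lower()]
    if same and all(tdss[s][2] == "ok" for s in same):
        return "unknown to FSS database; same hash reported ok by TDSSKiller"
    return "unknown to FSS database; not confirmed by TDSSKiller"
```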

#5 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 29 May 2012 - 11:11 PM

"So listing MD5 instead of reporting a file doesn't necessarily mean it is not legit. But a file without company name is always a bad file."

:thumbup2:

Edited by narenxp, 29 May 2012 - 11:12 PM.


#6 john_incircuit

john_incircuit
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:03:31 PM

Posted 30 May 2012 - 09:08 AM

Thanks for the clarification --- John

#7 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 30 May 2012 - 10:15 AM

You're welcome :)



