mihailsolovey

HEUR:Trojan.Win32.Generic [Solved]

Hi. Today our Kaspersky detected a virus HEUR:Trojan.Win32.Generic in c:\Windows\System32\drivers\tcpip.sys. Kaspersky couldn't do anything with it and placed the virus in quarantine. After reboot, the PC network card doesn't work. Please help! The virus has already attacked a lot of computers on the network. Please HELP!!!


Hello!

Please be informed that this is not a virus, it is a false positive.

Please DO NOT REBOOT affected machines.

We will keep you updated.

Hello!

Please be informed that this is not a virus, it is a false positive.

Please DO NOT REBOOT affected machines.

We will keep you updated.

 

Thank you for quick answer! I'll wait!

Hi. Today our Kaspersky detected a virus HEUR:Trojan.Win32.Generic in c:\Windows\System32\drivers\tcpip.sys. Kaspersky couldn't do anything with it and placed the virus in quarantine. After reboot, the PC network card doesn't work. Please help! The virus has already attacked a lot of computers on the network. Please HELP!!!

 

Hello,

 

I work for Kaspersky and I wanted to let you know that this is not a virus. Kaspersky has identified an issue and there is a workaround available. Also, the official fix will be released in an hour to an hour and a half.

 

Proposed workaround:

1) Create an exclusion for tcpip.sys for file AV

2) Disable “File antivirus”

3) Restore tcpip.sys from quarantine

 

 

If the TCPIP file was deleted, then you will need to restore the file locally after following steps 1-3 as listed above.


The exact same thing happened to me. I wish I would have seen this forum first. I already restarted the computer. Out of 40 computers on our network, this is the only one that had this message pop up, so I figured it was legitimate.

 

After I saw this, I restored the file from quarantine and disabled Kaspersky and restarted the computer again. The network card is still not working. Any idea what I can do to fix this?

 

The workstation is a Dell OptiPlex 790 running 32bit Windows 7 Professional.

 

Any help would be appreciated.

 

Thanks!


PLEASE DO NOT REBOOT ANY AFFECTED COMPUTERS!

We will provide you with the new steps of the workaround/solution as soon as possible.

We are very sorry for the inconvenience.


Hello,

 

Please be advised of the change to the steps that were posted earlier for this workaround.

 

Proposed workaround:

1) Create an exclusion for tcpip.sys for file AV

2) Disable “File antivirus”

3) Restore tcpip.sys from quarantine

4) Re-enable File AV, at this point all should be ok

 

If the TCPIP file was deleted, then you will need to restore the file locally after following steps 1-3 as listed above.

 

** Please only perform this on one test machine prior to performing this across the network.

 

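
An added triage script for the states this thread distinguishes (tcpip.sys still on disk vs. removed, machine rebooted vs. not, driver registry entry present vs. missing); it is not the thread's or Kaspersky's code. The thread never names the affected registry entry, so checking the Tcpip service key, and the default detection time, are my assumptions.

```powershell
# Added triage script for one affected workstation; not from the thread or from Kaspersky.
# Reports the facts the thread's advice depends on: is tcpip.sys still on disk, was the
# box rebooted since the detection, and is the driver's service key still in the registry.
# Written for PowerShell 2.0 (Windows 7), so Get-WmiObject is used instead of Get-CimInstance.
param([datetime]$DetectionTime = (Get-Date).AddHours(-2))  # assumed default; pass the real time

$driver = Join-Path $env:SystemRoot 'System32\drivers\tcpip.sys'
# Assumption: the thread never names the registry entry; the driver's own service key is
# the first place a defender would look.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'

function Get-Sha256([string]$Path) {
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $fs = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

# 1. Is the driver file still where Windows expects it?
$fileOk = Test-Path $driver
Write-Host "tcpip.sys present: $fileOk"

# 2. If present, confirm it is byte-identical to a copy in the component store (WinSxS),
#    i.e. the OS's own driver and not something that merely shares the name.
if ($fileOk) {
    $size = (Get-Item $driver).Length
    $sxs = Get-ChildItem (Join-Path $env:SystemRoot 'winsxs') -Recurse -Filter tcpip.sys -ErrorAction SilentlyContinue |
           Where-Object { $_.Length -eq $size } | Select-Object -First 1
    if ($sxs) {
        $same = (Get-Sha256 $driver) -eq (Get-Sha256 $sxs.FullName)
        Write-Host "matches $($sxs.FullName): $same"
    } else { Write-Host 'no same-sized copy found in WinSxS' }
}

# 3. Was the machine rebooted after the detection? That decides which advice applies.
$os = Get-WmiObject Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
$rebooted = $lastBoot -gt $DetectionTime
Write-Host "last boot $lastBoot; rebooted after detection: $rebooted"

# 4. Is the driver's service registry entry intact?
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty $svcKey
    Write-Host "Tcpip service: Start=$($svc.Start) ImagePath=$($svc.ImagePath)"
} else { Write-Host 'Tcpip service key is MISSING' }

if ($rebooted)   { 'State: rebooted; per the thread, wait for the official fix or try System Restore.' }
elseif ($fileOk) { 'State: not rebooted, file present; exclusion + restore-from-quarantine workaround applies.' }
else             { 'State: not rebooted, file gone; restore it from quarantine and do NOT reboot.' }
```

Run it elevated on the single test machine the thread recommends before touching the rest of the network.
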
What applications are affected by this? KAV6, KES8, KES10?

At the moment we have information only about KAV WKS6. Should you have any additional information, please provide it to us as soon as possible.

Thank you in advance.

Hello,

 

Please be advised of the change to the steps that were posted earlier for this workaround.

 

Proposed workaround:

1) Create an exclusion for tcpip.sys for file AV

2) Disable “File antivirus”

3) Restore tcpip.sys from quarantine

4) Re-enable File AV, at this point all should be ok

 

If the TCPIP file was deleted, then you will need to restore the file locally after following steps 1-3 as listed above.

 

** Please only perform this on one test machine prior to performing this across the network.

 

Is this only a workaround, if you have not restarted your computer? I had restarted the computer before I saw this forum posted. I tried this workaround and it's still not working.

Is this only a workaround, if you have not restarted your computer? I had restarted the computer before I saw this forum posted. I tried this workaround and it's still not working.

 

Hello!

We are currently working on a solution for rebooted machines.

We will keep you updated.

Is this only a workaround, if you have not restarted your computer? I had restarted the computer before I saw this forum posted. I tried this workaround and it's still not working.

It's going to depend on the frequency of synchronizations you've set until the modified policy gets applied. The default is 15 min but you have the option to "Force synchronization".

It's going to depend on the frequency of synchronizations you've set until the modified policy gets applied. The default is 15 min but you have the option to "Force synchronization".

 

This does not apply to this issue.

 

This issue is the tcpip.sys getting removed which disables network connection abilities.

 

So if they rebooted the machine there will be NO way for an updated policy to be applied before the Kaspersky fix is released.

 

The above-mentioned workaround currently only works if they DO NOT reboot the machines once the issue occurs.

This does not apply to this issue.

 

This issue is the tcpip.sys getting removed which disables network connection abilities.

 

So if they rebooted the machine there will be NO way for an updated policy to be applied before the Kaspersky fix is released.

 

The above-mentioned workaround currently only works if they DO NOT reboot the machines once the issue occurs.

What I'm saying is if you create an exclusion for tcpip.sys in your policy it may take awhile for the policy to get distributed. So, if a client has not received the new policy, it will still detect tcpip.sys as a threat.


Hi,

 

if you create an exclusion for tcpip.sys in your policy it may take awhile for the policy to get distributed

Actually, this is not correct. Policy applies immediately.

What I'm saying is if you create an exclusion for tcpip.sys in your policy it may take awhile for the policy to get distributed. So, if a client has not received the new policy, it will still detect tcpip.sys as a threat.

 

Ah. My apologies. Your statement is correct.

 

I feel, however, that he was stating that the workaround in general didn't work... not just the policy enforcement. But I could be wrong (it has happened before).

Hi,

Actually, this is not correct. Policy applies immediately.

I stand corrected. Policy enforcement went pretty quickly but I don't know about immediately. :)


Well, it is supposed to be instant, but it depends on the number of PCs, network configuration, etc.

To be honest, there is a possibility that the policy will be applied during synchronization - it can happen when UDP 1500 is closed.

So please be aware of that fact.


I'm struggling with this too.

A few PCs that have been rebooted.

Exclusion has now been added. Networking is still not working.


Kav support just suggested I try a system restore. I'll come back and let you know if it worked.

 

 

I'm struggling with this too.

A few PCs that have been rebooted.

Exclusion has now been added. Networking is still not working.

 

I'm struggling with this too.

A few PCs that have been rebooted.

Exclusion has now been added. Networking is still not working.

 

If you rebooted the machine after the detection, please wait for the official fix.

 

You can also recover this file using System Restore if needed.

 

Another option (not tested) would be to take tcpip.sys from another machine and copy it to the machine with it missing. This will work in theory.

This is confirmed to be related to a registry issue - please disregard this recommendation.

If you rebooted the machine after the detection, please wait for the official fix.

Is there a fix planned ?

 

You can also recover this file using System Restore if needed.

I think yes

 

Another option (not tested) would be to take tcpip.sys from another machine and copy it to the machine with it missing. This will work in theory.

I don't think so, the problem is related to a registry entry ....

Is there a fix planned ?

 

As far as I know, and what I am being told, yes.

 

I think yes

 

YAY :)

 

I don't think so, the problem is related to a registry entry ....

 

You are correct, it appears to be a registry issue.

Is there a fix planned ?

Yes, we are working on it right now.

 

I think yes

Please share your experience with us, that would be wonderful.

 

the problem is related to a registry entry ....

That is true. Problem is related to the registry entry.


I am having the same problem. Attempted to replace the tcpip.sys from working computer.

 

DO NOT REBOOT YOUR COMPUTER. I also attempted to restore tcpip.sys from the Kaspersky backup and this did not work either.

 

Please find a fix asap!
