mihailsolovey

HEUR:Trojan.Win32.Generic [Solved]

Appreciate the posts with detailed instructions. Unfortunately it did not work for us. The connection remained x'd. I was able to restore to a restore point from the 22nd and get back in.

Of course AV was back at it complaining again, but now I know to ignore it and run the update first - in progress.

Hopefully after that and a reboot we will be back on-line.

 

Oh - the update bar is stuck. About 80% done (1.2 MB) and sitting there for about 10 minutes.

I've had success fixing broken machines with the following steps. Restoring the file did not work, nor did netsh:

 

1. Uninstall or disable Kaspersky.

2. Open Control Panel > Network and Sharing Center > Manage Network Connections *or* Change Adapter Settings

3. Right click an adapter and click "Properties"

4. Click "Install"

5. Select "Protocol" and click "Add"

6. Click "Have Disk" at the driver installation window (you probably will only see the Reliable Multicast Protocol driver when the window first opens)

7. Enter "C:\windows\inf" in the "Copy manufacturer's files from:" text box

8. Click "OK"

9. Select "Internet Protocol Version 4 (TCP/IPv4)" from the protocol list and click "OK"

10. The protocol will install

11. Close the Networking window and reboot the computer

12. Re-enable Kaspersky with the proper exclusions

 

My edit button went missing so I'm making a reply to my first post.

 

I tried to replicate this deletion manually to make sure my results were consistent and I wasn't giving a bad solution. I found on my virtual machine that if I delete tcpip.sys manually and try to repair the protocol with the quoted process, it does not get repaired completely (tcpip.sys did not get copied to \drivers and I don't know why). I found a fix for this by locating another copy of tcpip.sys on my system and then copying it to c:\windows\system32\drivers before rebooting after step 10.

 

This extra step did not seem to be necessary for a system with the false positive. Anyway, in the event that the installation of the IPv4 protocol doesn't seem to work, copying a tcpip.sys file into the \drivers directory might help.

 

The tcpip.sys file that I copied into c:\windows\system32\drivers to replace the deleted file was found at C:\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17603_none_b52f4dc5c4a121e0\tcpip.sys

 

Also be sure to reboot, release, and renew after all the restorations are done.
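An added check for the driver-file half of the recovery described above (editor-supplied PowerShell, not code from the thread or from Kaspersky): it reports whether tcpip.sys is present, compares it byte-for-byte against the newest WinSxS copy for the machine's architecture, and copies that WinSxS copy back only when run with -Restore. It assumes a Windows 7 WinSxS layout like the x86 path quoted above, and that the AV already has corrected definitions or an exclusion in place, as step 12 notes; otherwise the restored file is simply deleted again.

```powershell
# Added example (not from the thread): check tcpip.sys and, on request, restore it from WinSxS.
# Run from an elevated PowerShell prompt. Without -Restore it only reports.
param([switch]$Restore)

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ([System.BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)))) -replace '-', ''
}

$driver = Join-Path $env:windir 'System32\drivers\tcpip.sys'
$sxs    = Join-Path $env:windir 'winsxs'

# WinSxS component folders are prefixed with the architecture (x86_ or amd64_); match the running OS.
$arch = if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { 'amd64' } else { 'x86' }
$candidates = Get-ChildItem -Path $sxs -Filter "${arch}_microsoft-windows-tcpip-binaries_*" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and (Test-Path (Join-Path $_.FullName 'tcpip.sys')) } |
    ForEach-Object { Get-Item (Join-Path $_.FullName 'tcpip.sys') } |
    Sort-Object { $_.VersionInfo.FilePrivatePart } -Descending   # highest build number first (e.g. 17603)
$best = $candidates | Select-Object -First 1

if (-not $best) {
    Write-Warning 'No WinSxS copy of tcpip.sys found; obtain one from a known-good machine of the same build.'
} else {
    Write-Host ('WinSxS copy: {0} (build {1})' -f $best.FullName, $best.VersionInfo.FilePrivatePart)
}

if (Test-Path $driver) {
    $live = Get-Item $driver
    Write-Host ('tcpip.sys present: version {0}' -f $live.VersionInfo.FileVersion)
    # A byte-identical WinSxS copy is the strongest offline evidence that the live file is intact.
    if ($best) {
        $same = (Get-Sha256Hex $live.FullName) -eq (Get-Sha256Hex $best.FullName)
        Write-Host ('SHA-256 matches newest WinSxS copy: {0}' -f $same)
    }
    return
}

Write-Warning "tcpip.sys is missing from $driver"
if ($best -and $Restore) {
    Copy-Item -Path $best.FullName -Destination $driver
    Write-Host 'Restored from WinSxS. Reboot, then run ipconfig /release and ipconfig /renew.'
}
```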

Had no luck with this one, so still going through every machine 1 by 1 doing restore. Going to be a long weekend :-(

Dang. Looks like a hit or miss fix then. I'm still having luck with it so I'll keep working with this fix.

 

The only other thing I did was run "netsh int ip reset" from the command prompt in an attempt to restore the registry entries for the IP stack. I visited a client with this problem after making my 2nd post on this topic and repeated the fixes with success again.

 

I did find that one machine's adapter came back to life but only with IP connectivity. DNS wasn't working, but I could use nslookup to resolve things. Pinging various addresses worked.


Found this thread after rebooting the computer in question (multiple times). What is the first thing you try to do when evaluating a computer problem? Restart it. Sigh.

 

Applied exclusion on the server and turned off File Anti-Virus after finding this thread. Fortunately, I have only one computer reporting this problem. Unfortunately, I have spent most of my day trying to figure out how to fix the problem.

 

FYI - Based upon the suggestions elsewhere, I had tried to copy a tcpip.sys file from another computer. Before attempting to get it in the right folder, I had copied it to a backup location on the local C:\ drive, but as soon as I tried to copy it from the backup location the Kaspersky client on the problem computer identified this file as a Trojan, just as it had the other ones (in their original %windir% locations).

 

Any ideas when a fix will be available that does not involve system restore? For reasons unknown, system restore is not working on this computer.


Please be informed that we are trying to find a remedy for the post-detect problems. Please post in this topic and PM me if you were still not able to resolve this issue.

 

Best regards,

Kaspersky Lab Technical Support.

The fix is to restore the tcpip.sys file and the Tcpip and Tcpip6 keys from a backup, which can be found in C:\Windows\System32\config\RegBack. You have to do the restore from a bootdisk though, as the files are in use inside of Windows. This is a problem, however, and I'm trying to figure out how to restore functionality to the deleted registry keys without using the boot disk method. Obviously if you have another registry backup this becomes much easier, as you'd simply import the keys. There are standard keys online, but since they're lacking some build-specific strings, they don't fully restore connectivity. Long story short, pull the keys from the SYSTEM hive, restore the sys file and it will work. But getting the keys from the hive is going to be a challenge without a bootdisk, which is obviously going to be very time consuming. Not to be that guy, but Kaspersky needs to appreciate how big of a f__ up this is. You've managed to completely disable all network connectivity for large amounts of users in one swift motion. I feel bad for the people that are getting chewed out for bringing 100+ endpoint networks down. Huge financial burden.
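One way to pull the Tcpip and Tcpip6 keys out of the RegBack SYSTEM hive without a boot disk, as an added example that is not from the thread or from Kaspersky's utility: only the live SYSTEM hive is locked, so reg.exe can mount the RegBack file under a temporary key while Windows is running, export the two service keys, and re-point them at CurrentControlSet for import. The mount-point name TcpipRegBack and the -Import switch are my own choices; the script assumes the RegBack copy is reasonably recent, since it is only as current as the last scheduled registry backup.

```powershell
# Added example (not from the thread): export the Tcpip/Tcpip6 service keys from the RegBack SYSTEM
# hive while Windows is running, by mounting that file under a temporary key with reg.exe.
# Elevated prompt required. Nothing touches the live registry unless -Import is given.
param([switch]$Import)

$backupHive = Join-Path $env:windir 'System32\config\RegBack\SYSTEM'
$mount      = 'HKLM\TcpipRegBack'                     # temporary mount point (my own name)
$work       = Join-Path $env:TEMP 'tcpip-keys'
New-Item -ItemType Directory -Path $work -Force | Out-Null

reg load $mount $backupHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $backupHive (missing RegBack, not elevated, or mount point in use)" }
try {
    # The offline hive holds ControlSet00N, not CurrentControlSet; follow its own Select\Current value.
    $current = (Get-ItemProperty -Path 'HKLM:\TcpipRegBack\Select').Current
    $set     = 'ControlSet{0:D3}' -f $current
    foreach ($svc in 'Tcpip', 'Tcpip6') {
        $regFile = Join-Path $work "$svc.reg"
        reg export "$mount\$set\Services\$svc" $regFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "$svc not present in the backup hive"; continue }
        # Re-point every exported key at the live hive so 'reg import' lands it under CurrentControlSet.
        (Get-Content $regFile) -replace [regex]::Escape("HKEY_LOCAL_MACHINE\TcpipRegBack\$set"), 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet' |
            Set-Content $regFile -Encoding Unicode
        $liveKeyExists = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        Write-Host ('{0}: live key {1}; backup exported to {2}' -f $svc, $(if ($liveKeyExists) { 'present' } else { 'MISSING' }), $regFile)
        if ($Import -and -not $liveKeyExists) { reg import $regFile }
    }
} finally {
    [gc]::Collect()                                    # release provider handles so the unload is not refused
    reg unload $mount | Out-Null
}
```

Review the exported .reg files before importing; a key that still exists on the live system is deliberately left alone, and a reboot is needed after the import and the driver-file restore.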

We have over 100 systems affected by this and none of the proposed fixes seem to work for us.

 

We shut down most of our 1200+ as soon as we realized something was going on - not knowing if it was a virus or what, we figured this was the safest path to take. So we really do not know how many systems... Most that we know for sure are Windows 7 Pro ... as far as we can tell so far, no Win XP systems were affected.

Please provide a fix ASAP because if computers are not online by Monday AM we are in deep trouble.

We already have folks expecting to be able to work in the AM.

Edited by dstacbsu


My only solution was to uninstall Kaspersky and then do a system restore. These machines don't have anti-virus now. I am worried about reinstalling and getting the same problem again.

 

Is there any way to fix this without removing Kaspersky or doing a system restore?

 

Are the new updates fixed so they won't detect tcpip.sys as a false positive?

 

Is there a fix to install without having to remove or revert?

I can confirm that the updates from 16:34 onwards today have not had the false positive issue, although we have also put TCPIP.sys in the exclusion list for good measure. As for getting the updates out, we are just making sure we force an update before they pick up the file again, which the exclusion helps with, as the policy updates take effect quicker than the definitions.

 

 

My only solution was to uninstall Kaspersky and then do a system restore. These machines don't have anti-virus now. I am worried about reinstalling and getting the same problem again.

Are the new updates fixed so they won't detect tcpip.sys as a false positive?

New updates are fixed.

 

Is there any way to fix this without removing Kaspersky or doing a system restore?

Is there a fix to install without having to remove or revert?

Please check my next post.

 

Best regards.


Dear Kaspersky Lab customers.

 

Please accept my apologies for the inconvenience with the false positive detection of tcpip.sys.

 

May I ask you to check if the special recovery utility, prepared by our specialists, will work for you?

 

If you are willing to check whether it works for you, please find the utility here (alternative link: ftp://client:Rm3gl8dMezPU52@data14.kasper..._TcpIp_Fix.zip) - the archive password is "kaspersky" without quotes. Instructions for the utility can be found here (alternative link: ftp://client:Rm3gl8dMezPU52@data14.kasper...nstruction.txt).

 

Please note that this utility should at first be applied on a small number of machines (or even one) – to test if it will work in your environment.

 

Please report the results of using this utility in this topic.

 

Best regards,

Kaspersky Lab Technical Support.

Ajit - See Igor's message above. He can help.

Thanks a lot. It works just fine.

Thank you very much for informing us. Once again - please accept my apologies for the inconvenience caused.

Hi,

I am not clear on how to run "regextr.exe" in the utility. Can anyone help?

Hello!

 

Please kindly clarify what exactly is not clear in the instruction?

You can check attached screenshot.

 

Thank You!


I cannot download the utility from FTP. I don't know the username and password for your FTP servers. Can anyone help me?

We have been using a batch file that contains the following:

rem run Kaspersky's recovery utility first
kaspersky_tcpip_fix.exe
rem extract the needed keys from the RegBack SYSTEM hive into a .reg file (regextr.exe ships with the utility)
regextr.exe %windir%\system32\config\Regback\SYSTEM c:\output.reg
rem import the extracted keys into the live registry
regedit c:\output.reg

This will prompt you asking whether you want to import the reg file; just click yes. We have combined this with Xcopy and psexec for the machines we can still get to remotely.

Edited by imperimus

Hello,

 

I've just sent links to you via PM.

 

Best regards,

Kaspersky Lab Support

Thank you Evgeny. Got it.


Hi all,

 

I cannot download the utility from FTP. I don't know the login and password for your FTP servers. Can anyone help me please?

 

Thanks

Hello!

 

Login and password were sent via PM.

 

Thank you!
