
Resolved - Partial Connectivity Issues after blocking Trojan


Question

Posted (edited)

Name: Ben Armstrong

Rank: TSgt.

Type of issue: Not Sure (May be software)

Brief Description of Issue: Yesterday after trying to download a link a friend sent me, my Kaspersky Labs anti-virus notified me that the link contained a Trojan. I blocked and quarantined the thing before deleting it...and it promptly took out part of my internet with it. Let me specify:

Skype still works perfectly, (I chatted to a friend in Finland about it the whole time)

My wireless internet connection still appears to be perfect,

Steam still runs without saying it is in offline mode or no connection (though the store page says error 102- unable to connect),

GoG can still come on but it won't connect either,

Teamspeak still works

I assume Vent still works but I haven't tried yet

What doesn't work:

Razer Comms

Internet Explorer (not even basic pages like Google or Yahoo will load, they all say cannot connect to page)

Google Chrome (same deal)

I rooted around through Kaspersky's system reports and it showed odd behaviour going on with one of my drivers after removing the Trojan (asking for file requests multiple times every second every couple seconds, more info below). I have since sent both potentially affected drivers to the recycle bin but haven't deleted them yet. I've reset IE on default settings to no effect, and I've tried to see if my connectivity was an issue by restarting both my wireless and landline modems to no effect. I doubt there is an issue with my internet connectivity; I personally think there is some sort of corruption or issue with certain elements related to the connection on my PC end of things.

I have since disconnected my PC from the internet and kept the potentially bad drivers in recycling until I can have people (you guys included) give me some help.

The affected drivers I removed are these:

swsedrvr_vt_1_10_0_25.sys (From C:\windows\system32\drivers)

Kaspersky says in Event: Detected: not-a-virus:NetTool.Win64.NetFilter.l

Reason: Information

It also says "Request for file, which contains a legal software that can be used by criminals for damaging your computer or personal data"

swsedrvr_vw_1_10_0_25.sys (This one wasn't showing up in Kaspersky as anything wrong, but I wasn't taking any chances)

As for what Kaspersky claims to have caught, it caught 3 Trojans and 1 Adware, even though only one Trojan was caught and rendered inactive in my detailed reports (HEUR:Trojan-Downloader.Win32.Generic). I can post up the link of the actual Trojan object if you wish to dissect it, but IDK if that's necessary.

It has really stressed me out that I haven't been able to find much that could fix this issue so far.

***Medical Supply Staff ONLY Below this line***

Current Status: Resolved

Researching

Pending Reply

Resolved

Unresolved

Main Technician: TSgt. J. Hill

Supporting Technician:

Edited by J. Hill 1st MRB

18 answers to this question


  • 0
Posted

The main priority right now is to get you back online. The best thing to do right now is to restore your computer to a time before you opened the infected file. Not a complete restore yet, just to an earlier time. Under Accessories, System Tools, there should be a restore function. Just pick a date somewhere before the file was opened. It will restore the computer to a time before it became infected. After you run that, go to Kaspersky's website and have it run a check if you can get online. If it detects anything, see if they have the removal tool to get it out of your system. MAKE SURE you write down the name of the virus or trojans it detects. If it's not on Kaspersky's site, then go to Symantec and see if they have a removal tool. If you cannot get online after you do a restore, let me know. We can try and work from there.

  • 0
Posted

Alright so I opened system restore:

Currently it's only showing under "Restore your computer to the state it was in before the selected event" one restore point: 17/10/2015 12:19:53 AM Automatic Restore Point Type System

This is today, there is no earlier one, even if I click the check for show more restore points. Is that normal and should I proceed?

  • 0
Posted

Should show earlier restore points. Was the time shown before or after you opened the file that infected the computer? If it was before, it should be safe. If it was after, we may have a bigger problem. What version of Windows are you using by the way?

  • 0
Posted

Windows 7 Home Premium, to be exact. The only time shown was one from today, which was long after the file infected the computer and my anti-virus responded. I know exactly when the file hit (thanks to Kaspersky's event logs), but I cannot select a restore point before that time as there is only the one showing.

I've been discussing with a couple other computer engineer friends of mine, they seem to think something happened with the firewall of my anti-virus on port 80 that's causing those particular issues with the internet connections for particular things, but I cannot find the reason why yet.

I've deleted the potentially affected drivers and intend to have windows reinstall them to see what happens, as that's what one of them suggested.

  • 0
Posted (edited)

Brief update, after looking up on Malpedia, turns out those affected "drivers" were malware masquerading as drivers. I've since removed them and stopped them from doing whatever they were trying to do.

Now the issue is that the internet connectivity issues are still there for IE, Chrome, and Steam etc. Search results still come up as "Page cannot be displayed" on any page I try after thinking on it for a really long while with the standard 3 suggestions for fixing it and fix connection problems button.

Steam still works outside of the store page which is still showing error 103, Skype works fine, and Razer comms is still down.

Edited by Armstrong 1st MRB
  • 0
Posted

I suggest you open your firewall and check and make sure that access is allowed for the programs affected. I would check there first. If access does not say allowed for the programs you trust, then enable it so they are. It should be under settings and then Firewall, Accessibility. Look for the programs that are affected. Are you using a router or is it a modem router combo?

  • 0
Posted (edited)

Did you try the Fix connection button? Did it correct the problem with the connection?

Did you disable connection by stopping all connections through the firewall, or just unplug it? If you disabled it in the AV program, you will need to re-enable it.

Edited by J. Hill 1st MRB
  • 0
Posted

Fix connections didn't work, it couldn't identify the problem.

Looking in Windows Firewall allowed programs, only four programs are allowed to communicate through Windows Firewall:

Core Networking (Both Home and Public)

Network Discovery (Home)

Remote Assistance (Home)

Skype (Home)

Steam, IE, and Chrome don't show up in there.

  • 0
Posted

That may be the problem. All programs that need internet access that you trust should be listed there and enabled. May be why your Skype works and the others don't. Is it able to scan your computer for the programs?

  • 0
Posted (edited)

You may need to reinstall IE and Chrome if it cannot scan for those programs. You should be able to reinstall IE from Windows. Add Windows programs. Can't do anything else without the access to the net.

Edited by J. Hill 1st MRB
  • 0
Posted

That may be it, I'm gonna try uninstalling and reinstalling IE to see what happens; neither it nor Chrome showed up in Windows Firewall unless they are under different names.

Also gonna try and get the firewalls in Kaspersky to allow for the other programs, if they are there.

  • 0
Posted

I can search for programs that require internet access with Norton, you should be able to with Kaspersky also. Try reinstalling IE; if that doesn't work, try and search for the programs in the Firewall access permission.

  • 0
Posted
I can search for programs that require internet access with Norton, you should be able to with Kaspersky also. Try reinstalling IE; if that doesn't work, try and search for the programs in the Firewall access permission.

Roger. BTW how long should "Preparing to configure windows" take after uninstalling IE and restarting the computer? I started it about 10 minutes ago and it's still going.

  • 0
Posted
Not sure how long it takes, but it should not be that long.

Well, it took about an hour to be exact. Windows Internet Explorer 8 is now the default. Still not working, it'll say: "website found, waiting for reply" on the loading bar, but then it'll cut out with some kind of error for a split second as it advances to show: "Internet explorer cannot display the webpage". Troubleshooting still cannot identify the problem.

Firewall settings don't appear to be making an applicable difference, but I'm still not sure if I'm doing them right.

  • 0
Posted

Another update from our Vent conversation: looks like you were right, Hill. It was Kaspersky causing the internet connectivity issues, uninstalling it opened the web pages right back up.

Installed Malwarebytes as a replacement and it wiped out the malware on my PC perfectly. IE and Chrome work fine, the Steam Store page opens up, Razer Comms work, and GoG is able to connect. Just have to update IE back to its original status and we're back to normal.

Thanks for the help and time, looks like this one is taken care of.

This topic is now closed to further replies.