Trying to get rid of Trojan.fakeavalert and need help desperately!!
I'm trying to fix a friend's computer that had Trojan.fakeavalert; as the virus is blocking his internet access, I'm using my computer for access. He has Symantec's anti-virus corporate edition. I have been following Symantec's directions as found here:
http://www.symantec.com/norton/security_response/w...
and also the forum discussion re this virus
https://www-secure.symantec.com/connect/forums/vir...
The virus was quarantined except for one file, C:\windows\system32\lsp.dll, which I managed to delete, so a system scan now shows no virus.
At this point, access to the internet was still blocked so I went into the registry to check entries as per Symantec's list. I corrected some, a lot were not listed (I assume the virus does not delete entries?), and a few I was unsure of so I left them alone, but I did keep a detailed list of what I did or didn't do.
I checked the hosts file, but couldn't find any of the listed entries. I then tried to reboot the computer and it won't fully boot; I can't get past the point where the wallpaper pops up - nothing else loads, no taskbar no nothing! Please help... I'm totally lost and praying I haven't ruined my friend's computer.
Comments
See if you go into safe mode
See if you go into safe mode and download malwarebytes and see if it finds anything.
malwarebytes
Where do I find malwarebytes, and as access to the internet is still blocked, is it something I can download onto a flash drive from my computer and then install on the sick computer?
http://malwarebytes.org/ Yes,
http://malwarebytes.org/
Yes, it can be downloaded to a flash drive and then installed on the sick computer.
Since you are not able to
Since you are not able to access the internet on the infected computer, you can download the file on a different computer, copy it to a flash drive and then use it on the infected computer.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Can't access Flash drive
I downloaded the program on a flash drive and plugged into the sick computer which is in safe mode, but nothing popped up. How can I open the flash drive?
Sorry I'm not too savvy about all of this but what an education I'm getting.
Thanks so much for your patience!
malwarebytes
Duh! I figured out how to open the flash drive, installed the program and it's scanning now - I'll let you know what happens!
Okay, malwarebytes found 7
Okay, malwarebytes found 7 infected items, successfully removed them, and told me to restart computer to complete process which I did. Unfortunately, the computer still does not complete the start up - stops at wallpaper and nothing else; and when I used task manager to see if I could access the internet, it's still blocked!
Any more ideas please? And how can I get it to completely boot up?
In safe mode, go to Start >
In safe mode, go to Start > Run > msconfig, Startup tab, uncheck all and see if that helps.
Log into the machine with
Log into the machine with safe mode with networking and Run NSS
ftp://ftp.symantec.com/misc/tools/nss/NortonSecuri...
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
In Task Manager kill these
In Task Manager, kill these processes:
system.exe
autorun.exe
printer.exe
WinAvXX.exe
Remove the files:
%UserProfile%\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
%System%\printer.exe
%System%\WinAvXX.exe
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Need more specifics please
Prachand, thanks for the suggestions, but I need more details. I can go into safe mode with networking, but how do I run NSS - I don't know how to get to an ftp site as I can't access the internet on that computer.
I did look for those processes in task manager but none were listed. As for the files, how and where do I look for them as I have no taskbar and no start button on the screen and I'm not very good at remembering keyboard short cuts.
Thanks
You can download NSS in the
You can download NSS in the same way you downloaded malwarebytes. Download it on a different machine, copy it to the flash drive and get it onto the infected machine.
Create a new folder, say Norton, on the desktop
Unzip the files in this folder
Run NSS.exe
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
So when your computer boots
So when your computer boots up it comes till wallpaper right..
then you are also able to open task manager..
So it means Shell is not loading...
Open task manager - Click on File -> New Task (Run...) -- type explorer.exe
Click OK.
If everything comes up then fine.. if not let us know the error
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Still Blocked
Vikram - After reading your suggestion, I got the idea to go back and check the registry, there was one item I had changed from the Symantec list on removing the virus that I was unsure of, so I went in and changed it back to the original value data of just "Explorer.exe" and now it starts up fine...
Prachand, I ran NSS off of a flash drive, but it said it does not have the latest definitions, so the scan (which only found one tracking cookie) was inaccurate and I should make sure I'm on the internet and rerun it which of course I cannot do. Earlier I had run symrapidreleasedefsi32.exe off of the flash drive, but I guess that wasn't right.
Where do I go now?
Looks like deleting isp.dll
Looks like deleting isp.dll is causing this issue.
Found this after searching for this issue.. it might help: http://www.cexx.org/lspfix.zip
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
How to run NSS without
How to run NSS without Internet access
On the computer where you can connect to the internet, extract the files to C:\NSS and launch NSS.exe.
The virus definitions will download to the local machine here: C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\<date.rev>.
In the C:\NSS folder, create a folder called "VirusDef" (example C:\NSS\VirusDef)
Copy all the virus definition folder content from the \<date.rev> folder (example: 20080725.003) into the VirusDef folder
Copy the entire VirusScan folder to a thumb drive.
Now you can start NSS.exe from the thumb drive. It may complain that the definitions might not be the latest, but you can skip that message.
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Hmm... You can try these
Hmm...
You can try these commands to see if it will bring internet access back to the machine.
Open a Command Prompt-
Start->Run..->Type in: cmd
Click OK
At the command prompt type in the following commands:
netsh int ip reset resetlog.txt
Hit the <Enter> key.
ipconfig /flushdns
Hit the <Enter> key.
netsh winsock reset catalog
Hit the <Enter> key.
Reboot the computer and see if you have internet connectivity back.
Hope that helps!
Repair Utility
I ran the above utility and it says
Problems found in LSP chain.
Keep:
mswsock.dll
winrnr.dll
rsvpsp.dll
Remove:
lsp.dll
As it has that semi-threatening "I know what I'm doing (or enjoy re-installing my operating system)" check box, I thought I'd ask before I click on finish...
Do I go ahead and remove the protocol handler lsp.dll?
When "Finish" is pressed,
When "Finish" is pressed, the undesired entries are removed, and the remaining entries in the registry are renumbered to make them consecutive. The total module counts are then updated. Finally, the program will display a summary of the changes that were made.
I haven't found a place where it says ISP.dll is a good file.. and currently it has corrupted your winsock.
And since the isp.dll is already in the right-hand box (remove) you can proceed.. there are ways of coming back even if it doesn't work, without re-installing the whole OS.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
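The check behind the "Problems found in LSP chain" result above, as an added example that is not part of the original thread or of the repair utility: a read-only PowerShell listing of Winsock catalog entries with a flag for whether each provider DLL still exists on disk. It assumes English-language `netsh winsock show catalog` output containing `Description:` and `Provider Path:` lines; the function name and the sample text are constructed for illustration.

```powershell
# Added example (hypothetical helper): list Winsock catalog entries and
# report whether each provider DLL is present. A catalog entry whose DLL
# was deleted leaves the chain broken, which is the state described above.
function Get-WinsockProviderFile {
    param([string[]]$CatalogLines)

    $description = $null
    foreach ($line in $CatalogLines) {
        if ($line -match '^\s*Description:\s*(.+?)\s*$') {
            $description = $Matches[1]
        }
        elseif ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            # Catalog paths use variables such as %SystemRoot%; expand first.
            $path = [Environment]::ExpandEnvironmentVariables($Matches[1])
            [pscustomobject]@{
                Description = $description
                Path        = $path
                Exists      = Test-Path -LiteralPath $path -PathType Leaf
            }
            $description = $null
        }
    }
}

# Constructed sample in the assumed netsh layout (not captured from a real machine).
$sample = @'
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Description:                        Constructed layered provider entry
Provider Path:                      %SystemRoot%\system32\lsp.dll
'@ -split '\r?\n'

Get-WinsockProviderFile -CatalogLines $sample |
    Format-Table Description, Path, Exists -AutoSize

# On the affected machine, feed the live catalog instead (changes nothing):
#   Get-WinsockProviderFile -CatalogLines (netsh winsock show catalog) |
#       Where-Object { -not $_.Exists }
```

Any row with `Exists` set to False names a catalog entry pointing at a missing file, which is the kind of entry the utility in the thread listed under "Remove".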
I'M IN!!!!!!!
THANK YOU ALL SO VERY VERY MUCH!!!
I'm back on the internet and I'll run another scan just to be sure that bloody virus is all gone, but as of this moment I'm thrilled and will send you all the best of wishes.
Thank you, thank you, thank you for all your patience, guidance, and advice!
cheers, Audrey
That's great!! I was eagerly
That's great!!
I was eagerly waiting for your reply. I would have refreshed this page at least 10 times after posting my comment..
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro