
Virus Found! but cannot be quarantined, cleaned or deleted. How can I get rid of it?

Created: 20 Jul 2009 • Updated: 30 Sep 2010 | 28 comments
This issue has been solved. See solution.

Symantec Antivirus found a virus called Trojan.Fakeavalert on my computer.   It is located at C:\windows\system32 and is file C:\windows\system32\sp.dll.   The filescan found it, but "clean failed.  Quarantine failed. Access denied."  I went into Windows and tried to delete it but could not.  Any suggestions to get rid of it?  It is preventing my browser from connecting to the internet.
Thanks!


Vikram Kumar-SAV to SEP

Download latest rapid release from ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/symrapidreleasedefsi32.exe
Disconnect this computer from internet. Run the rapidrelease definitions.
Reboot in safe mode  
Run Full Scan.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Baccus500

Thanks for your fast reply!

The virus is blocking my browser from connecting to the internet, so I can't download directly.  Would this latest release fit on a flash drive?

Baccus500

I tried running the rapid release instructions I got yesterday, but the virus was not removed.  I added the program, rebooted, and ran the full scan.  It found the virus but still gave the same messages that it could not clean, quarantine or delete the virus.
How can I get rid of it?
Thanks!

Download latest rapid release from ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/symrapidreleasedefsi32.exe
Disconnect this computer from internet. Run the rapidrelease definitions.
Reboot in safe mode
Run Full Scan.

Vikram Kumar-SAV to SEP

Did you run the scan in safe mode or normal mode?
You need to run the scan in safe mode.

What is the name of the threat that is getting detected?

Vikram Kumar

Symantec Consultant


Baccus500

The information which I think answers the threat questions is that the window that pops up says:
Scantype Realtime Protection Scan
Event: Virus Found!
Virus Name: Trojan.Fakeavalert
File: C:\Windows\System32\lsp.dll
Location: C:\Windows\System32

When I run the full scan, it says:
Action Taken:  Clean failed.  Quarantine Failed. Access denied

How do I know if I am running the safe mode or the normal mode?

Thanks!

Robert

 

Peterpan

I guess you need to upgrade your scan engine to the latest version. I also encountered that issue on our old version of Symantec; after I successfully upgraded, the virus was successfully quarantined.

May I ask what is the version of your scan engine?

:-)

Baccus500

I am not sure what version it is, since I am not in front of that computer right now.   How would I find the version number?
Thanks,
Robert

Vikram Kumar-SAV to SEP

Start computer in safe mode

http://www.microsoft.com/resources/documentation/w...

Which fake AV is installed on this computer? Do you get any pop-up like System2009, XP Antivirus 2009 or anything like that?

But I believe scanning in safe mode should resolve your issue. Remember to disconnect your computer from the internet while doing this scan.

Vikram Kumar

Symantec Consultant


Jason1222

If you know the location of the file, in this case, SP.DLL, unregister it from the system.

regsvr32 /u C:\windows\system32\sp.dll from a command prompt.

Once the file is no longer registered with the system, it should no longer be in use and you should be able to remove, quarantine or whatever you choose to do to the file. 

Alternatively, you can run your scan in safe mode, where the module itself has not been loaded into memory/system and thus can be removed.

Hope that helps.
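As an added example (not Jason1222's post or any Symantec tool), the checks a practitioner would run from that command prompt before the unregister step: confirm the file is really there, see which processes currently have the module loaded (the usual reason quarantine and delete fail with "access denied" in normal mode), and call regsvr32 by its full path so a broken PATH does not matter. It assumes the sp.dll path given in the thread, and that tasklist.exe is present (Windows XP Professional or later).

```batch
@echo off
rem Added example, not from the original thread. Adjust TARGET if the
rem detection on your machine names lsp.dll instead of sp.dll.
setlocal
set "TARGET=C:\Windows\System32\sp.dll"
set "REGSVR=%SystemRoot%\System32\regsvr32.exe"

rem 1. Does the file still exist? A scanner can report a path that a
rem    previous clean-up already removed.
if not exist "%TARGET%" (
    echo %TARGET% not found - nothing to unregister.
    goto :end
)
rem /a also lists files carrying hidden or system attributes.
dir /a "%TARGET%"

rem 2. Which processes have the module loaded? While any of them is
rem    running, the file is in use and cannot be deleted or quarantined.
rem    An empty result means it is safe to try the unregister step.
tasklist /m sp.dll

rem 3. Run regsvr32 by full path. The "not recognized as an internal or
rem    external command" error from the thread means the shell could not
rem    find it on PATH, not that the tool is necessarily absent.
if not exist "%REGSVR%" (
    echo %REGSVR% is missing - scan from safe mode instead.
    goto :end
)
"%REGSVR%" /u "%TARGET%"
echo regsvr32 exit code: %ERRORLEVEL%

:end
endlocal
```

If step 2 still lists processes after the unregister, the safe mode scan described earlier in the thread is the remaining route, since the module is not loaded there.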

Baccus500

Vikram and Jason,
Thanks for the tips.  I will go try them and let you know how it works out.
Thanks,
Robert

Peterpan

If you are using Symantec Endpoint Protection, you can see the version of your AV from Help and Support, then About.

:-)

Baccus500

I ran the Antivirus scan in the safe mode as directed, but got the same result - can't quarantine, can't clean, access denied.

I don't know how to get a command prompt for Jason's directions to unregister it from the system, or Peterpan's suggestion about seeing the version from Help.

Thanks again,
Robert
 

Vikram Kumar-SAV to SEP

Manually delete these files. Follow this article on how to find suspected threats on your computer; this will definitely help.
http://www.symantec.com/connect/articles/how-find-suspected-threats-your-computer 

Vikram Kumar

Symantec Consultant


SOLUTION
Jason1222

For Windows XP:

go to START -> RUN
In the RUN box, type:  CMD  and press enter. 

This will open up a Black Screen with a blinking cursor which will allow you to type.

For Windows Vista

go to START -> SEARCH
in the SEARCH box, type: CMD  and press enter.

This will open up a Black Screen with a blinking cursor which will allow you to type.
* * * * * *

The black window is known as a COMMAND PROMPT

Baccus500

I followed the directions to open the command prompt and got it without a problem.  However, when I entered regsvr32/u, I received a response saying:
'regsur32/u'  is not recognized as an internal or external command.
Did I do it wrong?
Thanks,
Robert

Vikram Kumar-SAV to SEP

There is a space between regsvr32 and /u:
regsvr32 /u

Vikram Kumar

Symantec Consultant


Jason1222

You need to put in a space between REGSVR32 and the /u


regsvr32 /u C:\windows\system32\sp.dll

ahill

Hi Robert,

I realize this thread is for Symantec however there are a couple of 3rd party removal programs out there that can get rid of this particular nasty.

I won't post links, but do a search for:

Malwarebytes Anti-Malware
Super Anti-Spyware

They both remove these types of malware/trojans painlessly.

Moderator: if you need to kill this post, i understand.  No hard feelings  :)

Baccus500

I went back and ran it with the spelling correct, including the space between the regsvr32 and /u. It returned the message, "regsvr32 is not recognized as an internal or external command".
I am running Windows XP, version 5.1.2600.
Any suggestions?
Robert

Paul Mapacpac

Hi Baccus500, please start regedit, find all instances of the file "lsp.dll" or "sp.dll" and delete them. Restart again in safe mode, then delete the file. The registry might still be referring to this file.

You could also try to run the Load Point Diagnostic tool and post the logs here; we can then see which processes are still accessing the file.

You can download the tool here:

http://service1.symantec.com/SUPPORT/ent-security....

Alternatively, you can use the Unlocker tool to unlock the DLL if you cannot manually delete the file.

You can download Unlocker here:

http://ccollomb.free.fr/unlocker/

Baccus500

What is "regedit" and how do I get there?

I tried going into the windows files and deleting with a right click, as suggested above.  The response I got was "access denied".

My browser is unable to access the internet since this virus was detected, so I will have to download the files to a flash drive and run them.  I tried that with another file, but the message I got was that the computer was unable to connect to the internet and could not run the program.

Thanks for your help,
Robert
 

Nel Ramos

Symantec's recommendations:
The link is found below:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-101013-3606-99&tabid=2

Recommendations: Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
For further information on the terms used in this document, please refer to the Security Response glossary.

Nel Ramos

ben_cSEPticons_secured

Sir Vikram was right. Get into safe mode, then try to remove it from your startup programs using MSCONFIG, restart again, then find the DLL file and delete it...

Peterpan

Find the file in the Registry Editor: to open the registry, go to Run, type regedit, then press F3 and search for the particular DLL file, then reboot your system.

:-)

claudel

I had the same problem with the virus trojan.fakeavalert and went through almost all the above suggestions. I deleted the lsp.dll file where the problem was, turned system restore back on, did another scan in safe and normal mode, and found no virus. The problem is I still cannot access the internet. It shows connected to the wireless network, but even connecting directly to the router with an ethernet cable doesn't work.

I did not go through the registry entries because I didn't quite understand how and what to do. Is that the problem?