Endpoint Protection

I'm trying to fix a friend's computer that had Trojan.fakeavalert; as the virus is blocking his internet access, I'm using my computer for access.  He has Symantec's anti-virus corporate edition.  I have been following Symantec's directions as found here:
http://www.symantec.com/norton/security_response/writeup.jsp?docid=2007-101013-3606-99&tabid=3

and also the forum discussion re this virus
https://www-secure.symantec.com/connect/forums/virus-found-cannot-be-quarantined-cleaned-or-deleted-how-can-i-get-rid-it

The virus was quarantined except for one file C:\windows\system32\lsp.dll, which I managed to delete, so a system scan now shows no virus

At this point, access to the internet was still blocked so I went into the registry to check entries as per Symantec's list.  I corrected some, a lot were not listed (I assume the virus does not delete entries?), and a few I was unsure of so I left them alone, but I did keep a detailed list of what I did or didn't do.

I checked the hosts file, but couldn't find any of the listed entries.  I then tried to reboot the computer and it won't fully boot; I can't get past the point where the wallpaper pops up - nothing else loads, no taskbar no nothing!  Please help... I'm totally lost and praying I haven't ruined my friend's computer.

See if you go into safe mode and download malwarebytes and see if it finds anything.

See if you go into safe mode and download malwarebytes and see if it finds anything.

Log into the machine with safe mode with networking and Run NSS

ftp://ftp.symantec.com/misc/tools/nss/NortonSecurityScan.exe

In task manger  Kill these process:
system.exe
autorun.exe
printer.exe
WinAvXX.exe

Remove the files:

%UserProfile%\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\All Users\ Start Menu\Programs\Startup\autorun.exe
%System%\printer.exe
%System%\WinAvXX.exe

Where do I find malwarebytes, and as access to the internet is still blocked, is it something I can download onto a flash drive from my computer and then install on the sick computer?  

http://malwarebytes.org/

Yes, It can be downloaded to a flash drive and then installed on the sick computer.

Since you are not able to  acess the internet on the infected computer, You can download the file on a diffrent computer , copy that on a flash drive and then use it on the infected computer.

Prachand,  Thanks for the suggestions, but I need more details.  I can go in to safe mode with networking, but how do run NSS - I don't know how to get to an ftp site as I can't access the internet on that computer.

I did look for those processes in task manager but none were listed.  As for the files, how and where do I look for them as I have no taskbar and no start button on the screen and I'm not very good at remembering keyboard short cuts.

Thanks

I downloaded the program on a flash drive and plugged into the sick computer which is in safe mode, but nothing popped up.  How can I open the flash drive?

Sorry I'm not too savvy about all of this but what an education I'm getting.

Thanks so much for your patience!

Duh!  I figured out how to open the flash drive, installed the program and it's scanning now - I'll let you know what happens!

Okay, malwarebytes found 7 infected items, successfully removed them, and told me to restart computer to complete process which I did.  Unfortunately, the computer still does not complete the start up - stops at wallpaper and nothing else; and when I used tassk manager to see if I could access the internet, it's still blocked!

Any more ideas please?  And how can I get it to completely boot up?

So when your computer boots up it comes till wallpaper right..
then you are also able to open task manager..
So it means Shell is not loading...
Open task manager - Click on File -> New Task (run..) --type explorer.exe
ClickOK.

If everything comes up then fine..if not let us know the error

You can download NSS in the same way you downloaded malwraebytes. Download it on a diffrent machine and copy it on the flash drive and get it on the infected machine.

create a new foler say Norton on the desktop
Unzip the files in this folder
Run NSS.exe

In safe mode, go to Start > Run > msconfig, Startup tab, uncheck all and see if that helps.

Vikram - After reading your suggestion, I got the idea to go back and check the registry, there was one item I had changed from the Symantec list on removing the virus that I was unsure of, so I went in and changed it back to the original value data of just "Explorer.exe" and now it starts up fine...

Looks like deleting isp.dll causing this issue.
Found this after searching for this issue ..it might help..http://www.cexx.org/lspfix.zip

Hmm...

You can try these commands to see if it will bring internet access back to the machine.

Open a Command Prompt-

Start->Run..->Type in: cmd
Click OK

At the command prompt type in the following commands:

netsh int ip reset resetlog.txt
Hit the <Enter> key.

ipconfig /flushdns
Hit the <Enter> key.

netsh winsock reset catalog
Hit the <Enter> key.

Reboot the computer and see if you have internet connectivity back.

Hope that helps!

How to run NSS without Internet acess

On the computer where you can connect to the internet , extract the files to C:\NSS and launch NSS.exe.

The Virus definitions will download to the local machine here: C:\Program Files\Common Files\Symantec Shared\SymcData\virusdefs-2.5-e\<date.rev>).

In the C:\NSS folder, create a folder called "VirusDef" (example C:\NSS\VirusDef)

Copy all the virus definition folder content from \<date.rev> folder (example:20080725.003) into the VirusDef folder

Copy the entire VirusScan folder to a thumb drive.

Now you can start NSS.exe from the thumb drive. It may complain about definition might not be the latest, but you can skip that message.

I ran the above utility and it says

Problems found in LSP chain.

Keep:
                               
mswsock.dll                   
winrnr.dll
rsvpsp.dll

Remove:

lsp.dll

As it has that semi-threatening "I know what I'm doing (or enjoy re-installing my operating system)" check box, I thought I'd ask before I click on finish...

Do I go ahead and remove the protocol handler lsp.dll?

"" When "Finish" is pressed, the undesired entries are removed, and the remaining entries in the registry are renumbered to make them consecutive. The total module counts are then updated. Finally, the program will display a summary of the changes that were made.

THANK YOU ALL SO VERY VERY MUCH!!!

I'm back on the internet and I'll run another scan just to be sure that bloody virus is all gone, but as of this moment I'm thrilled and will send you all the best of wishes.

Thank you, thank you, thank you for all your patience, guidance, and advice!

cheers, Audrey

That great !!
I was eagerly waiting for your reply i would have refreshed this page atleast 10 time after posting my comment ..