Endpoint Protection

  • 1.  virusdoctor

    Posted Jan 04, 2010 12:26 PM
    Greetings

    One user may have accidentally downloaded, through a web link, a virus called virusdoctor (pcf71d.exe).
    Although the Symantec A.V. claims it found it, it seems it cannot do anything about it and cannot delete it; it is taking over the PC.
    I have disconnected the user from the network.

    Any ideas ..appreciate your help

    Joe


  • 2.  RE: virusdoctor

    Posted Jan 04, 2010 12:40 PM
     If it is detecting it, then I would suggest updating the definitions (Rapid Release) and running a full scan in safe mode. As 3rd-party apps and services don't start in safe mode, it will remove the virusdoctor.


  • 3.  RE: virusdoctor

    Posted Jan 04, 2010 01:18 PM
    Can you tell us the threat name it showed when it detected it?


  • 4.  RE: virusdoctor

    Posted Jan 04, 2010 01:35 PM
    Thank you Vikram ... Yes, this is where it is getting me confused: although the A.V. is updated and did detect the file, the A.V. cannot remove it. I will try again with safe mode. Meanwhile I am in contact with support to get the Rapid Release; not sure how to do this myself.

    Joe


  • 5.  RE: virusdoctor



  • 6.  RE: virusdoctor



  • 7.  RE: virusdoctor

    Posted Jan 04, 2010 01:48 PM
    Risk Name
    VirusDoctor
    Security Risk

    Entry file : pcf71d.exe

    Hope this helps

    Joseph


  • 8.  RE: virusdoctor

    Posted Jan 04, 2010 01:49 PM


  • 9.  RE: virusdoctor



  • 10.  RE: virusdoctor

    Posted Jan 04, 2010 01:57 PM
    Thank you ... uploaded the Rapid Release file and am doing a full scan ... will let you know.

    Appreciate your help

    Joe


  • 11.  RE: virusdoctor

    Posted Jan 04, 2010 02:25 PM
    The above steps are all good. If you are looking for a quicker analysis, you can try submitting the file to ThreatExpert.com. This site will send you back a report with the file hash, whether it was recognized as a threat from a separate submission, and a breakdown of what the file in question is attempting to do. This will be a great assistance in manually dealing with a threat until you have deployed definitions that will remediate the threat for you.


  • 12.  RE: virusdoctor

    Posted Jan 04, 2010 03:07 PM
    NO good news from the Rapid Release ... it only caught a couple of small cookies and passed as if everything were OK; meanwhile the PC evolved again. This time we have found the right problem: it is a FAKE A.V. called Internet Security 2010, as in

    www.im-infected.com/rogue/internet-security-2010.html

    Trying to remove it as per that site's instructions ... no luck ... I hope Symantec can clear it for me!!!!!

    Joe


  • 13.  RE: virusdoctor
    Best Answer

    Posted Jan 04, 2010 03:13 PM
    Submit and delete these files:

    c:\WINDOWS\system32\41.exe
    c:\WINDOWS\system32\winhelper86.dll
    c:\WINDOWS\system32\winlogon86.exe
    c:\WINDOWS\system32\winupdate86.exe

    c:\Program Files\InternetSecurity2010
    c:\Program Files\InternetSecurity2010\IS2010.exe

    %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
    %UserProfile%\Desktop\Internet Security 2010.lnk
    %UserProfile%\Start Menu\Internet Security 2010.lnk

    Remove these Internet Security 2010 registry values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winupdate86.exe"
    HKEY_CURRENT_USER\Software\IS2010
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Internet Security 2010"



  • 14.  RE: virusdoctor

    Posted Jan 04, 2010 03:46 PM
    After applying the last change and doing the final reboot, hoping it removed them ... now I am getting this behaviour: when I log in, it quickly logs me out.

    Appreciate your reply


  • 15.  RE: virusdoctor

    Posted Jan 04, 2010 03:59 PM
     What was the last change you did, and are you able to log in in safe mode?


  • 16.  RE: virusdoctor

    Posted Jan 04, 2010 04:02 PM
    We removed the exe files as per your list ... and unfortunately the same behavior in safe mode.

    Joe


  • 17.  RE: virusdoctor

    Posted Jan 04, 2010 04:11 PM
     Hope you didn't delete winlogon.exe...
    Try connecting to the registry of this computer from a remote computer and check what the value of Userinit is in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


  • 18.  RE: virusdoctor

    Posted Jan 04, 2010 04:32 PM
    I hope Vikram above is right in that you did not delete the wrong registry keys.

    Are you logging into a domain or the local machine when this happens (getting logged out right away)?

    Either way, connect to the machine remotely.

    Rename any user profiles currently stored on the machine. Add something like old_ before the name. Anything to force the system to create a new account and locally stored credentials.

    Then try logging into the machine.

    Works? There is some residual data in the user profile that needs to be removed or cleaned.

    Does not work? You will need to repair your Windows installation in order to recreate the proper registry keys and values (if applicable).




  • 19.  RE: virusdoctor

    Posted Jan 04, 2010 04:35 PM

    FYI ... I was able to remotely edit the registry through a small network (hub of 2 PCs) and fixed a registry entry, Userinit, that had the winlogon86 ... and now I am able to log back in again. Tough one, but we did it.

    So all seems fine, except I am not sure why Symantec did not see this virus ... mmmm!
    I will keep the PC off the network for tonight and run another A.V. tomorrow.

    Joe



  • 20.  RE: virusdoctor

    Posted Jan 04, 2010 04:43 PM
     Cool. I knew that would be the trick it had used, as it is an old virus trick to load the virus before the user profile loads.
    It happens that sometimes the AV misses the detection or detects only a few of a bunch of files, because of which it keeps re-infecting your system.
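The check-and-repair described in posts 17 through 20 (read Userinit remotely, remove the winlogon86 hijack) and the file and Run-key cleanup list from post 13 can be driven from one script. The following PowerShell is an added example written for this page, not code from the thread or from Symantec. It assumes the Remote Registry service is running on the infected PC, that the admin workstation has local-administrator rights there, a hypothetical host name INFECTED-PC, the stock XP path C:\WINDOWS, and the indicator names exactly as the posts list them; anything else found in those keys is reported, not touched.

```powershell
# Added example (not from the original thread). Assumptions: Remote Registry
# service running on the target, admin rights there, XP-style C:\WINDOWS path,
# and the indicator names from post 13 (41.exe, winhelper86.dll, winlogon86.exe,
# winupdate86.exe, IS2010.exe, Run values "winupdate86.exe" and
# "Internet Security 2010"). Without -Fix the script only reports.
param(
    [string]$Computer = 'INFECTED-PC',   # hypothetical host name
    [switch]$Fix
)

# Stock XP Winlogon values; the trailing comma on Userinit is normal.
# A hijack looks like "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winlogon86.exe".
$ExpectedUserinit = 'C:\WINDOWS\system32\userinit.exe,'
$ExpectedShell    = 'explorer.exe'
$BadRunValues     = @('winupdate86.exe', 'Internet Security 2010')
$BadSystem32Files = @('41.exe', 'winhelper86.dll', 'winlogon86.exe', 'winupdate86.exe')
$BadDirectories   = @('Program Files\InternetSecurity2010')

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
$hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::Users, $Computer)

# 1. Winlogon: the Userinit/Shell values are run before the profile loads, which is
#    why a hijack here survives safe mode and why the user was logged off instantly
#    once winlogon86.exe had been deleted but was still referenced.
$winlogon = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', $Fix.IsPresent)
foreach ($pair in @(@('Userinit', $ExpectedUserinit), @('Shell', $ExpectedShell))) {
    $name, $expected = $pair
    $actual = [string]$winlogon.GetValue($name)
    if ($actual -ne $expected) {
        Write-Warning "Winlogon\$name is '$actual' (expected '$expected')"
        if ($Fix) { $winlogon.SetValue($name, $expected, [Microsoft.Win32.RegistryValueKind]::String) }
    } else {
        Write-Host "Winlogon\$name OK: $actual"
    }
}

# 2. Run keys: HKLM plus every loaded user hive (the user's HKCU lives under HKU\<SID>).
$runKeys = @(,@($hklm, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'))
foreach ($sid in ($hku.GetSubKeyNames() | Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' })) {
    $runKeys += ,@($hku, "$sid\Software\Microsoft\Windows\CurrentVersion\Run")
    if ($hku.OpenSubKey("$sid\Software\IS2010") -ne $null) {
        Write-Warning "Found HKU\$sid\Software\IS2010"
        if ($Fix) { $hku.DeleteSubKeyTree("$sid\Software\IS2010") }
    }
}
foreach ($entry in $runKeys) {
    $root, $path = $entry
    $run = $root.OpenSubKey($path, $Fix.IsPresent)
    if ($run -eq $null) { continue }
    foreach ($valueName in $run.GetValueNames()) {
        $data = [string]$run.GetValue($valueName)
        $byName = $BadRunValues -contains $valueName
        $byData = @($BadSystem32Files | Where-Object { $data -like "*$_*" }).Count -gt 0
        if ($byName -or $byData) {
            Write-Warning "Autorun '$valueName' = '$data' under $path"
            if ($Fix) { $run.DeleteValue($valueName) }
        }
    }
}

# 3. Files via the admin share. Copy each one to a quarantine folder first so it can
#    be submitted for definitions (post 22), then delete. Locked files will fail to
#    delete while the rogue is running; do that part from safe mode or offline.
$quarantine = Join-Path $env:TEMP "quarantine-$Computer"
$targets = @()
foreach ($f in $BadSystem32Files) { $targets += "\\$Computer\C$\WINDOWS\system32\$f" }
foreach ($d in $BadDirectories)   { $targets += "\\$Computer\C$\$d" }
foreach ($p in $targets) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Write-Warning "Found $p"
    if ($Fix) {
        New-Item -ItemType Directory -Force -Path $quarantine | Out-Null
        Copy-Item -LiteralPath $p -Destination $quarantine -Recurse -Force
        Remove-Item -LiteralPath $p -Recurse -Force
    }
}
```

Run it once without -Fix to see what it would change; the Winlogon comparison is deliberately exact, so a legitimately customised Userinit or Shell on a managed build is reported rather than silently overwritten, and the per-user .lnk files from post 13 are left for manual cleanup since their location depends on the profile path.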


  • 21.  RE: virusdoctor

    Posted Jan 05, 2010 09:49 AM
    Is it safe now to put the PC back on the network?
    A- Note that Symantec did not detect it, nor did the Rapid Release, although it is cleaned manually. Does Symantec have plans to add this one to their list?
    B- Quick application question: how do I clear the logs in the Management console? It mentions clearing the status; I need to go to the Computer Status Logs page. When I go there I can build a new report, etc., but how do I clear them?


  • 22.  RE: virusdoctor

    Posted Jan 05, 2010 01:54 PM
    We need to submit the files to Security for them to create definitions for it.
    This time you have already deleted the files and removed it manually; next time, if there is an infection and Symantec does not detect all the files, do remember to submit the suspected files.

    To clear the still infected status follow this
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111913145448


  • 23.  RE: virusdoctor

    Posted Jan 05, 2010 03:58 PM
    I will keep this in mind and submit bad files in future before deleting them, but I was unsure. I will put a reminder to send them to Security.
    Meanwhile, thank you for the note regarding clearing the status.

    Since I have not heard from Symantec (and did not get a chance to call them either), I have decided to put the supposed-to-be-cleaned-now PC back on the network. The good news is that there are no new virus claims; however, the user reported that only Admin can log in. The user himself cannot log in with the non-admin accounts. Have you seen this behavior before?



  • 24.  RE: virusdoctor

    Posted Jan 05, 2010 04:52 PM
     The PC is clean; however, there might have been some side effects due to registry hooking.
    However, I am not sure about users not being able to log in; that should not be a problem.


  • 25.  RE: virusdoctor

    Posted Jan 05, 2010 04:53 PM
     However, I would recommend downloading the latest Rapid Release and running a full scan again before putting it back into production.


  • 26.  RE: virusdoctor

    Posted Jan 06, 2010 09:43 AM
    Rapid Release did not help ... ran Kaspersky and it found 2 viruses ... gave it back to the user ... will see.


  • 27.  RE: virusdoctor

    Posted Jan 06, 2010 09:48 AM
     Anyway, now it's clean so you can put it in production. For next time, do remember to submit these types of files.
    Due to the high amount of malware written daily, it's always a possibility that the malware can get you before the antivirus company can get to it.