tcpac.exe malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JimF, Dec 1, 2004.

  1. JimF

    JimF Private E-2

    My Windows XP Pro system has been invaded by what appears to be a Vundo variant. SpyBot finds ALTEvents (4 items) but can't fix them permanently. I have tried the Symantec Vundo tool with no luck. The task manager shows a process called tcpac.exe which is cycling between 0 and 90% of CPU. I cannot terminate it without it coming right back. It appears to be writing a file called capct.dat over and over. I have looked at some of the generic instructions in other threads but my version must be a mutated variant as I don't see the files or processes named in the instructions on my machine. Any help would be appreciated. I have downloaded HijackThis. I am at the point where I'm ready to just reformat the HD (fortunately, all of my data is backed up).

    Thanks,
    Jim
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Jim,

    Please acquaint yourself with this cleanup tutorial:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    Then, send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I will try to take a look tonight when I get some free time.

    Best luck :)
    PP
     
  3. JimF

    JimF Private E-2

    Thanks (BTW, love the Opus). Hijackthis.log attached.
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi Jim,

    Opus suits my demeanor ;)

    Your log doesn't look too bad.

    Is this legit? O4 - Startup: DOSshell.lnk = C:\WINDOWS\system32\cmd.exe

    So happy I can Cut & Paste!! :cool:

    This is my generic fix for Stopguard/Virtumundo-related malware infections. I have had a lot of success with it, but there have been some failures as well.

    ALSO NOTE that the tough part is nailing that pesky running process that always springs back to life. To do this, I use the Delete a File on Reboot option in HijackThis. If you do this successfully, that process will be Deleted before it ever gets a chance to run! This should work every time. Please make sure to enter the correct path for the file to be deleted. If, for some reason, you are not able to delete the file in question, please try again before posting back.

    ANYHOO:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED. Please follow the instructions very carefully - Do them in the exact order given.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Look in C: > WINDOWS > PREFETCH & Delete tcpac.exe ( or any tcpac or capct entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    ALSO: take a look inside the C:\WINDOWS\ServicePackFiles Folder for any backups (tcpac.bak & capct.bak etc. . . ) – Note that they will probably be Hidden Files – Delete the ones that allow you to do so.

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    O1 - Hosts: com
    O1 - Hosts: com
    O1 - Hosts: .com
    O1 - Hosts: .com
    O1 - Hosts: .com
    O1 - Hosts: .com
    O1 - Hosts: d.com
    O1 - Hosts: com

    O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\jfiore\LOCALS~1\Temp\capct.dat

    O4 - HKLM\..\Run: [*tcpac] C:\WINDOWS\ServicePackFiles\tcpac.exe

    O4 - HKLM\..\RunOnce: [*tcpac] C:\WINDOWS\ServicePackFiles\tcpac.exe rerun


    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\ServicePackFiles\tcpac.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    THEN:
    Use Windows Explorer to run a search of your computer for:

    bkinst
    tcpac
    capct


    and DELETE the related files. (We especially want to get rid of tcpac.ini & tcpac.dat & tcpac.bak AND capct.ini & capct.dat & capct.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL. So, when you find them, search the associated folders carefully for any hidden remnants!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions. I'll try to check back tonight.

    ***You may want to try running the Symantec tool again, as well.

    Best luck :)
    PP
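The O1/O2/O4 entries PhilliePhan singles out above (a BHO loading from a user's Temp folder, the same binary in both Run and RunOnce, hosts-file overrides, and a shortcut to cmd.exe that needs a human "is this legit?") can be triaged mechanically. The Python below is an added example written for this page; it is not HijackThis code and not part of any post. The sample log is constructed from the lines quoted in the thread plus one invented hosts entry (the thread's O1 lines lost their hostnames), and the "unusual directory" list, interpreter list and rule names are this example's own assumptions.

```python
"""Triage a HijackThis-style log for self-reinstating persistence.

Added example for this thread, not HijackThis code. The sample log is
constructed from O2/O4 lines quoted in the thread; the O1 line is invented.
Rule names and directory/interpreter lists are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (O2/O4 lines from the thread, O1 line invented).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
O1 - Hosts: 192.0.2.1 www.example.com
O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\jfiore\LOCALS~1\Temp\capct.dat
O4 - HKLM\..\Run: [*tcpac] C:\WINDOWS\ServicePackFiles\tcpac.exe
O4 - HKLM\..\RunOnce: [*tcpac] C:\WINDOWS\ServicePackFiles\tcpac.exe rerun
O4 - Startup: DOSshell.lnk = C:\WINDOWS\system32\cmd.exe
"""

O_LINE = re.compile(r"^(O\d+)\s*-\s*(.*)$")
# First DOS-style path in the entry. 2004-era logs use 8.3 names, so a path
# stops at the first space; a path containing spaces would be truncated.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\s\"]+)")

# Directories a legitimate autostart or BHO almost never loads from
# (assumption chosen for this example; tune for your environment).
SUSPICIOUS_SEGMENTS = {"temp", "servicepackfiles", "prefetch"}
# Script/shell hosts in an autostart deserve a human look, not an auto-fix.
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe"}


def parse(log_text):
    """Return one dict per O-numbered entry: kind, full text, lowercased path."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O_LINE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        pm = PATH_RE.search(rest)
        path = pm.group(1).lower() if pm else None
        entries.append({"kind": kind, "text": line, "path": path})
    return entries


def in_unusual_dir(path):
    """True if any directory component of the path is in SUSPICIOUS_SEGMENTS."""
    dirs = path.split("\\")[:-1]            # drop the file name
    return any(seg in SUSPICIOUS_SEGMENTS for seg in dirs)


def run_key_kind(text):
    """'RunOnce' / 'Run' for O4 registry autostarts, else None."""
    if "\\..\\RunOnce:" in text:
        return "RunOnce"
    if "\\..\\Run:" in text:
        return "Run"
    return None


def triage(log_text):
    """Return (rule, detail) findings: per-line rules first, then pair rules."""
    findings = []
    run_kinds = defaultdict(set)            # path -> {"Run", "RunOnce"}
    for e in parse(log_text):
        kind, text, path = e["kind"], e["text"], e["path"]
        if kind == "O1":
            # Every hosts override redirects name resolution; review each one.
            findings.append(("hosts_override", text))
        if path and in_unusual_dir(path):
            findings.append(("loads_from_unusual_dir", text))
        if kind == "O4" and path and path.rsplit("\\", 1)[-1] in INTERPRETERS:
            findings.append(("interpreter_autostart_review", text))
        rk = run_key_kind(text)
        if kind == "O4" and path and rk:
            run_kinds[path].add(rk)
    # Same binary in Run *and* RunOnce: Run starts it every boot, and the
    # RunOnce value still fires at the next boot if only the Run value is removed.
    for path, kinds in run_kinds.items():
        if {"Run", "RunOnce"} <= kinds:
            findings.append(("run_and_runonce_same_binary", path))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:30} {detail}")
```

Run it as-is to print the findings for the sample, or pass the text of a real HJT log to triage(). The Startup shortcut to cmd.exe lands only in the review bucket, which mirrors the "Is this legit?" question above: an interpreter in an autostart is worth a human look, not an automatic fix, and here the user later confirms it is his own.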
     
  5. JimF

    JimF Private E-2

    PhilliePhan-

    I think that's got it! I had to do some wacky little adjustments. Originally I could not delete tcpac.exe in Windows\ServicePackFiles nor capct.dat in Documents & Settings... I was told that I could not access them (I opened a cmd line and killed the HS flags but to no avail). It turned out the tcpac process was still running and it keeps rewriting these files (this was under the Safe Mode reboot). I figured if I was fast enough I might be able to kill the process and delete the files before it restarted, so I typed in the command to delete everything in the ServicePackFiles directory (only this crap was in there), typed in the 'Y' for the confirm (poised for the Enter key), selected tcpac.exe from TaskManager, and killed it, a split second later hitting my cmd line and the Enter key. It took two tries, but tcpac.exe disappeared from the TaskManager. I then purged everything else I could find (SpyBot finally worked now that the tcpac process was dead). I still couldn't get rid of capct.dat (again an access violation), so I re-ran HijackThis, selected capct.dat for deletion on reboot, and well, here I am. It seemed to work. I guess I'll know for sure within the next few days.

    I think it would be useful if HijackThis could delete more than one file on reboot. That seemed to be part of my problem. Perhaps it can and I just didn't notice how. BTW, I'm a hold-over from long ago (Amiga, Unix, VMS even) and so the first thing I do is open a command line (in reference to your comment about "O4 - Startup: DOSshell.lnk..."). I've just not had the time or inkling to chase down the inner workings of this malware crap.

    I will be downloading Firefox shortly. I've used Mozilla at home for quite some time and am happy with it but here at work they have more or less settled on IE by default. I've wasted a lot of time with this problem.

    Anyway, thanks again for your kind assistance.

    Jim
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi Jim,

    You're welcome! Happy to help :)

    This can sometimes be a pretty "hands on" removal process. Luckily, you seem better equipped than most to dive right in and go after the sucker!

    As far as Deleting things goes, I like this little number myself: Pocket KillBox

    Best regards,
    PP
     
