Trojan that won't go away

Discussion in 'Malware Help (A Specialist Will Reply)' started by adskins918, Sep 14, 2005.

  1. adskins918

    adskins918 Private E-2

    Recently every time I start my computer I’m getting a virus notification from Symantec as Adware.Adpopup with the filename: C:\WINDOWS\config\tcpras.dll

    I followed all the instructions on your Basic Spyware, Trojan And Virus Removal page, and while it deleted several viruses, it couldn’t get rid of tcpras.dll. Several programs detected the file as different types of trojans:
    RAV called it Trojan:Win32/Vundo.B
    Housecall called it Troj_AGENT.FZ
    CWS reported it: BHO: [MSEvents Object] C:\WINDOWS\Config\tcpras.dll
    a-squared called it Trojan.Win32.Agent.cs
    BitDefender called it Trojan.Agent.CS
    Adaware called it Trojan.Agent.CS (and identified 6 registry keys associated with it)
    None of the other programs identified this file.

    I downloaded the removal tools for Trojan.Vundo and Trojan.Vundo.B from Symantec’s website and ran them, but they both said there was no detection of the virus.

    I went to the registry editor, both in normal and safe mode, and deleted the keys identified by Adaware. Whenever I would delete them, they would reappear immediately.

    I downloaded and ran HijackThis and when I ran it, it identified tcpras.dll under the O2 and O20 categories. I also downloaded KillBox and chose the option to delete the file upon reboot, but it didn’t work.

    I’m stumped at this point and would appreciate any help you can give.

    Thanks in advance

    Andrew
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. adskins918

    adskins918 Private E-2

    Thanks for replying so quickly. I've attached my HJT log
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    • You will first be presented with a warning and a list of forums to seek help at.
      it should look like this
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\Config\tcpras.dll

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\Config\sarpct.*

    • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    • The fix will run then HijackThis will open.
    • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Config\tcpras.dll
    O20 - Winlogon Notify: tcpras - C:\WINDOWS\Config\tcpras.dll

    • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
    • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
    • Once your machine reboots please attach a fresh HJT log from normal mode.
     
    Last edited: Sep 15, 2005
  5. adskins918

    adskins918 Private E-2

    That sure cleaned it out. Here's my new HJT log.

    Thanks a lot, you guys are awesome

    Andrew
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
    O16 - DPF: {DAEB8818-608B-40D2-8AD6-193753623CEB} -
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} -

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    After you have completed the above steps, first be sure you have the viewing of hidden files and folders enabled per the tutorial. Now I want you to navigate to the following directory:

    C:\WINDOWS\Config

    Let me know if anything exists in this folder, with the exact filename. If any of the below exist, make a note and post them back in your next post, then delete any that are found!

    C:\WINDOWS\Config\sarpct.ini
    C:\WINDOWS\Config\sarpct.ini2
    C:\WINDOWS\Config\sarpct.bak
    C:\WINDOWS\Config\sarpct.bak1
    C:\WINDOWS\Config\sarpct.bak2
    C:\WINDOWS\Config\sarpct.tmp
    C:\WINDOWS\Config\tcpras.dll



    After you complete the above, reboot and let me know how things are running and if you're having any further problems.
     
    Last edited: Sep 15, 2005
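The HijackThis lines quoted in posts 4 and 6 above show the pattern the expert keyed on: one DLL registered both as a BHO (O2) and as a Winlogon Notify handler (O20), loaded from C:\WINDOWS\Config, plus O16 DPF entries with no download URL. The following is an added triage script (not from the thread or from HijackThis) that parses log lines of that form and flags those patterns; the sample log is constructed here from the entries the thread quotes, with one benign O4 line added as a negative case.

```python
import re

# Constructed sample log. The R0/O2/O16/O20 lines reproduce the entries quoted in the
# thread above; the O4 line is a benign filler added here so the triage has a negative case.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Config\tcpras.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} -
O20 - Winlogon Notify: tcpras - C:\WINDOWS\Config\tcpras.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
DLL_RE = re.compile(r"([A-Za-z]:\\\S+\.dll)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out

def triage(text):
    """Return (section, reason, body) for entries showing the patterns seen in this thread."""
    entries = parse_hjt(text)
    loaded_by = {}  # lowercased DLL path -> set of sections that reference it
    for sec, body in entries:
        m = DLL_RE.search(body)
        if m:
            loaded_by.setdefault(m.group(1).lower(), set()).add(sec)
    findings = []
    for sec, body in entries:
        m = DLL_RE.search(body)
        dll = m.group(1).lower() if m else None
        if dll and {"O2", "O20"} <= loaded_by[dll]:
            # Vundo-style persistence: the same DLL is a browser helper object and a
            # Winlogon Notify handler, so it is loaded at logon and again inside the browser.
            findings.append((sec, "same DLL as both BHO (O2) and Winlogon Notify (O20)", body))
        elif dll and dll.startswith("c:\\windows\\config\\"):
            findings.append((sec, "DLL loaded from C:\\WINDOWS\\Config", body))
        if sec == "O16" and body.rstrip().endswith("-"):
            findings.append((sec, "O16 DPF entry with no download URL", body))
        if sec == "R0" and "Start Page" in body and URL_RE.search(body):
            findings.append((sec, "IE start page set to a remote URL; review", body))
    return findings

if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"{sec:<4} {reason}: {body}")
```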
  7. adskins918

    adskins918 Private E-2

    Ok, I went through everything and both Spybot and Adaware came up clean. Also, the WINDOWS\Config folder is empty. Everything seems to be running fine.

    Thanks again
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
