It is also related to the WinFixer virus.
General symptoms
No legitimate company would ever go to such extremes to make sure that infected computers cannot be cleaned until you pay your protection money.
Damage to the System
These are the main files
c:\windows\addins\vacac.dll    669 KB     This is the executable; it has no Windows resources
c:\windows\addins\cacav.ini    1,377 KB   Binary data, current date and time, frequently written

Since cacav.ini appears to be encrypted, it presumably contains a payload to be sent to the home computer.
This is the main related registry key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vacac

I was not able to delete vacac.dll because it was in use - it was being executed via both winlogon.exe and explorer.exe.
Of course, the primary damage is caused by the web browser opening ads (in a new tab when using Mozilla Firefox).
As with WinFixer, this virus causes every program on YOUR system to run slower.
A search of the internet found no hits for either vacac.dll or cacav.ini (which is the main reason that I wrote this page). Searches for SystemDoctor provided no useful information - this infection is significantly different from any that I was able to find.
As a result, I had to figure out how to uninstall this virus without any outside help.
The Antivirus Crowd
Registrant:
  SystemDoctor
  PO Box 143, Y Felinheli
  Wales, NA LL56 4WQ
  GB

Domain name: SYSTEMDOCTOR.COM

Administrative Contact:
  Hostmaster, SystemDoctor  hostmaster@systemdoctor.com
  PO Box 143, Y Felinheli
  Wales, NA LL56 4WQ
  GB
  +380 39 294 6731

Technical Contact:
  Hostmaster, SystemDoctor  hostmaster@systemdoctor.com
  PO Box 143, Y Felinheli
  Wales, NA LL56 4WQ
  GB
  +380 39 294 6731
tracert
This trace was made 11-09-06
tracert systemdoctor.com

Tracing route to systemdoctor.com [66.244.254.63]
... The first few hops are omitted - they add no useful information
 15    12 ms    15 ms    13 ms  rx0as.vx.shawcable.net [68.86.88.126]
 16    18 ms    17 ms    17 ms  rc2hu-pos7-0.ny.shawcable.net [66.163.77.49]
 17    17 ms    19 ms    17 ms  rc1hu-ge4-0-0.ny.shawcable.net [66.163.74.5]
 18    27 ms    28 ms    28 ms  rc1sh-pos12-0.mt.shawcable.net [66.163.76.13]
 19    27 ms    28 ms    29 ms  ra1sh-ge3-3.mt.shawcable.net [66.163.66.33]
 20    30 ms    27 ms    28 ms  rx0sh-set-up-a-host.mt.bigpipeinc.com [66.244.223.98]
 21    47 ms    28 ms    28 ms  rr-grp1.yyz1.cl1.setupahost.net [66.244.254.63]
Trace complete.

Please notice the similarity to the last 2 entries of the WinFixer trace.
Tracing route to winfixer.com [66.244.254.63]
... The first 19 hops are omitted - they add no useful information
 20    34 ms    33 ms    32 ms  rx0sh-set-up-a-host.mt.bigpipeinc.com [66.244.223.98]
 21    33 ms    32 ms    33 ms  winfixer.com [66.244.254.63]

Please notice that the IP addresses are the same.
Registry Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vacac
This registers the dll.

[HKEY_CLASSES_ROOT\CLSID\{F514988F-C67F-4F35-87F3-2E3BE36BC9C1}]
Additional keys are used to infect IE via Browser Helper Objects, but I don't have those.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{.....}]
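The following PowerShell script is an added example, not part of the original page, that checks a Windows host for the indicators listed above: the two files in c:\windows\addins, the probable installer noted later on this page, the Winlogon Notify and CLSID registry keys, and any running process that has vacac.dll mapped. It goes slightly beyond the page by listing every Winlogon Notify package and every Browser Helper Object it finds, since the author did not have the BHO keys; the function name and the output format are this example's own choices, and reading the module list of winlogon.exe requires an elevated prompt.

```powershell
# Added example (not the page's code): look for the SystemDoctor/vacac indicators
# described on this page. File paths, key names and the CLSID are the page's;
# the function and field names are assumptions made for this example.

function Find-VacacIndicators {
    [CmdletBinding()]
    param(
        [string]$ModuleName = 'vacac.dll'
    )

    $hits = New-Object System.Collections.Generic.List[object]

    # Files named on the page (nqlogvfr.exe is the page's "probable installer").
    $files = @(
        "$env:SystemRoot\addins\vacac.dll",
        "$env:SystemRoot\addins\cacav.ini",
        "$env:SystemRoot\system32\nqlogvfr.exe"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $item = Get-Item -LiteralPath $f -Force
            $hits.Add([pscustomobject]@{
                Type     = 'File'
                Location = $f
                Detail   = ('{0:N0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime)
            })
        }
    }

    # The two registry keys the page identifies.
    $keys = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vacac',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{F514988F-C67F-4F35-87F3-2E3BE36BC9C1}'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $hits.Add([pscustomobject]@{ Type = 'Registry'; Location = $k; Detail = 'key present' })
        }
    }

    # Every Winlogon Notify package is loaded into winlogon.exe at logon, so list
    # all of them, not only one named 'vacac', and show the DLL each one registers.
    $notify = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path -LiteralPath $notify) {
        foreach ($sub in Get-ChildItem -LiteralPath $notify) {
            $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DllName
            $hits.Add([pscustomobject]@{ Type = 'WinlogonNotify'; Location = $sub.PSChildName; Detail = $dll })
        }
    }

    # Browser Helper Objects: resolve each CLSID to the DLL its InprocServer32 points at.
    $bho = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path -LiteralPath $bho) {
        foreach ($clsid in (Get-ChildItem -LiteralPath $bho).PSChildName) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path -LiteralPath $server) { (Get-ItemProperty -LiteralPath $server).'(default)' } else { $null }
            $hits.Add([pscustomobject]@{ Type = 'BHO'; Location = $clsid; Detail = $dll })
        }
    }

    # Processes that currently have the DLL mapped (the page saw winlogon.exe and
    # explorer.exe). Module lists of protected processes throw unless elevated.
    foreach ($p in Get-Process) {
        try {
            $mods = @($p.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
        } catch {
            continue
        }
        foreach ($m in $mods) {
            $hits.Add([pscustomobject]@{
                Type     = 'LoadedModule'
                Location = '{0} (PID {1})' -f $p.ProcessName, $p.Id
                Detail   = $m.FileName
            })
        }
    }

    return $hits
}

$findings = @(Find-VacacIndicators)
if ($findings.Count -eq 0) {
    'No SystemDoctor/vacac indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt; a clean machine still lists the Winlogon Notify packages and BHOs that are legitimately installed, so review those rows by their DLL paths rather than treating every row as an infection.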
Uninstall
c:\windows\addins\vacac.dll

To remove this parasite, you will first need Process Explorer (from Sysinternals) - it allows you to stop any program or thread.
Make sure that Firefox (the Mozilla web browser) and Internet Explorer are not running.
Execute Process Explorer (procexp.exe) and locate and kill all instances of the virus - there were 2 programs on the system, each with 3 infected threads.
Because Winlogon was infected, you will actually have to stop the vacac.dll threads without actually stopping the Winlogon program.
One at a time, right click each of the 2 programs, select Properties..., and display the Threads tab. Select each of the vacac.dll threads and click the kill button.
Display the Winlogon handles (it's a menu selection) and select Close Handle.
After all the threads are killed and the handle is deleted, you will still not be able to delete the file until you reboot the system. However, you will be able to rename it - you MUST rename the file before rebooting the system.
I know that there is additional trash in the registry - but it does not appear to matter.
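As an added example that is not part of the original page, the registry and file steps of the procedure above can be scripted so they are done in one pass and can be previewed with -WhatIf. It assumes the vacac.dll threads in winlogon.exe and explorer.exe have already been stopped with Process Explorer as described, that the prompt is elevated, and that the files live in the addins directory the page names; the function name, the parameters and the ".disabled" suffix are this example's own choices.

```powershell
# Added example (not the page's code): scripted registry and file steps of the
# removal procedure. Key names, the CLSID and the file names come from the page;
# the function, its parameters and the rename suffix are this example's choices.
# Assumes the Process Explorer thread/handle steps have already been carried out.

function Disable-VacacPersistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$AddinsDir = "$env:SystemRoot\addins",
        [string]$Suffix    = '.disabled'
    )

    # The page's procedure requires both browsers to be closed first.
    foreach ($name in 'firefox', 'iexplore') {
        if (Get-Process -Name $name -ErrorAction SilentlyContinue) {
            throw "Close $name before continuing."
        }
    }

    # Remove the two registrations the page identifies so nothing reloads at logon.
    $keys = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vacac',
        'Registry::HKEY_CLASSES_ROOT\CLSID\{F514988F-C67F-4F35-87F3-2E3BE36BC9C1}'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            if ($PSCmdlet.ShouldProcess($k, 'Remove registry key')) {
                Remove-Item -LiteralPath $k -Recurse -Force
            }
        }
    }

    # Deleting vacac.dll fails while a process still maps it, but renaming works
    # (as the page notes), so nothing remains at the registered path to load.
    foreach ($file in 'vacac.dll', 'cacav.ini') {
        $path = Join-Path $AddinsDir $file
        if (Test-Path -LiteralPath $path) {
            if ($PSCmdlet.ShouldProcess($path, "Rename to $file$Suffix")) {
                Rename-Item -LiteralPath $path -NewName ($file + $Suffix) -Force
            }
        }
    }

    Write-Warning 'Reboot now, then delete the renamed files from the addins directory.'
}

# Preview every change first, then run it for real.
Disable-VacacPersistence -WhatIf
# Disable-VacacPersistence
```

The -WhatIf run prints each key removal and rename without performing it, which is worth doing once on a machine where the indicators have been confirmed before letting the function change anything.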
******** 11-08-06
c:\windows\addins
  vacac.dll   no windows parts - resources
  cacav.ini   binary data, current date and time
neither file is found via google
the system is infected with a virus - mozilla firefox links to http://85.12.25.85/trafc-2/rfe.php? ........
{F514988F-C67F-4F35-87F3-2E3BE36BC9C1}   This starts the program
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vacac   this runs under winlogon.exe and explorer.exe
regsvr32 /u vacac.dll
same date and time   \windows\system32\nqlogvfr.exe   probable installer
****************