
System Care Antivirus (rogue) infection



#1 AlgaeGreen


Posted 16 April 2013 - 06:21 PM

My wife's computer was recently attacked by the "System Care Antivirus" program which launched the fake scanner and prevented Windows from:

 

Enabling Windows Firewall.

Visiting certain web sites (antivirus sites).

 

Also, Windows Security Essentials disappeared. Many "alerts" are popping up, saying that "program (program name).exe is infected".

 

I have done some reading about the System Care Antivirus infection and have attempted to run MalwareBytes without success. I have booted into Safe Mode and tried running "RootKill" without success.

 

What's next?

 

Alan

 




 


#2 boopme


Posted 16 April 2013 - 08:03 PM

Welcome Alan

Let's try this...

Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Reboot into Safe Mode with Networking
How to start Windows 7 in Safe Mode



Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another...) and save it to your desktop:

Link 1
Link 2
Link 3
Link 4

• In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
• Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
• A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
• An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
• Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
• If nothing happens or if the tool does not run, please let me know in your next reply.



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.



Please download AdwCleaner by Xplode onto your desktop.
• Close all open programs and internet browsers.
• Double click on adwcleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• You will be prompted to restart your computer. A text file will open after the restart.
• Please post the contents of that logfile with your next reply.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.


Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 AlgaeGreen


Posted 17 April 2013 - 07:28 AM

Hi, boopme.

 

Thanks so much for your quick reply.  Unfortunately, I had already run ComboFix before posting to this forum  :blush: on the advice of one of the I.T. techs where I work.  Also (unfortunately), ComboFix did not finish.  It stalled near the end (at the deleting files phase) and just sat there doing nothing for hours.  I.T. guy (I'll call him "Tim" to protect his identity) told me to just exit and run a MalwareBytes scan. The quick scan ran through the night, and when I got up this morning to check on it, there was a blank window where the MBAM interface window used to be and when I clicked on the taskbar label, it said "Program Not Responding".

 

I ran Rkill in Safe Mode just before running ComboFix, and the log says, "Objects detected 0". 

 

Another issue that exists is I cannot enable Windows Automatic Update. And when I go directly to the Windows update site, click on "Express Install", I get an error message "Unable to open the requested page", which seems suspicious to me.

 

I had to leave for work, and have not had a chance to run AdwCleaner yet.  But I wanted to check in with you and let you know about ComboFix and see if that changes the order of steps I should take going forward.

 

Thank you.

Alan



#4 AlgaeGreen


Posted 17 April 2013 - 12:55 PM

I just noticed the article on the home page about removing the System Care Antivirus crap.  I will follow those instructions and come back here if I have further questions.

 

Thanks again for your help and support. This is a great site!

 

Alan



#5 boopme


Posted 17 April 2013 - 07:36 PM

OK, let me know.



#6 AlgaeGreen


Posted 17 April 2013 - 10:16 PM

Since my wife didn't have much in the way of important files on this PC, I decided to just do a clean install of XP. I couldn't seem to get any of the tools to work correctly, and it leads me to believe there was a serious problem. So I'm just finishing up installing her favorite programs (iTunes, etc.) and am going to purchase and install MalwareBytes Pro. It seems to be the preferred antivirus program these days. Plus, I like that I don't have to renew the subscription every year. Other antivirus companies should take a lesson.

 

Anyways... I really love this site and appreciate the help I received.  I will be coming back often.

 

All the best!

 

Alan


Edited by AlgaeGreen, 17 April 2013 - 10:18 PM.


#7 boopme


Posted 17 April 2013 - 10:36 PM

A good choice Alan

 

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... These are generally safe. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executable files or any Windows files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

 

Thanks for visiting us.


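The two backup rules in the post above, written as a pre-backup triage script; this is an added example, not code from the thread or from BleepingComputer. It goes beyond the post in two labelled ways: it checks every extension in a file name rather than only the last one, and it treats a file whose content starts with the `MZ` executable header as an executable whatever its name says. The function names and the sample files are constructed for the illustration.

```python
import os
import tempfile

# Extension lists copied from the post: rule 1 (back up) and rule 2 (do not).
SAFE_EXT = {".doc", ".txt", ".mp3", ".jpg"}
SKIP_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}

def classify(path):
    """Return (decision, reason) for one file under the post's two rules."""
    parts = os.path.basename(path).lower().split(".")
    exts = {"." + p for p in parts[1:]}      # every extension, e.g. .jpg and .scr
    last = "." + parts[-1] if len(parts) > 1 else ""
    if exts & SKIP_EXT:
        return "skip", "extension on the do-not-backup list"
    with open(path, "rb") as fh:
        if fh.read(2) == b"MZ":              # DOS/PE executable magic bytes
            return "skip", "executable content behind a data extension"
    if last in SAFE_EXT:
        return "backup", "data file"
    return "review", "extension not covered by either rule"

def plan_backup(root):
    """Walk root and map each relative path to its (decision, reason)."""
    plan = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            plan[os.path.relpath(full, root)] = classify(full)
    return plan

def build_sample(root):
    """Write constructed sample files (not taken from the thread) into root."""
    samples = {
        "letter.doc": b"\xd0\xcf\x11\xe0 constructed",
        "setup.exe": b"MZ constructed",
        "holiday.jpg.scr": b"MZ constructed",  # double extension
        "photo.jpg": b"MZ constructed",        # executable renamed to .jpg
        "notes.pdf": b"%PDF constructed",      # extension the post does not list
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, (decision, reason) in sorted(plan_backup(tmp).items()):
            print(f"{decision:7} {rel}: {reason}")
```

Files marked `review` fall outside both lists in the post and need a manual decision before they go onto the backup media.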



