
system care antivirus


  • This topic is locked
32 replies to this topic

#1 jhauge

jhauge

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 15 June 2013 - 02:13 PM

Somehow this got downloaded to my desktop PC. I think I got it from an email. This system is running XP w/SP3. I can only operate the system in safe mode. I have tried to run the DDS program and all it gives me on the screen is a message "2 logs shall be created on your desktop". The PC just hangs there and does nothing else. After an hour I shut the system down. I tried running ComboFix and the same thing happens.

Edited by Orange Blossom, 15 June 2013 - 03:00 PM.
Moved to log forum. ~ OB



 


#2 JHMcG

JHMcG

  • Members
  • 242 posts
  • OFFLINE
  • Local time:02:44 PM

Posted 15 June 2013 - 02:25 PM

Not sure it will help, but you could try running "Killbits" before you run "Combofix". The function of "Killbits" is to disable that part of a virus that prevents your antivirus from running properly.



#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,071 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:07:44 PM

Posted 15 June 2013 - 02:39 PM

Just so you know...

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. When issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

As a general policy, Bleeping Computer does not offer advice on how to run ComboFix unless we asked someone to run it or there is a problem with the computer caused by running it. This is because people should not be using ComboFix without being advised to do so by a trained expert who is assisting a member deal with a malware issue on that system. Further, more information is needed by using tools like DDS, OTL, RSIT which create comprehensive logs with specific details about a computer's system, files, folders and registry keys which may have been modified by malware infection BEFORE deciding if ComboFix should be used.

 

 

xXToffeeXx~


Edited by bloopie, 15 June 2013 - 03:24 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 



#4 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:44 PM

Posted 15 June 2013 - 03:26 PM

Hello jhauge, and welcome to Bleeping Computer!

 

Have you read our removal guide and followed the steps there? http://www.bleepingcomputer.com/virus-removal/remove-system-care-antivirus

 

Does your screen match the one in the link above? If so, give those steps a try, and let me know if you have any problems!

 

bloopie



#5 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:44 PM

Posted 19 June 2013 - 06:02 PM

Hello again,

Are you still with me? :)

This is a Topic Bump! It has been several days since my last post. If you still wish to receive help please follow the instructions in my last post.

If you do not respond in another 48 hours, I will be forced to close this topic!

bloopie



#6 jhauge

jhauge
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 20 June 2013 - 10:00 AM

Yes, this thing is gone. Your expertise solved that problem. Now I notice that my system seems to be running slow. Windows seem to take a long time to load. Screen refresh is slow and some pages are a lot slower than others. It is not like it was before. This PC was really fast and now is really slow. I timed Quickbooks loading and it took 4 min to load. Any suggestions? Sorry about not getting back to you sooner. Thanks, Jim



#7 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:44 PM

Posted 20 June 2013 - 06:24 PM

Hello again,

There may be more than meets the eye. Let's get a closer look in your machine:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
bloopie

#8 jhauge

jhauge
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 20 June 2013 - 08:41 PM

Here are the two files you requested. I am also getting these two errors when trying to shut down: filling drilling tool is not responding and minimanger is not responding. I can only shut down by holding the on/off button. I cannot access the web in normal mode, only in safe mode. I will not be able to answer you after tonight till Monday morning. Thanks for all the help so far. Jim

Attached Files



#9 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:44 PM

Posted 22 June 2013 - 09:10 AM

Hello again Jim,

Not only was your machine infected with the scareware "system care antivirus", it is also still infected with a nasty rootkit called ZeroAccess. So I must issue you a warning:
 
Warning!
 
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
 
Should you still wish to continue with the cleaning process, then please continue with the below.
 
==========

Step 1
 
Download the attached file fixlist.txt and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Step 2

Run FRST and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please copy and paste it to your next reply.

Note: If the tool warned you about the outdated version please download and run the updated version.
 
==========

Step 3
 
After doing the above, please let me know if you are able to access internet in normal boot mode! Also, please let me know how the computer is running now!
 
Please do not run any other tools unless instructed to do so! You may use the computer just to test if it's working correctly, or if old problems still persist, until I give you the "all clean".

bloopie



#10 jhauge

jhauge
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 24 June 2013 - 07:02 PM

System seems to load normally. I can access the internet and all programs seem to load as they should. I was not able to download the updated version. I kept getting an error, so I told it no and ran the current version on my desktop.



#11 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:44 PM

Posted 24 June 2013 - 09:44 PM

Hello again,

 

That's good news, but I will need to see the Fixlog.txt from the fix run above. I need to see what happened when you ran the fix.

 

bloopie



#12 jhauge

jhauge
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 24 June 2013 - 09:50 PM

I thought I had posted the file for you but maybe something happened so here it is again.

Attached Files



#13 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • OFFLINE
  • Gender:Male
  • Location:New York
  • Local time:02:44 PM

Posted 24 June 2013 - 10:15 PM

Hi again,
 
Okay, thanks for that! I got it now and it looks like it was successful!
 
Next order of business is to run CF:
 
Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here

Combofix may need to reboot your computer more than once to do its job...this is normal.

You can download Combofix from one of these links.

  • Close any open browsers or any other programs that are open.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you at C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

 

bloopie



#14 jhauge

jhauge
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 24 June 2013 - 11:30 PM

Hi again. Tried to run ComboFix. It updated the recovery console. Then opened a lot of files. Then it said it was attempting to run ComboFix and it seems to be doing nothing. Same screen, no change, just a blinking cursor, after an hour. Now what next?



#15 jhauge

jhauge
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:44 PM

Posted 25 June 2013 - 11:36 AM

Left it alone all night and the next morning still just a blinking cursor. Redownloaded ComboFix and tried again and still same thing. I checked to make sure nothing else was running. Everything else is turned off.





