System Doctor may also install a rogue security program called Messenger Blocker. Messenger Blocker supposedly protects you from popups sent to the Windows Messenger service. After its 7-day trial, though, it will actually turn on your Messenger service if it was already off, and spam advertisements to it. The files you need to remove for this addition have been added to the guide as well.
A screenshot of SystemDoctor can be seen below.
System Doctor 2006
Symptoms in a HijackThis Log:
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [dc6_check] C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
O4 - HKLM\..\Run: [USDR6cw] C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe -c
O4 - HKLM\..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKCU\..\Run: [AdwareProtector] C:\Program Files\SystemDoctor 2006\AdwareProtector.exe
O4 - HKLM\..\Run: [System Doctor Free] C:\Program Files\System Doctor Free\systemdoc.exe -scan
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
O4 - HKLM\..\Run: [InternetService] C:\Program Files\Common Files\System\isvc.exe
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [WindowsExplorer] C:\Program Files\Common Files\System\csrss.exe
O4 - HKLM\..\Run: [SystemData] C:\Program Files\MBlocker\MBlocker.exe -c
O4 - HKLM\..\Run: [WindowsFirewall] C:\Program Files\Common Files\System\lsass.exe
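The following Python script is an added example, not part of the original guide or of HijackThis. It checks the O4 Run lines of a saved HijackThis log against the folders and files named in this guide, and goes one step further by flagging any csrss.exe, lsass.exe or svchost.exe that starts from outside system32. The C:\Windows install path and the last two sample lines (Updater, ExampleApp) are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Folders and files named in this guide's symptom and deletion lists (lower-cased).
GUIDE_DIRS = (
    r"c:\program files\systemdoctor 2006 free",
    r"c:\program files\systemdoctor 2006",
    r"c:\program files\system doctor free",
    r"c:\program files\common files\system doctor",
    r"c:\program files\mblocker",
)
GUIDE_FILES = {
    r"c:\program files\common files\system" + "\\" + n
    for n in ("isvc.exe", "csrss.exe", "lsass.exe", "svchost.exe")
}
# Assumption: Windows is installed in C:\Windows, so genuine copies of these
# processes start from C:\Windows\system32 only.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIR = r"c:\windows\system32"

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

def classify(log_text):
    """Return (run_value, exe_path, reason) for each suspicious O4 Run entry."""
    findings = []
    for line in log_text.splitlines():
        entry = O4_RE.match(line.strip())
        exe = EXE_RE.match(entry.group("cmd")) if entry else None
        if not exe:
            continue  # not an O4 Run line, or no .exe path in the command
        path = PureWindowsPath(exe.group("path").lower())
        parent = str(path.parent)
        in_guide_dir = any(parent == d or parent.startswith(d + "\\") for d in GUIDE_DIRS)
        if in_guide_dir or str(path) in GUIDE_FILES:
            reason = "listed in guide"
        elif path.name in SYSTEM_NAMES and parent != SYSTEM_DIR:
            reason = "system process name outside system32"
        else:
            continue
        findings.append((entry.group("name"), str(path), reason))
    return findings

# First three lines are from this guide; the last two are constructed.
SAMPLE = r"""O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
O4 - HKLM\..\Run: [WindowsFirewall] C:\Program Files\Common Files\System\lsass.exe
O4 - HKLM\..\Run: [Updater] C:\Temp\svchost.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe /tray
"""
```

Calling classify() on the text of a saved log returns one tuple per flagged entry; unflagged Run entries are simply omitted.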
Revision History
11/13/06 - Added new symptoms from a HJT log.
10/11/07 - Updated for new version and MessengerBlocker
Removal Instructions: In order to remove this infection we will need to use HijackThis to manually remove the infection:
- Print out these instructions, as we will need to close every open window later in the fix.
- Follow the instructions found in this guide: How To Remove The Smitfraud / Generic Zlob Infections. When done, come back and finish the rest of these steps.
- Enter the Windows Control Panel and double-click on Add/Remove Programs.
- When the installed programs list appears, double-click on the entry for SystemDoctor 2006 if it exists and allow it to uninstall. Then exit the Add/Remove Programs screen and the Control Panel.
- Download HijackThis from here and extract it to c:\hijackthis.
- Close all windows, even this Internet Explorer window.
- Navigate to the c:\hijackthis directory and double-click on HijackThis.exe
- When the program starts, click on the Scan button.
- Put a checkmark next to each of the following entries (there may be more than one of each):
O4 - HKLM\..\Run: [SystemDoctor 2006 Free] C:\Program Files\SystemDoctor 2006 Free\sd2006.exe -scan
O4 - HKLM\..\Run: [dc6_check] C:\Program Files\SystemDoctor 2006 Free\dcmon.exe
O4 - HKLM\..\Run: [USDR6cw] C:\Program Files\SystemDoctor 2006 Free\USDR6cw.exe -c
O4 - HKLM\..\Run: [cmonitor] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKCU\..\Run: [AdwareProtector] C:\Program Files\SystemDoctor 2006\AdwareProtector.exe
O4 - HKLM\..\Run: [System Doctor Free] C:\Program Files\System Doctor Free\systemdoc.exe -scan
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
O4 - HKLM\..\Run: [InternetService] C:\Program Files\Common Files\System\isvc.exe
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [WindowsExplorer] C:\Program Files\Common Files\System\csrss.exe
O4 - HKLM\..\Run: [SystemData] C:\Program Files\MBlocker\MBlocker.exe -c
O4 - HKLM\..\Run: [WindowsFirewall] C:\Program Files\Common Files\System\lsass.exe
- Then click the Fix button
- Exit HijackThis.
- Reboot your computer into Safe Mode.
- Delete the following files and folders if they exist:
C:\Program Files\SystemDoctor 2006 Free\
C:\Program Files\System Doctor Free\
C:\Program Files\MBlocker\
C:\Program Files\Common Files\System Doctor\
C:\Program Files\Common Files\System\isvc.exe
C:\Program Files\Common Files\System\csrss.exe
C:\Program Files\Common Files\System\lsass.exe
C:\Program Files\Common Files\System\svchost.exe
- Reboot your computer back to normal mode.
This is a self-help guide. Use at your own risk.
BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.