
System Doctor Infection (but No Installation)


7 replies to this topic

#1 Lukage


Posted 03 July 2007 - 10:23 PM

I opened what seemed to be a harmless EXE and I've gotten a barrage of "System Doctor" pop-ups. I checked around to sites like this and found only walkthroughs on removing the installation of this infection. I checked the files and such and found no traces of the trojans that have been added after the infection. I did a HijackThis and found no System Doctor connections as listed in the help for this product. I'm confident I have it infecting my machine, but I have no clue how to remove it. I'm computer savvy, so there's no need to be extremely specific on details for the fix for this issue. Thanks in advance for any help!



#2 tg1911


Posted 03 July 2007 - 10:46 PM

Have you tried this self-help tutorial:
How To Remove Systemdoctor 2006

#3 Lukage


Posted 03 July 2007 - 10:57 PM

> Have you tried this self-help tutorial:
> How To Remove Systemdoctor 2006


Yes, that is the one that I'm talking about. The files/installation are not there. It seems though that those pop-ups are going away, but other system features (right clicking, copying, misc. things) are going bad.

#4 Lukage


Posted 03 July 2007 - 11:10 PM

I set up the proxy server address for the VPN in Internet Explorer to try to prevent it from downloading content to IE (as that's where the trojans keep appearing in the cache), but it seems the stuff keeps popping up there despite IE being "blocked."

AVG is still turning up nothing else other than these Temporary files that I keep removing.

#5 buddy215

  • Moderator

Posted 04 July 2007 - 09:38 AM

You have other infections that were accompanied with the System Doctor. Follow the directions below.

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
--------------------------------------------------------------------------------

How To start Windows in Safe Mode
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

#6 Papakid

  • Malware Response Team

Posted 04 July 2007 - 11:42 AM

Hi Lukage,

I second buddy215's recommendations. Super Antispyware alone will likely remove any remnants of System Doctor. And it is free. However, malware comes in bunches and changes constantly so having your HijackThis log examined by someone familiar with the latest developments is the best way to go.

Giedrius M, I've removed your post because of the link to your website's "tutorial". Although the instructions themselves are accurate, the paragraphs leading up to those are misleading and seem to me to be intended to sell SpywareDoctor. You give several reasons to discourage the use of SmitfraudFix (SF), even implying that it is little better than a beta, because it is free it is not very good, and that it should have realtime protection, when it is no more than a specialized removal tool--and a very good one at that. You don't really want people to use SF, do you? It looks to me that you want them to purchase SpywareDoctor so you can get a commission.

I've seen you make some intelligent and helpful posts. But are you here to be helpful or just to try to rake in commissions? Any links to your site pushing SD will be removed until I'm convinced otherwise.


#7 Giedrius M


Posted 05 July 2007 - 02:25 AM

Papakid, but these paragraphs are true as they are: SmitfraudFix is a cure for symptoms, not for the fact that there are trojans installed which can download new versions of parasites. I hate advocating pushing a cure for symptoms without checking HOW you got any parasite in the first place. Yes, I want people to use SmitfraudFix as long as they CHECK how they got infected, duh.
My blog majauskas.com

#8 Papakid

  • Malware Response Team

Posted 06 July 2007 - 01:41 AM

Ah, Giedrius M, but you didn't answer the question.

> I've seen you make some intelligent and helpful posts. But are you here to be helpful or just to try to rake in commissions?

I find your reply, both here and in your PM to me, to be disingenuous and some of it nonsensical. This is not a difference of opinion, let's deal with facts.

First I'll note that you appear to have edited the SmitfraudFix tutorial and some of your other webpages. I would like to think this is a step in the right direction, but I can't help but think otherwise. Nevertheless, that is speculation--here are the facts.

1.

> SmitfraudFix is a cure for symptoms, not for the fact that there are trojans installed which can download new versions of parasites.

It is untrue that SF does not deal with the trojans that install rogue removal programs. Just the opposite. The trojan is what shows the false warnings--it is essentially a desktop hijack. Most of these rogue programs that are trying to trick you into buying will include an uninstall string that will show up in Add/Remove to give it an air of legitimacy. That may remove only the Scanner Program, but not the false warnings that the trojan initiated.

The symptoms won't go away until the trojan that is causing them is fixed. So it is nonsense to say that curing the symptoms doesn't do the job. That is the primary goal of most end users--make the symptoms go away. It is true, as I've already stated, that there may be other trojans or malware on a person's system, but SF does not claim to be a general scanner. This is why the advice to post a HijackThis log, after running some free general scanners is sound, which you did not do.

For the most part, SF will remove all aspects of the Zlob trojan--all files and registry entries it knows about. Like most malware that we have to deal with today, this family of trojans changes file names and reg entries quite often so there is no guarantee that it will remove the symptoms in every case. Which is true of SpywareDoctor, SAS or any other general scanner that works on a set of definitions, whether anti-spyware or anti-virus. SF targets only certain families of SmitFraud, the developer works closely with the anti-malware community and therefore usually sees new variants earlier than others and updates the SF tool accordingly. I've seen it updated three times in one day. If you look at the tool's changelog you can see exactly what it fixes, and does it for free. Does SpywareDoctor show you every file and registry entry it will fix? If not, then it is speculation and inaccurate that it would be preferred as a means of removal over SF that is designed for that specific job, which is what your tutorial implies.

2.

> I hate advocating pushing a cure for symptoms without checking HOW you got any parasite in the first place. Yes, I want people to use SmitfraudFix as long as they CHECK how they got infected, duh.

How a person got infected in the first place has nothing to do with its removal. Even if you are saying the trojan responsible is still there and will download and install more if not removed--I've just proved that to be a false assumption because SF will remove it. Knowing how one got infected is useful to know to prevent future infections. If you check the bleepingcomputer Spyware and Malware Removal Guides you would see that how an infection got on a system in the first place is mentioned when known. For most of the latest variants, the trojan is part of a codec that the victim is told is needed in order to play a certain video.

The point here is that your SF guide is supposed to be a removal guide, not a prevention guide.

3. In your PM to me, you said, "I see people spamming everywhere that Smitfraud fix will fix this problem, and that problem." It is true that some people will recommend the wrong tool for the job. Some people are just guessing about how to fix a problem, I've seen a lot of people run CWShredder when there is no CWS on their system because they have either been told to try that or have seen it fix someone else's problem and will try anything in desperation. But to say SF is being spammed is just wrong. No one has anything to gain, either monetarily or otherwise by recommending a free tool in order to help someone.

Consider this. Lukage asked how to remove System Doctor. According to The SF Changelog, SmitfraudFix does not remove this rogue and all its files at this point in time. So by your own definition, you just spammed the board by recommending SmitfraudFix for this problem because it is not the tool for the job in this case.

I had much more I intended to go into but I have had other things to do. I just know that I've run into several websites just like yours. I have to admit that you are more honest than most by not hiding that you have registered the domain. Others who use the same affiliate scheme hide behind a proxied domain. You are welcome here to talk computers, but not to lead people in a subtle way to your site where you hope the end result will be that people will purchase a general scanner when we can help people with free tools.
