Skittless, posted July 8, 2013

Hey, does anyone know something about this program? I don't remember installing it, which makes me think it is a virus that is claiming to be an antivirus program Oo How can I remove it? I tried to delete it from Control Panel, but I can't find it there?! Thanks.

LittleNeutrino (Veteran), posted July 8, 2013

System Doctor 2014 is a variant of Win32/Winwebsec - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform you that you need to pay money to register the software to remove these non-existent threats. It may also terminate processes and services, modify security settings, and block access to websites.

Source

sc302 (Veteran), posted July 8, 2013

rkill to kill the processes
malwarebytes to remove the infection

Skittless (Author), posted July 9, 2013

Thank you for helping guys :) I searched for more info and this is what I found in Google:

http://www.bleepingcomputer.com/virus-removal/remove-system-doctor-2014
http://www.americanpendulum.com/2013/07/08/system-doctor-2014-removal/

I am now downloading Malwarebytes as suggested in the first link and I really hope it does what it has to do.

sc302, what kind of program is this rkill? :)

nfiniti9, posted July 9, 2013

Malwarebytes has been sucking lately. I'd try eset online or emsisoft. I've seen MBAM miss quite a few files lately.

sc302 (Veteran), posted July 9, 2013

Mbam is not the end all be all to malware. It can't detect some because it isn't built into the engine. It is very specific to what it can and can't remove. I would not recommend it to be your one-stop shop of prevention.

Rkill is made by a programmer called Grinler. What exactly rkill does is terminate any known processes (processes that Grinler has determined) to cause issues with allowing antimalware programs to run as well as task manager. Rkill can be found on the Bleeping Computer site; do not download it from any other site. Rkill does not remove anything, it just terminates or kills the process from running; a reboot will restart the process that was killed by rkill. When rkill is done you will get a summary of what it did.

+BudMan (MVC), posted July 9, 2013

Here is a description of what rkill is:

http://www.bleepingcomputer.com/forums/t/308364/rkill-what-it-does-and-what-it-doesnt-a-brief-introduction-to-the-program/

It's a very handy tool in dealing with this sort of thing - it's quite possible that just booting into safe mode will not start some infections and allow you to clean.

Also, pskill is a cmd line process killer from Sysinternals (Microsoft now). Another option for the cmd line is the built-in taskkill:

    C:\Windows\System32>taskkill /?

    TASKKILL [/S system [/U username [/P [password]]]]
             { [/FI filter] [/PID processid | /IM imagename] } [/T] [/F]

    Description:
        This tool is used to terminate tasks by process id (PID) or image name.

    Parameter List:
        /S    system           Specifies the remote system to connect to.

        /U    [domain\]user    Specifies the user context under which the
                               command should execute.

        /P    [password]       Specifies the password for the given user
                               context. Prompts for input if omitted.

        /FI   filter           Applies a filter to select a set of tasks.
                               Allows "*" to be used. ex. imagename eq acme*

        /PID  processid        Specifies the PID of the process to be terminated.
                               Use TaskList to get the PID.

        /IM   imagename        Specifies the image name of the process
                               to be terminated. Wildcard '*' can be used
                               to specify all tasks or image names.

        /T                     Terminates the specified process and any
                               child processes which were started by it.

        /F                     Specifies to forcefully terminate the process(es).

        /?                     Displays this help message.

    Filters:
        Filter Name   Valid Operators           Valid Value(s)
        -----------   ---------------           -------------------------
        STATUS        eq, ne                    RUNNING |
                                                NOT RESPONDING | UNKNOWN
        IMAGENAME     eq, ne                    Image name
        PID           eq, ne, gt, lt, ge, le    PID value
        SESSION       eq, ne, gt, lt, ge, le    Session number.
        CPUTIME       eq, ne, gt, lt, ge, le    CPU time in the format
                                                of hh:mm:ss.
                                                hh - hours,
                                                mm - minutes, ss - seconds
        MEMUSAGE      eq, ne, gt, lt, ge, le    Memory usage in KB
        USERNAME      eq, ne                    User name in [domain\]user
                                                format
        MODULES       eq, ne                    DLL name
        SERVICES      eq, ne                    Service name
        WINDOWTITLE   eq, ne                    Window title

        NOTE
        ----
        1) Wildcard '*' for /IM switch is accepted only when a filter is applied.
        2) Termination of remote processes will always be done forcefully (/F).
        3) "WINDOWTITLE" and "STATUS" filters are not considered when a remote
           machine is specified.

    Examples:
        TASKKILL /IM notepad.exe
        TASKKILL /PID 1230 /PID 1241 /PID 1253 /T
        TASKKILL /F /IM cmd.exe /T
        TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
        TASKKILL /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /IM notepad.exe
        TASKKILL /S system /U domain\username /FI "USERNAME ne NT*" /IM *
        TASKKILL /S system /U username /P password /FI "IMAGENAME eq note*"

    C:\Windows\System32>

+Warwagon (MVC), posted July 9, 2013

If you can boot off a BartPE or live Linux disc, or if the malware doesn't start in safe mode, you can do this from safe mode as well. Use any one of those and browse through the file structure of your hard drive and you can find it pretty easily (at least for people who remove a lot of this stuff).

If you do it from safe mode you will want to show hidden files and hidden system files (tools / folder options).

The locations it usually hides in are:

c:\programdata
c:\users\(username)
c:\users\(username)\appdata\local
c:\users\(username)\appdata\roaming
c:\users\(username)\appdata\local\temp

In those locations you will usually find recently created exe's living in the root of those folders. Sometimes they will be in a sub directory, also recently created, that has a strange name. So I would arrange by date.

If you have another computer I would recommend downloading and creating yourself a Kaspersky rescue CD and doing a scan with that.

If you are able to boot into safe mode I would also recommend downloading and running ccleaner, as that will remove a LOT of temp files, which will considerably speed up the scan of any program you use.

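The manual check described in the post above, as an added example that is not part of the original thread: a Python script that lists .exe files in the root of the listed folders and one subdirectory down, newest first. The 14-day window, the use of modification time for "date", and all function names are assumptions; the argument is the root of the Windows volume (C:\ in safe mode, or the mount point when booted from a live disc).

```python
import os
import sys
import time
from pathlib import Path

# Folders named in the post, relative to the root of the Windows volume.
SYSTEM_DIRS = ["ProgramData"]
PER_USER_DIRS = ["", "AppData/Local", "AppData/Roaming", "AppData/Local/Temp"]

def candidate_dirs(volume_root):
    """Expand the post's folder list for every profile under Users."""
    root = Path(volume_root)
    dirs = [root / d for d in SYSTEM_DIRS]
    users = root / "Users"
    if users.is_dir():
        for profile in sorted(users.iterdir()):
            if profile.is_dir():
                dirs += [profile / d for d in PER_USER_DIRS]
    return [d for d in dirs if d.is_dir()]

def exe_files(folder, depth):
    """Yield (path, mtime) for .exe files in folder and `depth` levels below."""
    try:
        entries = list(os.scandir(folder))  # also returns hidden/system files
    except OSError:  # access denied, junctions, unreadable folders
        return
    for entry in entries:
        try:
            if entry.is_dir(follow_symlinks=False) and depth > 0:
                yield from exe_files(entry.path, depth - 1)
            elif entry.is_file(follow_symlinks=False) and entry.name.lower().endswith(".exe"):
                yield entry.path, entry.stat(follow_symlinks=False).st_mtime
        except OSError:
            continue

def recent_executables(volume_root, days=14, now=None):
    """Return [(path, mtime)] newest first; `days` is an assumed window."""
    cutoff = (time.time() if now is None else now) - days * 86400
    found = {}  # keyed by path: Temp is reachable from two listed folders
    for folder in candidate_dirs(volume_root):
        for path, mtime in exe_files(folder, depth=1):
            if mtime >= cutoff:
                found[path] = mtime
    return sorted(found.items(), key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    volume = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for path, mtime in recent_executables(volume):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
```

The output is a list to review by hand, not a verdict: legitimate installers and updaters also drop executables in these folders.
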
Skittless (Author), posted July 10, 2013

Thanks guys. Guess you can learn a new thing every day. I read everything you wrote and I will install rkill (from bleepingcomputer :happy: ). Thank you again for helping, you are awesome :turned:

sc302 (Veteran), posted July 10, 2013

Sorry, it was grinler not subs that created rkill. Will correct later. Combofix is subs. Have to give credit where credit is due.

Riggers, posted July 10, 2013

> Sorry it was grinler not subs that created rkill. Will correct later. Combofix is subs. Have to give credit where credit is due.

Who in turn works for Malwarebytes, funny old world ;)

Hope you got the problem sorted, any idea where you got it?