System Doctor 2014

[Skittless]

Hey does anyone something about this program? I don't remember installing it which makes me think it is a virus that is claiming to be an antivirus program Oo How can I remove it? I tried to delete it from Control Panel, but I can't find it there?! Thanks.

[LittleNeutrino Veteran]

System Doctor 2014  is a variant of Win32/Winwebsec - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform you that you need to pay money to register the software to remove these non-existent threats. It may also terminate processes and services, modify security settings, and block access to websites.

 

Source

[sc302 Veteran]

rkill to kill the processes

malwarebytes to remove the infection

[Skittless]

Thank you for helping guys :)

I searched for more info and this is what i found in google: http://www.bleepingcomputer.com/virus-removal/remove-system-doctor-2014
http://www.americanpendulum.com/2013/07/08/system-doctor-2014-removal/

I am now downloading Malwarebytes as suggested in the first link and I really hope it does what it has to do.

 

sc302, what kind of program is this rkill? :)

[nfiniti9]

Malwarebytes has been sucking lately.  I'd try eset online or emsisoft.  I've seen MBAM miss quite a few files lately.

[sc302 Veteran]

Mbam is not the end all be all to malware. It can't detect some because it isn't built into the engine. It is very specific to what it can and can't remove. I would not recommend it to be you one stop shop of prevention.

Rkill is made by a programmer called Grinler.  What exactly rkill does is terminate any known processes (processes that Grinler has determined) to cause issues with allowing antimalware programs to run as well as task manager. Rkill can be found on the bleeping computer site, do not download it from any other site. Rkill does not remove anything it just terminates or kills the process from running, a reboot will restart the process that was killed by rkill. When rkill is done you will get a summary of what it did.

[+BudMan MVC]

Here is a descriptions of what rkill is

 

http://www.bleepingcomputer.com/forums/t/308364/rkill-what-it-does-and-what-it-doesnt-a-brief-introduction-to-the-program/

 

Its a very handy tool in dealing with this sort of thing - its quite possible that just booting into safe mode will not start some infections and allow you to clean.

 

Also pskill is cmd line process killer from sysinternals (microsoft now) another option for cmd line is the builtin taskkill

C:\Windows\System32>taskkill /?

TASKKILL [/S system [/U username [/P [password]]]]
         { [/FI filter] [/PID processid | /IM imagename] } [/T] [/F]

Description:
    This tool is used to terminate tasks by process id (PID) or image name.

Parameter List:
    /S    system           Specifies the remote system to connect to.

    /U    [domain\]user    Specifies the user context under which the
                           command should execute.

    /P    [password]       Specifies the password for the given user
                           context. Prompts for input if omitted.

    /FI   filter           Applies a filter to select a set of tasks.
                           Allows "*" to be used. ex. imagename eq acme*

    /PID  processid        Specifies the PID of the process to be terminated.
                           Use TaskList to get the PID.

    /IM   imagename        Specifies the image name of the process
                           to be terminated. Wildcard '*' can be used
                           to specify all tasks or image names.

    /T                     Terminates the specified process and any
                           child processes which were started by it.

    /F                     Specifies to forcefully terminate the process(es).

    /?                     Displays this help message.

Filters:
    Filter Name   Valid Operators           Valid Value(s)
    -----------   ---------------           -------------------------
    STATUS        eq, ne                    RUNNING |
                                            NOT RESPONDING | UNKNOWN
    IMAGENAME     eq, ne                    Image name
    PID           eq, ne, gt, lt, ge, le    PID value
    SESSION       eq, ne, gt, lt, ge, le    Session number.
    CPUTIME       eq, ne, gt, lt, ge, le    CPU time in the format
                                            of hh:mm:ss.
                                            hh - hours,
                                            mm - minutes, ss - seconds
    MEMUSAGE      eq, ne, gt, lt, ge, le    Memory usage in KB
    USERNAME      eq, ne                    User name in [domain\]user
                                            format
    MODULES       eq, ne                    DLL name
    SERVICES      eq, ne                    Service name
    WINDOWTITLE   eq, ne                    Window title

    NOTE
    ----
    1) Wildcard '*' for /IM switch is accepted only when a filter is applied.
    2) Termination of remote processes will always be done forcefully (/F).
    3) "WINDOWTITLE" and "STATUS" filters are not considered when a remote
       machine is specified.

Examples:
    TASKKILL /IM notepad.exe
    TASKKILL /PID 1230 /PID 1241 /PID 1253 /T
    TASKKILL /F /IM cmd.exe /T
    TASKKILL /F /FI "PID ge 1000" /FI "WINDOWTITLE ne untitle*"
    TASKKILL /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /IM notepad.exe
    TASKKILL /S system /U domain\username /FI "USERNAME ne NT*" /IM *
    TASKKILL /S system /U username /P password /FI "IMAGENAME eq note*"

C:\Windows\System32>

[+Warwagon MVC]

If you can boot off a bartpe or live Linux disc or if the malware doesn't start in safe mode you can do this from safe mode as well. Use any one of those and browse through the file structure of your hard drive and you can find it pretty easy (at least for people who remove a lot of this stuff)

 

If you do it from safe mode you will want to show hidden files and hidden system files. (tools / folder options)

 

The locations it usually hides is

 

c:\programdata

c:\users\(username)

c:\users\(username)\appdata\local

c:\users\(username)\appdata\roaming

c:\users\(username)\appdata\local\temp

 

In those locations you will usually find recently created exe's living in the root of those folders. Sometimes they will be in a sub directory also recently created that has a strange name. So I would arrange by date.

 

If you have another computer I would recommend downloading and creating yourself a kaspersky rescue CD and do a scan with that. if you are able to boot into safe mode I would also recommend downloading and running ccleaner as that will remove a LOT of temp files which will considerably speed up the scan of any program you use.

[Skittless]

thanks guys. Guess you can learn a new thing every day.

I read everything you wrote and I will install rkill (from bleepingcomputer :happy: )

thank you again for helping, you are awesome :turned:

[sc302 Veteran]

Sorry it was grinler not subs that created rkill. Will correct later. Combofix is subs. Have to give credit where credit is due.

[Riggers]

Sorry it was grinler not subs that created rkill. Will correct later. Combofix is subs. Have to give credit where credit is due.

 

Who in turn works for Malwarebytes, funny old world ;)

 

Hope you got the problem sorted, any idea where you got it?