System Doctor spyware

bulletkid · Feb 4, 2007

Anyone encountered this before? It starts when you're surfing the net and suddenly your browser will re-direct itself to its homepage, a fake system window will pop-up before that saying something like your computer is infected and you need to run a scan using System Doctor.

I figured this is actually Malware after googling it.

Take note this is not Spyware Doctor. The interface of the website and logos are almost the same to Spyware Doctor's tho so don't be tricked.

Sad thing is I think I'm infected after the popup came up just now and I want to know of any solutions to its removal. I know it stores itself deep in the registry and i figured i might crap something up down there if i do it manually...there is an automatic remover called XoftSpySE, is this legit? I claims to deep cover spyware but I dunno if this is real or just another spyware, can someone confirm?

chaslang · Feb 4, 2007

No don't install XoftSpySE! You have to pay for it to do anything useful, and we don't find it to be that useful. In additon, you don't need to buy anything to get these infections removed.

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

How are things working now?

In reality, you really should run all of the below steps now since infections like this typically do not come alone!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis
Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

CounterSpy

AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy

Bitdefender - from step 6

Panda Scan - from step 6

runkeys.txt - the log from GetRunKey.bat

newfiles.txt - the log from ShowNew.bat

HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

bulletkid · Feb 5, 2007

Thx for replying, googled for XoftSpySE and its actually legit but I didn't download it tho...thx for the update anyway.

Well here's the attachment to the first step (followed it 100% as u said); don't really know what to look out for tho...confused

chaslang · Feb 5, 2007

bulletkid said: ↑

Thx for replying, googled for XoftSpySE and its actually legit but I didn't download it tho...thx for the update anyway.
Click to expand...

I know it's legit. I just said we don't recommend it and the trial will not do anything to help you. In addition, I don't think it works to fix all the Smitfraud family of infections anyway.

bulletkid said: ↑

Well here's the attachment to the first step (followed it 100% as u said); don't really know what to look out for tho...confused
Click to expand...

You don't need to look for anything. Just complete step 2 now so we can see whether this was able to remove the problem or not. If not we may require manual procedures which were given after step 2.

bulletkid · Feb 5, 2007

thx again for the rply, just got home from work...I'll get back to step 2 tomorrow (its been a long day:cry ).

btw if you're guessing why i'm not in such a rush, it's because I haven't seen any symptoms of infection YET. I hope my com's still clean...gd nite.

chaslang · Feb 5, 2007

bulletkid said: ↑

btw if you're guessing why i'm not in such a rush, it's because I haven't seen any symptoms of infection YET. I hope my com's still clean...gd nite.
Click to expand...

If you did not even do step 2 from the SmitFraudFix, no fixes were even attempted. Step 1 is only a scan and does not fix anything.

Log in or Sign up

System Doctor spyware

bulletkid Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

bulletkid Private E-2

Attached Files:

rapport.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

bulletkid Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member