Virus Doctor is a rogue application distributed by one or more sites such as virus-doctor.com. The important thing about it is that it creates a folder with a random alphanumeric name, so the folders and files differ on each infected computer; any manual removal instructions that list the folders and files created by this malware are therefore useless, because you will never find those files/folders on another computer. After installing the malware several times, I saw a definite pattern in the names that will help you to identify it. The initial symptom is of course the presence of a shortcut and an icon in the taskbar resembling the "Windows Defender" icon, and a scanner page similar to the Windows Defender window. The main folder that it creates on an infected computer is under "C:\Documents and Settings\All Users\Application Data". Application Data is a hidden folder, so you first have to enable viewing hidden folders.
After that, browse to the folder and read the folder names in it. You will easily be able to identify the folders belonging to the programs on your computer; anything you can't recognize is suspicious. You can always check whether a folder belongs to a legitimate program on your computer, as legitimate programs are listed in Add/Remove Programs in the Control Panel. So if you can identify the folder created by Virus Doctor, delete it. One way to make sure is to see whether it contains a subfolder named "System Data Configuration" and a file named VDoc###.exe. Delete that folder if found. The next folder is again "System Data Configuration", directly inside the Application Data folder; delete that too. Now use the Windows search utility to search for "Virus Doctor" and delete all instances found.
This is the main removal process, but you have to do it in a certain sequence, as follows. [All the tools/software mentioned in this article are fully functional free software.]
Trojan Removers: As you might be aware, this malware can be installed by a Trojan, so you will need to remove that Trojan as well. Try these free tools (for Windows XP and earlier) if your antivirus application has not been successful in detecting and removing the Trojan. Vista users should rely on their antivirus applications to remove it.
SmitFraudFix Tool: You can download this free tool from this link. It is advised to run this tool in Windows safe mode. This tool is for XP and earlier versions of Windows. The steps to use it are: double-click SmitfraudFix.exe, then select 2 and press Enter to delete infected files. You will be prompted "Do you want to clean the registry?"; answer Y (yes) and press Enter to remove the desktop background and clean infected registry keys. The tool will then check whether wininet.dll is infected. If it is, you may be prompted "Replace infected file?"; answer Y (yes) and press Enter to restore a clean file. A reboot may be needed to finish the cleaning process.
VundoFix: This tool is probably for XP and earlier versions of Windows. You can download it from this link. Double-click VundoFix.exe to run it. When VundoFix opens, click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files; click YES. Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer; click OK.
Malwarebytes Anti-Malware: This is another great piece of software for removing the malware infection. Unlike antivirus software, it is geared more towards removing rogue security applications. It has a free version which can be downloaded from malwarebytes.org. With some luck this software may reduce your trouble substantially. Download, install, update and perform a Quick Scan (the full scan takes several hours to complete). After the scan is over, press the "Remove selected" button.
Preparation
Search for and keep the Windows operating system disk ready, if you got one with your computer. Or check whether there is a restore partition on your hard disk; in that case you won't require an extra disk. It is advisable to have a functioning antivirus application on your computer. You will also need to install CCleaner and a firewall application; you can choose one of the firewall applications listed at the end of this article.
Turn System Restore On/Off
Turn System Restore off: This is necessary in order to remove the virus files that may be stored inside the System Restore backup files. You can turn it back on after the computer is cleaned.
In XP: Start > All Programs > Accessories > System Tools > System Restore > System Restore Settings, uncheck the box that says "turn system restore off", press Apply, press OK.
In Vista: type "system" in the search box, select the System option and click on the System Protection tab. Uncheck System Restore on the C drive, press Apply, press OK (it will prompt you that you are turning System Protection off; press that button to do so).
Removing the process(es) from Task Manager
Press Ctrl+Shift+Esc to open Task Manager. Look in the list of processes for a process named VDoc###.exe; select it if found and press the End Process button. It will prompt you; say yes, and then close Task Manager. There may be more processes belonging to this malware.
Using System Configuration Utility
To open the System Configuration Utility: in XP, click on Start > Run; in Vista, use the box that is already open in the Start menu. Type msconfig and press OK. After the System Configuration Utility window opens, click on the Startup tab, which lists all the programs scheduled to start when you turn your computer on. Widen the middle column with your mouse pointer so that you can see the path of each program on the hard disk; that gives you a clear idea of what each program is. Locate the "VDoc###.exe" entries, if present, and uncheck the box in front of each. Also look at the other entries; if you find an entry for any of the malware files listed in this article, uncheck that too. This step is very important: the further cleaning depends on cleaning this list. Press Apply, press Close/OK, and at the next prompt select "Restart the computer".
Searching and Deleting Folders and Files on the hard disk
You first have to enable viewing hidden files and folders. In XP and Vista, click on Control Panel (classic view) > Folder Options > View, locate the entry "Hidden files and folders", select "View hidden files and folders", press Apply, press OK.
After restarting the computer, use the Windows search utility to search for "Virus Doctor". This search will find all of its folders on the hard disk; delete them. You may find the folder in more than one location; delete all instances. There are some more folders besides this directory.
Under C:\Documents and Settings\All Users\Application Data\:
- a folder with a random alphanumeric name
- a folder named "System Data Configuration"
Delete all the above folders if found.
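A triage script for the folder indicators described above (an added example, not the article's own tool). It assumes Python 3 and builds a throw-away constructed tree in place of C:\Documents and Settings\All Users\Application Data; reading VDoc###.exe as exactly three digits and the sample folder names are assumptions.

```python
import os
import re
import shutil
import tempfile

MARKER_DIR = "System Data Configuration"
# The article writes the binary as VDoc###.exe; three digits is an assumption here.
VDOC_EXE = re.compile(r"^VDoc\d{3}\.exe$", re.IGNORECASE)

def scan_for_virus_doctor(root):
    """Walk root and return sorted (folder, reason) pairs matching the article's
    indicators: a 'System Data Configuration' folder, a folder named after the
    rogue, or a VDoc###.exe file. For the first and last, the folder *holding*
    the indicator (the random-named one) is reported, unless it sits at root."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if d == MARKER_DIR:
                if dirpath == root:
                    hits[full] = "stray '%s' folder" % MARKER_DIR
                else:
                    hits[dirpath] = "holds a '%s' subfolder" % MARKER_DIR
            elif "virus doctor" in d.lower():
                hits[full] = "folder named after the rogue"
        for f in filenames:
            if VDOC_EXE.match(f):
                hits[dirpath] = "holds %s" % f
    return sorted(hits.items())

def build_sample_tree():
    """Constructed stand-in for All Users\\Application Data; returns its path."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(root, "Microsoft", "Crypto"))          # legitimate
    os.makedirs(os.path.join(root, "Adobe"))                          # legitimate
    os.makedirs(os.path.join(root, "k7f3q9z2", MARKER_DIR))           # constructed rogue folder
    os.makedirs(os.path.join(root, "x8a2pq"))                         # constructed rogue folder
    open(os.path.join(root, "x8a2pq", "VDoc123.exe"), "w").close()   # constructed file name
    os.makedirs(os.path.join(root, MARKER_DIR))                       # second indicator in the article
    os.makedirs(os.path.join(root, "Virus Doctor"))                   # what the Windows search would hit
    return root

def sample_findings():
    """Scan the constructed tree and return flagged folder names relative to it."""
    root = build_sample_tree()
    try:
        return sorted(os.path.relpath(p, root) for p, _ in scan_for_virus_doctor(root))
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for name in sample_findings():
        print(name)
```

Point scan_for_virus_doctor at the real Application Data path to get the list of folders to review before deleting anything.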
Manually Editing Registry
You can edit the registry using the Windows built-in Registry Editor. Click on Start > Run to open the Run box in XP, whereas in Vista the box is already open. Type regedit and press Enter or OK; that will open the Registry Editor. Now click on Edit > Find. You can use this box to find a particular registry key or value. To do that, copy the last part of the registry key if it is inside curly braces {}, after the last / (forward slash), and paste it into this box, or type the name of the malware in the box and press "Find Next". When the search stops, you should either see a message saying "Finished searching through the registry" or it will stop at the key found. The found item is displayed in blue selection. You can delete the entire key, that is, the entry in the left-hand panel, once you have confirmed that this key belongs to the malware by looking at the entire key, comparing it with the ones listed here, and looking at the values it has created in the right-hand panel. In case you are not sure whether you want to remove the key, you can remove the values in the right-hand panel instead; that will also cripple the functioning of the malware. To delete a key or value, select it with the mouse pointer first, then right-click on it to see a menu and select Delete from it, then say yes to the confirmation alert. Alternatively you can press the Delete key on the keyboard to delete the selected entry. You can also use the names of the files/folders created by the malware to search for their associated keys in the registry.
Once you have deleted an entry, press the F3 key on the keyboard to search for the next occurrence of the entry; do this until you reach the end of the registry. Now copy the second registry key and repeat the above procedure. This is a tedious process and takes time and effort, but there is no better way to make sure the malware is out of your computer.
These registry entries may be found on an infected computer. Delete them if found.
Install CCleaner: CCleaner is a freeware temp-file and registry cleaner. We need to use this type of software because almost all infections that occur through the internet come through temp files, and unfortunately Windows does not remove temp files automatically. The best way to manage this is to install CCleaner (from ccleaner.com or from one of the several download links provided on their site, such as filehippo.com) and set it so that it runs automatically at Windows startup
(Options > Settings > Run CCleaner when the computer starts).
- Add the Recycle Bin: Cleaner > Advanced > check the box "Custom files and folders"; then Options > Include > Add Folder, browse and select C:\RECYCLER or C:\RECYCLED in XP, or C:\$Recycle Bin in Vista.
(Adding the Recycle Bin to CCleaner helps a great deal, as it will automatically remove the files from the Recycle Bin. This is necessary for your protection, because the latest security threats add virus files inside the Recycle Bin which are executed when the computer restarts.)
Run both the Cleaner and the Registry menus in CCleaner. One thing to be pointed out here is that the automatic run of CCleaner runs only one menu, the Cleaner. You will also need to run the second menu, called Registry, once in a while, particularly if you are trying to remove a virus from your computer.
Using System File Checker
Follow this step if you notice trouble in the normal functioning of Windows. Click on Start > Run, type cmd, press OK. That should open the command prompt. Now type sfc /scannow and press Enter. If you do not have a restore partition it will prompt you to insert the Windows installation/operating system disk; you must use only the disk that came with your computer, or the one that you used to install Windows on your computer, as other disks will be rejected. Also, if you have installed SP3 on XP, you will see that several files are reported missing; in that case keep pressing Ignore each time you get a "file missing" prompt.
This utility will check and replace damaged, altered or missing system files. It is a necessary step.
Sites Inaccessible
- This can happen if your hosts file has been altered. To repair/edit the hosts file, log in as administrator, open the file C:\WINDOWS\system32\drivers\etc\hosts in Notepad, remove anything other than 127.0.0.1 localhost, and save and close the file. In some cases there may be entries created by you or by a security application installed on your computer to block malicious sites, but there is no reason for security-related sites to be in this list.
- If possible, use another computer to download the software needed for repairing your computer, and then copy it to the infected computer using any available means, such as a pen drive.
- If you are using only Internet Explorer and it is blocked from visiting some of the security-related sites, try to download/install the Firefox browser and see if you can use it for the same purpose.
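A small checker for the hosts-file repair described above (an added example, not a tool from the article). It assumes Python 3; the hosts content it parses is a constructed sample with placeholder .invalid domains, and the ::1 localhost line is the IPv6 entry that Vista's default hosts file carries in addition to the IPv4 line the article keeps.

```python
import re
import sys

# The only mappings a clean hosts file needs: the IPv4 line the article keeps,
# plus the IPv6 ::1 line that Vista's default hosts file also contains.
KEEP = {("127.0.0.1", "localhost"), ("::1", "localhost")}
ENTRY = re.compile(r"^\s*(\S+)\s+(\S+)")

# Constructed sample of a tampered hosts file (placeholder .invalid domains).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 update.example-antivirus.invalid
127.0.0.1 forum.example-security-site.invalid
203.0.113.7 www.example-bank.invalid
"""

def repair_hosts(text):
    """Return (cleaned_text, removed_lines) for the contents of a hosts file.
    Blank and comment lines are kept untouched; every address-to-name mapping
    other than the localhost ones is dropped and reported for review, since
    such lines are how a site gets silently redirected or blocked."""
    kept, removed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        m = ENTRY.match(line)
        if m and (m.group(1), m.group(2).lower()) in KEEP:
            kept.append(line)
        else:
            removed.append(stripped)
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    # With a path argument, report on the real file without rewriting it; the
    # Windows path from the article needs an administrator to write back.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    cleaned, removed = repair_hosts(src)
    for entry in removed:
        print("would remove: " + entry)
    print("--- cleaned hosts ---")
    print(cleaned, end="")
```

Review the reported lines before saving the cleaned text over the real file, since a blocklist you added yourself would be removed too.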
Use a firewall to block access to malicious sites: after installation the malware establishes a connection to 64.86.17.9 (TCP) on port 80. Block its access if you find it in your firewall.