Yesterday, my wife called to tell me something was wrong with her computer. I told her to shut it off and I’d look when I got home. What I found when I got home was software called Antimalware Doctor reporting fake trojans and slowing down her whole computer. My wife had called because she was immediately suspicious, but so many are easily tricked by software like this that looks credible.
What Is Antimalware Doctor?
Over the years, the threat of getting a virus or trojan on your computer went from rare to pretty damn scary. The fear of a virus is exactly what software like this (often called "scareware" or rogue anti-virus) exploits. It disguises itself as legitimate anti-virus software, pretending to help. It pops up, appears to scan your computer, and then "finds" various threats. The goal is to make you believe the threat is so imminent that you must act right away. I've written about scare tactics like this before because they work: you think you have a virus and need to deal with it immediately, so you take the suggested action, which leads to you spending money on this horrible software. It's like finding a burglar in your home, dressed like a cop, and taking him out to dinner to thank him because he says he scared away some burglars.
Not only does the software pretend to scan and find things, but it is horribly annoying, popping up fake warnings every time you do anything that it thinks might be steps to remove it. Every time I opened the Control Panel, for example, something similar to the image above would appear. Each time, I just used the ALT + F4 key combination to make it go away.
Antimalware Doctor Removal
Programs like this rely on you being stuck with them, so they often do whatever it takes to get installed on your computer and stay there. Usually, you’re enticed into downloading some seemingly harmless software and Antimalware Doctor is bundled with it and installs secretly. Because of this, just uninstalling from your Control Panel will not do the trick. You have to be just as diligent in the removal of this rogue software as the jerks who set it loose on your computer were.
To start, you’ll need to find out where the program is running from. I found its location with the following steps:
1. Press the CTRL, ALT, and DELETE keys at the same time, then open the Task Manager.
2. In the Task Manager, click the Applications tab and find the Antimalware Doctor application.
3. Right-click on the Antimalware Doctor application in the list and click "Go To Process".
4. In the process list, right-click on the process (it should be highlighted) and click "Open File Location".
In the folder with it were two additional files, enemies-names.txt and local.ini. enemies-names.txt contained a list of “offending” software and cookie threats and local.ini contained a bunch of program settings.
Rogue programs like this often have another background process that watches for anything trying to remove them. If you simply delete the malware executable, the watchdog will usually restore it right away from a copy kept somewhere else. To fool this logic, I opened it in Notepad++ and simply changed the binary contents so that the executable name and location would remain intact while breaking the program. To do this, I simply added a bunch of random characters a couple of lines into the file. In our case, the file was db70virstup.exe. I was not able to save the file until I closed the running process, so I closed it and then saved the file quickly. (Windows locks the image of a running executable, so ending the process first is unavoidable; if the watchdog relaunches it before you can save, try the same steps from Safe Mode, where the rogue program's startup entries usually don't run.)
The program also sets up some registry keys. You can really mess up your computer if you change the wrong stuff in your registry, but if you're careful and know what you're editing, you should be OK. To view and edit registry keys, go to the Start menu, type "regedit" in the search field and hit ENTER. Once in the registry editor, head to HKEY_CURRENT_USER -> Software -> Antimalware Doctor Inc -> Antimalware Doctor. There you can see all the registry keys it added, but you really want to delete the whole HKEY_CURRENT_USER -> Software -> Antimalware Doctor Inc tree. Before deleting it, right-click the key and choose Export to save a backup .reg file, so you can restore it if you delete the wrong thing.
After removing the registry keys, just delete the folder that the files were found in and you should be all set.
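The manual steps above (find the folder the process runs from, stop it, break the binary in place, delete the registry tree, delete the folder) can be scripted. The PowerShell below is an added example written for this page, not code from the original post or from any removal tool. It assumes the rogue process is named like the author's db70virstup.exe (yours may differ; check Task Manager first), that it runs from a per-user folder, and that you run it from an elevated PowerShell window. It goes slightly beyond the post's steps by stopping every process running from that folder (to catch the watchdog as well as the visible one) and by checking the per-user Run key for a startup entry that points into that folder; the Run key check is an added assumption about where such software persists, not something the post documents.

```powershell
# Added example, not from the original post. Automates the manual removal steps.
# Assumptions: process name matches the author's instance (edit $ExeName),
# the rogue program runs from a per-user folder, and this runs elevated.
# Editing the registry and deleting files is at your own risk; export the
# registry key first if you want a backup.

$ExeName = 'db70virstup'   # author's instance; substitute the name Task Manager shows

# 1. Locate the running process and the folder it runs from.
$proc = Get-Process -Name $ExeName -ErrorAction SilentlyContinue
if (-not $proc) { throw "No process named $ExeName is running; find the name in Task Manager first." }
$exePath = $proc.Path
$dir     = Split-Path $exePath -Parent
Write-Host "Rogue binary: $exePath"
Get-ChildItem $dir | Select-Object Name, Length   # the post saw enemies-names.txt and local.ini here

# 2. Stop every process running from that folder, not just the visible one,
#    so a watchdog process cannot put the file back.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath.StartsWith("$dir\", 'OrdinalIgnoreCase') } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
Start-Sleep -Seconds 2

# 3. Neuter the binary in place (the author's Notepad++ trick): keep the file
#    name and location so a restore-by-name check still "sees" it, but make it
#    impossible to run by overwriting its contents with random bytes.
$junk = New-Object byte[] 4096
(New-Object System.Random).NextBytes($junk)
[System.IO.File]::WriteAllBytes($exePath, $junk)

# 4. Remove the registry tree the post identifies.
$regKey = 'HKCU:\Software\Antimalware Doctor Inc'
if (Test-Path $regKey) {
    Remove-Item $regKey -Recurse -Force
    Write-Host "Removed $regKey"
}

# Added check beyond the post's steps (assumption about persistence): any
# per-user Run entry that points into the rogue folder would relaunch it at logon.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty $runKey | ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Value -is [string] -and $_.Value -like "*$dir*" } |
    ForEach-Object {
        Write-Warning "Run entry '$($_.Name)' launches $($_.Value); removing it"
        Remove-ItemProperty -Path $runKey -Name $_.Name
    }

# 5. Delete the folder itself.
Remove-Item $dir -Recurse -Force
Write-Host "Deleted $dir. Reboot, then run a reputable scanner to confirm nothing remains."
```

If step 1 fails because the process keeps a different name than the one in Task Manager's Applications tab, use the "Go To Process" step from the post to read the real executable name and put that in `$ExeName`. The script stops at the first unexpected error rather than continuing blindly, which is what you want when deleting things under your own profile.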
The steps taken above worked for me, but they may not completely remove the software from your computer. Other guides like the one from wiki-security.com have different methods of detection and removal and sometimes even list additional files and/or registry keys to remove.
I don’t remove software threats for a living, nor do I edit my registry often. Any steps listed above are taken at your own risk.
If I missed something or you have questions, just use the comment form below and I’ll be sure to respond.