Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Antimalware Doctor Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

Antimalware Doctor is a fraudulent software posing as a legitimate security program to scam money out of gullible users. Multiple Windows system alerts about non-existent malware infections are frequently displayed by this scareware. This rogue adds a Windows Security Center look-a-like named Antimalware Doctor Protection Center, where all the links trigger the software activation window. Whenever a program is executed, this scareware pops up a fake warning message about the executed program being infected. This variant did not block execution any program or system tasks.

Antimalware Doctor is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

Antimalware Doctor Rogue Security Software

A rogue security software such as Antimalware Doctor belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Antimalware Doctor Aliases

The trojan dropper file was named setupapp7070010.exe (942 KB). It was detected by 9/39 (23.08%) of the antivirus engines available at VirusTotal.

This scareware is known by the following aliases:

  • Trojan.Fakealert.14374
  • Rogue:W32/AntiMalwareDoctor.B
  • a variant of Win32/Adware.AntimalwareDoctor.AA

Typical Antimalware Doctor Scare Messages

Warning! Removed attack detected! Antimalware Doctor has detected that somebody is trying to block your computer remotely via Trojan.win32.Agent.azsy. Transfer for your private data via internet will start in 10.

Warning! Your system is infected! 34 dangerous objects have been found during last system scan. You need registered version of Antimalware Doctor to remove these infections.

Infections on your PC can cause: system slowdown and crash, unwanted advertising displaying, loss of internet connections, lost documents and settings, major data loss.

Warning! Hidden file transfer to remote host was detected. Antimalware Doctor has detected that somebody is trying to transfer your private data via internet.

Desktop Spy threat has been detected. This threat module advertises websites with explicit content. Be advised of such content being possibly illegal.

Antimalware Doctor Associated Files and Folders

  • C:\Documents and Settings\\My Documents\New Folder\setupapp7070010000.exe
  • C:\Documents and Settings\\My Documents\New Folder\enemies-names.txt
  • C:\Documents and Settings\\My Documents\New Folder\hookdll.dll

Some of the file names may be randomly generated. The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antimalware Doctor Associated Registry Values and Keys

  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc
  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor
  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\datarl1=KRoAGVdOQwQVExEoAAIQQRsl
  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\datarl2=KRoAGVdOQwQVExE3BAYNQRsl
  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\datarlA=KRoAGVdOQwQVExEoAAIQQRsl
  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\install_time=4/12/2010 3:48:12 AM
  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\database_version=256
  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\virus_signatures=62171
  • HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\affid=7070010000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\setupapp7070010000.exe=C:\Documents and Settings\\My Documents\New Folder\setupapp7070010000.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\DisplayIcon=C:\Documents and Settings\\My Documents\New Folder\setupapp7070010000.exe,0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\DisplayName=Antimalware Doctor
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\UninstallString=C:\Documents and Settings\\My Documents\New Folder\setupapp7070010000.exe /uninstall
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\InstallLocation=C:\Documents and Settings\\My Documents\New Folder\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\NoModify=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\NoRepair=1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\\My Documents\New Folder\setupapp7070010000.exe=

The term or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antimalware Doctor Removal (How to remove Antimalware Doctor)

MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download) was able to remove this infection.

  • Download MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download). Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following options are checked when you finish the installation:
  • Update Malwarebytes’ Anti-Malware
  • Launch Malwarebytes’ Anti-Malware

Once the update is completed, select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antimalware Doctor. The real-time component of the paid version would have cautioned you before the rogue software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antimalware Doctor Scareware — Screenshots

Antimalware Doctor Scareware — Video

Note: The Antimalware Doctor installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 7 comments… read them below or add one }

Maksim Laitinen July 26, 2010 at 1:43 PM

Thank you so much. My first thought was that my bro had downloaded some virus style program to my computer. Then i tried to remove it. I couldnt make it. The “Antimalvare doctor” blocked all other antivir programs i had on my computer except AVG and Avira. I owe you guys so much you’re like the best possible people in whole damn earth..


Sam Smith August 18, 2010 at 6:28 PM

Thanks,this is the only program that identified the Antimalware Doctor software and removed it. Tryed Spyware doctor-no good couldn’t run Spybot search and Destry-not good didn’t even detect it. Many Thanks again


Joost Buitelaar September 4, 2010 at 4:05 PM

No need to buy any additional software (that will cost you just as much as the “Antimalware Doctor” you are trying to get rid of), or perform actions in your registry.

On startup, repeatedly push F7, and then select “start up in safe mode”. Now, simply perform a system restore to a point in time before the infectation. Done!


Mimi September 14, 2010 at 11:56 AM

Thanks a lot for the awesome advice! The Antimalware Doctor virus had blocked Microsoft Security Essentials from working. I also could not do a system restore because it had blocked all the restore time points before the infection. I’m so glad MalwareBytes was able to remove it!


Bebh September 14, 2010 at 9:18 PM

Thank you so much for this handy tip on getting rid of this nasty virus. As someone who knows virtually nothing about computers it was great to find such a simple tool to fix my computer. The virus was freezing my computer every few minutes and it was a great relief that the malwarebytes program could fix the problem!


Banichi September 16, 2010 at 12:13 AM

Thanks for your tips – MalwareBytes was the only thing that got rid of this piece of persistent garbage. I think the logo similar to the AVG logo fooled me for a short while, I thought it was legitimate until it would not uninstall or go away. Clearing the registry of entries referring to it did not get rid of it, so after a day and a half of looking for a solution I was glad to find your tips. I’m still dealing with the damage, but at least the sucker is gone. What a nightmare!


Vijay March 31, 2011 at 9:49 AM

Thank u so much..this reli appriciates cos its a headache since 3 dayz.. i did as u shown so its gone.
thanks again
Vijay Patel, Australia


Leave a Comment

Previous post:

Next post: