Antimalware Doctor is a fraudulent software posing as a legitimate security program to scam money out of gullible users. Multiple Windows system alerts about non-existent malware infections are frequently displayed by this scareware. This rogue adds a Windows Security Center look-a-like named Antimalware Doctor Protection Center, where all the links trigger the software activation window. Whenever a program is executed, this scareware pops up a fake warning message about the executed program being infected. This variant did not block execution any program or system tasks.
Antimalware Doctor is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.
A rogue security software such as Antimalware Doctor belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.
Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:
- Immediately contact the bank that issued the card and dispute the charges.
- Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.
Antimalware Doctor Aliases
The trojan dropper file was named setupapp7070010.exe (942 KB). It was detected by 9/39 (23.08%) of the antivirus engines available at VirusTotal.
This scareware is known by the following aliases:
- a variant of Win32/Adware.AntimalwareDoctor.AA
Typical Antimalware Doctor Scare Messages
Warning! Removed attack detected! Antimalware Doctor has detected that somebody is trying to block your computer remotely via Trojan.win32.Agent.azsy. Transfer for your private data via internet will start in 10.
Warning! Your system is infected! 34 dangerous objects have been found during last system scan. You need registered version of Antimalware Doctor to remove these infections.
Infections on your PC can cause: system slowdown and crash, unwanted advertising displaying, loss of internet connections, lost documents and settings, major data loss.
Warning! Hidden file transfer to remote host was detected. Antimalware Doctor has detected that somebody is trying to transfer your private data via internet.
Desktop Spy threat has been detected. This threat module advertises websites with explicit content. Be advised of such content being possibly illegal.
Antimalware Doctor Associated Files and Folders
- C:\Documents and Settings\malwarehelp.org\My Documents\New Folder\setupapp7070010000.exe
- C:\Documents and Settings\malwarehelp.org\My Documents\New Folder\enemies-names.txt
- C:\Documents and Settings\malwarehelp.org\My Documents\New Folder\hookdll.dll
Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.
Antimalware Doctor Associated Registry Values and Keys
- HKEY_CURRENT_USER\Software\Antimalware Doctor Inc
- HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor
- HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\datarl1=KRoAGVdOQwQVExEoAAIQQRsl
- HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\datarl2=KRoAGVdOQwQVExE3BAYNQRsl
- HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\datarlA=KRoAGVdOQwQVExEoAAIQQRsl
- HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\install_time=4/12/2010 3:48:12 AM
- HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\database_version=256
- HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\virus_signatures=62171
- HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor\affid=7070010000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\setupapp7070010000.exe=C:\Documents and Settings\malwarehelp.org\My Documents\New Folder\setupapp7070010000.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\DisplayIcon=C:\Documents and Settings\malwarehelp.org\My Documents\New Folder\setupapp7070010000.exe,0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\DisplayName=Antimalware Doctor
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\UninstallString=C:\Documents and Settings\malwarehelp.org\My Documents\New Folder\setupapp7070010000.exe /uninstall
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\InstallLocation=C:\Documents and Settings\malwarehelp.org\My Documents\New Folder\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\NoModify=1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor\NoRepair=1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\malwarehelp.org\My Documents\New Folder\setupapp7070010000.exe=
The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.
Antimalware Doctor Removal (How to remove Antimalware Doctor)
MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download) was able to remove this infection.
- Download MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download). Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following options are checked when you finish the installation:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware
Once the update is completed, select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
You should now be clean of this rogue.
The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antimalware Doctor. The real-time component of the paid version would have cautioned you before the rogue software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.
If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.
Antimalware Doctor Scareware — Screenshots
Antimalware Doctor Scareware — Video
Note: The Antimalware Doctor installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.