Antimalware Doctor is a fake anti-spyware program that tries to trick users by various methods in order to get them to purchase a license for the software. This malware gets installed on a user’s system via Trojan viruses that get downloaded from websites with fake scanners and from spam email attachments. Once installed, this rogue program loads itself at user logon and performs a large number of fake scans on the system, which return results that state that the computer is heavily infected with non-existent malware. Antimalware Doctor will also display fake pop-up warnings from the Windows taskbar trying to warn the user that the system is under threat. Meanwhile, The virus tries to convince the user to pay for the ‘full’ version of the software by claiming that the currently installed ‘trial’ version is incapable of removing the detected false ‘threats’. However, it should be remembered that the so-called ‘full’ version of Antimalware Doctor is just as ineffective as the ‘trial’ version when it comes to cleaning any user’s system.
Antimalware Doctor
Antimalware Doctor Manual Removal Procedures
The first step you need to take in order to remove Antimalware Doctor is to stop ONE of the following process:
Antimalware Doctor.exe
070700Setup.exe
Random70700.EXE( We are getting reports of this virus mutating with this process as well. I would look for a six digit random number before setup.exe like in the example or the 707000.exe number in the file)
newsecureapp70700.exe Yet antoher file to look for
The location of the threat will varry but from the comments section and our continuious testing you may want to look at C:\Users\YOUR USE NAME\AppData\Roaming\DCE77BF8422D9E5F4DCD7434BF3CA642
The next step in Antimalware Doctor removal is to delete the following files and folders:
C:\Windows\System32\enemies-names.txt
C:\Windows\System32\Antimalware Doctor.exe
After these steps have been completed, your file system is safe from Antimalware Doctor.
Antimalware Doctor Registry Removal Procedures
File removal alone is not sufficient to completely remove Antimalware Doctor. It is necessary to delete the following keys and settings from the registry as well. You most likely only have a few of the below. The term "Antmaleare doctor" should be switched out with the EXE file name that you had in the above step.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antimalware Doctor.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "newsecureapp70700.exe
Now it is safe to say that your computer is completely safe from Antimalware Doctor. While this in most cases is true, it is still recommended to scan the entire PC using genuine antivirus software in order to make sure that no other malware reside on the operating system.
Delete Antimalware Doctor Directories:
No set directories to delete
Outside Resources:
http://www.bleepingcomputer.com/virus-removal/remove-antimalware-doctor
http://www.ehow.com/how_6067077_remove-antimalware-doctor-virus.html
I can’t find the registry files, the windows 32 files or the process,even while it was running. but i ran these in safe mode, do i need to find these while the computer in normal mode??
They will not be active while in normal mode. However that is a good thing. You should be able to easily delete them in normal mode.
As the guide states you should run a full scan with Spyware Doctor with Antivirus. Then simply manually delete the traces it finds.
The above file traces were the correct locations for the last few installs we found of this file. If it has changed for you, you can always right click on the Antimalware Icon on the desktop and under properties you will see the correct location of this file. However be sure to still run the scan.
Also report back your results of what worked best for you or if the above did not work for you.
and it found nothing. Should I now be okay even thou I can still see antimalware on the bottom toolbar…? I will be out of office now for several days but I’ll carry on with this when I’m back… Thanks for all your help!
Fake clients can NOT be uninstalled via the control panel.
Terminate the running process means you first need to stop that process before you can delete it.
Example Terminate XYZ.exe. That means you would need to first stop this process from running before you are able to delete it and stop the fake client.
Use the Windows Task Manager to terminate. If that is disabled then simply download the process killer tool we recommend at http://www.removevirus.org/process-killing-software-654. We also have a video on using the windows task manager at http://www.removevirus.org/how-terminate-a-running-process-625
You should ensure the SDA client is fully up to date. Also use Malwarebytes to double check you are clean.
Malwarebytes is a great free client and alternative to the SDA client we recommend. While it is not as good in my opinion at protecting you in the future it does often come out the quickest with new virus traces so it’s great to use if another client is not picking up the traces you currently have.
Worst case. You pay 89 bucks and have http://www.onlinecomputerrepair.org remove the threat for you. That is a great way to go for people who just can’t seem to do it themselves. However I think you are getting there so have another go at it first.
with no admin priviledges. But I think I now got rid of the antimalware! At least it has dissappeared from the folders and recent items list. I forgot to copy the path before I deleted it but it was in the C:users/… -file as with the other vista-user here. I found it when I wrote antimalware on search panel. Thank you ever so much! Bless you! 🙂
They look very suspicious!
What security scans have you ran so far? You need to. use Spyware Doctor with Antivirus ( Free scan / you have to pay to remove) and use MalwareBytes as well to double make sure you are no longer infected.
Run both and report back the results.
Glad you got the file. Another tip for people reading this is to right click on the antimalware icon on the desktop and select properties. You should see the full file path of this threat and be able to then follow that path.
Be SURE to run a scan using Spyware Doctor with Antivirus or / and Malwarebyes. This will show you if you have other viruses or traces left over.
but it’s still there. When I go to control panel to unistall the program it won’t let me do it. All other programs I’m able to uninstall but not he antimalware. Have you any idea why? I deleted the file on C: but what else do I need to do? For exampl what do you mean with “terminating the running process” I’m sorry for all the questions but I’m not that smart with computers… That’s probably why I got myself in this mess in the first place… :/
After removing the files in the system32 folder I had some problems finding der regs.
I was able to delete these regs:
– HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
But I didn’t find:
-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Antimalware Doctor.exe”
-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “gotnewupdate.exe”
Instead of them I found the regs of the nugot.exe and teuvq.exe in the folder: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run .
The exes are situated in:
C:\users\\appdata\Ycuv\nugot.exe
C:\users\\appdata\Ibryy\teuvq.exe
… they’ve also been in the startup (but that’s just logical, when the regs are in the “Run” folder^^) … and i couldn’t find any information on other sites.
My questions: Are these dangerous applications? Mby being part of the Antimalware Doctor?
While I was able to delete the two files:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc\Antimalware Doctor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor
the others were not there. I am running Vista, and so I checked the other comments and the folders were not located at c;\users\\appdata\roaming\55ED31C83F4EB1276D68ED4FAB0510F7\gotnewupdate000.exe
but I did manage to find setupupdater0000.exe at C:\Users\AppData\Roaming\7F270CDEC6AC00AAE5DB3D97247
Could this be the same file, should I remove it to remove Antimalware Doctor? Thank you for your help.
That definetly looks like a rogue file trace. Run a full scan using the Spyware Doctor with Antivirus client to verify it is a virus then delete it if it is.
You can also uncheck this process in the start-up manager to ensure it is no longer running. Another option is to re-name the file to something like “OLDetupupdater0000.exe” and re-boot. If something goes wrong you can always just change the file name back.
The next step in Antimalware Doctor removal is to delete the following files and folders:
C:\Windows\System32\enemies-names.txt
C:\Windows\System32\Antimalware Doctor.exe
–> I cannot find these files?
but when trying to delete the program says I need permission to continue and won’t allow me to delete. What permission?
Are you using an account with admin privileges? If not boot into safe mode and login as admin.
Also what is the path to the file you are trying to delete? Are you able to re-name the file? You may also right click on the file and select properties then under security you can attempt to take ownership of the file.
regardless report back with the full path of the file you are trying to remove.
I should also add that you can NOT delete a file while it is in use. If you are being told that the file is in use or may be in use than that is your problem. You must first terminate the running process and then you will be able to remove it.
You trace may be different than the version we have. Run a quick scan with Spyware Doctor with Antivirus to locate the file names.
When I try to run regedit this pops up: Registry editing has been disabled by your administrator. However, I am the administrator. How can I fix this so I can use the registry?
Try to boot into safe mode and go that route.
Chances are the virus may of disabled this feature for you. If that is the case then any decent security client and re-set this.
You can also merge a fix into the registry but the correct code depends on your operating system. The easiest solution is to use a security client.
You may also be able to use system restore to get this function back but it’s not recommended because more often than not the restore points have been corrupted.
I deleted the virus myself (15) but i now get pop-ups everwhere. i managed to track the file to a computer program on the net which at first glance said to be a downloader engine type thing. I have spybot which is a very useful programme which tracks spyware and i used AVG to run a scan and i wondered weather this was enough to find the virus remains? I have also successfully removed Security tool by myself and i also wondered weather i should be worried about more significant threats. fr instance more dmaging viruses.
Your website was a good help though to find a more conventional route to deleting viruses.
Congrats on being able to remove the threat.
If it’s the free version of AVG then no it’s not good enough. The free version like most free clients offers ZERO protection. They only kick in after the infection hits. Spybot S&D is also a good but even with the tea timer function you are not getting the full protection your computer realy needs.
Best option is to use a paid client like Spyware Doctor with Antivirus. Being protected in the first place so you don’t get infected is the name of the game. Other then that I like Malwarebytes and the new Microsoft Security Essentials.
Your proxy issue is an easy fix. watch the bottom video at http://www.removevirus.org/av-security-suite-759
You got infected in the first place because you were using the FREE AVG. Pay the piper and get real protection so you do not get infected again.
Well first of all, what happened to me is that when I realized that this fake spyware was being installed, I shut down. So I think it never installed completely. So when I start my laptop I get a warning ”Error loading hntxquhn.dll
Now I followed the advices above, the problem seems not to be cured completely, but additionally, it does not allow me to get ino Motzilla or Internet explorer (although I am connected , for example I can talk through skype). It says ‘The proxy server is refusing connections’.
Do you know how can I fix that? Note that I have Zone alarm, and AVG (the free edition). How can I enable Motzilla?
Thanks
Running Vista 64. Hit with Antimal Doctor yesterday. Main effect was popups PLUS Google and other search engines are redirected to marketing pages. They are unusable.
Norton tech ran Norton Power Eraser and NAV 2010 full scan. Checked the registry entires and only found 1 HKEY file and removed. Both System 32 files were not there, BUT search engines are still not usuable and unchanged.
Any suggestions for this problem?
Thanks
I ran spyware doctor with anti-virus. Cannot download malwarebytes (I think the virus is blocking it). I also deleted the first two reg keys but cannot find •HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Antimalware Doctor.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “gotnewupdate.exe”
Everything keeps locking up on me, and I cannot even do a ctraltdel. I’m forced to manually shut down and then it appears the virus has reloaded everything including the deleted keys. Any suggestions?
My laptop keeps notifying me saying i have vista anti-malware doctor and my friend told me to look for ways to remove it on the internet, but unfortunatley vista anti-malware has kept me from being able to get on the internet. So i have no way of downloading any software to remove it. Do you have any idea of what i could possibly do?
Re-set your browser and delete the extra addons that you are not using or don’t need.
We have a re-set tool in the side bar for IE. Also run a scan using the SDA client to ensure you got everything.
Boot into safemode with networking and manually remove the executables.
Sounds like your Windows Hosts file is also corrupt. Re-set it with the re-set hosts tool found in the side bar
Watch our proxy re-set video http://www.removevirus.org/remove-antispyware-soft-735 . It’s closer to the bottom of the guide. My guess is you have proxy on under IE. This should be turned off.
Following our manual removal guide will also go a long ways to kill this threat.
Thanks. I did the safe mode thing but the executables were not there. I did the reset host step and that went fine. I ran another anti-spyware doctor scan and it is still finding 40 to 50 threats and infections. Once I cleaned those found, I tried to run another full scan……I was immediatly BOMBARDED with the “blocked bad website message (I mean 100’s of them) from antispyware doctor. I kept hitting the block button but they just kept coming. I stopped the scan and turned the laptop off altogether because it seemed to be going nowhere and I was afraid that something was going to get access. I did try going back in to safe mode after that just to look around to see if I saw anything weird and I got a message about the spyware being disabled and to reset the firewall (or something close to that effect). I turned the whole thing off and haven’t touched it since. Any suggestions as to what I may be missing or what I should try next? Thanks for your help.
run the scan in safe mode. It is disabled by default in safe mode but you can still open the program and run the scan. Go that route. I would also scan using malwarebytes in safe mode. Sounds like the root of your problem lies in a hidden rootkit trojan that is re-installing the programs on you.
Another program you can use is Combofix.exe. However in about 3% of all cases the program can actually do damage to the OS so it’s at your own risk. This program is an almost guarantee that it will find the rootkit and destroy it.
If all else fails for you then consider http://www.onlinecomputerrepair.org. As of today the price is 89.99 for a full virus removal online. However they sent me an e-mail a few weeks back telling me they are raising the price 10 bucks very soon.
Please report back your results and what you ended up doing. We may need to take another look at this virus if others start to have the same problem and can not remove it. Please also report the virus strains that the SDA client picks ups.
Ok, so i uninstalled the virus but i’m still getting tons of website popups. help?
You have a secondary infection. Did you not follow the guide and run a full scan using Spyware Doctor with Antivirus? If you did then you should now know what the secondary infection is and were it is located on your computer.
You should start your own thread on not post off of someone elses. This just helps to keep things clean. No harm done.
What did you already do in the guide? We show you the EXACT file paths were this virus is. Did you go into that folder and re-name the file / delete the file? If not that is one of the first steps we tell people to do. watch the video again if you have not watched it yet or just browse down to the folder paths that we show in the guide.
Let us know the results.
Hi-
I got this virus yesterday and can’t run regedit, even as administrator in safemode. i downloaded malwarebytes but it shows a runtime error every time I try to run it (as administrator in safe mode) I can’t run any of my regular virus software (McAfee) or or CRTL-ALT-DELETE…what else can I do?!!
Tried to purchase the virus scan twice but it never went anywhere. Very poor.
Antimalware Doctor is a scam product. You should not try to purchase it. It’s most likely not going anywhere because the vendor account was shut done. This is a old threat.