1. Symantec-Broadcom-Horizontal/
  2. Security Response/
  3. Attack Signatures/
  4. System Infected: Misleading App DoctorAdwarePro Activity

System Infected: Misleading App DoctorAdwarePro Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.


This signature detects activities of misleading application DoctorAdwarePro.

Additional Information

When DoctorAdwarePro is first executed, it performs the following actions:

1. Creates the following files:

* %UserProfile%\Desktop\Doctor Adware Pro.lnk
* %System%\fk.dll
* %UserProfile%\Start Menu\Programs\Doctor Adware Pro\Doctor Adware Pro.lnk
* %UserProfile%\Start Menu\Programs\Doctor Adware Pro\Uninstall.lnk
* %UserProfile%\Start Menu\Programs\Doctor Adware Pro\Website.lnk
* %ProgramFiles%\Doctor Adware Pro\Doctor Adware Pro.url
* %ProgramFiles%\Doctor Adware Pro\dradpro.exe
* %ProgramFiles%\Doctor Adware Pro\uninst.exe
* %ProgramFiles%\Doctor Adware Pro\Logs\debug.log
* %ProgramFiles%\Doctor Adware Pro\Logs\ObjectsFound.log
* %ProgramFiles%\Doctor Adware Pro\Logs\ObjectsRemoved.log
* %ProgramFiles%\Doctor Adware Pro\SpyWares\spydb.exe
* %ProgramFiles%\Doctor Adware Pro\SpyWares\Browser Hijack\helper.dll
* %ProgramFiles%\Doctor Adware Pro\SpyWares\[THREAT ARCHIVE FILES]

* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\dradpro.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Doctor Adware Pro
HKEY_LOCAL_MACHINE\SOFTWARE\Mandel Enterprise\Doctor Adware Pro


  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP


The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube