Danger level 9
Type: Rogue Anti-Spyware
Common infection symptoms:
  • Connects to the internet without permission
  • Slow internet connection
  • Annoying pop-ups
  • Slow Computer


The continued success of the destructive rogue defragmenter HDDoctor can be attributed to various factors. These include its sophisticated UIs, its effective distribution and infection methods, and its overhyped online marketing campaigns. It is important to realize that these and many other factors work in tandem to achieve HDDoctor’s continued success, and that no one aspect would work well in isolation. HDDoctor and its closely related fellow rogue Think Point have both garnered reputations as very tough and resilient parasites with a flair for avoiding detection and removal. This, along with the rogue's destructive traits, has made industry professionals and users alike sit up and take notice of HDDoctor, and is why the destruction of this rogue remains imminent.

As mentioned earlier, the popularity of the HDDoctor infection seems only to be on the rise, if current infection statistics are anything to go by. Various websites littering the Internet make money from sales of HDDoctor. These websites are responsible for spreading the Trojans which root the HDDoctor infection on host PCs. They have also been known to offer free movies and videos, on condition that the user downloads and installs codecs to view them. This type of user interaction is precisely what makes rogueware such as HDDoctor thrive, as it cannot infect a PC without some action on the part of the user.

The websites selling HDDoctor also host online payment portals which they claim to be safe and secure. These payment portals are only there to facilitate the sale of HDDoctor, and should never be trusted. Users who perform transactions through these payment portals will not only receive a dud for their money but will also be handing over their sensitive billing information to ruthless and reckless cyber criminals. This may lead to further victimisation in the form of identity theft and credit card fraud.

As with all rogueware, HDDoctor makes use of fake security messages to inform the user that his PC is suffering from critical errors, and that it is not performing optimally. Where HDDoctor differs slightly from other rogueware is that it does not use generic or copied fake alerts. All of HDDoctor’s fake security messages have been written specifically for this rogue, and contain personalised information such as screenshots and the HDDoctor name. This is all done in an effort to further cement HDDoctor’s legitimacy in the prospective mark’s mind. Some of these outlandish fake security messages read as follows:

“The system will reboot in xx seconds
Windows can not continue operating due to fatal system error.
Windows was forced to restart.
All unsaved data will be lost.”

Furthermore, the following will be reported:

“Can not find : xx
File may be deleted or corrupt.
Is is strongly recommanded to scan the disk for errors.”

“The system disk contains a large number of critical errors.
Windows could not fix most of them.
You can install install trial version of the third party software “HDD doctor” to fix found bugs. Install “HDD Doctor” now?”

“HDD doctor detected an error on your hard drive when trying to access a file
C:\Program Files\Internet Explorer\iexplore.exe
Perform data recovery now?”

“Disk Error
Can not find file: C:\Program Files\Messenger\msmsgs.exe
File may be deleted or corrupt.
It is strongly recommended to check the disk for errors.”

“Serious system error
The system will reboot in 37 seconds
Windows can not continue operating due to fatal system error.
Windows was forced to restart.
All unsaved data will be lost.”

“The system disk contains a large number of critical errors.
Windows could not fix most of them.
You can install install trial version of the third party software "HDD doctor" to fix found bugs.
Install "HDD doctor" now?”

“Your hard drive contains a lot of critical errors!
All your data including installed programs, documents, email, etc. are at risk of irreversible corrupt.
The trial version does not have low-level access module needed to fix the errors found.
It is strongly recommended to activate the full version software with necessary modules. Activate full version now?”

Users are urged to take note of all the grammatical, syntax and spelling mistakes in these fake messages. Surely a professional, genuine security tool would present its alerts in proper English? This is only another clue as to the true nature of the sinister HDDoctor.

To help with HDD Doctor removal, you can register using this code with any email: C51ECA4062FA.

At the end of the day, HDDoctor is a fake security application which does not offer any benefit to an infected PC. It is best to get rid of HDDoctor, and protect your PC against the imminent threat posed by this outrageous rogue. Invest in a powerful security application which will permanently erase HDDoctor from the system, and protect your PC against future threats.

How to manually remove HDDoctor

Files associated with HDDoctor infection:

%UserProfile%\Start Menu\Programs\HDD Doctor.lnk
%UserProfile%\Application Data\hdddoctor.exe
%UserProfile%\Application Data\install_hdd
%UserProfile%\Desktop\HDD Doctor.lnk

HDDoctor processes to kill:


Remove HDDoctor registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /V "Shell" = '%UserProfile%\Application Data\hdddoctor.exe'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPost"='0'
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = '%UserProfile%\Application Data\hdddoctor.exe'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnPostRedirect" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
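
The file and registry entries listed above can be checked in one pass. The PowerShell below is an added example, not part of the original removal guide: it only reads and reports, and it assumes the %UserProfile% paths and registry value names exactly as they appear on this page.

```powershell
# Read-only audit for the HDDoctor artifacts listed above (added example).
# Nothing is deleted or modified; run it as the affected user.
$findings = @()

# Files and shortcuts from the "Files associated" list.
$relativePaths = @(
    'Start Menu\Programs\HDD Doctor.lnk',
    'Application Data\hdddoctor.exe',
    'Application Data\install_hdd',
    'Desktop\HDD Doctor.lnk'
)
foreach ($rel in $relativePaths) {
    $path = Join-Path $env:USERPROFILE $rel
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Kind = 'File'; Item = $path; Value = 'present' }
    }
}

# Winlogon "Shell" in both hives: flag any value that references hdddoctor.exe.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = '{0}\{1}' -f $hive, $winlogon
    $shell = (Get-ItemProperty -LiteralPath $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -match 'hdddoctor\.exe') {
        $findings += [pscustomobject]@{ Kind = 'Registry'; Item = "$key\Shell"; Value = $shell }
    }
}

# Internet Settings warnings the page lists as set to 0.
# Assumption: the data may be DWORD, string or binary, so all-zero counts as 0.
# A zero here is a lead to review, not proof on its own.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'WarnOnPost', 'WarnOnPostRedirect', 'WarnonBadCertRecving') {
    $props = Get-ItemProperty -LiteralPath $inet -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $nonZero = @(@($props.$name) | Where-Object { $_ -ne 0 })
    if ($nonZero.Count -eq 0) {
        $findings += [pscustomobject]@{ Kind = 'Registry'; Item = "$inet\$name"; Value = '0' }
    }
}

if ($findings.Count -eq 0) {
    'No HDDoctor artifacts from the list were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Running it again after cleanup confirms that no listed file remains and that neither Winlogon "Shell" value still points at hdddoctor.exe.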

