
Monday, November 1, 2010

How to remove HDD Defragmenter (Uninstall Guide)

HDD Defragmenter is a fake defragmentation and system optimization program from the same family as Smart Defragmenter and System Defragmenter. This rogue program hijacks the computer, blocks legitimate software and displays numerous error messages to make you think that your computer has serious problems. HDD Defragmenter then prompts the user to pay for a full version of the program to fix a variety of errors. This program is nothing more than a scam. Please don't buy it. It won't make your computer run faster and it won't fix the supposedly found problems, simply because they don't exist. It goes without saying that you should remove HDD Defragmenter from your computer. If you got infected with this rogue program, please follow the removal instructions below.




(Thanks to rogueamp)

HDD Defragmenter comes from fake online scanners, compromised web ads and infected web pages. It is also promoted through the use of Trojans and other malicious software. Once installed, it will display a fake system error message claiming that a certain exe file is corrupted and cannot be run, and that a hard drive scan is required:
System Error!
Exe file is corrupted and can't be run. Hard drive scan required.
Scan Hard Drive


When you click the Scan Hard Drive button, HDD Defragmenter will pop up and pretend to scan your computer's hard drives and memory for problems. It displays the same problems for all victims, so obviously it can't be legitimate and you can't trust it. Some examples of the fake problems it detects on your computer are:
  • Requested registry access is not allowed. Registry defragmentation required
  • Read time of hard drive clusters less than 500 ms
  • Bad sectors on hard drive or damaged file allocation table
  • Drive C initializing error
  • Hard drive does not respond to system commands
  • Registry Error - Critical Error

Furthermore, it will display fake warnings from your Windows taskbar. The fake warnings read:

Critical Error
Hard Drive not found. Missing hard drive.

Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.

Critical Error!
Damaged hard drive clusters detected. Private data is at risk.

Finally, it will prompt you to defragment your computer. It will even display a fake Safe Mode screen to trick you into thinking that you are actually in Safe Mode. However, it's only a black background with the words "Safe Mode" in each corner of the screen. As you can see, HDD Defragmenter is a scam. This malicious program should be removed from the system as soon as possible.

It blocks Task Manager and other programs, but if you attempt to run a program enough times it will eventually work. HDD Defragmenter stores its files in the Windows Temp folder. The Temp folder refers to C:\Documents And Settings\[User Name]\Local Settings\Temp for Windows 2000/XP, and C:\Users\[User Name]\AppData\Local\Temp for Windows Vista and Windows 7. Go ahead and delete all files from the Temp folder. Then download anti-malware software and run a full system scan. Please see the removal instructions below.

Last, but not least, if you have already purchased it then please contact your credit card company and dispute the charges. If you have any questions or additional information about HDD Defragmenter, please leave a comment. Good luck and be safe online!


HDD Defragmenter removal instructions using HijackThis or Process Explorer (in Normal mode):

1. Download Process Explorer and end HDD Defragmenter process(es):
  • winsp1up.exe
  • [SET OF RANDOM CHARACTERS].exe, e.g. 154874.exe
2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. If you are running Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


HDD Defragmenter removal instructions (in Safe Mode with Networking):

1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. If you are running Windows 7 or Vista, all of these tools MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend that you use ESET Smart Security.


HDD Defragmenter associated files and registry values:

Files:
  • %UserProfile%\Start Menu\Programs\HDD Defragmenter
  • %UserProfile%\Desktop\HDD Defragmenter.lnk
  • %Temp%\[SET OF RANDOM CHARACTERS]
  • %Temp%\[SET OF RANDOM CHARACTERS].bmp
  • %Temp%\[SET OF RANDOM CHARACTERS].exe
  • %Temp%\winsp1up.exe
  • %Temp%\winsp1upd.dll
%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winsp1up.exe"
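
The file and registry indicators above can be checked in one pass. The following read-only PowerShell check is an added example, not part of the original guide or of any tool it mentions; it assumes PowerShell 3.0 or later, and the helper names Get-CommandPath and Test-UnderTemp are made up for this sketch. It lists HKCU Run values that start a program from the Temp folder (or match the file names given above) and any .exe or .dll files sitting in Temp, including hidden ones.

```powershell
# Added example: read-only check for the indicators listed in this guide.
# Indicator names come from the lists above; the helper names are hypothetical.
$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$knownNames = @('winsp1up.exe', 'winsp1upd.dll')
$tempDir    = [IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

function Get-CommandPath([string]$Command) {
    # Extract the program path from a Run value: a quoted path, or text up to the first .exe
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')        { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $expanded
}

function Test-UnderTemp([string]$Path) {
    # True when the path resolves to a location inside the user's Temp folder
    try   { $full = [IO.Path]::GetFullPath($Path) }
    catch { return $false }
    return $full.StartsWith($tempDir + '\', [StringComparison]::OrdinalIgnoreCase)
}

# 1. Autostart values that launch something from Temp or match a known file name
$findings = @()
if (Test-Path $runKey) {
    $key = Get-Item -Path $runKey
    foreach ($name in $key.GetValueNames()) {
        $path = Get-CommandPath ([string]$key.GetValue($name))
        if (-not $path) { continue }
        $leaf = Split-Path -Path $path -Leaf
        if ((Test-UnderTemp $path) -or ($knownNames -contains $leaf)) {
            $findings += [pscustomobject]@{ Source = 'Run value'; Name = $name; Path = $path }
        }
    }
}

# 2. Executables and DLLs directly in Temp (-Force also shows hidden files)
Get-ChildItem -Path $tempDir -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll)$' } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'Temp file'; Name = $_.Name; Path = $_.FullName }
    }

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

Legitimate installers also unpack executables into Temp, so treat each row as a candidate to review against the names above rather than as a confirmed infection.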

18 comments:

Anonymous said...

Thanks for posting this info. Just ran across a client with this exact infection. Helped out tremendously!

cul said...

Yep...same here...first time I've seen this one. Annoying, but pretty weak and inelegant compared to some. I killed it prior to getting here, but Thanks for the backup info.

Anonymous said...

Thanks so much for this. I had all those errors above and some saying RAM errors, and some errors would restart my computer (Vista). Only difference was when I clicked the scan hard drive button, nothing would happen (no program opened).
My AVG program (full version) did not pick it up.
I used the MalwareBytes (full scan, about 1hr) from above.
Thanks again, now I can resume study and stop freaking out.

Anonymous said...

I tried running an rkill program from a different site to stop any malware that was operating and then I ran Malwarebytes Anti-Malware. It found infected items and removed them, but it's still on my desktop after deletion and it's still in my system folder as well. I can't get on the internet anymore either. What am I doing wrong?

Admin said...

Restart your computer in safe mode and delete the HDD Defragmenter files listed above.

Anonymous said...

The Process Explorer Thing will not download on my computer. Help!!

Anonymous said...

Thanks a bunch! Man, I was kinda worried there for a minute.

Anonymous said...

Thanks so much for this! This helped tremendously.

Anonymous said...

Thanks! Was a big help.

Anonymous said...

Can not find any winsp1up.exe related files.

%Temp%\winsp1up.exe
%Temp%\winsp1upd.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winsp1up.exe"

can't be found. What am I doing wrong? Help?!

Admin said...

They have probably changed file names. Look for:
%Temp%\1254789541.exe
%Temp%\dYhdrFksdRs.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "1254789541.exe"

NOTE: the process name will be different in your case, but it should be similar to 1254789541.exe, [random characters].exe

Good luck!

LaShon James-Major said...

Thanks for the info. I thought my computer was dying for a minute. I was greatly stressed.

Anonymous said...

Hello, I thought I killed it, but I still can't see my desktop items (but I see it in my computer) and I cannot access the processes running in task manager. Only see the graphics, no other tabs. Could someone advise? Thanks

Admin said...

There is a new version of this virus called HDD Plus. You can find updated removal instructions here: How to Remove HDD Plus (Removal Guide)

Anonymous said...

Anonymous said...

Hello, I thought I killed it, but I still can't see my desktop items (but I see it in my computer) and I cannot access the processes running in task manager. Only see the graphics, no other tabs. Could someone advise? Thanks
December 8, 2010 5:01 PM

Right click desktop, arrange icons, show desktop icons.

Anonymous said...

I got this virus and now I can't see any files in my C drive; also all my desktop icons are gone. I get...volume in drive c has no label. This happened before I used malware to remove it. I went to administration account and no volume in drive c again. Tried safe mode and I have no volume. Since I can run Windows XP Pro and go on the internet you would think the HDD is good. Any idea on how to recover my lost files?

Admin said...

You didn't lose your files. This rogue program hides some of the files on the infected computer to convince you into thinking that your hdd is fried. Please follow the first two steps in this removal guide to recover your files. Good luck!

Anonymous said...

Whew! I was able to unhide all my files after following the steps. TDSSKiller was not able to find rootkit. A little concerning, but maybe I didn't have the full blown virus? Anyways, I feel like my laptop will never be the same after this. It's like getting surgery from a MD. I'll probably end up backing up important files and nuke my laptop. Thanks!