
Saturday, December 4, 2010

How to remove HDD Scan (Removal Guide)

HDD Scan is a piece of malware that installs itself without user permission and pretends to be system defragmentation and optimization software. This rogue program is from the same family as Win Defragmenter, Win HDD, Check Disk and numerous other misleading applications. NOTE: there is a legitimate freeware utility for hard drive diagnostics called HDDScan (http://hddscan.com) from a Moscow-based company called R.LAB Data Recovery. It's not the same program, do not confuse it with the rogue program.
Once installed, HDD Scan will pretend to scan your computer for hard drive and registry errors. After the fake scan it will state "11 Errors detected! Defragmentation is reguired". Some examples of the fake errors and problems it detects:
  • Drive C initializing error
  • Bad sectors on hard drive or damaged file allocation table
  • Read time of hard drive clusters less than 500 ms
  • Hard drive doesn't respond to system commands
  • Registry Error - Critical Error


HDD Scan reports 11 problems on every infected computer, whether it runs Windows XP or Windows Vista. This fake program was created to scare you into thinking that your computer has serious problems so that you will purchase the program. It's a typical rip-off rogue; do not purchase it! If your computer is infected with the HDD Scan malware, please follow the removal instructions below to remove it either manually or with reputable and safe anti-malware applications.

While HDD Scan is running, it will constantly display fake error messages and notifications from your Windows taskbar. Examples of some of the fake alerts you will encounter while the rogue program is running are:
Critical Error
Hard Drive not found. Missing hard drive.
Critical Error
RAM memory usage is critically high. RAM memory failure.
Critical Error
Windows can't find hard disk space. Hard drive error
Just like the false scan results, these fake alerts were made to scare you into thinking that there is something wrong with your computer. But don't worry, HDD Scan is just a very annoying piece of malware; it's not so dangerous and it won't delete your files or steal sensitive information. Last, but not least, HDD Scan will block Task Manager, certain programs and system utilities on your computer. If you attempt to run a program, it will block it and state that the program or hard drive is corrupted. The fake error message reads:
Windows detected a hard drive problem.
A hard drive error occurred while starting the application.
Windows cannot find [program name]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
However, if you attempt to run a program enough times it will eventually work. Probably the easiest way to remove this rogue program from your computer is to reboot the system in safe mode and do a system restore. Then download anti-malware software and remove the remains of this virus or related malware. Unfortunately, this method may not work in all cases, especially if the rogue program comes bundled with other malicious software. We had one computer with HDD Scan malware and a rootkit from the TDSS family. For more information, please read TDSS, Alureon, Tidserv, TDL3 removal instructions using TDSSKiller utility.

Step-by-step HDD Scan removal instructions are given below. Also, you should contact your credit card provider and dispute the charges if you have purchased this bogus and useless program. If you have any questions or additional information about HDD Scan malware, please leave a comment. Good luck and be safe online!


Quick removal:

1. Use the debugged registration key and a fake email address to register the HDD Scan malware. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts. Choose to activate "HDD Scan" manually and enter the following email and activation code:

mail@mail.com
15801587234612645205224631045976 (new code!)

mail@mail.com
1203978628012489708290478989147 (old code, may not work anymore)



2. Download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.

3. Download recommended anti-malware software and run a full system scan to remove this virus from your computer.


Alternate HDD Scan removal instructions:

1. Open Internet Explorer. If the shortcut is hidden, please select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.



2. Download and run this utility to restore missing icons and shortcuts.

3. Now, please download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.



Please note that your computer might be rootkit-free; not all versions of HDD Scan come bundled with rootkits. Don't worry if TDSSKiller didn't find a rootkit.

4. Finally, download recommended anti-malware software and run a full system scan to remove this virus from your computer.

5. HDD Scan virus should be gone. If certain icons and shortcuts are still missing, please use restoresm.zip.



HDD Scan associated files and registry values:

Files:
  • %Temp%\[SET OF RANDOM NUMBERS]
  • %Temp%\[SET OF RANDOM NUMBERS].exe
  • %Temp%\dfrg
  • %Temp%\dfrgr
  • %Temp%\[SET OF RANDOM CHARACTERS].dll
  • %UserProfile%\[SET OF RANDOM CHARACTERS].DAT
  • %UserProfile%\Desktop\HDD Scan.lnk
  • %UserProfile%\Start Menu\Programs\HDD Scan\
  • %UserProfile%\Start Menu\Programs\HDD Scan\HDD Scan.lnk
  • %UserProfile%\Start Menu\Programs\HDD Scan\Uninstall HDD Scan.lnk
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

%UserProfile% refers to:
C:\Documents and Settings\[UserName]\ (in Windows 2000/XP)
C:\Users\[UserName]\ (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\USE FORMSUGGEST = Yes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet Settings\WARNONZONECROSSING = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet Settings\Zones\3\1601 = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[SET OF RANDOM NUMBERS] = %TEMP%\[SET OF RANDOM NUMBERS].exe
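The file and Run-key indicators listed above can be turned into a small triage check. The following is an added example, not part of the original guide: it covers only the numeric-name form listed here, reads "[SET OF RANDOM NUMBERS]" as four or more digits and assumes the Run value name equals the executable's base name. The sample paths are constructed, and the user name alice and the Program Files path are hypothetical.

```python
import re

# Both Temp locations the guide names, plus the unexpanded variable.
TEMP = r"(?:%temp%|.*\\local settings\\temp|.*\\appdata\\local\\temp)"
# "[SET OF RANDOM NUMBERS]" is read as 4+ decimal digits (assumption).
NUM = r"\d{4,}"

FILE_PATTERNS = [
    re.compile(TEMP + r"\\" + NUM + r"(?:\.exe)?$", re.I),  # numeric file and .exe
    re.compile(TEMP + r"\\dfrgr?$", re.I),                   # dfrg / dfrgr
    re.compile(r".*\\(?:desktop|start menu\\programs\\hdd scan)"
               r"\\(?:uninstall )?hdd scan\.lnk$", re.I),    # rogue shortcuts
]
RUN_DATA = re.compile(TEMP + r"\\(" + NUM + r")\.exe$", re.I)


def match_files(paths):
    """Return the paths that match a file indicator from the guide."""
    return [p for p in paths if any(rx.match(p) for rx in FILE_PATTERNS)]


def match_run_values(run_values):
    """Return Run value names that are numeric and whose data points at an
    executable with the same number in a Temp directory."""
    hits = []
    for name, data in run_values.items():
        m = RUN_DATA.match(data.strip().strip('"'))
        if m and name == m.group(1):  # name equality is an assumption
            hits.append(name)
    return hits


# Constructed sample data (not taken from a real infection).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Temp\2154789531.exe",
    r"C:\Users\alice\AppData\Local\Temp\dfrgr",
    r"C:\Users\alice\Desktop\HDD Scan.lnk",
    r"C:\Users\alice\AppData\Local\Temp\setup_log.txt",
    r"C:\Program Files\HDDScan\HDDScan.exe",  # hypothetical legitimate-tool path
]
SAMPLE_RUN = {
    "2154789531": r"C:\Users\alice\AppData\Local\Temp\2154789531.exe",
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "12345678": r"C:\Tools\12345678.exe",
}

if __name__ == "__main__":
    print(match_files(SAMPLE_FILES))
    print(match_run_values(SAMPLE_RUN))
```

Feed it a directory listing of the Temp and profile folders and an export of the HKCU Run key; a hit is a lead for the anti-malware scan, not a verdict on its own.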

31 comments:

Courtney said...

I can't seem to find the [RANDOMNUMBERS].exe in my task manager. Is there another name by which it might go under Processes?
Thanks.

Admin said...

Hello Courtney,

It could be something like this:
vBrfNDzNxt.exe
2154789531.exe

If you can't find it, then restart your computer in safe mode and restore the system to an earlier date. Then restart in normal mode and scan your computer with Malwarebytes Antimalware. Good luck!

Anonymous said...

@author: thanksssssss a lot. After reading your post I was able to remove this malware easily.
1 more thing, I followed manual steps, now it's removed. Do I still need to scan using anti-malware or do regedit?

Admin said...

I'm pleased to hear you're sorted. Yes, you still should scan your computer with MalwareBytes Anti-Malware, SUPERAntispyware or any other software from the list. No need to do regedit, unless you're comfortable with that. Good luck!

Anonymous said...

I can't find my computer directory?

Admin said...

What do you mean? You can't find C:\Documents and Settings\[UserName]\Local Settings\Temp ?

Erik Grotz said...

I understand how to remove this, but how on earth does it get delivered? I'm scanning my customer's emails now but can't find any rogue links. IE history is clean. I'm baffled!

Admin said...

It could be a Drive-by download http://en.wikipedia.org/wiki/Drive-by_download

Anonymous said...

Hello, when I do a (Ctrl+Alt+Delete) it doesn't show the option to open Task Manager, it goes to Shut Down when I try to exit out of it.
Any help???

Admin said...

Hello,

Restart your computer in safe mode and restore the system to an earlier date. Then restart the computer in normal mode and scan your computer with Malwarebytes Antimalware. Good luck!

Anonymous said...

I can't find my directory either.

Anonymous said...

I can't find documents and settings. Only c:\docs

Admin said...

Well, then just stop the rogue process using Task Manager and download an anti-malware program from the list above. Don't look for its files. The anti-malware program will find and remove them.
Also, try the alternate removal guide in safe mode with networking. Some users managed to remove HDD Scan in safe mode after they did system restore.

Anonymous said...

Hello, do I have to delete all the files and directories within this temp folder?

Thanks

Admin said...

Yes, delete all files and folders within Temp folder.

Candance said...

Thought I would pop in here with an update. My laptop got hit with it this afternoon. I managed to stop the process, but when it came to deleting the items in the folder, the program has now masked the items as components of other things (eg attached to something used by other software) and when you try to delete it, it pops up saying that item is "in use" so you shouldn't delete it.

Also, I did a system restore attempting to go back to yesterday, and that did absolutely no good. It simply started back up with HDD Scan still there.

Courtney said...

Thanks for your help! A system restore worked perfectly!

Anonymous said...

There are two files that will not delete in the Temp Folder, what do I need to do? The files are
named DvdCEPYorb and UITMJylaFo.dll

Anonymous said...

Can you use the scanner from Windows? or does it have to be the ones you mentioned?

Admin said...

Q: Can you use the scanner from Windows? or does it have to be the ones you mentioned?

A: You should use the ones I mentioned.

Admin said...

Q: There are two files that will not delete in the Temp Folder, what do I need to do? The files are
named DvdCEPYorb and UITMJylaFo.dll

A: These files are related to HDD Scan. Go back to task manager and terminate all processes similar to "DvdCEPYorb". If you still can't delete those files then skip this step and scan your computer with anti-malware software.

Admin said...

Candance,

If you can't delete some files then just skip this step and download anti-malware software. Run a full system scan and remove malicious files. Good luck!

Anonymous said...

We just ran spyware doctor and it found the malware. It now asks us to pay $29.95 to fix the computer. Is that what we are supposed to do? Thanks for your help!

Admin said...

No, not necessary. You don't need to buy Spyware Doctor. You can use Malwarebytes Anti-Malware, SUPERAntispyware or Hitman Pro instead. All these programs are free. Spyware Doctor is the only paid one. So, it's up to you. Good luck!

Anonymous said...

After reading your post I was able to remove this malware easily. thanks..

Anonymous said...

I ran Malwarebytes, it did its thing. The files in the temp folder don't appear to exist, yet it still pops up every time. It has gotten to where my desktop won't even show up. The system says it failed to restore every time I try. How can I get rid of this thing?

Anonymous said...

At the point of deleting local temp files I get a popup that says destination folder access denied. I hit try again and it does nothing. Skip and Cancel are my other options

Anonymous said...

Thanks. We ran Hitman Pro, it detected a trojan horse, and other things, it got rid of these things. It's definitely not as potent as it was in the beginning but it still continues to send the same fake messages. We're at our wit's ends, and not sure what else to do. Any other suggestions?

Peter said...

Great information on your site here! You might want to mention that SpyHunter is malicious software/malware posing as anti-virus software. My mother was fooled into downloading HDD Diagnostic malware **and** SpyHunter malware.

Anonymous said...

Thank you so much for sharing this, it was really really helpful. GOD bless you. Thanks again.

Anonymous said...

Many thanks for this. I used most of this to get rid of it.

It seemed to also affect System Restore as it would hang when trying to run it normally. Under 'Safe Mode', all my restore points disappeared and didn't return.

Thanks again.


Mr Opinion