Windows Disk

Windows Disk is nothing but a fake hard drive optimization tool. Scam web sites typically spread copies of this rogue software. The Windows Disk virus also uses a Trojan to help spread the infection to other computers over the Internet. Moreover, people who frequently download programs from unsecured servers are likely to acquire it. Once installed on the computer, Windows Disk begins to present false information about errors and system malfunctions. Fake alerts and a simulated virus scan add to the victim's uncertainty. Its malicious intent surfaces as it continues to promote itself as protection software. Every move Windows Disk makes is an attempt to persuade users to get the registration key for this rogue application.

Never believe what this rogue program is trying to prove. Every action of Windows Disk is just a scare tactic that aims to scam computer users. Later on, it will push users to pay for the program by redirecting them to a website where a credit card transaction is the only means of payment. Not only will the victim be charged the indicated amount; the site also collects information such as credit card details and personal data that are useful for other unlawful online activities.

Screen Shot Image:

Image of Windows Disk Virus

Alias: WindowsDisk

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Windows Disk Removal Procedures

Manual Removal:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with “Windows Disk”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
(random characters).exe

2. Update your installed antivirus application so that it has the latest database.

3. Thoroughly scan the computer and remove any detected threats. If removal is not allowed, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. Please see the files listed below that are related to the Windows Disk virus.

4. Registry entries created by Windows Disk must also be removed from the Windows system. Please refer to the entries listed below that are associated with the rogue program.
– For Windows 2000/XP: Go to Start > Run, type “regedit” in the dialog box, then press Enter on the keyboard.
– For Windows Vista/7: Go to Start > Search Programs and Files, type “regedit” and press Enter.

5. Exit registry editor.

6. Get rid of the Windows Disk start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
(random characters).exe

7. Click Apply and restart Windows.

Windows Disk Removal Tool:
In order to completely remove the threat, click here to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected machine.

Using Portable SuperAntiSpyware:
To thoroughly remove the virus, it is best to run a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Click here to download and run SAS Portable Scanner.

Technical Details and Additional Information:

If Windows Disk is installed, it will begin to display fake alerts as a scare tactic to mislead victims:

Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.

Low Disk Space
You are running very low disk space on Local Disk (C:).

Malicious Files Added by Windows Disk:
%AllUsersProfile%\[random].dll
%AllUsersProfile%\[random].exe
%AllUsersProfile%\[random]
%UserProfile%\Desktop\Windows Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Disk\
%UserProfile%\Start Menu\Programs\Windows Disk\Uninstall Windows Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Disk\Windows Disk.lnk

File Location for Windows Versions:

  • %UserProfile% is C:\Users\<Current User> on Windows Vista/7; on Windows XP/2000 it is C:\Documents and Settings\<Current User>.
  • %AllUsersProfile% is C:\Users\<Current User> on Windows Vista/7; on Windows XP/2000 it is C:\Documents and Settings\<Current User>.

Windows Disk Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “.exe”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/ fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ‘1’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘yes’
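
The file and registry indicators listed above can be checked in one read-only pass before and after cleanup. The PowerShell function below is an added example, not part of the original guide or of any removal tool it mentions; the function name Get-WindowsDiskArtifact is hypothetical, PowerShell 3.0 or later is assumed, and it also looks for the DisableTaskMgr policy that a commenter below reports.

```powershell
# Added example: read-only audit for the Windows Disk artifacts on this page. Changes nothing.
function Get-WindowsDiskArtifact {
    $found = @()
    $cv = 'Software\Microsoft\Windows\CurrentVersion'   # registry spelling: CurrentVersion, one word
    # Registry values from the page; Bad = $null means "report whatever data is present".
    # "Use FormSuggest" is left out because 'yes' is also an ordinary user setting.
    $checks = @(
        @{ Key = "HKCU:\$cv\Policies\Associations"; Name = 'LowRiskFileTypes'; Bad = $null },
        @{ Key = "HKCU:\$cv\Policies\Attachments"; Name = 'SaveZoneInformation'; Bad = '1' },
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'CheckExeSignatures'; Bad = 'no' },
        @{ Key = "HKCU:\$cv\Policies\System"; Name = 'DisableTaskMgr'; Bad = $null },
        @{ Key = "HKLM:\$cv\Policies\System"; Name = 'DisableTaskMgr'; Bad = $null }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = [string]$item.($c.Name)
        if ($null -eq $c.Bad -or $data -eq $c.Bad) {
            $found += [pscustomobject]@{ Type = 'Registry'; Item = "$($c.Key)\$($c.Name)"; Detail = $data }
        }
    }
    # HKCU Run entries whose executable sits directly in %AllUsersProfile%.
    $root = $env:ALLUSERSPROFILE
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata
    $run = Get-ItemProperty -Path "HKCU:\$cv\Run" -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            if ($cmd -match '^\s*"?([^"]+?\.exe)' -and (Split-Path $Matches[1] -Parent) -eq $root) {
                $found += [pscustomobject]@{ Type = 'Run entry'; Item = $p.Name; Detail = $cmd }
            }
        }
    }
    # Loose .exe, .dll and extensionless files in the root of %AllUsersProfile%, hidden ones included.
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ('.exe', '.dll', '') -contains $_.Extension } |
        ForEach-Object { $found += [pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = $_.LastWriteTime } }
    # Shortcut and Start Menu folder; shell folder lookup is used so XP and Vista/7 both resolve.
    $paths = @(
        (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Windows Disk.lnk'),
        (Join-Path ([Environment]::GetFolderPath('Programs')) 'Windows Disk')
    )
    foreach ($path in $paths) {
        if (Test-Path -LiteralPath $path) { $found += [pscustomobject]@{ Type = 'Shortcut'; Item = $path; Detail = '' } }
    }
    $found
}
Get-WindowsDiskArtifact | Format-List
```

Run it as the affected user, since most of the entries live under HKEY_CURRENT_USER; a file hit in the %AllUsersProfile% root is a lead to inspect, not proof of infection.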


8 Responses

  1. jOHN says:

    So I somehow got this virus. I went through and found and deleted all files listed, however– the files listed below were nowhere to be found.

    %AllUsersProfile%\[random].dll
    %AllUsersProfile%\[random].exe
    %AllUsersProfile%\[random]

    Here is the contents of my C:\Documents and Settings\All Users (listed, since I won’t go through the trouble of a screenshot):
    —–
    Application Data (FOLDER)
    Desktop (FOLDER)
    DRM (FOLDER)
    Favorites (FOLDER)
    Shared Documents (FOLDER)
    Start Menu (FOLDER)
    Templates (FOLDER)
    ntuser.pol
    —– (With hidden files viewable)
    Nevertheless, I believe the virus is gone. Running a virus scan anyways

  2. Wayne says:

    Logging into another account and running Malwarebytes was my fix

  3. zephyris says:

    I had this infect one of my computers. One extra thing it did was to disable task manager so I had to first reset this using the following registry change:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=-

    Following this I was able to stop the program. The malicious programs “(randomcharacters).exe” etc. were in C:\ProgramData, I found them via msconfig and looking for unusual startup files.

  4. Brady says:

    I have the Windows Disk virus and it’s really bugging me as I can’t open any program. I can go into Control Panel but can’t click on anything because it says it’s not found… HELP

  5. Rhiannon says:

    THANK YOU so much for this, it has allowed me to get rid of this (even though I have Vista and it is a different system to what you have said). I luckily managed to catch it as it first came about onto my computer, as when the screen loaded I immediately pulled the battery out of my computer (I know the damage that that can do) and it had installed all of these malicious files. Although I DO need help on the fact that my internet security will not allow me to scan anymore, I now have to use Windows Defender. I do find it odd that the majority of these comments are from around the same date…

  6. BigStevie1973 says:

    Brady,

    I have just spent a couple of days getting rid of this from a neighbour’s laptop. First of all download AVG Free, Spybot S&D and Ad-aware Free – you will probably need to do this from another computer and make sure you download the latest INSTALLATION and DEFINITION files as you may not be able to access the internet properly. Save these to a USB drive and then start up the infected computer in safe mode (hit either F3 or F8 as the computer is just about to boot – I can never remember which so I just keep hitting both until the screen comes up!) Once logged in as administrator in safe mode install the three pieces of software and run the scans. Run quick scans at first and then eventually the deep scans as I found some trojans even after the fourth scan! If you have trouble installing the software, go into control panel, users and create a new temporary account making sure it has administrator privileges and then reboot and log into that account as normal. Then install the software and run the scans as before. Once you have done all of this, you should then be able to follow the instructions at the top of the page and hopefully everything should be okay again.

    Good luck!

  7. Joshua "G" says:

    I have been a server/PC security analyst for some time. Started when I was 12. Simply said, I was a hacker, but I wanted to solve exploits, bugs, viruses etc. Not attack others’ property. So I made a choice to be a (white hat hacker). Using my skills to help the net, and all the people that surf! Anyway, I am getting big headed; back to the windows fix disk virus. It is a fast virus and can leave you having to format your drives if you don’t act fast. But no fear, I found a very simple trick to solving the issue.
    (STEP 1)
    Restart your computer and press “F8” at the BIOS screen (most call it safe mode). Now a list appears with options like safe mode, safe mode network, and safe mode with command prompt. YOU WANT TO CHOOSE THE ONE WITH COMMAND PROMPT!!!
    Now simply log on under administrator (or whatever your admin name is).
    (STEP 2)
    At the command prompt you want to work your way to this

    ” c:\documents and settings/all users.windows/application data ”
    Now once in this folder just type dir then press Enter. A list will scroll with files that are in that folder. Look for ” 18407220.exe ”
    It might appear like ” ~18407220 ”. That’s the virus. Now simply type
    ” del ~18407220 ” (no quotes) or del 18407220.exe … whichever you see.
    (STEP 3)
    Now find ” yelHNrXgoh ” in the list. Now just delete that also.
    ” del yelHNrXgoh ” (no quotes). I think it is case sensitive so just type it how you see.
    Now type “dir” once more; the files should no longer appear in the list.
    (STEP 4)
    Restart your computer and sign in… THAT’S IT!! It’s just two files that write malicious code to the registry. Some people have trouble changing their desktop background after the virus is gone. That’s because the virus disabled the background, and even sometimes the task manager, but that’s another topic … :)

  8. Jack says:

    I actually thought it was legitimate and tried to buy the advanced module. I quickly cancelled the credit card and applied a credit. However, I used reimagepcrepair.com to run an app to remove the virus, cost was $99. The app ran and I believe removed the virus and then reset the system’s app list and asked me to reboot which I did. Then the system would not reboot from the HD so they sent me a download program on my other computer which I copied to disk and tried the reboot that way and a no go. I tried HP restore as well but no luck. The system gets me to the Windows Flag page and then flashes a quick screen for about a 1/2 second which I cannot read and then recycles. I have asked reimage for solution but getting nothing credible back. Not sure if the virus destroyed anything or their program did but not getting anywhere. Considering getting W7 with XP mode and trying to load new OS on the machine but if my OD is not working then what…..!! Any suggestions??
