Disk Helper affects only one user account. It doesn't affect the entire computer. The rogue program does not show up in the Add/Remove program list. It resides in %AllUsersProfile%, meaning that you will find Disk Helper files in C:\Documents and Settings\All Users\Application Data\ folder if you run Windows XP on your computer. If you have Windows Vista/7 then you will find its files in C:\ProgramData\ folder. Look for randomly named files, e.g. 23hdgrosg9drh.exe. You can't just simply delete Disk Helper files unless you end the main process of this rogue program. It will block Task Manager and other system utilities to protect itself from being removed. That's why instead of deleting malicious files, you should try to rename them. You need to rename the main executable and dll files. Then restart your computer. If this works, you won't see the fake scanner on your computer screen anymore. Besides, it won't block other programs on your computer and won't display those stupid error messages about missing hard drive errors and possible data loss because of critical registry/system errors. Here are some of the fake errors that Disk Helper reports after the fake scan:
- Data Safety Problem. System integrity is at risk.
- 32% of HDD space is unreadable
- Drive C initializing error
- Hard drive doesn't respond to system commands
- Registry Error - Critical Error
The text of some of the alerts you may see include:
Critical Error
Hard Drive not found. Missing hard drive.
Critical Error
Windows can't find hard disk space. Hard drive error
Low Disk SpaceAs you can see, Disk Helper is a typical rip-off rogue that asks to pay for simulated removal of hard drive errors, registry problems and privacy issues. If you have already paid for this scareware then you should contact your credit card company and dispute the charges. Just tell them that Disk Helper is an infection and that you won't your money back. Then please follow the steps in the Disk Helper removal guide below. If you don't understand some parts of the removal procedure, please leave a comment. Also, please inform your friends about this malware. Good luck and be safe online!
You are running very low disk space on Local Disk (C:).
Disk Helper removal instructions:
1. Download Process Explorer. (click the link and wait for few seconds, download will begin automatically)
2. End Disk Helper processes, e.g. 25hdgeJGd9rkd.exe or fHdrGHsldrge.exe.
OR just rename/delete files related to Disk Helper. Files are located in %AllUserProfile% folder. See the list at the end of this page for more details. Disk Optimizer files in Windows XP: (note: by default, Application Data folder is hidden. If you can't see such folder/files, please read Show Hidden Files and Folders in Windows)
3. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.
Disk Helper removal instructions (in Safe Mode with Networking):
1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm
NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
2. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.
Disk Helper associated files and registry values:
Files:
Windows XP:
- %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
- %AllUsersProfile%\Application Data\~[SET OF RANDOM CHARACTERS]
- %UsersProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].lic
- %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].dll
- %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
- %UsersProfile%\Desktop\Disk Helper.lnk
- %UsersProfile%\Start Menu\Programs\Disk Helper\
- %UsersProfile%\Start Menu\Programs\Disk Helper\Disk Helper.lnk
- %UsersProfile%\Start Menu\Programs\Disk Helper\Uninstall Disk Helper.lnk
%UserProfile% refers to: C:\Documents and Settings\[User Name]
Windows Vista/7:
- %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
- %AllUsersProfile%\~[SET OF RANDOM CHARACTERS]
- %AllUsersProfile%\[SET OF RANDOM CHARACTERS].lic
- %AllUsersProfile%\[SET OF RANDOM CHARACTERS].dll
- %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
- %UsersProfile%\Desktop\Disk Helper.lnk
- %UsersProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Disk Helper\
- %UsersProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Disk Helper\Disk Helper.lnk
- %UsersProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Disk Helper\Uninstall Disk Helper.lnk
%UserProfile% refers to: C:\Users\[User Name]
Registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"='.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
0 comments:
Post a Comment