HDD Rescue is another skin of a family of fake system optimization applications. Applications in this family (typically posing as hard disk defragmenters) claim to detect various non-software related issues and to be able to fix them. The problems HDD Rescue detects are fake, and it tries to scare you into buying software that you do not need. This is a scam, which is why HDD Rescue is rated as a rogue application.
HDD Rescue attacks a PC in several stages. First, it starts showing various alerts. These alerts would not convince an experienced user, but they look serious enough to convince other people:
Damaged hard drive clusters detected. Private data is at risk.
Hard Drive not found. Missing hard drive.
RAM memory usage is critically high. RAM memory failure.
Windows can’t find hard disk space. Hard drive error
Windows was unable to save all the data for the file [random name]. The data has been lost. This error may be caused by a failure of your computer hardware.
A critical error has occurred while indexing data stored on hard drive. System restart required.
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.
As many users do not pay attention to alerts, HDD Rescue tries to attract attention by simulating an HDD failure and stopping legitimate programs from executing:
Windows cannot find notepad.exe . Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
Windows detected a hard drive problem.
A hard drive error occurred while starting the application.
Note that applications that are already running, even ones accessing the disk, are not affected. Thus there is no real disk failure.
If you click on any of the alerts, you are forced to scan the PC with this “HDD Rescue” application. It will show more scam warnings and ask you to purchase its full version for 60-80 USD. Do not pay for it, as it is a phishing scam: they resell your credit card details and might charge you more than once for nothing. Also, all you get for paying is a registration key for software you do not need.
The key will likely be this: 0973467457475070215340537432225, as in other parasites of the same family. You should use it to disable HDD Rescue popups and to ease the full removal process.
After you disable the HDD Rescue popups, we recommend downloading SpyHunter or Malwarebytes Anti-Malware for a full system scan, as HDD Rescue uses random file names. These programs might help to remove HDD Rescue fully from the system as well. If there are problems launching the programs, do a system restore, run TDSS killer and then run the above-mentioned programs again.
Remember that you are far less likely to get an infection like HDD Rescue with the full versions of SpyHunter or Malwarebytes Anti-Malware, as they prevent the majority of infections from entering the system.
Screenshot taken from the blog of malware researcher S!Ri.URZ.
14 responses to “HDD Rescue”
I cannot remove hdd rescue from my laptop.
I have downloaded spyware doctor version 7 and scanned my computer several times but hdd rescue is not removed.
Paul: Contact PC Tools support – it might be a bit different version of trojans, they know about fake disk defragmenters and will solve your issue.
You can also try following manual removal instructions above.
Were PC Tools support able to help? I have the same malware on my home PC and am looking for a reliable fix to implement this evening when I get home.
Jeff: Try scanning after you update with SD. If not, try scanning with other tools as well: MBAM, hitman pro, etc.
Bit of a tricky one to fix as it tries to stop you launching anything like cmd or taskmgr and you need to be logged in as a user as it uses the current_user reg.
Way I did it was:
Navigate to c:\windows\system32. Find cmd.exe and create a desktop link to it.
Launch cmd from desk. Do a runas /user:cceng cmd
in the new cmd window, launch taskmgr.
In taskmgr, kill the virus processes (They will be random number/letter strings.exe, should look pretty obvious. )
In the admin cmd, launch regedit
Navigate to: HKCU\Software\Microsoft\Windows\CurrentVersion\run and delete all the reg values in there along with the files they point to.
Delete any desktop + startmenu icons to it.
Thanks. I’ll give these a try and let you know how I made out.
I’m having the exact same problems, and have done everything you’ve said before to no avail except for going into the registry editor. I was wondering what you mean by deleting all of the ‘reg files’, does this mean delete absolutely all of the files I see? Even the default? They’re all type “REG_SZ”… And this won’t remove anything important from my computer?
I find it funny that we are saying that this is a virus that asks for money for a fake fix but we have to buy a spyware removal tool anyway to get rid of it. Are there any free spyware removal tools out there that can be used?
I’m having the same problem, but in the registry editor there are no files matching the random number sequences I’ve been deleting, but there are several along the lines of “LvhZhfngOxzlia/AppData/Local/Temp/[random numbers].exe”
Are these what you’re referring to? Because that’s pretty much all that’s there, making up 50 of the 57 entries, and there are many beginning with the “LvhZhfng…” without a random number sequence, ending in \login.exe or \system.exe
Are these ALL viruses? Or will removing them disable important components of my computer?
Please help, studying for exams is greatly hindered with this vile malware taunting me!
Anthony: to the best of my knowledge there are no fully free and all-functioning decent anti-malware tools (with real-time protection) except Spybot S&D, which is not that good nowadays. You can try SAS and MBAM trials (check my comparison). Their trials will not protect from reinfection though.
J: These random ones should be.
Wow I really just had TONS of infections… Thanks! This all worked perfectly. Sanity restored.
@Reue I’m having the exact same problems, and have done everything you’ve said before to no avail except for going into the registry editor. I was wondering what you mean by deleting all of the ‘reg files’, does this mean delete absolutely all of the files I see? Even the default? They’re all type “REG_SZ”… And this won’t remove anything important from my computer?
Lacy: Do not edit registry if you are unsure what you are doing. It is better to use registration code from the guide, and then do a scan with tools (spyware doctor, malwarebytes). Delete only what they detect.
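The Run-key step discussed in the comments above (the values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and the entries pointing into AppData\Local\Temp) can be done as a review list instead of deleting everything. The following is an added example, not part of the original post or its comments: it parses the text that reg query prints for that key and flags entries that run from a Temp directory or have a random-looking file name. The sample output and the looks_random heuristic are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output; every value name and path below is made up for illustration.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\Windows\system32\ctfmon.exe
    Example Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    48213907    REG_SZ    C:\Users\alice\AppData\Local\Temp\48213907.exe
    qX7r2Lm9v    REG_EXPAND_SZ    %TEMP%\qX7r2Lm9v.exe
"""

VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_(?:EXPAND_)?SZ)\s{4}(.*)$")
TEMP_DIR = re.compile(r"(\\temp\\|%te?mp%)", re.IGNORECASE)

def executable_path(command):
    """Return the program part of a Run command line, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command

def looks_random(stem):
    """Heuristic (assumption): all digits, or 8+ alphanumerics mixing digits and letters."""
    if stem.isdigit():
        return True
    return (len(stem) >= 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))

def audit_run_key(reg_query_output):
    """Return (value name, executable path, reasons) for entries worth reviewing."""
    findings = []
    for line in reg_query_output.splitlines():
        match = VALUE_LINE.match(line)
        if not match or not match.group(3).strip():
            continue  # key header, blank line, or a value with no data
        name, _type, data = match.groups()
        path = executable_path(data)
        reasons = []
        if TEMP_DIR.search(path):
            reasons.append("runs from a Temp directory")
        if looks_random(PureWindowsPath(path).stem):
            reasons.append("random-looking file name")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in audit_run_key(SAMPLE):
        print(f"REVIEW {name!r}: {path} ({'; '.join(reasons)})")
```

Flagged entries are candidates for a closer look or a scanner run, not an automatic delete list; entries that are not flagged are not thereby proven clean.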