How To Remove Win HDD Virus

By Steve Espino – PC Tools Malware Research Team

If you ever receive any alerts related to “Win HDD” or observe any signs that it exists on your PC, make sure you take the proper steps to avoid it and/or remove it from your computer.  Win HDD is a fraudulent system diagnostics and hard drive defragmenter software which displays fake alerts and system errors on computers affected by it. It’s part of a family of fake system utilities programs which include HDD Diagnostic, HDD Defragmenter and HDD Control.

Similar to bogus antivirus programs, these system utilities programs are predominantly distributed using various Social Engineering techniques such as fake My Computer online scans. Often, they may be downloaded and installed by other malware existing on the affected computers.

Win HDD / HDD Diagnostic

Fake Malware Warnings

Win HDD displays a list of false information and fake warnings, and it can allegedly fix the problems only if the unsuspecting user buys the fake software it offers.

Win HDD Fake Scans and Error Messages

Win HDD Activation Notifications

Win HDD Fake Support Center

Dropped Files / Folders

Win HDD drops the following files:

  • %temp%dfrg
  • %temp%dfrgr
  • %temp%<random>.exe (i.e. 98afc0.exe)
  • %programs%Win HDDUninstall Win HDD.lnk
  • %programs%Win HDDWin HDD.lnk

and creates the folders:

  • %programs%Win HDD

Windows Registry Modifications

Win HDD creates these registry entries:

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun
  • value: <random>
  • data: %temp%<random>.exe (i.e. 98afc0.exe)

How to remove Win HDD

Important Notice: Before attempting to manually remove Win HDD, be aware that you might need to modify browser settings, modify or remove registry settings and delete files and folders, which can result in your system becoming unstable. PC Tools recommends that the following procedures be performed by experienced users.

For additional information about working with the Windows Registry, please read the following Microsoft article: http://support.microsoft.com/kb/256986/EN-US/

1. Restarting in Safe Mode

In order to properly remove Win HDD, the infected machine needs to be restarted in Safe Mode.

For information on how to restart you computer in Safe Mode please refer to one of the following instructions from Microsoft depending on which version of Windows you are using:

Windows XP:


Windows Vista:


Windows 7:


2. Cleaning Dropped Files/Foldes

Once the affected machine has been restarted in Safe Mode, please run the Windows Explorer.

To delete Win HDD files / folders, click on the Start button and then select Find or Search depending on the version of Windows you are running.

Search for the each of the following entries and delete them:

Important Notice: Please take extreme caution as Win HDD uses random characters.

  • %temp%dfrg
  • %temp%dfrgr
  • %temp%<random>.exe (i.e. 98afc0.exe)
  • %programs%Win HDDUninstall Win HDD.lnk
  • %programs%Win HDDWin HDD.lnk
  • %programs%Win HDD


Typical paths for equivalent system variables are as follows:

  • %temp% – C:Documents and Settings[username]Local SettingsTemp
  • %programs% – C:Documents and Settings[UserName]Start MenuPrograms

3. Cleaning the Windows Registry

Important Notice: Please take extreme caution as Win HDD uses random characters.

Download and install PC Tools Startup Explorer here.

Run PC Tools Startup Explorer, and locate the Win HDD startup entry from the Startup Programs category.

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun
  • value: <random>
  • data: %temp%<random>.exe (i.e. 98afc0.exe)

As can be seen on the screenshot below, Win HDD uses Microsoft Security Essentials as the program name.  Select this entry, click Disable, and then click Delete.

Removing Win HDD Startup using PC Tools Startup Explorer

4. Scan the Computer using PC Tools Spyware Doctor

Scan the affected computer using PC Tools Spyware Doctor in order to clean the Windows Hosts file, and automatically remove all traces of infection including malicious running processes, dropped files, created folders, registry keys and entries.

This entry was posted in Malware Alerts and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>