How to remove Windows Scan and Memory Scan (Uninstall Guide)

Windows Scan, Windows Fix Disk, Memory Scan, System Diagnostic, Windows Safe Mode are new names of the fake disk defragmenter that reports false system security threats, registry errors and some other problems on your computer. It's a piece of malware that pretends to be a legitimate and useful Windows repair tool. It has many names, more than 20, but it uses the same graphical user interface (see the image below). There isn't much to say about this rogue called Windows Scan or Memory Scan. We've already posted numerous articles about this threat, e.g. How to Remove Disk Optimizer (Uninstall Guide) or How to Remove My Disk (Uninstall Guide). Quick facts about Windows Scan and Memory Scan: reports non-existent errors (the same 11 errors on different machines), displays fake security warnings, blocks other programs and gives a false sense of security. Windows Scan and Memory Scan is promoted through the use of fake online scanners, spam emails, infected/compromised websites and via social networks. You can active the rogue program by using these codes and any email: 0973467457475070215340537432225 or 8475082234984902023718742058948. This malware resides in C:\Documents and Settings\All Users\Application Data folder if you run Windows XP. If you have Windows Vista or Windows 7 then you can find the rogue program in C:\ProgramData\ folder. Look for randomly named folder with random file names inside that folder. Rename the main executable of Windows Scan or Memory Scan and then restart your computer. For more information, please follow the removal instructions below to remove Windows Scan and Memory Scan malware for free. If you need more help with this rogue program, you can always leave a comment. Good luck and be safe online!

Windows Repair GUI


Windows Tool GUI


Windows Scan GUI

---

Removal instructions:

1. Download Process Explorer. (click the link and wait for few seconds, download will begin automatically)
2. End malware processes, e.g. 254hdeJHdergfkse.exe or KHdrgeHQDSaw2rs.exe.



OR just rename/delete files related to Windows Scan or Memory Scan. Files are located in %AllUserProfile% folder. See the list at the end of this page for more details. Windows Scan or Memory Scan files in Windows XP: (note: by default, Application Data folder is hidden. If you can't see such folder/files, please read Show Hidden Files and Folders in Windows)



3. Download free anti-malware software from the list below and run a full system scan.

• MalwareBytes Anti-malware
• SUPERAntispyware
• Spybot S&D
• Hitman Pro 3.5 

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

4. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.

---

Alternate removal instructions (in Safe Mode with Networking):

1. Reboot your computer is "Safe Mode with Networking". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press Enter key. Read more detailed instructions here: http://www.computerhope.com/issues/chsafe.htm


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Download free anti-malware software from the list below and run a full system scan.

• MalwareBytes Anti-malware 
• SUPERAntispyware 
• Spybot S&D 
• Hitman Pro 3.5 

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

3. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32 Antivirus.

---

Windows Scan and Memory Scan associated files and registry values:

Files:

Windows XP:

• %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
• %AllUsersProfile%\Application Data\~[SET OF RANDOM CHARACTERS]
• %UsersProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].lic
• %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].dll
• %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
• %UsersProfile%\Desktop\Windows Scan.lnk
• %UsersProfile%\Start Menu\Programs\Windows Scan\
• %UsersProfile%\Start Menu\Programs\Windows Scan\Windows Scan.lnk
• %UsersProfile%\Start Menu\Programs\Windows Scan\Uninstall Windows Scan.lnk

%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:

• %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
• %AllUsersProfile%\~[SET OF RANDOM CHARACTERS]
• %AllUsersProfile%\[SET OF RANDOM CHARACTERS].lic
• %AllUsersProfile%\[SET OF RANDOM CHARACTERS].dll
• %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
• %UsersProfile%\Desktop\Windows Scan.lnk
• %UsersProfile%\Start Menu\Programs\Windows Scan\
• %UsersProfile%\Start Menu\Programs\Windows Scan\Windows Scan.lnk
• %UsersProfile%\Start Menu\Programs\Windows Scan\Uninstall Windows Scan.lnk

%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'

Share this information with other people: