File Repair

By Domesticus in Rogue Anti-Spyware Program

One of the most common rogue defragmenter infections is the System Repair fake defragmentation tool. System Repair has a large number of clones, which include Windows Tool, Windows Diagnostic, WinScan, Smart Defragmenter, and FakeHDD. File Repair is simply one more clone in the System Repair family of rogue computer optimization programs. The main problem with File Repair is that it can be confused with a legitimate system optimization program of the same name. However, the two can be easily told apart. If your computer has been infected with the rogue defragmentation tool File Repair, the ESG team of PC security researchers recommends using an up-to-date anti-malware program to eliminate it.

The Differences Between the Fake Defragmenter File Repair and the Real Thing

An inexperienced computer user may have trouble telling the fake defragmenter File Repair apart from legitimate system utilities with similar names. For this reason, the ESG team of PC security researchers recommends following these guidelines to make sure that your version of File Repair is not a fake defragmenter tool:

  • Legitimate computer optimization programs are not installed without the consent of the computer user, nor are they recommended through a poorly written fake security alert. They are usually downloaded directly from a reputable, trustworthy source. The File Repair fake defragmentation tool is typically downloaded and installed by a Trojan. Two Trojans that are closely associated with the File Repair rogue are the Fake Microsoft Security Essentials Alert Malware Trojan and the Zlob Trojan. Both of these will display fake error messages that recommend downloading rogue security programs like File Repair. File Repair may also be downloaded directly; however, its sources are almost never reputable software-download websites.
  • Real defragmentation tools will not start up automatically, will not refuse to be uninstalled or closed, and will never run in the background without your authorization. The fake defragmenter File Repair will change the Windows Registry in order to start up automatically. It will also refuse to close until it has finished displaying a fake system scan and, even after it is supposedly closed, it will continue to run in the background. File Repair cannot be deleted through normal means, and you will need a trustworthy anti-malware application in order to remove it.
  • Genuine system optimization tools will never display a large number of problems on your computer system and then refuse to fix them unless you pay. They will also never block your access to your own files for "security reasons". The way File Repair works is part of a scam intended to force a computer user to pay for this fake system optimization tool. It will literally block access to the computer user's own files, claiming that this is for the user's own good. Real defragmenter programs will never take your computer hostage in this way, even in a demonstration version.

File System Details

File Repair may create the following file(s):
# File Name
1. %AllUsersProfile%\Application Data\[RANDOM CHARACTERS].dll
2. %AllUsersProfile%\Application Data\[RANDOM CHARACTERS].exe
3. %AllUsersProfile%\Application Data\[RANDOM CHARACTERS]
4. %UserProfile%\Start Menu\Programs\File Repair\File Repair.lnk
5. %AllUsersProfile%\Application Data\~[RANDOM CHARACTERS]r
6. %UserProfile%\Start Menu\Programs\File Repair\Uninstall File Repair.lnk
7. %AllUsersProfile%\Application Data\~[RANDOM CHARACTERS]
8. %UserProfile%\Start Menu\Programs\File Repair\
9. %UserProfile%\Desktop\File Repair.lnk

Registry Details

File Repair may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s's:/ogn:/uyu:/dyd:/c'u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/'wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v'w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
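
A read-only check for the fixed registry values listed above, added here as an example (it is not from the original article or from ESG). It assumes PowerShell with the built-in HKCU: and HKLM: drives, and it assumes that the randomly named Run value starts a file under %AllUsersProfile%, which the article does not state; the function and variable names are illustrative.

```powershell
# Added example: read-only triage against the registry values listed in this article.
# Expected values are copied from the list above; nothing on the system is modified.
$expected = @(
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop', 'NoChangingWallPaper', '1'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system', 'DisableTaskMgr', '1'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableTaskMgr', '1'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings', 'CertificateRevocation', '0'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings', 'WarnonBadCertRecving', '0'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', 'ShowSuperHidden', '0'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', 'Hidden', '0'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments', 'SaveZoneInformation', '1'),
    @('HKCU:\Software\Microsoft\Internet Explorer\Main', 'Use FormSuggest', 'yes'),
    @('HKCU:\Software\Microsoft\Internet Explorer\Download', 'CheckExeSignatures', 'no')
)

function Get-RegistryValue([string]$Path, [string]$Name) {
    # Returns $null when either the key or the value is missing.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name, $null)
}

# Values that exist and equal the value given in the article.
$policyHits = @(foreach ($e in $expected) {
    $actual = Get-RegistryValue $e[0] $e[1]
    if ($null -ne $actual -and [string]$actual -eq $e[2]) {
        [pscustomobject]@{ Key = $e[0]; Name = $e[1]; Value = $actual }
    }
})

# Assumption (not stated in the article): the randomly named Run value launches
# one of the files dropped under %AllUsersProfile%.
$runKey = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
$runHits = @(if ($runKey) {
    foreach ($n in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($n)
        if ($data.IndexOf($env:ALLUSERSPROFILE, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{ Name = $n; Command = $data }
        }
    }
})

$summary = '{0} of {1} listed values match; {2} Run entries start from {3}'
$summary -f $policyHits.Count, $expected.Count, $runHits.Count, $env:ALLUSERSPROFILE
$policyHits | Format-Table -AutoSize
$runHits | Format-Table -AutoSize
```

Individual matches can occur on a clean machine, for example when an administrator sets DisableTaskMgr by policy, so weigh the number of matches together with the Run entries rather than any single value.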
