File Repair

Posted: August 13, 2011

File Repair Description

File Repair is a new and advanced variant of a rogue defragmenter that SpywareRemove.com malware researchers have observed using dozens of different names to infect PCs, including the recent Windows XP System Repair, Windows Vista System Repair and Win 7 Home System Repair. Like other rogue defraggers, File Repair has no ability to defrag your hard drive or detect hard drive errors, but File Repair still creates error messages to make you think that purchasing File Repair might prevent your PC from breaking down. As an upgraded variant from its rogue defragger subgroup, File Repair is also capable of making advanced attacks, such as blocking security features, hijacking your browser and especially altering your file-viewing preferences to hide files and shortcuts. Removing File Repair itself with a suitable anti-malware application is the only thing that's required to put a stop to these problems.

Why File Repair is More Likely to Hide Your Files Instead of Repairing Them

File Repair may look like a real defragger, and it may even act like a real defragger at first, but even a brief time spent with File Repair quickly reveals its true nature as a scamware defragmenter that's more interested in handing out fake warnings than in fixing your hard drive. SpywareRemove.com malware researchers have watched File Repair, like many other rogue defraggers that it's related to, create error messages for errors that have no basis in reality. Samples of some of File Repair's favorite scare tactics are shown here:

Hard Drive Failure
The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system.

System Error
An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors.

Critical Error!
Windows was unable to save all the data for the file \System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware.

Critical Error!
Damaged hard drive clusters detected. Private data is at risk.

Critical Error
Hard Drive not found. Missing hard drive.

Bad sectors on hard drive or damaged file allocation table

Ram Temperature is 83 C. Optimization is required for normal operation.

Requested registry access is not allowed. Registry defragmentation required

GPU RAM temperature is critically high. Urgent RAM memory optimization is required to prevent system crash

Critical Error
Windows can't find hard disk space. Hard drive error

Critical Error
RAM memory usage is critically high. RAM memory failure.

Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.

Low Disk Space
You are running very low disk space on Local Disk (C:).

System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.

Critical Error
Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can’t find hard disk space. Hard drive error.

The SpywareRemove.com malware research team has also seen many of these errors used by other rogue defraggers that use most of File Repair's own code. These related rogue defragmenters, such as System Repair, Windows Repair, Windows XP Repair, Windows Vista Repair, Windows 7 Repair, Windows Startup Repair and many others, should be considered just as worthless and hostile as File Repair itself.

An especially worrisome trait of File Repair is that its file-viewing attacks have been expanded from those of its ancestors. While a typical File Repair clone's file-viewing attack might hide files viewed in Windows Explorer, File Repair has been seen doing the same for desktop shortcuts and Start menu shortcuts as well. However, if you use Safe Mode or another boot method that disables File Repair, your shortcuts and files will reappear and be completely unharmed.

Putting Good Repair Techniques to Work Against File Repair

Because trojans such as Zlob, Vundo and Fake Microsoft Security Essentials Alert are often accompanied by rogue defraggers and other scamware programs like File Repair, you should only delete File Repair by using a proper anti-malware scanner that can detect all potential infections on your PC. Updating your threat definition database is also strongly encouraged, since File Repair is a recent example of its rogue defragger gang as of August 2011, and may not be deleted if your threat definitions are out-of-date.

File Repair and related trojans may also hinder your attempts to remove File Repair and related threats by hijacking your web browser or disabling anti-malware programs. Like the file-viewing attacks mentioned above, these attacks can only occur when File Repair or its trojans are active, and using standard techniques to avoid triggering File Repair's startup routine (which SpywareRemove.com malware researchers have found to be Registry-based) is the solution.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to File Repair may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.


Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

Registry Modifications


The following Registry values are newly created:

HKEY..\..\..\..{Subkeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s's:/ogn:/uyu:/dyd:/c'u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/'wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v'w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
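A read-only way to check a PC for some of the Registry values listed above, added here as an example and not taken from SpywareRemove.com or any scanner. It covers the listed policy and Internet Explorer values that have one fixed setting, plus every entry in the per-user Run key; the function names Get-PolicyMatch and Get-RunEntry are hypothetical.

```powershell
# Added example: read-only audit of Registry values listed on this page.
# A match is a lead, not proof: administrators can set these policies too.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper'; Value = '1' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation'; Value = '1' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'; Name = 'DisableTaskMgr'; Value = '1' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Value = '1' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnonBadCertRecving'; Value = '0' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'CertificateRevocation'; Value = '0' }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'CheckExeSignatures'; Value = 'no' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden'; Value = '0' }
)

function Get-PolicyMatch {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # Missing key or value: nothing to report, so errors are suppressed.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        # DWORD and string data are both compared as text (case-insensitive).
        $actual = [string]$item.($c.Name)
        if ($actual -eq $c.Value) {
            [pscustomobject]@{ Key = $c.Path; Name = $c.Name; Data = $actual }
        }
    }
}

function Get-RunEntry {
    # The page lists randomly named Run entries, so every entry is shown
    # for manual review instead of being matched against a fixed name.
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Command = [string]$key.GetValue($name) }
    }
}

Get-PolicyMatch -Checks $checks | Format-Table -AutoSize -Wrap
Get-RunEntry | Format-Table -AutoSize -Wrap
```

The script changes nothing; the HKEY_CURRENT_USER checks apply to the account it runs under, so run it as the affected user.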
