Malware Removal Instructions

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 13 July 2011

How to Remove System Repair (Uninstall Guide)

Posted on 11:47 by Unknown
System Repair is a rogue computer optimization and repair program that misleads users into buying doubtful value and unknown origin software by making you think your computer is infected or has some critical hard drive or system registry errors. Most of the time, users get infected when they click on a malicious link or fake pop-up messages which are really well made copies of Windows Security Center or other screens in Windows operating systems. Cyber crooks also use various social engineering tricks and fake online virus scanners in order to convince users to clean supposedly infected machines immediately with the offered tool. Some varieties of rogue computer security and optimization programs may get installed on your computer just by you visiting a website with a malicious advertisement or code, and you might never know you've been impacted. In such case, System Repair pop-ups on your computer screen like from nowhere and begins to scan your computer for viruses and system errors. If your computer is infected by this rogue applications, you should stop work and get rid of it immediately. To remove System Repair and associated malware from your computer, please follow the steps in the removal instructions below.

New graphical user interface (03/2013). The new one looks much better, has clean interface. Scammers are clearly following the latest software trends.



The fake scanner which was used previously by scammers to scare users into thinking that their computers have serious performance and stability issues. This scanner may still be downloaded from previously infected websites.



Once installed, System Repair performs a fake system scan for viruses and system/registry errors. After the fake scan, this rogue application reports eleven critical hard drive and system errors and immediately prompts you to pay for a full version of the program to fix found problems which actually do not even exist. What is more, System Repair hides certain files or copies them to Windows temporary folder (Temp). It makes your desktop background black and pretty much empty just to make you think that those falsely detected hard drive and registry errors truly exist. Furthermore, System Repair may drop a rootkit from the TDSS (TDL3 or TDL4) family which hides its presence from the user and may download other malware on your computer or re-install System Repair scareware if it was successfully removed from the system. You should use TDSSKiller and Backdoor.Tidserv removal tool before or after the removal of System Repair to make sure your PC is not infected by a rootkit from a TDSS family. Otherwise, System Repair might be re-downloaded to computer computer.

Here are some examples of a warning pop-up windows from this rogue program:







Additionally, you can activate the rogue program by entering one of the following registration codes and fake email as shown in the removal instructions below.

Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly. Most importantly, don't be fooled and do not pay for this phony system optimization and repair program. If you have already purchased it, please contact your credit card company and dispute the charges. Unlike viruses, rogue applications do not self-replicate and can not delete your files, so you shouldn't worry about that. If you have any further questions, please leave a comment below. Good luck and be safe online!

Update: Monday, March 18, 2013

I've found a new variant of System repair virus with a slightly modified graphical user interface (see the image above). This only confirms that the rogue application is being actively repacked and distributed. At its core, rogue application remains pretty much the same. Removal instructions that were written for previous versions of this malware works perfectly fine too. If you think that some parts of the removal instructions are not accurate, please leave a comment below or simply email me.


Method 1: System Repair virus removal using debugged activation keys:

1. Use the activation keys given below to activate your copy of System Repair virus. This will allow you to download and run recommended anti-malware software and automatically restore hidden files and shortcuts. Don't worry, you're not doing anything illegal and it won't make the situation worse.

Use fake email and the following activation key:

08467206738602987934024759008355
56723489134092874867245789235982



2. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.


Method 2: System Repair removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



If you still can't see any of your files, Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter explorer and hit Enter or click OK.



2. Open Internet Explorer. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.

Download recommended anti-malware software (direct download) and run a full system scan.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.

3. Open Internet Explorer and download TDSSKiller or Backdoor.Tidserv Removal Tool. This malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run TDSSKiller or Backdoor.Tidserv Removal Tool to remove the rootkit.




Method 3: Manual System Repair removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.



At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.



2. The rogue application places an icon or your desktop. Right click on the icon, click Properties in the drop-down menu, then click the Shortcut tab.



The location of the malware is in the Target box.



On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\

NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.

On computers running Windows Vista/7, malware hides in:
C:\ProgramData\

3. Look for suspect ".exe" files in the given directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\16441124.exe
C:\Documents and Settings\All Users\Application Data\fWpYMRQgdRYv.exe

Example Windows Vista/7:
C:\ProgramData\16441124.exe
C:\ProgramData\fWpYMRQgdRYv.exe

Basically, there will be a couple of ".exe" file named with a series of numbers or letters.



Rename those files to 16441124.vir, fWpYMRQgdRYv.vir etc. For example:



It should be: C:\Documents and Settings\All Users\Application Data\16441124.vir

Instead of: C:\Documents and Settings\All Users\Application Data\16441124.exe

4. Restart your computer. The malware should be inactive after the restart.


5. Download recommended anti-malware software (direct download) and run a full system scan.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.


6. Open Internet Explorer and download TDSSKiller or Backdoor.Tidserv Removal Tool. This malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run TDSSKiller and remove the rootkit.




Associated System Repair files and registry values:

Files:

Windows XP:
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UsersProfile%\Desktop\System Repair.lnk
  • %UsersProfile%\Start Menu\Programs\System Repair\
  • %UsersProfile%\Start Menu\Programs\System Repair\System Repair.lnk
  • %UsersProfile%\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

Windows Vista/7:
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
  • %UsersProfile%\Desktop\System Repair.lnk
  • %UsersProfile%\Start Menu\Programs\System Repair\
  • %UsersProfile%\Start Menu\Programs\System Repair\System Repair.lnk
  • %UsersProfile%\Start Menu\Programs\System Repair\Uninstall System Repair.lnk
%AllUsersProfile% refers to: C:\ProgramData
%UserProfile% refers to: C:\Users\[User Name]

Registry values:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
Share this information with other people:
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in Rogue programs | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Remove ShopperReports (Uninstall Guide)
    ShopperReports is defined as adware or a potentially unwanted program that displays marketing related results in a side pane of the browser...
  • Trojan.MBRlock, Внимание! Ваш компьютер заблокирован
    Trojan.MBRlock is a very disturbing piece of malicious code which infects the master boot record (MBR) and prevents Windows from starting. ...
  • Remove RiskTool.Win32.BitCoinMiner (Uninstall Guide)
    RiskTool.Win32.BitCoinMiner is a risk tool or potentially unwanted application that may use your computer's resources to generate bitco...
  • What is wrtc.exe and how to remove it?
    wrtc.exe - by Perion Network Ltd. What is wrtc.exe? wrtc.exe is a part of IncrediMail software, digitally signed by Perion Network Ltd. This...
  • Remove Rattlingsearchsystem.com (Uninstall Guide)
    Rattlingsearchsystem.com is a ZeroAccess/Sirefef rootkit-related browser hijacker that redirects users to shady websites while searching on...
  • False Positive: Ikarus and Comodo detecting TDSSKiller as a Trojan horse
    This awkward moment when you realize that your favorite rootkit removal utility is detected as malware. I probably wouldn't even have no...
  • Remove TR/ATRAPS.Gen2, removal instructions
    Cyber crooks and third parties that buy stolen data are increasingly using more and more sophisticated techniques, in a variety of different...
  • Remove Ask Search and Ask Toolbar (Uninstall Guide)
    Ask Search and Ask Toolbar are very often incorrectly classified as virus/spyware that may cause search redirects. The majority of us pref...
  • Remove Windows Attention Utility (Uninstall Guide)
    Windows Attention Utility is a rogue security application that generates misleading warnings about nonexistent viruses and attempts to lure...
  • Remove "System Check" (Uninstall Guide)
    System Check is malicious software posing as Windows system utility. Although, it may look like a real thing, it isn't! You are actuall...

Categories

  • Adware
  • Answers
  • Antivirus software
  • Browser Hijackers
  • Cloud Computing
  • Fake Alerts
  • Giveaways
  • Hoax
  • How-To
  • IaaS
  • Internet
  • Malicious websites
  • Malware
  • PaaS
  • Parental Controls
  • Passwords
  • Phishing
  • Process Information
  • Ransomware
  • Rogue programs
  • Rootkits
  • SaaS
  • Security Advisories
  • Spam
  • Spyware
  • Trojans
  • Viruses
  • Web Browsers
  • Worms

Blog Archive

  • ►  2013 (173)
    • ►  December (6)
    • ►  November (13)
    • ►  October (11)
    • ►  September (20)
    • ►  August (4)
    • ►  July (17)
    • ►  June (31)
    • ►  May (25)
    • ►  April (15)
    • ►  March (17)
    • ►  February (7)
    • ►  January (7)
  • ►  2012 (86)
    • ►  November (2)
    • ►  October (4)
    • ►  September (6)
    • ►  August (6)
    • ►  July (11)
    • ►  June (1)
    • ►  May (5)
    • ►  April (7)
    • ►  March (7)
    • ►  February (17)
    • ►  January (20)
  • ▼  2011 (239)
    • ►  December (8)
    • ►  November (18)
    • ►  October (21)
    • ►  September (24)
    • ►  August (28)
    • ▼  July (32)
      • How can I tell if my computer is infected?
      • How do I know if I have spyware on my computer?
      • Remove "Your computer is infected with Spyware!" A...
      • Norton AntiVirus ENHANCED PROTECTION MODE
      • Microsoft Defender ENHANCED PROTECTION MODE
      • Microsoft Security Essentials ENHANCED PROTECTION ...
      • McAfee ENHANCED PROTECTION MODE
      • Dr.Web ENHANCED PROTECTION MODE
      • Comodo ENHANCED PROTECTION MODE
      • Avira AntiVir ENHANCED PROTECTION MODE
      • Remove "Avast ENHANCED PROTECTION MODE" Trojan (Un...
      • Remove "Your codec version is too old" (Uninstall ...
      • How to Remove Total Protect (Uninstall Guide)
      • How to Remove Zentom System Guard (Uninstall Guide)
      • Remove www5.antimalware-lab.com (Uninstall Guide)
      • Remove Jucheck.exe Trojan (Uninstall Guide)
      • How to Remove BlueFlare Antivirus (Uninstall Guide)
      • What Is Cloud Computing? Defining the Cloud
      • IaaS - Cloud Computing
      • PaaS - Cloud Computing
      • SaaS - Cloud Computing
      • How to Remove Scour (Uninstall Guide)
      • How to Remove System Repair (Uninstall Guide)
      • Are there any safe adult websites that won't give ...
      • Remove Windows XP Fix, Windows Vista Fix or Window...
      • "System process at address 0x3BC3 have just crashe...
      • How to Remove Anti-Malware Lab (Uninstall Guide)
      • How do I block a website on Google Chrome?
      • How to Remove Personal Shield Pro (Uninstall Guide)
      • How to Create a Strong Password
      • Remove Windows Supervision Center (Uninstall Guide)
      • Remove TR/VB.Agent.20480.A (Uninstall Guide)
    • ►  June (16)
    • ►  May (23)
    • ►  April (15)
    • ►  March (16)
    • ►  February (9)
    • ►  January (29)
  • ►  2010 (2)
    • ►  December (2)
Powered by Blogger.

About Me

Unknown
View my complete profile