The File Recovery rogue belongs to the FakeHDD (also known as FakeSysDef) family of rogues. File Recovery poses as a hard drive repair and antivirus/anti-malware application. Like many rogues dropped by Trojans, File Recovery displays fake error messages that report several critical hard disk issues. These errors are simply meant to scare the user and convince them to purchase the “repair” offered by the rogue.
File Recovery rogue will pretend to perform a Check routine that supposedly examines your hard drive for errors, under the guise of being a legitimate antivirus product. It then presents a Repair screen that displays a fake hard drive diagnostic report. This report states that there are numerous issues with the hard disks and prompts the user to repair these issues which requires the purchase of a license.
Remember not to enter any information into any of these pop-up screens, as they are not legitimate.
Upon infection, File Recovery rogue makes the following system changes:
- Deletes desktop and start menu shortcuts and stores a backup of them in “%TEMP%\smtp” folder.
- Hides system files and folders (such as user “Application Data” folder and Windows System32 folder) by adding the “hidden” attribute.
- Does not allow other programs or applications to execute and instead shows a pop-up warning in the system tray that the user computer hard drive is corrupt.
- Configures itself to start automatically on user login.
If this screen is appearing on your PC, download STOPzilla AVM 2013 after following the directions below to prevent future infections!
To remove File Recovery rogue, you should first download and run the free Process Explorer tool from Microsoft. This will list all active processes on the system. Look for a process name running from %CommonAppData%. Right click on it and select the Kill Process option.
Your next step should be to unhide all hidden documents and files. To do this, click the Start button, then click Run. Type the following into the dialogue box, then click OK:
attrib -h %Documents%\*.*
The File Recovery rogue can be removed manually by deleting the files and registry entries listed in the Notes section. Editing the system registry is not recommended since it could lead to system instability if any legitimate entries are accidentally removed or corrupted.
Due to the rogue’s ability to block applications from running and to download other infections, such as Trojans, we recommend manual removal only for experienced users, such as IT specialists or system administrators. For other users, we recommend a quality antivirus that protects you from malware, spyware, and Trojans. If you have any additional questions during the removal process while using STOPzilla, call 1-855-969-0790.
%Desktop% represents the path “C:\Documents and Settings\<Current User>\Desktop” for Windows 2000/XP, and “C:\Users\<Current User>\Desktop” for Windows Vista, Windows 7, and Windows 8.
%AppData% represents the path “C:\Documents and Settings\<Current User>\Application Data” for Windows 2000/XP, and “C:\Users\<Current User>\AppData\Roaming” for Windows Vista, Windows 7, and Windows 8.
%CommonAppData% represents the path “C:\Documents and Settings\All Users\Application Data” for Windows 2000/XP and “C:\ProgramData\” for Windows Vista, Windows 7, and Windows 8.
%CommonStartMenu% represents the path “C:\Documents and Settings\All Users\Start Menu” for Windows NT/2000/2003/XP and “C:\ProgramData\Microsoft\Windows\Start Menu” for Windows Vista, Windows 7, and Windows 8.
%StartMenu% represents the path “C:\Windows\start menu\” for Windows 95/98/ME, “C:\Documents and Settings\<Current User>\Start Menu\” for Windows 2000/XP, and “C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu” for Windows Vista, Windows 7, and Windows 8.
%Temp% represents the path “C:\Windows\Temp” for Windows 95/98/ME, “C:\Documents and Settings\<Current User>\Local Settings\Temp” for Windows 2000/XP, and “C:\Users\<Current User>\AppData\Local\Temp” for Windows Vista, Windows 7, and Windows 8.
File Recovery rogue related files
%AppData%\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
%StartMenu%\Programs\File Recovery\File Recovery.lnk
Fake Error Messages
- Hard drive boot sector reading error
- System blocks were not found
- Error 0x00000024 – NTFS_FILE_SYSTEM
- Error 0x00000078 – INACCESSIBLE_BOOT_DEVICE
- Error 0x0000002E – DATA_BUS_ERROR
- Error 0x00000050 – PAGE_FAULT_IN_NONPAGED_AREA
- The DRM attribute value is too small before disk scan.
System blocks were not found
This is most likely occurred because of hard disk failure.
This may also lead to a potential loss of data.
- Hard Drive Boot Sector Reading Error
During I/O system initialization, the boot device driver might have failed to initialize the boot device. File system initialization might have failed because it did not recognize the data on boot device.
- Critical Error
- Drive sector not found error
- Critical Error
- Hard drive controller failure
- Device initialization failed
- Data Error Reading Drive C:\
- Seek Error – Sector not found
- Serious Disk Error Writing Drive C:\
- This device cannot find enough free resources that it can use
File Recovery rogue will display the following error messages when the user attempts to run a program:
A hard drive error occurred while starting the application. Windows cannot find notepad. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
File Recovery rogue related registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>.exe" = %CommonAppData%\<random>.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = "1"
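The registry entries above are also the quickest way to confirm an infection and to undo the rogue's system changes (Task Manager disabled, hidden files suppressed, certificate checks switched off, the Run-key persistence). The script below is an added example, not part of the original write-up or a STOPzilla tool: it audits each listed value for the setting the rogue writes, reports matches, and with -Fix restores the Windows default (deleting policy values the rogue created, re-enabling the rest). It assumes a Vista-or-later layout where %CommonAppData% is $env:ProgramData, and it is run as the affected user from an elevated PowerShell prompt.

```powershell
# Added example: audit/revert the File Recovery rogue's registry changes. Not the page's own tool.
param([switch]$Fix)   # without -Fix the script only reports; with -Fix it restores defaults

$HKCU = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$HKLM = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'

# Key, value name, the setting the rogue writes (Bad), and what to restore (Good; $null = delete value).
$checks = @(
    @{ Key="$HKCU\Policies\Associations";  Name='LowRiskFileTypes';     Bad='*.exe;*'; Good=$null },
    @{ Key="$HKCU\Policies\Attachments";   Name='SaveZoneInformation';  Bad='1';       Good=$null },
    @{ Key="$HKCU\Policies\Explorer";      Name='NoDesktop';            Bad='1';       Good=$null },
    @{ Key="$HKCU\Policies\System";        Name='DisableTaskMgr';       Bad='1';       Good=$null },
    @{ Key="$HKLM\policies\system";        Name='DisableTaskMgr';       Bad='1';       Good=$null },
    @{ Key="$HKCU\Policies\ActiveDesktop"; Name='NoChangingWallPaper';  Bad='1';       Good=$null },
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Download'; Name='CheckExeSignatures'; Bad='no'; Good='yes' },
    @{ Key="$HKCU\Explorer\Advanced";      Name='Hidden';               Bad='0';       Good=1 },
    @{ Key="$HKCU\Explorer\Advanced";      Name='ShowSuperHidden';      Bad='0';       Good=1 },
    @{ Key="$HKCU\Internet Settings";      Name='CertificateRevocation'; Bad='0';      Good=1 },
    @{ Key="$HKCU\Internet Settings";      Name='WarnonBadCertRecving'; Bad='0';       Good=1 }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                 # value absent: nothing the rogue left here
    $current = [string]$item.($c.Name)
    if ($current -notlike $c.Bad) { continue }        # present but not the rogue's setting
    Write-Warning "$($c.Key)\$($c.Name) = '$current' (matches File Recovery rogue)"
    if ($Fix) {
        if ($null -eq $c.Good) { Remove-ItemProperty -Path $c.Key -Name $c.Name }
        else { Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Good }
    }
}

# Persistence: the rogue's Run entry launches a random .exe from %CommonAppData% (ProgramData).
$runKey = "$HKCU\Run"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$env:ProgramData\*.exe*" } |
        ForEach-Object {
            Write-Warning "Run entry '$($_.Name)' -> $($_.Value) (kill the process first, then remove)"
            if ($Fix) { Remove-ItemProperty -Path $runKey -Name $_.Name }
        }
}
```

Restoring Hidden and ShowSuperHidden only makes hidden items visible in Explorer again; the "hidden" attribute the rogue set on your folders is cleared separately with the attrib step described above.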