Windows Repair – rogue. How to remove Windows Repair virus

andy | March 27, 2011

It is our duty to tell our users about another virus that has just been developed by criminals and is now being distributed on the web. It is called Windows Repair. This is beyond any doubt a rogue tool that runs bogus PC scans and claims to be an excellent analysis and optimization utility, showing fictitious data in order to frighten you into believing that there is a serious error with your computer. Windows Repair normally gets onto a PC by means of Trojans that show fake error reports and security notices on the compromised computer. All such warnings tell untrue stories of some “serious” errors with your computer’s hard drive and then offer to download and install a tool that can allegedly repair your PC and bring it back to its previous good state. After you click one of these warning alerts, Windows Repair will automatically be downloaded and installed onto your system.


Windows Repair virus


Immediately after a successful installation, Windows Repair is configured to start automatically every time Windows launches. The user will face plenty of error notices while trying to run programs or uninstall files. Windows Repair will then offer to scan your system, which of course will fictitiously detect plenty of errors, and it will claim that it is impossible to get them fixed until you purchase the registered version of the program. If the user tries to use the so-called defragmenter program, a message will state that it needs to launch in Safe Mode, and it will then show a fake Safe Mode background that pretends to defragment your computer. Hence, don't be tricked and don't let them scare you. Never trust their advice and do not delete any files which were falsely detected. They try to cheat you and make you believe that your system doesn’t work as it should.

Windows Repair will also modify your system in such a manner that some folders on your PC show no information. So, when the user opens such folders, for example C:\Windows\System32 or other drive letters, instead of the usual list of files they will show a different folder’s contents or show that the folder is totally empty. All such well-designed tricks are made in order to persuade you that there is corruption on your HDD and that this is the reason why your files are not detected. After you close these warning notifications, new ones will appear claiming that this product is able to help you fix your HDD.

Taking the above-mentioned information into account, remember this: Windows Repair scares the user with fake errors about the security of the PC, and it must therefore be deleted immediately after its presence on the attacked computer is revealed. Remember that only a reputable anti-virus program can give you real protection that helps to avoid the secret infiltration of this or any other junkware. You can achieve all this by following the removal guide below. It includes both manual and automated instructions. The choice is up to you.

Windows Repair automatic remover:

1. Download the latest version of GridinSoft Trojan Killer to a clean (not infected) computer and install it.
2. Update the virus database.
3. Copy the entire folder “GridinSoft Trojan Killer” to your jump drive (memory stick). Normally it is located at the following path: C:\Program Files\GridinSoft Trojan Killer. “C” stands for the system disk of your computer. The system disk, however, can be marked with another letter.
4. Open your jump drive (memory stick). Find the folder “GridinSoft Trojan Killer” there. Open it, find the file named “trojankiller.exe” and rename it to “iexplore.exe”.
5. Move the memory stick to the infected PC, open the “GridinSoft Trojan Killer” folder and run iexplore.exe. Optional: copy the folder “GridinSoft Trojan Killer” from your jump drive to some other folder created on your PC and run “iexplore.exe”.

The procedure for removing the Windows Repair virus with GridinSoft Trojan Killer is shown in this video:

Windows Repair modifies your file system in such a manner that all files and folders become hidden. To remove this “hidden” attribute, users may use the standard system utility called attrib.exe.

In order to remove “hidden” attribute from all files and folders using attrib.exe:

  1. Launch console – Start-Run-cmd (Win+R-cmd)
  2. Enter command attrib.exe -h SysDisk:\*.* /s /d (SysDisk – system disk, for example C:)

In order to get the description of commands of attrib.exe utility please find the information in Windows Help (attrib.exe /?)

  1. Launch console – Start-Run-cmd (Win+R)
  2. Enter command attrib.exe /?
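When an entry carries the System attribute as well as Hidden, attrib.exe -h leaves it unchanged and prints "Not resetting system file". The PowerShell script below is an added example, not part of the original guide: it clears only the Hidden attribute, deliberately skips Hidden+System entries (the combination Windows uses for protected operating system files), and counts items it could not change. The `$Root` default of `C:\` is an assumption; run it from an elevated prompt.

```powershell
# Added example (not from the original guide): clear the Hidden attribute
# without touching entries that are also flagged System.
param(
    [string]$Root = 'C:\'   # assumption: the system disk is C:
)

$hidden  = [System.IO.FileAttributes]::Hidden
$system  = [System.IO.FileAttributes]::System
$changed = 0
$skipped = 0
$failed  = 0

# -Force makes Get-ChildItem return hidden and system entries as well.
# Folders the current account cannot read are skipped silently.
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band $hidden } |
    ForEach-Object {
        $item = $_
        if ($item.Attributes -band $system) {
            # Hidden+System marks protected OS files; leave them as they are.
            $skipped++
            return
        }
        try {
            # Clear only the Hidden bit and keep every other attribute.
            $cleared = [int]$item.Attributes -band (-bnot [int]$hidden)
            $item.Attributes = [System.IO.FileAttributes]$cleared
            $changed++
        }
        catch {
            $failed++
            Write-Warning "Could not update $($item.FullName): $($_.Exception.Message)"
        }
    }

"Unhidden: $changed  Skipped (System): $skipped  Failed: $failed"
```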

Windows Repair manual removal guide:

Delete Windows Repair files:
%TempDir%\[random]
%TempDir%\[random].exe
%TempDir%\dfrg
%TempDir%\dfrgr
%Desktop%\Windows Repair.lnk
%Programs%\Windows Repair
%Programs%\Windows Repair\Windows Repair.lnk

Delete Windows Repair registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run “[random]”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run “[random].exe”
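Because the file and registry value names are random, checking for them by name is not possible. The PowerShell script below is an added example, not part of the original guide: a read-only check that reports HKCU Run values whose command points into the temp folder, plus the fixed-name items from the list. It assumes %TempDir% is the current user's temp folder and that %Desktop% and %Programs% are that user's Desktop and Start Menu Programs folders.

```powershell
# Added example (not from the original guide): read-only check for the
# artifacts named in the manual removal list. Nothing is deleted.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Assumption: %TempDir% in the list is the current user's temp folder.
# Note: GetTempPath may return an 8.3 short path that differs from the stored one.
$temp     = [System.IO.Path]::GetTempPath().TrimEnd('\')
$findings = @()

# 1. Autostart values whose command points into the temp folder.
#    The value names are random, so match on location rather than on name.
$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        if ($command.IndexOf($temp, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $findings += "Run value '$name' -> $command"
        }
    }
}

# 2. Fixed-name files, shortcuts and folders from the list.
$paths = @(
    (Join-Path $temp 'dfrg'),
    (Join-Path $temp 'dfrgr'),
    (Join-Path ([Environment]::GetFolderPath('Desktop'))  'Windows Repair.lnk'),
    (Join-Path ([Environment]::GetFolderPath('Programs')) 'Windows Repair')
)
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) {
        $findings += "Present: $path"
    }
}

if ($findings.Count -eq 0) { 'No listed Windows Repair artifacts found.' } else { $findings }
```

A Run value that points into the temp folder is a lead to review, not proof of infection; confirm what the target file is before deleting the value.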

12 Comments

  1. dein Freund says:

    Great, you saved my day!

  2. GeoD says:

    Is it possible the iexplore.exe file is infected with the virus, and is used as the relaunch of Windows Repair?

    I followed your manual instructions to remove Windows Repair, and found that in Safe Mode, it was easy as Windows Repair didn’t run.

    I searched the virus and HD looking for a file that might be the process file, but didn’t find one.

    When I rebooted XP.SP3 into full mode for the first time, I let it set for a while to see what would happen. Within a short period of time, Windows Repair had regenerated itself.

    The second time I manually removed it, I looked for a process with a more suspicious view, and found that iexplore.exe was loading as a process, even in Safe Mode. I killed it and it came back. I renamed the file to iexplore.sus and it never returned.

    I started as a computer consultant when IE was introduced and have never found an instance of iexplore.exe loading as a process when Internet Explorer was not open, so I suspect iexplore.exe is infected.

    I have been having problems trying to install Outlook after a recent OS re-install – I opted not to install Outlook Express, not knowing Outlook needed it. In trying to install OE after the fact, I had to uninstall IE 6.0, and had reinstalled it, and trying to determine if I had IE 6.0 back to the version equal to XP.SP3 when I was hit with the Windows Repair virus. I’m wondering if IE was missing a security update and was vulnerable. Any thoughts, anyone?

    Thanks..

  3. Jessica says:

    I have a problem: Windows Repair has got into my computer and I don't know what to do. Can someone help me by explaining clearly where I have to go and what to do to remove it?

  4. stephuk says:

    I have done a few scans (both in safe mode with networking and normal mode) and each time it freezes at 49% and I have to manually restart the computer. Could you please help with this? I can't think of anything else to do.

  5. ale says:

    fantastic,

    i had a competitor offer which was unable to detect and remove this horrible malware.

    thanks

  6. zak says:

    i am attempting to unhide the files and i keep getting a message not resetting system file – C:\Users\my name\ntuser.dat this is followed by 7 other lines starting the same and saying different file names

  7. bob says:

    i did the attrib in console and it is saying access denied to all of the folders. just scrolling through all of the folders saying access denied…. any help?

  8. Mariusz says:

    superrrrrr!!!

  9. C says:

    My background is stuck on solid colors. Any suggestions? Thx in advance.

  10. Nicki says:

    I keep freezing at 76% what should I do?

  11. Destiny says:

    I’m so glad that the internet allows free info like this!

  12. When you run the unhide (attrib) command and you can’t get access, you need to do a few things. Run the command prompt in Admin mode, then if you are still denied access use either Hiren’s mini windows or ERD/DART windows and run this same command.
