
System Recovery

Posted: September 3, 2011

Threat Metric

Threat Level: 10/10
Infected PCs: 14
First Seen: September 5, 2011
Last Seen: January 8, 2020
OS(es) Affected: Windows

System Recovery is a fake defragmentation program (or defragger) that belongs to the FakeSysDef family. System Recovery creates hostile error messages and a range of other system problems to make it appear as though your PC is seconds away from spontaneous combustion. SpywareRemove.com malware experts haven't found any real error-detection or removal features in System Recovery, let alone actual defragmentation features, and due to these deceitful and outright harmful traits, System Recovery should be considered scamware instead of a legitimate program. Until you delete System Recovery with the appropriate anti-malware product, you should be prepared for attacks that these scamware programs are known for, such as browser hijacks, vanishing files and unwanted changes to your desktop.

Staying Alert for System Recovery's Fraudulent PC Monitoring Features

System Recovery, like other FakeHDD rogue defragmenters, pretends to offer many different features that you wouldn't see on a normal defragger, such as RAM analysis and Registry-cleaning. Since these features require extremely specialized functions, SpywareRemove.com malware researchers weren't surprised to discover that System Recovery doesn't have any of the features it advertises, including its supposed defragging function. Instead, these fake features are merely billboards for posting fake warnings.

Many of these errors are also recreated by other rogue defraggers that are related to System Recovery. Examples include System Defragmenter, Ultra Defragger, HDD Control, Win HDD, Win Defrag, Win Defragmenter, Disk Doctor, Hard Drive Diagnostic, HDD Diagnostic, HDD Plus, HDD Repair, HDD Rescue, Smart HDD, Defragmenter, HDD Tools, Disk Repair, Windows Optimization Center, Scanner, HDD Low and Hdd Fix. All of these programs belong to the same overall family of rogue defragmenters as System Recovery and utilize similar attacks.

Finding a Way to Recover Your PC from System Recovery

Gaining access to powerful anti-malware programs is recommended as the first step towards removing System Recovery efficiently. However, System Recovery will create a number of hostile conditions that the SpywareRemove.com malware research team has noted may need to be worked around before you can kick System Recovery out of your PC.

  • System Recovery may use several methods to hide files on your hard drive, including moving program shortcuts to your Temp folder and attacking Windows Explorer to prevent it from showing certain files. Until you've gotten rid of System Recovery, it's recommended that you try to avoid cleaning out folders casually, since System Recovery may have stored your important files in these locations. If you can't access a critical file, consider using the Command Prompt program, which should show any files that System Recovery tries to hide from Windows Explorer.
  • System Recovery may also block security programs. The easiest way to duck under this unwarranted assault is to use Safe Mode or another form of system boot that stops System Recovery from launching in the first place. Because System Recovery, like many other FakeHDD programs, will hook itself into the normal startup routine for your PC, you should assume that System Recovery is active if you've used a normal system boot.
  • Finally, web browser redirect attacks are also common with any FakeHDD infection, including System Recovery. Take care to avoid giving away money or private information to websites that System Recovery redirects you to, and never try to buy System Recovery. If necessary, our malware experts have found that you can use the free code '1203978628012489708290478989147' to imitate registration for System Recovery prior to deletion.



Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%ALLUSERSPROFILE%\Application Data\YvhFlJjjduMa.exe
File name: YvhFlJjjduMa.exe
Size: 454.14 KB (454144 bytes)
MD5: cb4a95d5b7068d1f5a189be43469c77c
Detection count: 18
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data
Group: Malware file
Last Updated: September 5, 2011

%ALLUSERSPROFILE%\Application Data\BvhFlJjjduMa.exe
File name: BvhFlJjjduMa.exe
Size: 453.12 KB (453120 bytes)
MD5: 85e8b994c934b8a948e39fec39a0851a
Detection count: 17
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data
Group: Malware file
Last Updated: September 5, 2011

%ALLUSERSPROFILE%\Application Data\BvhFlJwnduMa.exe
File name: BvhFlJwnduMa.exe
Size: 433.66 KB (433664 bytes)
MD5: 16077679cd29b633b380389d192aef56
Detection count: 14
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data
Group: Malware file
Last Updated: September 5, 2011

%ALLUSERSPROFILE%\Application Data\GyxHFmRWxGIKn.exe
File name: GyxHFmRWxGIKn.exe
Size: 453.63 KB (453632 bytes)
MD5: a8e9d0c3e94425633d2a063074170145
Detection count: 13
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data
Group: Malware file
Last Updated: September 5, 2011

%ALLUSERSPROFILE%\Application Data\iMXxHFmRWxGIKn.exe
File name: iMXxHFmRWxGIKn.exe
Size: 464.38 KB (464384 bytes)
MD5: af4c4d542ce33cf71cf2e1fca7953fb5
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data
Group: Malware file
Last Updated: January 8, 2020

%LocalAppData%\[RANDOM CHARACTERS]
Group: Malware file

%LocalAppData%\[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%LocalAppData%\~[RANDOM CHARACTERS]
Group: Malware file

%Temp%\smtmp\
Group: Malware file

%Temp%\smtmp\1
Group: Malware file

%Temp%\smtmp\2
Group: Malware file

%Temp%\smtmp\3
Group: Malware file

%Temp%\smtmp\4
Group: Malware file

%StartMenu%\Programs\System Recovery\
Group: Malware file

%StartMenu%\Programs\System Recovery\System Recovery.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file

%StartMenu%\Programs\System Recovery\Uninstall System Recovery.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file

%UserProfile%\Desktop\System Recovery.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file

Registry Modifications

The following Registry values were newly created:

HKEY..\..\..\..{Subkeys}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s's:/ogn:/uyu:/dyd:/c'u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/'wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v'w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
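
For triage, a registry export can be checked offline against a subset of the values listed above. The Python below is an added example, not code from SpywareRemove.com; the Run-key path heuristic, the function names and the sample export are assumptions constructed for illustration.

```python
import re

HKCU = r"HKEY_CURRENT_USER\Software\Microsoft"
CV = r"\Windows\CurrentVersion"
# (key, value name) -> data, copied from the page's Registry Modifications list.
LISTED = {
    (HKCU + CV + r"\Explorer\Advanced", "Hidden"): "0",
    (HKCU + CV + r"\Explorer\Advanced", "ShowSuperHidden"): "0",
    (HKCU + CV + r"\Policies\System", "DisableTaskMgr"): "1",
    (HKCU + CV + r"\Policies\Explorer", "NoDesktop"): "1",
    (HKCU + CV + r"\Internet Settings", "CertificateRevocation"): "0",
    (HKCU + r"\Internet Explorer\Download", "CheckExeSignatures"): "no",
}
LISTED = {(k.lower(), n.lower()): v for (k, n), v in LISTED.items()}
RUN_KEY = (HKCU + CV + r"\Run").lower()
# Heuristic (assumption, not from the page): a Run target that is an .exe placed
# directly in Application Data or AppData\Local, the drop folders the page lists.
DROP_RE = re.compile(r'\\(application data|appdata\\local)\\[^\\"]+\.exe"?$', re.I)

def parse_reg(text):
    """Yield (key, name, data) from .reg text; REG_DWORD data becomes a decimal string."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif m and key and m.group(2).startswith("dword:"):
            yield key, m.group(1), str(int(m.group(2)[6:], 16))
        elif m and key and m.group(2)[:1] == m.group(2)[-1:] == '"':
            s = m.group(2)[1:-1]  # quoted REG_SZ: undo the .reg escaping
            yield key, m.group(1), s.replace("\\\\", "\\").replace('\\"', '"')

def audit(text):
    """Return (key, name, data) for each value matching a listed indicator."""
    return [(k, n, d) for k, n, d in parse_reg(text)
            if LISTED.get((k.lower(), n.lower())) == d.lower()
            or (k.lower() == RUN_KEY and DROP_RE.search(d))]

# Constructed sample in `reg export` syntax (real exports are UTF-16; decode first).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"qWeRtY.exe"="C:\\Documents and Settings\\All Users\\Application Data\\qWeRtY.exe"
'''
```

Calling `audit(SAMPLE)` reports the `Hidden`, `DisableTaskMgr` and `qWeRtY.exe` entries and leaves the Program Files updater and the non-matching `ShowSuperHidden` value alone.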

Additional Information

The following messages were detected:

1. Activation Reminder System Recovery Activation Advanced module activation required to fix detected errors and performance issues. Please purchase Advanced Module license to activate this software and enable all features.
2. Critical Error A critical error has occurred while indexing data stored on hard drive. System restart required.
3. Critical Error Hard Drive not found. Missing hard drive.
4. Critical Error Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can't find hard disk space. Hard drive error.
5. Critical Error RAM memory usage is critically high. RAM memory failure.
6. Critical Error Windows can't find hard disk space. Hard drive error
7. Critical Error! Damaged hard drive clusters detected. Private data is at risk.
8. Critical Error! Windows was unable to save all the data for the file \System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware.
9. Critical Hard Disk Drive Error System Recovery detected a bad sector on your hard disk drive. This error may cause the following problems: - Data corruption and loss - Hard drive inaccessibility - System errors and failures
10. Fix Disk System Recovery Diagnostics will scan the system to identify performance problems. Start or Cancel
11. Hard Drive Failure The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system.
12. System Error An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors.
13. System Recovery Diagnostics Windows detected a hard disk error. A problem with the hard drive sectors has been detected. It is recommended to download the following sertified software to fix the detected hard drive problems. Do you want to download recommended software?
14. System Restore The system has been restored after a critical error. Data integrity and hard drive integrity verification required.
15. Windows - No Disk Exception Processing Message 0x0000013
