
New Threat: System Defragmenter

Author: Marianne Layador – PC Tools Malware Research Team

Installation Method

System Defragmenter is scam-ware that imitates a legitimate utility for scanning the hard drive and memory for problems. It is installed through the usual channels and uses the same social-engineering techniques as rogue antivirus applications: it pressures the user into buying the fake program by warning of critical system errors designed to alarm the user and hold his or her attention.

After its "scan", it reports the following hard-coded fake errors:

Drive C initializing error
Bad sectors on hard drive or damaged file allocation table – Critical Error
Read time of hard drive clusters less than 500 ms – Critical Error
Hard drive doesn’t respond to system commands – Critical Error
Data Safety Problem. System integrity is at risk.
RAM Memory defragmentation is required. Only 20% of RAM Memory is free to use
RAM Memory temperature %d%% C. Optimization is required for normal RAM functioning
Registry Error – Critical Error
1532 MB to be removed for computer performance optimization – Performance Issue
Files placement on hard drive is not optimized. Defragmentation is required – Performance Issue
%d%% of HDD space is unreadable – Critical Error

Note: %d%% is a printf-style placeholder; at run time %d is replaced with a number and %% with a literal percent sign, so the message reads as a percentage.

To look legitimate, it even prompts the user to restart in safe mode, where it launches and pretends to fix the issues.

After this "assessment", it still recommends that the user click the "Run defragmentation" button, which leads to the website where the user can buy the product.

Payment Link:

http://secure.defragmentetorstore.com/secure/payments/

PC Tools advises against entering any credit card information on these forms. Victims are strongly advised to contact their credit card company immediately to dispute the fraudulent transactions and to block any further unauthorized charges.

Fake Malware Warnings

To make the user panic even more, System Defragmenter intercepts any executable the user launches, prevents it from running, and displays a fake error dialog in its place.

In normal Windows mode, this scam-ware also tampers with what you see in the Program Files and Windows folders: Program Files shows the contents that belong in the Windows folder and vice versa, and any attempt to open the subfolders and files there produces a message saying they are unavailable.

It also displays several other fake alerts.

Manual Removal Guide

System Defragmenter drops the following files:

%DesktopDir%\System Defragmenter.lnk
%Programs%\System Defragmenter\System Defragmenter.lnk
%Temp%\maindll.dll
%Temp%\exe.exe
%Temp%\.exe

System Defragmenter creates the following autostart entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
exe.exe=%Temp%\exe.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
=%Temp%\.exe

System Defragmenter modifies the following registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideIcons"=dword:00000001

Default value: "HideIcons"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

Default value: "NoChangingWallPaper"=dword:00000000

To clean up System Defragmenter, remove the files and registry entries listed above and restore the modified registry values to their defaults. Do this in safe mode, because the DLL component is hooked into explorer.exe and will keep its file open in normal mode.

If you are not comfortable editing the Windows registry, seek assistance before doing so.
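The following PowerShell script is an added example, not PC Tools' tool or code, that automates the checks in the removal guide above: it looks for the dropped files, reports whether maindll.dll is currently mapped into explorer.exe, lists the autostart values, and compares the two modified registry values against their documented defaults. With -Remediate it deletes the findings and restores the defaults. Two points are assumptions of mine rather than facts from the article: the randomly named dropper is detected by flagging any Run value whose command points into %Temp% (which can also catch legitimate entries, so review each hit), and the autostart command is matched both as the literal %Temp% string and as the expanded path.

```powershell
# Added example, not PC Tools' code: audit a host for the System Defragmenter
# indicators listed in the removal guide and, with -Remediate, remove them and
# restore the two modified values to their documented defaults. Run from an
# elevated prompt, preferably in safe mode (the DLL hooks explorer.exe otherwise).
param([switch]$Remediate)

$temp     = $env:TEMP
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Dropped files. The randomly named %Temp%\*.exe is covered via the Run key below.
$files = @(
    (Join-Path ([Environment]::GetFolderPath('Desktop'))  'System Defragmenter.lnk'),
    (Join-Path ([Environment]::GetFolderPath('Programs')) 'System Defragmenter\System Defragmenter.lnk'),
    (Join-Path $temp 'maindll.dll'),
    (Join-Path $temp 'exe.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file: $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

# 2. Is the DLL component currently loaded in explorer.exe? If so it holds the
#    file open and deletion will fail; reboot into safe mode first.
$hooked = Get-Process -Name explorer -ErrorAction SilentlyContinue |
          ForEach-Object { $_.Modules } |
          Where-Object { $_.ModuleName -ieq 'maindll.dll' }
if ($hooked) { $findings += 'loaded: maindll.dll is mapped into explorer.exe' }

# 3. Autostart values. The value named exe.exe is fixed; the second value has a
#    random name, so this uses my assumption (not the article's) that any Run
#    value whose command points into %Temp% is suspect. Review each hit.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        # Keep REG_EXPAND_SZ unexpanded so the literal %Temp% can be matched too.
        $cmd = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        if ($name -ieq 'exe.exe' -or $cmd -like '*%Temp%*' -or $cmd -like "*$temp*") {
            $findings += "run key: '$name' = $cmd"
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $name }
        }
    }
}

# 4. Modified values: restore to the default (0) rather than deleting them.
$modified = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name = 'HideIcons';           Default = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper'; Default = 0 }
)
foreach ($m in $modified) {
    if (-not (Test-Path -Path $m.Path)) { continue }
    $current = (Get-ItemProperty -Path $m.Path -Name $m.Name -ErrorAction SilentlyContinue).($m.Name)
    if ($null -ne $current -and $current -ne $m.Default) {
        $findings += "modified: $($m.Path)\$($m.Name) = $current (default $($m.Default))"
        if ($Remediate) { Set-ItemProperty -Path $m.Path -Name $m.Name -Value $m.Default -Type DWord }
    }
}

if ($findings.Count -eq 0) { 'No System Defragmenter indicators found.' }
else { $findings | ForEach-Object { "[+] $_" } }
```

Run it once without -Remediate to see what it would touch, then again with -Remediate from safe mode. It restores HideIcons and NoChangingWallPaper to 0 instead of deleting them, since both values exist on clean systems; the Run values and dropped files, which do not, are removed outright.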
