System Fix (aka SystemFix) is scareware that displays fake error messages from the Windows taskbar. These alerts claim the computer is malfunctioning in an effort to trick the victim into purchasing a bogus repair tool. To further the ruse, System Fix hides your files and folders, moves your shortcuts, and terminates programs when you try to run them. System Fix also disables access to Windows Task Manager and lowers security settings in Internet Explorer.
System Fix may be encountered via a malicious website advertisement (malvertising) or it may be delivered as a silent drive-by download. If the user clicks through the advertisement or is subjected to the drive-by download, System Fix installs several randomly named files to the Application Data folder.
In Windows 7, this folder is typically C:\ProgramData and can be opened by clicking Start | Run and typing shell:common appdata (no quotes, no space after the colon). On Windows XP, the Application Data folder is typically C:\Documents and Settings\All Users\Application Data.
The dropped files run as hidden processes (no visible window) in order to remain undetected while maintaining control of the victim's PC. The Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run is modified so that Windows launches these files automatically each time the user logs on.
The following Registry values are also created on the infected computer:
Value: Use FormSuggest = "Yes"
(This change enables autocomplete for forms submitted via Internet Explorer)
Value: WarnOnZoneCrossing = 0x00000000
(This change prevents Internet Explorer from prompting: “When you send information to the Internet, it might be possible for others to see that information. Do you want to continue?”)
Value: WarnonBadCertRecving = 0x00000000
(This change disables the Internet Explorer warning for bad certificates)
Value: CertificateRevocation = 0x00000000
(This change turns off certificate revocation checking, so Internet Explorer no longer checks whether a server certificate has been revoked)
Value: NoChangingWallPaper = 1
(Prevents user from changing the desktop wallpaper)
Value: LowRiskFileTypes = <list of extensions>
(Marks several risky file types, such as executables, as low risk so that Attachment Manager no longer warns before opening them)
Value: SaveZoneInformation = 1
(Stops Windows from recording the zone of origin on downloaded files and attachments, so the "Open File - Security Warning" prompt no longer appears for them)
Value: NoDesktop = 1
(Removes icons, shortcuts, and other user-defined or default items from desktop)
Value: DisableTaskMgr = 1
(Disables access to Windows Task Manager. See: How to Re-Enable Access to Task Manager)
Value: CheckExeSignatures = no
(Prevents Internet Explorer from checking the digital signatures of downloaded executables)
Value: Hidden = 0
Value: ShowSuperHidden = 0
(Hides hidden and protected operating system files and folders from view in Windows Explorer, so the files the scareware has marked hidden stay out of sight. See How to View Hidden Files and Folders)
Note that for the sake of readability, HKEY_CURRENT_USER is reflected as HKCU and HKEY_LOCAL_MACHINE as HKLM in the description above.
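The following PowerShell script is an added example, not code from the original article or from any removal tool. It audits a live Windows host for the Run-key persistence and the Internet Explorer and Explorer policy changes described above, and with -Remediate reverses the registry changes. The article lists only the value names; the key paths used here are the standard locations of those values and are this example's assumption, as are the restored values, which are a conservative baseline rather than necessarily the Windows defaults.

```powershell
# Added example (not from the original article): audit and optionally undo the
# registry changes attributed to System Fix. Run from an elevated PowerShell
# prompt while logged on as the affected user, since the values live under HKCU.
[CmdletBinding()]
param([switch]$Remediate)

# Name, standard key path (assumed; the article gives only value names), the
# value the scareware sets ('*' = any value is suspicious), and the fix:
# 'Remove' for policy values Windows does not set by default, or a safe value.
$Checks = @(
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Main';                        Name='Use FormSuggest';       Bad='Yes'; Fix='no'     },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name='WarnOnZoneCrossing';    Bad=0;     Fix=1        },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name='WarnonBadCertRecving';  Bad=0;     Fix=1        },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name='CertificateRevocation'; Bad=0;     Fix=1        },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name='NoChangingWallPaper';   Bad=1;     Fix='Remove' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations';  Name='LowRiskFileTypes';      Bad='*';   Fix='Remove' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name='SaveZoneInformation';   Bad=1;     Fix='Remove' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name='NoDesktop';             Bad=1;     Fix='Remove' },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr';        Bad=1;     Fix='Remove' },
    @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Download';                    Name='CheckExeSignatures';    Bad='no';  Fix='yes'    },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name='Hidden';                Bad=0;     Fix=1        },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name='ShowSuperHidden';       Bad=0;     Fix=1        }
)

$findings = 0
foreach ($c in $Checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }              # value absent: nothing to flag
    $current = $item.($c.Name)
    $hit = ($c.Bad -eq '*') -or ("$current" -ieq "$($c.Bad)")
    if (-not $hit) { continue }
    $findings++
    Write-Warning ("{0}\{1} = {2}" -f $c.Key, $c.Name, $current)
    if ($Remediate) {
        if ($c.Fix -eq 'Remove') {
            Remove-ItemProperty -Path $c.Key -Name $c.Name
        } else {
            Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Fix
        }
    }
}

# Persistence: list Run entries and flag any whose executable lives under
# ProgramData or the user's AppData folders (where the article says the dropped
# files land), or that is not carrying a valid Authenticode signature.
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$dataDirs = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        # Pull the executable path out of the command line, e.g. "C:\x\y.exe" /arg
        if ("$($p.Value)" -notmatch '^\s*"?(?<exe>[^"]+?\.exe)"?') { continue }
        $exe    = [Environment]::ExpandEnvironmentVariables($Matches.exe)
        $inData = $dataDirs | Where-Object { $exe -like "$_\*" }
        $sig    = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
        if ($inData -or $sig -ne 'Valid') {
            $findings++
            Write-Warning ("Run entry '{0}' -> {1} (signature: {2})" -f $p.Name, $exe, $sig)
        }
    }
}
"{0} finding(s)." -f $findings
```

Run it once without -Remediate to see what is set, and again with -Remediate after the dropped files have been removed; restoring the registry while the scareware is still running only invites it to reapply the changes. The script does not delete Run entries, because a flagged entry may be legitimate unsigned software; review each one by hand. It also does not touch the hidden attribute the scareware sets on user files, which the How to View Hidden Files and Folders link above covers.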
In the background, System Fix also tries to connect to various remote websites and attempts to download additional malware to the infected computer. Attempted downloads include the TDSS rootkit, which serves as a framework to download – and hide – even more malware.
System Fix will also install shortcut links to itself on the victim’s desktop and the Start Menu programs folder. Upon initial infection, System Fix will then begin displaying warning messages from the Windows Taskbar, examples of which include:
- Critical Error: Hard drive clusters are partly damaged. Segment load failure
- Hard Drive Failure: The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system
- System Error: An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors
- Windows detected a hard disk problem: A potential disk failure may cause loss of files, applications and documents stored on the hard disk. It's highly recommended to scan and solve HDD problems before continue using this PC.
If the victim then chooses to run System Fix, multiple errors will be returned in the System Fix console with instructions to purchase the repair tool.
If you have fallen victim to this scam and purchased the bogus repair tool, contact your credit card company, report the fraud and dispute the charge. To remove System Fix from an infected computer, follow the steps provided by BleepingComputer.
Please note that simply removing System Fix will not remove any of the additional malware that may have been installed, including the TDSS rootkit. Because a rootkit may be present and cannot be reliably detected from within the running system, you may wish to consider backing up your known good data files and doing a complete format and reinstall.