ErrorRepair

Updated: April 22, 2009 9:24:09 AM
Type: Misleading Application
Name: ErrorRepair
Risk Impact: Medium
Systems Affected: Windows

Behavior
The program must be manually installed.

The program reports false or exaggerated system security threats on the computer.

The user is then prompted to pay for a full license of the application in order to remove the threats.

Installation
When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\ErrorRepairTool\Logs\[DATE FORMAT].log
  • %UserProfile%\Application Data\ErrorRepairTool\Results\Evidence.db
  • %UserProfile%\Application Data\ErrorRepairTool\Results\Junk.db
  • %UserProfile%\Application Data\ErrorRepairTool\Results\Registry.db
  • %UserProfile%\Application Data\ErrorRepairTool\Results\Update.db
  • %UserProfile%\Local Settings\Temp\escan-parsed.log
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS].tmp
  • C:\Documents and Settings\All Users\Desktop\ErrorRepairTool.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\ErrorRepairTool\ErrorRepairTool on the Web.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\ErrorRepairTool\ErrorRepairTool.lnk
  • %ProgramFiles%\Downloaded Installers\{2C94E4E3-3E09-4285-9F72-DA40F9C30E5C}\setup.msi
  • %ProgramFiles%\ErrorRepairTool\definitions.db
  • %ProgramFiles%\ErrorRepairTool\ErrorRepairTool.exe
  • %ProgramFiles%\ErrorRepairTool\ErrorRepairTool.url
  • %ProgramFiles%\ErrorRepairTool\privacy.db
  • %Windir%\Installer\[RANDOM CHARACTERS].msi
  • %Windir%\Installer\{2C94E4E3-3E09-4285-9F72-DA40F9C30E5C}\Icon.exe
  • %Windir%\Tasks\ErrorRepairTool Scan.job


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ErrorRepairTool" = "%ProgramFiles%\ErrorRepairTool\ErrorRepairTool.exe -boot"

It also creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\ErrorRepairTool
  • HKEY_CLASSES_ROOT\Installer\Features\3E4E49C290E35824F927AD049F3CE0C5
  • HKEY_CLASSES_ROOT\Installer\Products\3E4E49C290E35824F927AD049F3CE0C5
  • HKEY_CLASSES_ROOT\Installer\UpgradeCodes\6D4A22EA0F76866418C9EF7DD18D3682
  • HKEY_LOCAL_MACHINE\SOFTWARE\ErrorRepairTool
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C94E4E3-3E09-4285-9F72-DA40F9C30E5C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ErrorRepairTool
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\12D75FA4684B5D14C90E739A093B6041
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9A3C48B56DCF42A489F4D91839FD8E7B
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BD561BBCA1F45824FB493ADF001CA7CC
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DB882DDE54F704F47B0C4271C027D0A7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3E4E49C290E35824F927AD049F3CE0C5
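
A host sweep for a subset of the files and registry keys listed above, as an added example (not Symantec's code). The function name `Find-ErrorRepairArtifact` and the output shape are assumptions; paths and keys are used as the write-up gives them, with `Program Files (x86)` also checked on 64-bit systems.

```powershell
# Added example, not Symantec's code. Paths and keys are copied from the write-up;
# the function name and the output object shape are assumptions.
function Find-ErrorRepairArtifact {
    # On 64-bit Windows a 32-bit install lands under "Program Files (x86)", so check both.
    $pfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique

    $files = @(
        "$env:USERPROFILE\Application Data\ErrorRepairTool\Results\Evidence.db"
        "$env:USERPROFILE\Application Data\ErrorRepairTool\Results\Registry.db"
        "$env:USERPROFILE\Local Settings\Temp\escan-parsed.log"
        "$env:windir\Tasks\ErrorRepairTool Scan.job"
        "$env:windir\Installer\{2C94E4E3-3E09-4285-9F72-DA40F9C30E5C}\Icon.exe"
    )
    foreach ($root in $pfRoots) {
        $files += "$root\ErrorRepairTool\ErrorRepairTool.exe"
        $files += "$root\ErrorRepairTool\definitions.db"
        $files += "$root\Downloaded Installers\{2C94E4E3-3E09-4285-9F72-DA40F9C30E5C}\setup.msi"
    }

    $keys = @(
        'Registry::HKEY_CURRENT_USER\Software\ErrorRepairTool'
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\ErrorRepairTool'
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\ErrorRepairTool'
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C94E4E3-3E09-4285-9F72-DA40F9C30E5C}'
        'Registry::HKEY_CLASSES_ROOT\Installer\Products\3E4E49C290E35824F927AD049F3CE0C5'
    )

    # -LiteralPath keeps braces and brackets in the paths from being read as wildcards.
    foreach ($p in $files + $keys) {
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Kind = 'Path'; Item = $p; Detail = 'present' }
        }
    }

    # The autostart entry is a value under the per-user Run key, not a subkey.
    $run = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -LiteralPath $run -Name 'ErrorRepairTool' -ErrorAction SilentlyContinue
    if ($val) {
        [pscustomobject]@{ Kind = 'RunValue'; Item = "$run\ErrorRepairTool"; Detail = $val.ErrorRepairTool }
    }
}

Find-ErrorRepairArtifact | Format-Table -AutoSize -Wrap
```

Run it in the affected user's session: `%UserProfile%` and `HKEY_CURRENT_USER` resolve per user, so an elevated session under a different account checks that account's profile and hive instead.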