Data Recovery Rogue Removal Instructions



#1 Arief Prabowo
  • Emsisoft Employee

Posted 30 April 2012 - 04:52 AM

The Emsisoft malware research team has discovered a new outbreak of Data Recovery. Emsisoft Anti-Malware detects this malware as Rogue.Win32.DataRecovery.b.

Data Recovery is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan result reports, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.

Creates new files:

%AllUsersProfile%\Application Data\peNIiagqcfvoe9
%AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9r
%AppData%\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
%UserProfile%\Desktop\Data_Recovery.lnk
%UserProfile%\Desktop\Data_Recovery_License.txt
%UserProfile%\Local Settings\Temp\license.dat
%UserProfile%\Local Settings\Temp\RZQQnkXDzMfhGS.exe.tmp
%UserProfile%\Start Menu\Programs\Data Recovery\
%UserProfile%\Start Menu\Programs\Data Recovery\Data Recovery.lnk
%UserProfile%\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk

Creates/modifies registry entries:

HKEY_CURRENT_USER\software\
nsreg = 00000000
pth = 43003A005C0044006F00630075006D0065006E0074007300200061006E…

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
CheckExeSignatures = no

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
Use FormSuggest = Yes

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
TaskbarGlomming = empty
TaskbarGlomLevel = 0x02000000
Hidden = empty
ShowSuperHidden = empty
Start_ShowUser = 0x01000000
Start_ShowControlPanel = 0x01000000
Start_ShowHelp = 0x01000000
Start_ShowMyComputer = 0x01000000
Start_ShowMyDocs = 0x01000000
Start_ShowMyMusic = 0x01000000
Start_ShowMyGames = 0x01000000
Start_ShowMyPics = 0x01000000
Start_ShowPrinters = 0x01000000
Start_ShowRecentDocs = 0x01000000
Start_ShowRun = 0x01000000
Start_ShowSearch = 0x01000000
Start_ShowSetProgramAccessAndDefaults = 0x01000000
Start_ShowNetConn = 0x01000000
Start_ShowNetPlaces = 0x01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations\
LowRiskFileTypes = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;...

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
SaveZoneInformation = 0x01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
peNIiagqcfvoe9 = %AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe

Screenshots:

[Three screenshots of the rogue's interface were posted here; the images are not preserved.]

To register this rogue application you can try the following serial number and enter any email:
08869246386344953972969146034087

How to remove the infection of Data Recovery (Rogue.Win32.DataRecovery.b)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Best regards,

Arief Prabowo [Research]

Emsisoft Team - http://www.emsisoft.com
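The registry changes listed in the post are the part of this rogue a defender can check for without a scanner: a Run-key entry pointing at a randomly named .exe under the all-users "Application Data" folder for persistence, CheckExeSignatures = no (Internet Explorer no longer checks signatures on downloaded executables), SaveZoneInformation = 1 (zone information, the mark-of-the-web, is no longer saved on downloaded files) and executable extensions added to LowRiskFileTypes (suppressing the Attachment Manager warnings). The following is an added example, not Emsisoft's code and not part of the post: it parses a text export of HKCU\Software (the format produced by `reg export`) and reports those indicators. The .reg content, the `parse_reg`/`find_indicators` names and the benign `ctfmon.exe` entry are constructed for the example.

```python
"""Scan a Windows .reg export for the Data Recovery registry indicators.

Constructed example (not Emsisoft's code). Input is a .reg text export such
as `reg export HKCU\\Software hkcu.reg /y` produces; the sample below is
constructed to contain the indicators from the post plus one benign entry.
"""
import re
from typing import Dict, List, Tuple

# Constructed .reg export (real exports are UTF-16; decoded to str here).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"peNIiagqcfvoe9"="C:\\Documents and Settings\\All Users\\Application Data\\peNIiagqcfvoe9.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

HKCU = "hkey_current_user\\software\\microsoft\\"
RUN_KEY = HKCU + "windows\\currentversion\\run"
IE_DOWNLOAD = HKCU + "internet explorer\\download"
ASSOC = HKCU + "windows\\currentversion\\policies\\associations"
ATTACH = HKCU + "windows\\currentversion\\policies\\attachments"

# Executable stored directly under the all-users "Application Data" folder,
# as the rogue's Run entry does (matches the %AllUsersProfile% form as well).
RUN_PATTERN = re.compile(
    r"(?:%allusersprofile%|\\all users)\\application data\\[^\\]+\.exe",
    re.IGNORECASE,
)
EXEC_TYPES = {".exe", ".bat", ".com", ".cmd", ".reg", ".msi"}


def decode_value(raw: str) -> str:
    """Turn a .reg right-hand side into a plain string (strings and dwords)."""
    if raw.startswith('"') and raw.endswith('"'):
        # .reg strings escape backslashes and double quotes.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased key path -> {lower-cased value name: decoded value}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.lower()] = decode_value(m.group(2))
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, evidence) pairs for the indicators listed in the post."""
    hits: List[Tuple[str, str]] = []
    for name, value in keys.get(RUN_KEY, {}).items():
        if RUN_PATTERN.search(value):
            hits.append(("run-key persistence", f"{name} = {value}"))
    if keys.get(IE_DOWNLOAD, {}).get("checkexesignatures", "").lower() == "no":
        hits.append(("IE executable signature check disabled", "CheckExeSignatures = no"))
    if keys.get(ATTACH, {}).get("savezoneinformation") == "1":
        hits.append(("mark-of-the-web disabled", "SaveZoneInformation = 1"))
    low_risk = keys.get(ASSOC, {}).get("lowriskfiletypes", "")
    risky = sorted({ext.strip() for ext in low_risk.lower().split(";")} & EXEC_TYPES)
    if risky:
        hits.append(("executables marked low-risk", "LowRiskFileTypes includes " + ";".join(risky)))
    return hits


if __name__ == "__main__":
    for finding, evidence in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"[!] {finding}: {evidence}")
```

Run against a real export by reading the file with `encoding="utf-16"` and passing the text to `parse_reg`; a clean machine produces no findings, and the benign `ctfmon.exe` Run entry in the sample is not reported because it does not sit under "Application Data".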
