Data Recovery Rogue Removal Instructions

#1 Arief Prabowo

Posted 30 April 2012 - 04:52 AM

The Emsisoft malware research team has discovered a new outbreak of Data Recovery. Emsisoft Anti-Malware detects this malware as Rogue.Win32.DataRecovery.b.

Data Recovery is a rogue scanner application. A rogue application tries to trick you by displaying false or misleading scan results that claim your computer has a problem or is infected with viruses or trojans, and it will not let you fix the reported problems until you purchase it.

It creates the following files:

%AllUsersProfile%\Application Data\peNIiagqcfvoe9
%AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9r
%AppData%\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
%UserProfile%\Local Settings\Temp\license.dat
%UserProfile%\Local Settings\Temp\RZQQnkXDzMfhGS.exe.tmp
%UserProfile%\Start Menu\Programs\Data Recovery\
%UserProfile%\Start Menu\Programs\Data Recovery\Data Recovery.lnk
%UserProfile%\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk

It creates or modifies the following registry entries:

nsreg = 00000000
pth = 43003A005C0044006F00630075006D0065006E0074007300200061006E…

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
CheckExeSignatures = no

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
Use FormSuggest = Yes

TaskbarGlomming = empty
TaskbarGlomLevel = 0x02000000
Hidden = empty
ShowSuperHidden = empty
Start_ShowUser = 0x01000000
Start_ShowControlPanel = 0x01000000
Start_ShowHelp = 0x01000000
Start_ShowMyComputer = 0x01000000
Start_ShowMyDocs = 0x01000000
Start_ShowMyMusic = 0x01000000
Start_ShowMyGames = 0x01000000
Start_ShowMyPics = 0x01000000
Start_ShowPrinters = 0x01000000
Start_ShowRecentDocs = 0x01000000
Start_ShowRun = 0x01000000
Start_ShowSearch = 0x01000000
Start_ShowSetProgramAccessAndDefaults = 0x01000000
Start_ShowNetConn = 0x01000000
Start_ShowNetPlaces = 0x01000000

LowRiskFileTypes = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;...

SaveZoneInformation = 0x01000000

peNIiagqcfvoe9 = %AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe

To register this rogue application you can try the following serial number and enter any email:

How to remove the Data Recovery (Rogue.Win32.DataRecovery.b) infection?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Best regards,

Arief Prabowo [Research]

Emsisoft Team - http://www.emsisoft.com
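
A read-only check for the indicators listed in the post above, as an added example that is not part of the original post and not Emsisoft's tooling. It tests the exact file paths from the post and only the two registry values whose full key is given there; the variable names are this example's own.

```powershell
# Added example: read-only indicator check for Rogue.Win32.DataRecovery.b.
# Paths and values are copied from the post; only the current user's profile is checked.
$filePaths = @(
    '%AllUsersProfile%\Application Data\peNIiagqcfvoe9',
    '%AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe',
    '%AllUsersProfile%\Application Data\-peNIiagqcfvoe9',
    '%AllUsersProfile%\Application Data\-peNIiagqcfvoe9r',
    '%AppData%\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk',
    '%UserProfile%\Local Settings\Temp\license.dat',
    '%UserProfile%\Local Settings\Temp\RZQQnkXDzMfhGS.exe.tmp',
    '%UserProfile%\Start Menu\Programs\Data Recovery\',
    '%UserProfile%\Start Menu\Programs\Data Recovery\Data Recovery.lnk',
    '%UserProfile%\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk'
)

# Only the registry values that the post lists together with their full key.
$registryValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'CheckExeSignatures'; Data = 'no' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Use FormSuggest'; Data = 'Yes' }
)

$findings = @()
foreach ($raw in $filePaths) {
    # Expand %AllUsersProfile%, %AppData% and %UserProfile% for the current session.
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = 'present' }
    }
}

foreach ($rv in $registryValues) {
    # Returns nothing (with the error suppressed) if the key or the value is missing.
    $props = Get-ItemProperty -LiteralPath $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $actual = [string]$props.($rv.Name)
    if ($actual -eq $rv.Data) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = "$($rv.Key)\$($rv.Name)"; Detail = "= $actual" }
    }
}

if ($findings.Count -eq 0) {
    'None of the listed indicators were found for this user.'
} else {
    $findings | Format-List
}
```

A registry match on its own is weak evidence, because both settings can also be chosen by a user in Internet Explorer's options; file hits carry more weight.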
