Christian Mairoll

Data Recovery Adware Removal Instructions

Recommended Posts

The Emsisoft malware research team has discovered a new outbreak of the Data Recovery adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.DataRecovery.

Data Recovery is a rogue application, another variant of System Recovery, Master Utilities, PC Repair, HDD Repair and System Repair. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

  • %AllUsersProfiles%Application Data~%random%r
  • %AllUsersProfiles%Application Data%random%.exe
  • %AllUsersProfiles%Application Data%random%.exe
  • %AllUsersProfiles%Application Data%random%
  • %AllUsersProfiles%Application Data~%random%
  • %UserProfile%DesktopData Recovery.lnk
  • %UserProfile%Local SettingsTempsmtmp
  • %UserProfile%Local SettingsTempsmtmp1
  • %UserProfile%Local SettingsTempsmtmp2
  • %UserProfile%Local SettingsTempsmtmp4
  • %UserProfile%Start MenuProgramsData Recovery
  • %UserProfile%Start MenuProgramsData RecoveryData Recovery.lnk
  • %UserProfile%Start MenuProgramsData RecoveryUninstall Data Recovery.lnk

Create/modify registry entries:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem
    DisableTaskMgr: 0×00000001
  • HKEY_CURRENT_USERSoftware
    75fa38b7-8b94-4995-ad32-52e938867954:
    BD: 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00…
  • HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain
    Use FormSuggest: “Yes”
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings
    WarnonBadCertRecving: 0×00000000
    CertificateRevocation: 0×00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesActiveDesktop
    NoChangingWallPaper: 0×00000001
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
    NoDesktop: 0×00000001
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations
    LowRiskFileTypes: “.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;
    .mp3;.m3u;.wav;.scr;”
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAttachments
    SaveZoneInformation: 0×00000001
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
    %random%: “%AllUsersProfile%Application Data%random%.exe”
  • HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerDownload
    CheckExeSignatures: “no”
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced
    Hidden: 0×00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced
    ShowSuperHidden: 0×00000000

Screenshots:

Adware.Win32.DataRecovery

Adware.Win32.DataRecovery

Adware.Win32.DataRecovery

Adware.Win32.DataRecovery

Adware.Win32.DataRecovery

Adware.Win32.DataRecovery

Adware.Win32.DataRecovery

How to remove the infection of Data Recovery (Adware.Win32.DataRecovery)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.



View the full article

Share this post


Link to post
Share on other sites

Activation Keys to help make removable a little easier.

Data Recovery, HDD Repair, & System Repair

E-mail: you can type anything you want here

Key: 8475082234984902023718742058948

Master Utilities

E-mail: you can type anything you want here

Key: 1203978628012489708290478989147

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.