Arief Prabowo

Data Recovery Rogue Removal Instructions

Recommended Posts

The Emsisoft malware research team has discovered a new outbreak of the Data Recovery. Emsisoft Anti-Malware detects this malware as Rogue.Win32.DataRecovery.b.

Data Recovery is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AllUsersProfile%\Application Data\peNIiagqcfvoe9
%AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9r
%AppData%\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
%UserProfile%\Desktop\Data_Recovery.lnk
%UserProfile%\Desktop\Data_Recovery_License.txt
%UserProfile%\Local Settings\Temp\license.dat
%UserProfile%\Local Settings\Temp\RZQQnkXDzMfhGS.exe.tmp
%UserProfile%\Start Menu\Programs\Data Recovery\
%UserProfile%\Start Menu\Programs\Data Recovery\Data Recovery.lnk
%UserProfile%\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk

Create/modify registry entries:

HKEY_CURRENT_USER\software\
nsreg = 00000000
pth = 43003A005C0044006F00630075006D0065006E0074007300200061006E…

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
CheckExeSignatures = no

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
Use FormSuggest = Yes

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
TaskbarGlomming = empty
TaskbarGlomLevel = 0x02000000
Hidden = empty
ShowSuperHidden = empty
Start_ShowUser = 0x01000000
Start_ShowControlPanel = 0x01000000
Start_ShowHelp = 0x01000000
Start_ShowMyComputer = 0x01000000
Start_ShowMyDocs = 0x01000000
Start_ShowMyMusic = 0x01000000
Start_ShowMyGames = 0x01000000
Start_ShowMyPics = 0x01000000
Start_ShowPrinters = 0x01000000
Start_ShowRecentDocs = 0x01000000
Start_ShowRun = 0x01000000
Start_ShowSearch = 0x01000000
Start_ShowSetProgramAccessAndDefaults = 0x01000000
Start_ShowNetConn = 0x01000000
Start_ShowNetPlaces = 0x01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations\
LowRiskFileTypes = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;...

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
SaveZoneInformation = 0x01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
peNIiagqcfvoe9 = %AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe

Screenshosts:

Rogue.Win32.DataRecovery.b_1-400x331.png

Rogue.Win32.DataRecovery.b_2-400x331.png

Rogue.Win32.DataRecovery.b_3-400x240.png

To register this rogue application you can try the following serial number and enter any email:

08869246386344953972969146034087

How to remove the infection of Data Recovery(Rogue.Win32.DataRecovery.b)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Recently Browsing   0 members

    No registered users viewing this page.