Arief Prabowo

Data Recovery Rogue Removal Instructions

1 post in this topic

The Emsisoft malware research team has discovered a new outbreak of the Data Recovery. Emsisoft Anti-Malware detects this malware as Rogue.Win32.DataRecovery.b.

Data Recovery is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AllUsersProfile%\Application Data\peNIiagqcfvoe9
%AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9r
%AppData%\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
%UserProfile%\Desktop\Data_Recovery.lnk
%UserProfile%\Desktop\Data_Recovery_License.txt
%UserProfile%\Local Settings\Temp\license.dat
%UserProfile%\Local Settings\Temp\RZQQnkXDzMfhGS.exe.tmp
%UserProfile%\Start Menu\Programs\Data Recovery\
%UserProfile%\Start Menu\Programs\Data Recovery\Data Recovery.lnk
%UserProfile%\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk

Create/modify registry entries:

HKEY_CURRENT_USER\software\
nsreg = 00000000
pth = 43003A005C0044006F00630075006D0065006E0074007300200061006E…

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
CheckExeSignatures = no

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
Use FormSuggest = Yes

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
TaskbarGlomming = empty
TaskbarGlomLevel = 0x02000000
Hidden = empty
ShowSuperHidden = empty
Start_ShowUser = 0x01000000
Start_ShowControlPanel = 0x01000000
Start_ShowHelp = 0x01000000
Start_ShowMyComputer = 0x01000000
Start_ShowMyDocs = 0x01000000
Start_ShowMyMusic = 0x01000000
Start_ShowMyGames = 0x01000000
Start_ShowMyPics = 0x01000000
Start_ShowPrinters = 0x01000000
Start_ShowRecentDocs = 0x01000000
Start_ShowRun = 0x01000000
Start_ShowSearch = 0x01000000
Start_ShowSetProgramAccessAndDefaults = 0x01000000
Start_ShowNetConn = 0x01000000
Start_ShowNetPlaces = 0x01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations\
LowRiskFileTypes = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;...

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments\
SaveZoneInformation = 0x01000000

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run\
peNIiagqcfvoe9 = %AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe

Screenshosts:

Rogue.Win32.DataRecovery.b_1-400x331.png

Rogue.Win32.DataRecovery.b_2-400x331.png

Rogue.Win32.DataRecovery.b_3-400x240.png

To register this rogue application you can try the following serial number and enter any email:

08869246386344953972969146034087

How to remove the infection of Data Recovery(Rogue.Win32.DataRecovery.b)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.