Arief Prabowo

Data Recovery Rogue Removal Instructions

Recommended Posts

The Emsisoft malware research team has discovered a new outbreak of the Data Recovery. Emsisoft Anti-Malware detects this malware as Rogue.Win32.DataRecovery.b.

Data Recovery is a rogue scanner application. A rogue application tries to trick you by displaying false positive or misleading scan results report, which says that your computer has a problem, or infected with viruses or trojan, but you will not be able to fix it before you purchase.

Create new files:

%AllUsersProfile%\Application Data\peNIiagqcfvoe9
%AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9
%AllUsersProfile%\Application Data\-peNIiagqcfvoe9r
%AppData%\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
%UserProfile%\Local Settings\Temp\license.dat
%UserProfile%\Local Settings\Temp\RZQQnkXDzMfhGS.exe.tmp
%UserProfile%\Start Menu\Programs\Data Recovery\
%UserProfile%\Start Menu\Programs\Data Recovery\Data Recovery.lnk
%UserProfile%\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk

Create/modify registry entries:

nsreg = 00000000
pth = 43003A005C0044006F00630075006D0065006E0074007300200061006E…

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Download\
CheckExeSignatures = no

HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Main\
Use FormSuggest = Yes

TaskbarGlomming = empty
TaskbarGlomLevel = 0x02000000
Hidden = empty
ShowSuperHidden = empty
Start_ShowUser = 0x01000000
Start_ShowControlPanel = 0x01000000
Start_ShowHelp = 0x01000000
Start_ShowMyComputer = 0x01000000
Start_ShowMyDocs = 0x01000000
Start_ShowMyMusic = 0x01000000
Start_ShowMyGames = 0x01000000
Start_ShowMyPics = 0x01000000
Start_ShowPrinters = 0x01000000
Start_ShowRecentDocs = 0x01000000
Start_ShowRun = 0x01000000
Start_ShowSearch = 0x01000000
Start_ShowSetProgramAccessAndDefaults = 0x01000000
Start_ShowNetConn = 0x01000000
Start_ShowNetPlaces = 0x01000000

LowRiskFileTypes = .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;...

SaveZoneInformation = 0x01000000

peNIiagqcfvoe9 = %AllUsersProfile%\Application Data\peNIiagqcfvoe9.exe





To register this rogue application you can try the following serial number and enter any email:


How to remove the infection of Data Recovery(Rogue.Win32.DataRecovery.b)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.