Data Recovery

By Domesticus in Rogue Anti-Spyware Program | 520 views
Rate it:
1 Star2 Stars3 Stars4 Stars5 Stars (6 votes, average: 4.00 out of 5)
Loading ... Loading ...
 More... More

Data Recovery Description

Image Screenshot

[+] Click Image to Enlarge

Data Recovery is a fake defragmenter and system optimization tool. Programs like Data Recovery are known as rogueware and are part of a well-known computer scam. Date Recovery, in particular, belongs to a large family of rogue defragmenter tools that include such programs as PC Recovery and System Recovery. Despite being marketed as legitimate computer optimization applications, ESG security researchers have classified Data Recovery and its clones as malware. Data Recovery belongs to a particular category of malware that many PC security researchers refer to as scareware. Data Recovery receives this name because its main goal is to scare a computer user into paying a specific amount of money. Do not fall for the Data Recovery scam. If your computer system is displaying symptoms of a Data Recovery infection, ESG security researchers recommend using fully-updated anti-virus applications to destroy Data Recovery and any of its associated malware infections.

Data Recovery has a new clone called Smart Data Recovery. The interface for Smart Data Recovery has been updated from Data Recovery’s but remains to have virtually the same misleading actions and claims of removing malware from a PC.

Symptoms of a Data Recovery Infection

Data Recovery and Data Recovery’s clones cause a number of specific problems on an infected computer system. Like all rogue defragmenters, these problems are meant to confuse and panic an inexperienced computer user. In a panicked state, a computer user is more likely to believe Data Recovery’s claims that Data Recovery can fix the very problems Data Recovery is causing in the first place. ESG security researchers recommend being on the lookout for any of the following problems, and to take actions if your computer is displaying any of these symptoms:

  • One of the main symptoms of a Data Recovery infection is Data Recovery’s main screen, displayed upon start-up. A computer user cannot exit this screen until Data Recovery performs a fake computer scan. The results of this fake scan are always extremely negative. In fact, for experienced computer researchers, these results are laughable, often bordering on the impossible. For example, Data Recovery will often claim that the computer system cannot detect a hard drive, although the very fact that the computer system is working is proof to the contrary. These extremely negative results are not meant to be logical, but are actually meant to scare an inexperienced computer user into buying a useless “full version” of Data Recovery.
  • Data Recovery displays a large number of error messages and fake security alerts insisting on the results of its fake scan, often blocking Data Recovery’s victim from accessing files on the infected computer system.
  • A computer infected with Data Recovery usually becomes extremely slow and unstable, often becoming “stuck” or crashing frequently.

Type: Rogue AntiSpyware Programs

How Can You Detect Data Recovery?

Download SpyHunter’s Detection Scanner
to Detect Data Recovery.

Can’t install SpyHunter? Click here to view possible causes of installation issues.

‘How Data Recovery Infects Your Computer’ Video

Data Recovery Removal Details

Data Recovery has typically the following processes in memory:

  • %Documents and Settings%\[User Name]\Local Settings\Application Data\[RANDOM CHARACTERS].exe

Data Recovery creates the following files in the system:

  • %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\3
  • %Documents and Settings%\[User Name]\Local Settings\Application Data\~
  • %Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\Uninstall Data Recovery.lnk
  • %AppData%\Protector-[rnd].exe task
  • %Desktopdir%\Data_Recovery.lnk
  • %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\2
  • %Documents and Settings%\[User Name]\Local Settings\Application Data\[RANDOM CHARACTERS]
  • %Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\Data Recovery.lnk
  • %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
  • %Programs%\Data Recovery\Uninstall Data Recovery.lnk
  • %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\1
  • %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\4
  • %Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\
  • %Documents and Settings%\[User Name]\Desktop\Data Recovery.lnk
  • %AppData%\Protector-[rnd].exe reg
  • %Programs%\Data Recovery\Data Recovery.lnk

Data Recovery creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnonBadCertRecving” = ‘0′
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments “SaveZoneInformation” = ‘1′
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[RANDOM CHARACTERS].exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “Hidden” = ‘0′
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableTaskMgr” = ‘1′
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[rnd_0].exe %CommonAppliData%\[rnd_0].exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” = ‘0′
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = ‘/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = ‘1′
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU “MRUList”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main “Use FormSuggest” = ‘Yes’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop “NoChangingWallPaper” = ‘1′
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer “NoDesktop” = ‘1′
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[RANDOM CHARACTERS]”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced “ShowSuperHidden” = ‘0′
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr 0

Important Article Disclaimer

ESG Support Center

This entry was last updated on 11/30/11 and posted on 09/14/11. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
« PC Security Pro
Search.searchcompletion.com »

Leave a Comment

Note: Abusive comments are not allowed. Please do not post comments regarding technical support issues. ESG customers that have issues with SpyHunter should open a customer support ticket.

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word

Popular Malware

Popular Trojans

Recent Malware

Home | SpyHunter Risk Assessment Model | Privacy Policy | End User License Agreement | Additional Terms and Conditions
Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.