Data Recovery

Data Recovery Description

Type: Rogue Defragmenter Program

Data Recovery is a fake defragmenter and system optimization tool. Programs like Data Recovery are known as rogueware and are part of a well-known computer scam. Data Recovery, in particular, belongs to a large family of rogue defragmenter tools that includes such programs as PC Recovery and System Recovery. Although these programs are marketed as legitimate computer optimization applications, ESG security researchers have classified Data Recovery and its clones as malware. Data Recovery belongs to a category of malware that many PC security researchers refer to as scareware, so named because its main goal is to scare a computer user into paying a specific amount of money. Do not fall for the Data Recovery scam. If your computer system is displaying symptoms of a Data Recovery infection, ESG security researchers recommend using fully updated anti-virus applications to remove Data Recovery and any of its associated malware infections.

Data Recovery has a new clone called Smart Data Recovery. The interface for Smart Data Recovery has been updated from Data Recovery's, but it retains virtually the same misleading actions and claims of removing malware from a PC.

Symptoms of a Data Recovery Infection

Data Recovery and its clones cause a number of specific problems on an infected computer system. As with all rogue defragmenters, these problems are meant to confuse and panic an inexperienced computer user. In a panicked state, a computer user is more likely to believe Data Recovery's claims that it can fix the very problems it is causing in the first place. ESG security researchers recommend being on the lookout for any of the following problems and taking action if your computer is displaying any of these symptoms:

  • One of the main symptoms of a Data Recovery infection is Data Recovery's main screen, displayed upon start-up. A computer user cannot exit this screen until Data Recovery performs a fake computer scan. The results of this fake scan are always extremely negative. In fact, for experienced computer researchers, these results are laughable, often bordering on the impossible. For example, Data Recovery will often claim that the computer system cannot detect a hard drive, although the very fact that the computer system is working is proof to the contrary. These extremely negative results are not meant to be logical, but are actually meant to scare an inexperienced computer user into buying a useless "full version" of Data Recovery.
  • Data Recovery displays a large number of error messages and fake security alerts insisting on the results of its fake scan, often blocking Data Recovery's victim from accessing files on the infected computer system.
  • A computer infected with Data Recovery usually becomes extremely slow and unstable, often becoming "stuck" or crashing frequently.


3 security vendors flagged this file as malicious.

Anti-Virus Software Detection
GData Trojan.Generic.KD.357944
NOD32 a variant of Win32/Kryptik.SUA
McAfee FakeAlert-SysDef.b

Technical Information

File System Details

Data Recovery creates the following file(s):
# File Name MD5 Detection Count
1 VIKqcLAptUym.exe 433cf46d22a951113884be6ca7b0a5e7 1
2 %Documents and Settings%\[User Name]\Local Settings\Application Data\[RANDOM CHARACTERS].exe N/A
3 %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\3 N/A
4 %Documents and Settings%\[User Name]\Local Settings\Application Data\~ N/A
5 %Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\Uninstall Data Recovery.lnk N/A
6 %AppData%\Protector-[rnd].exe task N/A
7 %Desktopdir%\Data_Recovery.lnk N/A
8 %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\2 N/A
9 %Documents and Settings%\[User Name]\Local Settings\Application Data\[RANDOM CHARACTERS] N/A
10 %Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\Data Recovery.lnk N/A
11 %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\ N/A
12 %AppData%\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk N/A
13 %Programs%\Data Recovery\Uninstall Data Recovery.lnk N/A
14 %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\1 N/A
15 %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\4 N/A
16 %Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\ N/A
17 %Documents and Settings%\[User Name]\Desktop\Data Recovery.lnk N/A
18 %AppData%\Protector-[rnd].exe reg N/A
19 %Programs%\Data Recovery\Data Recovery.lnk N/A
20 6DSS92c31Apgjk.exe bec326497bad81e5a9300739f62140c3 0
21 aaqcLAptUym.exe 7e166a87270a0b8754ec946fb7a16626 0
22 fjfYYuH67HH.exe 3cbccf2b1deb57b125069258c48abf7a 0
23 aaqcLbHptUym.exe c9eccf753d782b5427eb0e57c7e651c6 0

Registry Details

Data Recovery creates the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[rnd_0].exe %CommonAppliData%\[rnd_0].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr 0
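
A triage check built from the registry list above, as an added example that is not part of the original page: it parses regedit export text and flags a subset of the policy, Internet Explorer and Image File Execution Options changes listed. The function names, the sample export and the placeholder Debugger path are constructed for illustration.

```python
import re

# Subset of the registry list above: (key suffix, value name, flagged data).
# None means any data is flagged. ShowSuperHidden = 0 is omitted because it is
# also the normal Windows setting and would flag every machine.
RULES = [
    (r"currentversion\policies\system", "disabletaskmgr", "1"),
    (r"currentversion\explorer\advanced", "hidden", "0"),
    (r"currentversion\internet settings", "certificaterevocation", "0"),
    (r"internet explorer\download", "checkexesignatures", "no"),
    (r"image file execution options\taskmgr.exe", "debugger", None),
]

def parse_reg(text):
    """Yield (key, value name, data) from regedit export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                raw = str(int(raw[6:], 16))      # dword:00000001 -> "1"
            yield key, name, raw.strip('"').replace("\\\\", "\\")

def audit(text):
    """Return (hive, value name, data) for every entry matching RULES."""
    hits = []
    for key, name, data in parse_reg(text):
        for suffix, rule_name, flagged in RULES:
            if (key.lower().endswith(suffix) and name.lower() == rule_name
                    and flagged in (None, data.lower())):
                hits.append((key.split("\\")[0], name, data))
    return hits

# Constructed sample export, not taken from a real infected machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\placeholder\\example.exe"
'''
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Files written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode them before passing the text to `audit`.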

