Data Recovery Virus

To remove the Data Recovery virus from an infected computer, we highly recommend using a trusted anti-malware tool. See the complete removal guide on this page.

Not every product named Data Recovery can be trusted. This claim is supported by the damage that the Data Recovery virus causes to an affected system.

While analyzing malicious URLs, we found one that stood out as a host for a malicious application. Unlike most fake software, this file has to be downloaded and executed by the user. After installation, the program turned out to be Data Recovery, a program that disguises itself as a system optimization tool.

It closes all running applications the moment it launches a scan. All folders and files on the compromised computer are set to hidden. Program entries disappear from the Start menu, and the only way to run an application is to know its location and file name. Displaying the missing folders and files again does no harm and is not complicated; it can be done with simple folder options. The trickiest part of removing Data Recovery is running an anti-malware scan when the malware can close any application. Do not attempt to end the virus process with Task Manager; it won't work. Data Recovery disables Task Manager, along with other tools it senses could be useful for manual threat removal.

Running a removal tool once in Safe Mode may do the trick. In Safe Mode, Data Recovery has no chance to load on its own, so the security program can clearly identify the files and registry entries belonging to the Data Recovery virus and remove them immediately. This shows the importance of Windows Safe Mode.

Update: May 18, 2012
There is a new version of the Data Recovery malware. Most people will see it as S.M.A.R.T. Repair. The new version now carries a much more dangerous rootkit Trojan. It can conceal its presence deep inside the infected computer, which makes the malware difficult to remove. Below is the screenshot of Data Recovery that was released this year (2012).

Data Recovery 2012

This new version of Data Recovery uses fake USPS (United States Postal Service) emails to reach its targets. The fake email contains the following information:

Subject: Your postal label is available.
Message:
Posta notification,
We couldn’t deliver your parcel.
Status/Postal code isn’t valid.
The label of your parcel is enclosed to the letter.
Print your label and show it in the nearest post office of USPS.

As you can see, the fake USPS email describes a package delivery that never took place. It wants you to execute the attached file by claiming that it contains the full information. Some users who mistakenly opened the attached file have suffered a Data Recovery infection. Refer to the fake USPS email image below.

Data Recovery Email

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Technical Details and Additional Information:

As an added strategy to deceive its victims, the Data Recovery virus displays an attention-grabbing taskbar alert containing the following text:

Critical Error
HDD critical error. Start a system diagnostics application to scan your hard disk for errors and performance problems.

Related Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random characters].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[random characters]"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"

Associated Files and Folders:
%StartMenu%\Programs\Data Recovery\
%UserProfile%\Desktop\Data Recovery.lnk
%LocalAppData%\[random characters]
%LocalAppData%\[random characters].exe
%LocalAppData%\~[random characters]
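
The following read-only PowerShell audit is an added example, not part of the original guide. It checks a subset of the registry values listed above against the data the malware sets, and flags HKCU Run entries that start an .exe placed directly in %LocalAppData%. The Run-key pattern is a heuristic assumption based on the file locations above, and it only applies where %LocalAppData% is defined (Windows Vista and later).

```powershell
# Added example: read-only audit of registry values from the list above.
# Nothing is modified. ShowSuperHidden = 0 is left out on purpose because
# it is also the Windows default and would match on clean systems.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$checks = @(
    @("HKCU:\$cv\Policies\System",        'DisableTaskMgr',        '1'),
    @("HKLM:\$cv\Policies\System",        'DisableTaskMgr',        '1'),
    @("HKCU:\$cv\Policies\Explorer",      'NoDesktop',             '1'),
    @("HKCU:\$cv\Policies\ActiveDesktop", 'NoChangingWallPaper',   '1'),
    @("HKCU:\$cv\Internet Settings",      'CertificateRevocation', '0'),
    @("HKCU:\$cv\Internet Settings",      'WarnonBadCertRecving',  '0'),
    @("HKCU:\$cv\Explorer\Advanced",      'Hidden',                '0'),
    @('HKCU:\Software\Microsoft\Internet Explorer\Download', 'CheckExeSignatures', 'no')
)

$hits = @()
foreach ($c in $checks) {
    $path, $name, $bad = $c
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    # Compare as strings so DWORD 1 and the string '1' both match.
    if ($item -and ("$($item.$name)" -eq $bad)) {
        $hits += "$path  $name = $bad"
    }
}

# Heuristic (assumption): a Run entry launching an .exe that sits directly
# in %LocalAppData%, matching the file locations listed above.
$runKey = "HKCU:\$cv\Run"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $env:LOCALAPPDATA) {
    $rx = '^"?' + [regex]::Escape($env:LOCALAPPDATA) + '\\[^\\]+\.exe'
    $psProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    foreach ($p in $run.PSObject.Properties) {
        if (($psProps -notcontains $p.Name) -and ("$($p.Value)" -match $rx)) {
            $hits += "$runKey  $($p.Name) -> $($p.Value)"
        }
    }
}

if ($hits.Count -eq 0) { 'No listed values found.' } else { $hits }
```

A single match is not proof of infection, since some of these values can be set by an administrator or by other software; several matches together with a Run entry are a strong signal.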

Video Tutorial (Data Recovery Removal)

This video tutorial is a self-help guide to removing Data Recovery using various methods to tweak Windows settings. The process demonstrates the use of MalwareBytes’ Anti-Malware to automatically find and delete files associated with Data Recovery.

How to Remove Data Recovery Virus

Activating the Rogue Program

The Data Recovery virus blocks any program from running. It also prevents access to the Internet, particularly to anti-virus web sites. Execution of Windows tools such as Task Manager, Registry Editor and Control Panel is similarly blocked by the rogue program. Activating the program with the registration key below restores access to these services.

1. To activate the program, click on "Trial version. Click here to activate." located at the lower right of the Data Recovery virus interface.
2. It will prompt for a registration code and an email address. You may use the following:

Activation Code: 15801587234612645205224631045976
Email Address: Use any email like name@mail.com

3. Once the program is activated, you can download the tools needed to scan for and remove the Data Recovery virus. You may proceed with automatic removal using the tool, or perform the manual procedure by following the guide below.

Data Recovery virus Removal Tool

To remove the threat completely, you need to download and run Malwarebytes Anti-Malware. This is a free malware removal tool. If the Trojan infection blocks the download of this program, get it using a clean computer. Rename the executable file before running it on the infected PC. Once the tool is installed, update the database. Usually, it updates itself when it senses that a new database is available.

1. After installing and updating the tool, the next thing to do is to reboot the computer in Safe Mode with Networking to prevent the Data Recovery virus from loading at start-up. You may want to print this procedure, as the computer has to be restarted to complete the removal process.

2. Restart the computer.
- Before Windows begins to load, press F8 on your keyboard.
- It will display an Advanced Boot Options menu. Select Safe Mode with Networking.
- Windows will now start in Safe Mode.

3. Open Malwarebytes Anti-Malware and perform a complete scan. Delete all detected threats.

How to Unhide Files and Folders

To prevent manual execution of programs and files, the Data Recovery virus hides files and folders on the infected computer. Most victims think that their files and folders have been deleted, but they have not. The malware simply changed their attributes to hide the data. Follow this guide to show all hidden files and folders if they remain hidden after activating the Data Recovery virus.

1. Open My Computer or Windows Explorer.
2. In the menu at the upper left corner, click on Organize, then choose Folder and Search Options.

3. Folder Options dialog box will appear. Select the View tab.
4. Under Advanced Settings, select "Show hidden files, folders and drives."

5. Click OK to save the settings. You can now view the folders and files, though they are still marked as hidden because the Data Recovery virus set their attributes to hidden.
6. While still in Windows Explorer, click on the drive (C: or D:). In the right pane, move the mouse over the folder or file you want to unhide. To select all folders, you may use the keyboard shortcut Ctrl+A. Right-click, then select Properties.

7. In the Attributes area, remove the check mark on Hidden. This will change the attributes of the affected files and folders. Click OK to save the settings.
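
Steps 1 to 7 can also be scripted. The PowerShell script below is an added example, not part of the original guide: it clears the Hidden attribute recursively but skips items that also carry the System attribute, so protected operating system files stay hidden. The $Root default and the -Apply switch are assumptions of this example; without -Apply the script only lists what it would change.

```powershell
# Added example: undo the Hidden attribute set by the malware.
# Items that are Hidden AND System (desktop.ini, OS-protected files,
# profile junctions) are skipped so they stay hidden as Windows intends.
param(
    [string]$Root = $env:USERPROFILE,  # assumption: start with the user profile
    [switch]$Apply                     # without -Apply, report only
)

$hidden  = [int][IO.FileAttributes]::Hidden
$system  = [int][IO.FileAttributes]::System
$changed = 0

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $attr = [int]$_.Attributes
        if (($attr -band $hidden) -and -not ($attr -band $system)) {
            if ($Apply) {
                try {
                    # Clear only the Hidden bit; keep ReadOnly, Archive, etc.
                    $_.Attributes = [IO.FileAttributes]($attr -band (-bnot $hidden))
                    $changed++
                } catch {
                    Write-Warning "Could not update $($_.FullName): $($_.Exception.Message)"
                }
            } else {
                "Would unhide: $($_.FullName)"
            }
        }
    }

if ($Apply) { "Cleared Hidden on $changed item(s) under $Root" }
```

Run it first without -Apply and review the list, since some applications hide their own files on purpose.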

What to do next...