Data Recovery

Posted: September 14, 2011
Threat Metric
Threat Level: 10/10
Infected PCs 246

Data Recovery Description

Data Recovery Screenshot 1Data Recovery is a clone of System Recovery and other fake defraggers and file-recovery programs from the FakeSysDef family. Although Data Recovery pretends to offer file analysis, defragmentation and information-restoration services, these features don't really exist. Data Recovery's actual purpose as scamware is to filch the money from your bank account by creating a range of system problems on your computer and then demanding that you spend money on Data Recovery's registered version, supposedly to cure these problems. SpywareRemove.com malware researchers haven't seen any indications that Data Recovery is less malevolent than any of Data Recovery's relatives, and you should counteract any Data Recovery infection with anti-malware software that can remove all Data Recovery components via system scans.

The Fake Scans and Defrags That Data Recovery Uses for Its Own Ill Gain

The majority of Data Recovery infections occur due to contact with fake software update downloads or contact with malicious websites that exploit drive-by-download scripts to install Data Recovery without consent. Although Data Recovery may pretend to scan your PC for errors or fragmented files, what Data Recovery is really doing is creating a simulation of such a scan as an excuse to create fake error messages. Errors may also appear without being prompted by direct usage of Data Recovery, since Data Recovery's only aim is to create an atmosphere of paranoia and desperation, before Data Recovery asks you for your money.

Data Recovery has been updated to have a new interface and name called Smart Data Recovery. Both apps utilize similar actions for tricking PC users out of money.

Typical Data Recovery errors can include, but aren't limited to:

Bad sectors on hard drive or damaged file allocation table – Critical Error

28% of HDD space is unreadable – Critical Error

Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.

A problem detected while reading boot operation system files

System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.

Boot sector of the hard drive disk is damaged – Critical Error – Limited Edition

Windows – No Disk
Exception Processing Message 0×0000013

Read time of hard drive cluster less than 500 ms – Critical Error

Serious system error
The system will reboot in 30 seconds
Windows can not continue operating due to fatal system error.
Windows was forced to restart.
All unsaved data will be lost.

Confirmation
Data Recovery detected an error on your hard drive when trying to access a file
C:\Program Files\Internet Explorer\iexplore.exe
Perform data recovery now?

Disk Error
Can not find file: C:\Program Files\Messenger\msmsgs.exe
File may be deleted or corrupt.
It is strongly recommended to check the disk for errors.

Confirmation
Your hard drive contains a lot of critical errors!
All your data including installed programs, documents, email, etc. are at risk of irreversible corrupt.
The trial version does not have low-level access module needed to fix the errors found.
It is strongly recommended to activate the full version software with necessary modules. Activate full version now?

Since all of Data Recovery's supposed features are really just billboards for Data Recovery's fake warning messages, you should never try to use Data Recovery if you find Data Recovery on your computer. SpywareRemove.com malware experts also advise that you immediately cancel any credit card that was used to purchase Data Recovery's registration key, since allowing the card to remain active may put you in danger of other charges of a fraudulent nature in the future.

Recovering Your Computer from Data Recovery's Ravages

Unfortunately, SpywareRemove.com malware experts have also noted that Data Recovery infections can mean more than just being attacked by fake error messages. Some of the most prominent Data Recovery side effects can also include:

  • Browser hijackers that block websites, redirect you to dangerous websites or control your web browser's settings. These hijacks may even be accomplished by a Master Boot Record rootkit component, such as a TDSS Rootkit, TDL3 Rootkit, Rootkit.Boot.Mybios.a or TDSS.e!rootkit.
  • Vanishing shortcuts and other files. Data Recovery may alter file-viewing settings from your Registry that makes files from Windows Explorer invisible, although you should be able to view and access these files in another program (such as the Command Prompt). In other cases, Data Recovery may actually move files, especially shortcuts and place them in unusual locations, such as your Temp folder.
  • Blocked security programs, including anti-virus scanners and some basic utilities like Windows Task Manager.

Other fake security programs that exhibit equivalent attacks to Data Recovery include System Defragmenter, Ultra Defragger, HDD Control, Win HDD, Win Defrag, Win Defragmenter, Disk Doctor, Hard Drive Diagnostic, HDD Diagnostic, HDD Plus, HDD Repair, HDD Rescue, Smart HDD, Defragmenter, HDD Tools, Disk Repair, Windows Optimization Center, Scanner, HDD Low and Hdd Fix. All of these scamware products, as well as Data Recovery, can be combatted with appropriate usage of anti-malware software and traditional anti-malware tactics (such as Safe Mode-based reboots). Since Data Recovery may include rootkits components, SpywareRemove.com malware researchers advise that you don't try to remove Data Recovery by yourself whenever software-based tools are available.

Data Recovery Screenshot 2Data Recovery Screenshot 3Data Recovery Screenshot 4Data Recovery Screenshot 5Data Recovery Screenshot 6Data Recovery Screenshot 2Data Recovery Screenshot 7Data Recovery Screenshot 8Data Recovery Screenshot 9Data Recovery Screenshot 10Data Recovery Screenshot 11Data Recovery Screenshot 12Data Recovery Screenshot 13Data Recovery Screenshot 14Data Recovery Screenshot 15Data Recovery Screenshot 16Data Recovery Screenshot 17Data Recovery Screenshot 18Data Recovery Screenshot 19

Aliases


Trojan.Generic.KD.357944 [GData]Trojan.Agent/Gen-RogueASa variant of Win32/Kryptik.SUA [NOD32]FakeAlert-SysDef.b [McAfee]

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Data Recovery may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%ALLUSERSPROFILE%\Application Data\aaqcLbHptUym.exe File name: aaqcLbHptUym.exe
Size: 471.04 KB (471040 bytes)
MD5: c9eccf753d782b5427eb0e57c7e651c6
Detection count: 21
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data\
Group: Malware file
Last Updated: September 14, 2011
%ALLUSERSPROFILE%\Application Data\fjfYYuH67HH.exe File name: fjfYYuH67HH.exe
Size: 470.01 KB (470016 bytes)
MD5: 3cbccf2b1deb57b125069258c48abf7a
Detection count: 20
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data\
Group: Malware file
Last Updated: September 14, 2011
%ALLUSERSPROFILE%\Application Data\aaqcLAptUym.exe File name: aaqcLAptUym.exe
Size: 440.83 KB (440832 bytes)
MD5: 7e166a87270a0b8754ec946fb7a16626
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data\
Group: Malware file
Last Updated: September 14, 2011
%ALLUSERSPROFILE%\Application Data\VIKqcLAptUym.exe File name: VIKqcLAptUym.exe
Size: 472.06 KB (472064 bytes)
MD5: 433cf46d22a951113884be6ca7b0a5e7
Detection count: 18
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data\
Group: Malware file
Last Updated: April 19, 2021
%ALLUSERSPROFILE%\Application Data\6DSS92c31Apgjk.exe File name: 6DSS92c31Apgjk.exe
Size: 356.35 KB (356352 bytes)
MD5: bec326497bad81e5a9300739f62140c3
Detection count: 17
File type: Executable File
Mime Type: unknown/exe
Path: %ALLUSERSPROFILE%\Application Data\
Group: Malware file
Last Updated: September 14, 2011
%Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\1 File name: %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\1
Group: Malware file
%Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\2 File name: %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\2
Group: Malware file
%Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\3 File name: %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\3
Group: Malware file
%Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\4 File name: %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\4
Group: Malware file
%Documents and Settings%\[User Name]\Local Settings\Application Data\[RANDOM CHARACTERS] File name: %Documents and Settings%\[User Name]\Local Settings\Application Data\[RANDOM CHARACTERS]
Group: Malware file
%Documents and Settings%\[User Name]\Local Settings\Application Data\[RANDOM CHARACTERS].exe File name: %Documents and Settings%\[User Name]\Local Settings\Application Data\[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%Documents and Settings%\[User Name]\Local Settings\Application Data\~ File name: %Documents and Settings%\[User Name]\Local Settings\Application Data\~
Group: Malware file
%Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\ File name: %Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\
Group: Malware file
%Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\Data Recovery.lnk File name: %Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\Data Recovery.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
%Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\Uninstall Data Recovery.lnk File name: %Documents and Settings%\[User Name]\Start Menu\\Programs\Data Recovery\Uninstall Data Recovery.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
%Documents and Settings%\[User Name]\Desktop\Data Recovery.lnk File name: %Documents and Settings%\[User Name]\Desktop\Data Recovery.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
%Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\ File name: %Documents and Settings%\[User Name]\Local Settings\Temp\smtmp\
Group: Malware file

Registry Modifications


The following newly produced Registry Values are:

File name without pathData_Recovery.lnkHKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS]"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU "MRUList"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'

Related Posts

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.