The Data Recovery virus is rogue software that pretends to be a repair utility in order to fool the user and harvest confidential information such as bank account details, email IDs and passwords.
Whenever the Data Recovery virus attacks your system, you will see a flood of pop-up hard drive error messages asking you to fix them immediately by purchasing a data recovery software licence key.
Where do they come from?
While you are browsing, these applications are downloaded automatically by drive-by download scripts (Trojan droppers) placed on malicious sites, and they are installed on the user's system without any notification.
These malicious sites are created deliberately to harm users' PCs and laptops: the installed malware alters registry settings and reports back to its command and control (C&C) server.
How can we identify it?
Like other known viruses, this one is created to steal confidential information and to disrupt normal system performance.
Once infected, you may face several problems: automatic browser redirects; an automated "scan" that claims to check the hard drive for errors and pushes you to purchase the data recovery software so that the attackers can capture your bank account details; and registry-level changes that give the malware access to your private data on the system.
Moreover, it starts an automatic scan every time you boot the PC and displays results with an option to "fix it now". Some common issues the Data Recovery virus reports are:
Hard drive boot sector reading error
System blocks were not found
Error 0x00000024 – NTFS_FILE_SYSTEM
Error 0x00000078 – INACCESSIBLE_BOOT_DEVICE
Error 0x0000002E – DATA_BUS_ERROR
Error 0x00000050 – PAGE_FAULT_IN_NONPAGED_AREA
The DRM attribute value is too small before disk scan
Below are some screenshots taken from a PC infected with the Data Recovery virus. Compare them with your own screen to identify whether the same windows appear in your case too:
Once you click the repair option, it takes you to the product activation page:
Once you click 'Buy License Now', it takes you to the attackers' website, and any bank details you enter there can easily be read by them. For the time being, you are advised to enter the temporary activation code mentioned below so that the fake alerts stop while you follow the virus removal procedure:
Remember, entering the activation code does not remove the Data Recovery virus; it only stops further damage and prevents the virus from creating more fake alerts.
How can we remove it?
You are advised to take a snapshot of this tutorial or print it out, as the PC needs to be restarted several times during the manual removal procedure.
1. Remove or unplug any attached storage media such as CDs, USB drives, memory cards and external hard drives, then restart your PC.
2. Press and hold the F8 key immediately after powering on to reach the Advanced Boot Options screen.
3. Select 'Safe Mode with Networking' from the Advanced Boot Options screen.
4. Once you reach the desktop, press 'Windows Key' + 'R' and type regedit in the Open box.
5. Delete the registry entries below, which the Data Recovery virus modifies or creates:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = "0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = "0"
HKCU\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = "Yes"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = "0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = "0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = "1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = "1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "(random char).exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "(random char)"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = "1"
HKCU\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
P.S.: To access and modify the system registry, you need to be logged in as an administrator.
- Remove the malicious files:
%StartMenu%\Programs\Data Recovery\
%StartMenu%\Programs\Data Recovery\Data Recovery.lnk
%StartMenu%\Programs\Data Recovery\Uninstall Data Recovery.lnk
- Scan your computer with your installed AV program, or download Malwarebytes Anti-Malware (MBAM) from malwarebyte.com. Note: Microsoft Security Essentials can also scan your PC effectively; MBAM gives a more thorough scan. Don't forget to update MBAM after installation, as current definitions help it detect the malware more reliably.
- Choose the Full Scan option on the MBAM scanner screen. When the scan completes, MBAM shows the results and an option to remove the detected items. Choose "Remove all" and close MBAM.
- If, even after removing all the malware programs and infected files, some files still appear to be missing or hidden, you can use Unhide.exe. This program clears the +H (hidden) attribute that the Data Recovery virus sets on all files on the hard drive.
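The manual checks in steps 4 and 5 and in the file removal step can be turned into a read-only audit before you start deleting anything. The PowerShell script below is an added example, not code from the original post or from any product it mentions: it reads the registry values and the Start Menu paths listed above and reports which ones match the values the rogue sets, without modifying anything. The listing of every HKCU Run entry for manual review, the all-users Start Menu check and the hidden-item count on the Desktop and in Documents are assumptions added here as extra signals, not indicators taken from the article.

```powershell
# Added audit script (not part of the original article). Read-only: it reports
# indicators of the "Data Recovery" rogue and deletes nothing.
# Run from an elevated PowerShell prompt so the HKLM value can be read.
function Test-DataRecoveryRogue {
    [CmdletBinding()]
    param()

    # Registry values the article attributes to the rogue, with the value it sets.
    $indicators = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';  Name = 'Hidden';                Bad = '0' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';  Name = 'ShowSuperHidden';       Bad = '0' }
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                     Name = 'Use FormSuggest';       Bad = 'yes' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';   Name = 'CertificateRevocation'; Bad = '0' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';   Name = 'WarnonBadCertRecving';  Bad = '0' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper'; Bad = '1' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation';  Bad = '1' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';   Name = 'NoDesktop';             Bad = '1' }
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';     Name = 'DisableTaskMgr';        Bad = '1' }
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';     Name = 'DisableTaskMgr';        Bad = '1' }
        @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                 Name = 'CheckExeSignatures';    Bad = 'no' }
    )

    $findings = @()

    foreach ($i in $indicators) {
        # A missing key or value just yields $null; only present values are compared.
        $item = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $actual = $item.($i.Name)
            # DWORD and string data are both compared as case-insensitive text.
            if ("$actual" -ieq $i.Bad) {
                $findings += [pscustomobject]@{
                    Type     = 'Registry value'
                    Location = "$($i.Key) -> $($i.Name)"
                    Detail   = "set to $actual"
                }
            }
        }
    }

    # The rogue registers itself under Run with a random name, so every entry is
    # listed for manual review rather than matched against a guessed pattern.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path -Path $runKey) {
        foreach ($name in (Get-Item -Path $runKey).Property) {
            $command = (Get-ItemProperty -Path $runKey -Name $name).$name
            $findings += [pscustomobject]@{
                Type     = 'Run entry (review)'
                Location = "$runKey -> $name"
                Detail   = $command
            }
        }
    }

    # %StartMenu% is the per-user Start Menu; the all-users one is checked as well (assumption).
    foreach ($folder in 'StartMenu', 'CommonStartMenu') {
        $dir = Join-Path ([Environment]::GetFolderPath($folder)) 'Programs\Data Recovery'
        if (Test-Path -LiteralPath $dir) {
            foreach ($f in Get-ChildItem -LiteralPath $dir -Force) {
                $findings += [pscustomobject]@{ Type = 'File'; Location = $f.FullName; Detail = 'present' }
            }
        }
    }

    # Rough signal for the +H trick: a healthy profile has only a few hidden items
    # (desktop.ini and the like) here, a hijacked one has nearly everything hidden.
    foreach ($folder in 'Desktop', 'MyDocuments') {
        $path   = [Environment]::GetFolderPath($folder)
        $all    = @(Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue)
        $hidden = @($all | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden })
        if ($all.Count -gt 0 -and $hidden.Count -gt ($all.Count / 2)) {
            $findings += [pscustomobject]@{
                Type     = 'Hidden attribute'
                Location = $path
                Detail   = "$($hidden.Count) of $($all.Count) items hidden"
            }
        }
    }

    return $findings
}

$results = Test-DataRecoveryRogue
if ($results) {
    $results | Format-Table -AutoSize -Wrap
} else {
    'No Data Recovery indicators found.'
}
```

Run it once in Safe Mode with Networking before step 5 to confirm which of the listed values are actually present on the machine, and again after the MBAM scan to verify that the Run entries and the Start Menu folder are gone; the Run-entry rows are printed for every entry, so legitimate startup programs will appear there too and need to be recognised by eye.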
About the Author: Abhayjeet is a part-time blogger and computer security expert who writes articles on different types of virus attacks and on strategies for recovering data that has been deleted or formatted by viruses.