
Data-Restore successful removal.



#1 heavydude


Posted 10 October 2011 - 04:46 PM

Windows Vista Home Premium Version 6.0 (Build 6002 - Service Pack 2)
Internet Explorer 7.0.6002.18005

First time poster. I hope this is in the right place.

I was hit with Data-Restore a few days ago and suspected it was a fake. After having a friend go online and confirm that for me I was able to start my computer in safe mode and get online.

I found the instructions here for its removal and was able to get rid of it using rkill, unhide.exe, and Malwarebytes.

The instructions list the Data-Restore files and registry entries:

%LocalAppData%\<random>
%LocalAppData%\<random>.exe
%LocalAppData%\~<random>
%LocalAppData%\~<random>
%StartMenu%\Programs\Data Restore\
%StartMenu%\Programs\Data Restore\Data Restore.lnk
%StartMenu%\Programs\Data Restore\Uninstall Data Restore.lnk
%Temp%\smtmp\
%Temp%\smtmp\1
%Temp%\smtmp\1
%Temp%\smtmp\2
%Temp%\smtmp\3
%Temp%\smtmp\4
%UserProfile%\Desktop\Data Restore.lnk

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'Yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoDesktop" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

After Malwarebytes removed the intruder I checked all of the above.

The <random> files were already gone and I deleted the rest of the files.

Many of the registry entries were gone but the following remained:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'

Here's the question:

Am I supposed to delete those entries, change them, or leave them alone?

#2 Grinler

Lawrence Abrams (Admin)

Posted 10 October 2011 - 05:05 PM

Delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments

Change HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" to Yes

The last two you can change under folder options. They just correspond to showing hidden and system files.

#3 Grinler

Lawrence Abrams (Admin)

Posted 10 October 2011 - 05:07 PM

Alternatively you can use this reg file to fix the first 3 lines:

http://download.bleepingcomputer.com/reg/fakehdd.reg
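The advice in the two replies above, written up as an added PowerShell audit script (not code from the thread or from bleepingcomputer.com): it checks the five leftover values, reports which still carry the rogue's settings, and with the `-Fix` switch (defined here for this example) deletes the two policy keys and sets CheckExeSignatures back to yes. The two Explorer view values are reported only, since the thread leaves those to Folder Options. Runs as the affected user.

```powershell
# Added example: audit the registry values Data Restore leaves behind and
# optionally apply the fix described in the thread. -Fix is an assumption of
# this example; without it the script only reports.
param([switch]$Fix)

$hkcu = 'HKCU:\Software\Microsoft'
$checks = @(
    # Policy keys the rogue created: the whole key is removed.
    @{ Key = "$hkcu\Windows\CurrentVersion\Policies\Associations"; Name = 'LowRiskFileTypes';   Action = 'DeleteKey' }
    @{ Key = "$hkcu\Windows\CurrentVersion\Policies\Attachments";  Name = 'SaveZoneInformation'; Action = 'DeleteKey' }
    # Value the rogue flipped: restore it.
    @{ Key = "$hkcu\Internet Explorer\Download"; Name = 'CheckExeSignatures'; Bad = 'no'; Good = 'yes'; Action = 'SetValue' }
    # Explorer view settings: report only; the user chooses these in Folder Options.
    @{ Key = "$hkcu\Windows\CurrentVersion\Explorer\Advanced"; Name = 'Hidden';          Bad = 0; Action = 'Report' }
    @{ Key = "$hkcu\Windows\CurrentVersion\Explorer\Advanced"; Name = 'ShowSuperHidden'; Bad = 0; Action = 'Report' }
)

foreach ($c in $checks) {
    # Absent key or absent value both come back as $null here.
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("CLEAN  {0}\{1} (absent)" -f $c.Key, $c.Name)
        continue
    }
    $current = $item.($c.Name)
    # For DeleteKey entries, presence alone is the finding; otherwise compare to the bad value.
    $isBad = ($c.Action -eq 'DeleteKey') -or ($current -eq $c.Bad)
    if (-not $isBad) {
        Write-Output ("CLEAN  {0}\{1} = {2}" -f $c.Key, $c.Name, $current)
        continue
    }
    Write-Output ("FOUND  {0}\{1} = {2}" -f $c.Key, $c.Name, $current)
    if (-not $Fix) { continue }
    switch ($c.Action) {
        'DeleteKey' { Remove-Item -Path $c.Key -Recurse -Force; Write-Output '       deleted key' }
        'SetValue'  { Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Good; Write-Output "       set to $($c.Good)" }
        'Report'    { Write-Output '       change this under Folder Options > View' }
    }
}
```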

#4 heavydude

(Topic Starter)

Posted 10 October 2011 - 05:48 PM

Thanks.

That took care of it.