Windows Recovery scamware - No Desktop Icons

Posted by Blue Banana (Member, South Africa)
Okay so the client brings in his laptop with the Windows Recovery Scam malware. I have removed it with Malwarebytes and then proceeded to unhide all the files on the hard drive (the malware hides all the files as well as the desktop icons).

I thought everything should be fine by now, but there are still no programs visible in the start menu and still no desktop icons. Any ideas?
 
Use the search function :)
There are a couple of threads from people having the exact same problem.
 
No.

[Attachment: SEARCH.png]
 
Just had one of these the other day. Possibly you didn't unhide exactly everything, specifically the program shortcuts in the Start Menu folders. Did you use the tool provided or do it manually? Follow the steps on the Bleeping Computer site to get rid of the virus, then use the unhide tool (http://download.bleepingcomputer.com/grinler/unhide.exe) at the bottom of the page; it resets the hidden attribute on all (pretty much) files on the hard drive.

At least on the system I had last week (XP Pro SP3) it did, and when I restarted all was fine. What was funny was this system still had a hidden unpassworded admin account, and when I restarted in Safe Mode and logged into the admin account, while there were no files (unless you selected show hidden files and folders), there was no virus active. Could be in the main account there wouldn't be either, but too many of these viruses can follow you into Safe Mode.
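The post above describes what the unhide tool does: it clears the Hidden attribute that the rogue sets on user files and on the Start Menu shortcuts. The script below is an added example, not the forum member's code and not the Bleeping Computer unhide.exe; it reports (and with -Fix, clears) Hidden/System attributes only in the folders the thread says the rogue hides: user profile folders, the Public desktop and the All Users Start Menu. It assumes a Windows Vista/7 profile layout and PowerShell 3 or later; on XP the folders live under C:\Documents and Settings and the paths in `$profileSubdirs` and `$targets` would need adjusting. Entries that Windows legitimately keeps hidden (desktop.ini, thumbs.db, junctions) are skipped so the script does not undo normal system state.

```powershell
# Added example (not from the thread or the unhide.exe tool): report, and
# optionally clear, Hidden/System attributes in the places the rogue hides.
# Assumed: Vista/7 profile layout, PowerShell 3+, run from an elevated prompt.
param(
    [switch]$Fix    # default is report-only; pass -Fix to clear attributes
)

$hidden  = [int][IO.FileAttributes]::Hidden
$system  = [int][IO.FileAttributes]::System
$reparse = [int][IO.FileAttributes]::ReparsePoint

# Per-profile folders whose contents should normally be visible.
$profileSubdirs = @(
    'Desktop', 'Documents', 'Downloads', 'Pictures', 'Music', 'Videos', 'Favorites',
    'AppData\Roaming\Microsoft\Windows\Start Menu'       # per-user Start Menu shortcuts
)

# Machine-wide locations: All Users Start Menu and the Public desktop.
$targets = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:PUBLIC\Desktop"
)
foreach ($profile in Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -Force) {
    # 'All Users' and 'Default User' are junctions; skip them to avoid recursing elsewhere.
    if ([int]$profile.Attributes -band $reparse) { continue }
    foreach ($sub in $profileSubdirs) { $targets += Join-Path $profile.FullName $sub }
}

# Names Windows legitimately marks Hidden+System; never touch these.
$skipNames = @('desktop.ini', 'thumbs.db')

$found = foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t)) { continue }
    Get-Item -LiteralPath $t -Force                                   # the folder itself may be hidden
    Get-ChildItem -LiteralPath $t -Recurse -Force -ErrorAction SilentlyContinue
}
$found = @($found | Where-Object {
    ([int]$_.Attributes -band $hidden) -and
    -not ([int]$_.Attributes -band $reparse) -and
    ($skipNames -notcontains $_.Name)
})

foreach ($item in $found) {
    if ($Fix) {
        # Clear Hidden and System, keep every other attribute bit (Archive, ReadOnly, ...).
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot ($hidden -bor $system)))
        "cleared  $($item.FullName)"
    } else {
        "hidden   $($item.FullName)"
    }
}

if ($Fix) { "{0} item(s) unhidden" -f $found.Count }
else      { "{0} hidden item(s) found (re-run with -Fix to clear)" -f $found.Count }
```

Run it first without -Fix and read the list: anything in it that looks like a system artefact rather than user data or a .lnk shortcut should be added to `$skipNames` before clearing. Scoping the sweep to profile folders is deliberate; the "pretty much all files" approach of a whole-drive unhide is what risks exposing files Windows meant to keep hidden.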
 
> Just had one of these the other day. Possibly you didn't unhide exactly everything, specifically the program shortcuts in the Start Menu folders. Did you use the tool provided or do it manually? Follow the steps on the Bleeping Computer site to get rid of the virus, then use the unhide tool (http://download.bleepingcomputer.com/grinler/unhide.exe) at the bottom of the page; it resets the hidden attribute on all (pretty much) files on the hard drive.
>
> At least on the system I had last week (XP Pro SP3) it did, and when I restarted all was fine. What was funny was this system still had a hidden unpassworded admin account, and when I restarted in Safe Mode and logged into the admin account, while there were no files (unless you selected show hidden files and folders), there was no virus active. Could be in the main account there wouldn't be either, but too many of these viruses can follow you into Safe Mode.

I actually used that same exact tool, but it didn't change a thing, still had no icons, no startup items.
 
> Okay so the client brings in his laptop with the Windows Recovery Scam malware. I have removed it with Malwarebytes and then proceeded to unhide all the files on the hard drive (the malware hides all the files as well as the desktop icons).
>
> I thought everything should be fine by now, but there are still no programs visible in the start menu and still no desktop icons. Any ideas?

I discovered a fix: after running ComboFix and MWB, then unhide.exe, and still manually trying to un-hide the Start Menu items, I did a System Restore from Safe Mode with Command Prompt and rolled back to the day before I got the unit, and ta-dah! There was everything! I then just ran MWB again, an MSE full scan and CCleaner, and it was clean, back to normal. :D
 
I just had one of these. I just did a N&P. After un-hiding files there was still tons of stuff missing. This virus actually deletes files; it doesn't just hide them. I tried System Restore, I tried to do a repair install, and nothing worked. Ask anyone, I am all about manual removal, but with this one I actually tried MAB and SAS, to no avail.

It's a new era of rogues. It's not just easy removals anymore. They are Fing systems up now.

I kind of think the makers of these viruses are members here. Because every time we make headway they come out with something new.

I have a copy of this one saved on my thumb drive. I plan to try and run it in a VM and see what all it does. However, I am afraid that N&P may be the only way to fix this one.
 
> I just had one of these. I just did a N&P. After un-hiding files there was still tons of stuff missing. This virus actually deletes files; it doesn't just hide them. I tried System Restore, I tried to do a repair install, and nothing worked. Ask anyone, I am all about manual removal, but with this one I actually tried MAB and SAS, to no avail.
>
> It's a new era of rogues. It's not just easy removals anymore. They are Fing systems up now.
>
> I kind of think the makers of these viruses are members here. Because every time we make headway they come out with something new.
>
> I have a copy of this one saved on my thumb drive. I plan to try and run it in a VM and see what all it does. However, I am afraid that N&P may be the only way to fix this one.

Just tried infecting a VM and this is another one that can detect VirtualBox. I will have to load an old system up and try and infect that.
 
Let us know what the result is - I'm really curious about the possibility that it might have deleted files. The system I had (as mentioned, wasn't that hard to disinfect from the hidden Administrator account) unhid all the files fine, but they also all seemed to be there afterwards (according to the client, who admittedly just looked at their important work files).

It would be interesting to know if it has the capability to delete files...
 
@VDUB12
Can you PM me a link to this virus, or do you still have the link to where and how you got it? It seems that we've seen this issue here a few times, but I would like to physically go through it before a client calls me up. This way I can give them a better explanation of the problem and how much it might cost them.
(i.e. might have to do a data transfer)
Thanks in advance. (My bench computer has not been affected by this problem ... yet; others, YES.) :confused:
 
I had one of these about 2 weeks ago and it did appear to both corrupt and delete files.

Was able to remove the malware and unhide all files, but rebooting revealed a lot of problems outstanding.

Turned out a number of win\sys32 files were either missing or corrupt. Ended up doing a N&P as I had spent a lot of time and there were simply too many issues remaining.
 
It depends on whether it installs a rootkit or not. Got two systems with this on; sorting out the Start Menu is very easy. Not sure if it deletes files; in all the examples I've seen it simply makes the user folder hidden.

Some have nasty rootkits installed. The one I had tonight, Hitman Pro actually found the infected DLL and replaced it.
 
> I had one of these about 2 weeks ago and it did appear to both corrupt and delete files.
>
> Was able to remove the malware and unhide all files, but rebooting revealed a lot of problems outstanding.
>
> Turned out a number of win\sys32 files were either missing or corrupt. Ended up doing a N&P as I had spent a lot of time and there were simply too many issues remaining.

Did you try a System Restore to a time before you cleaned it up? I know that seems foolish, but it worked in my case. I had the same issues after removal too, but I ran a few offline scans first, then ComboFix and MWB, which left it with major files still hidden; then I just did a System Restore to a day before and amazingly that worked. I just had to run an MWB scan and an MSE scan afterwards.
 
> Did you try a System Restore to a time before you cleaned it up? I know that seems foolish, but it worked in my case. I had the same issues after removal too, but I ran a few offline scans first, then ComboFix and MWB, which left it with major files still hidden; then I just did a System Restore to a day before and amazingly that worked. I just had to run an MWB scan and an MSE scan afterwards.

I tried that with the infection I had. It didn't work. The virus infects the restore points too. Before I did the N&P I restored it to the earliest restore point the computer had and it was still infected.

I am not sure why, but the people responsible for this, and probably all the rogues, are messing these computers up beyond repair. The infection I worked on was clean before I did the N&P. The problems went way deeper than that. Even after a repair install the system was shot.

I haven't had a chance yet to load up an old system so I can infect it and try to take an inventory of what it's doing. I don't hold much hope though. I think we are going to have to start doing N&P more often.
 
As said above, in my case volsnap.sys was infected; once that was replaced and the MBR rewritten, the system appears to be clean.

Also got another machine with the same virus but no rootkit at all on that one.

It seems this Windows Recovery fakeware comes in different flavours. Sometimes you get nasty rootkits, sometimes not. I really would rewrite the MBR before and after the N&P too, just to be on the safe side.
 
> As said above, in my case volsnap.sys was infected; once that was replaced and the MBR rewritten, the system appears to be clean.
>
> Also got another machine with the same virus but no rootkit at all on that one.
>
> It seems this Windows Recovery fakeware comes in different flavours. Sometimes you get nasty rootkits, sometimes not. I really would rewrite the MBR before and after the N&P too, just to be on the safe side.

The flavor I had: I found 163+ traces in my offline scans that I ran with 4 different scanners. Then, when I rebooted to normal, I had knocked down most of it, but then used ComboFix and MWB and killed it completely. I couldn't get everything unhidden properly, though; that's where the System Restore worked. I got lucky: the customer did not want a N&P because his work was on it, and a "special" program, and he didn't know how to back up anything. He will be getting a lesson from me today.
 
About a week ago I ran into this little monster as well. Could not boot into Safe Mode since it locked out the user account and all admin accounts. Loaded my custom Ubuntu live thumb drive, did a basic scan and cleaned a portion. After that I was able to log in as admin in Safe Mode. A past restore point worked to disable the attacks. Found the program lurking in a folder in Documents and Settings.

Luckily for me, this time it only hid files instead of deleting them. Love to know what you find out, vdub.
 
Well, I just got another one of these today on a Win XP Pro SP3 machine. No desktop icons, nothing in "All Programs", etc., etc.

Found 4 items hiding in different places in Doc&Sets. Removed them, dumped the temp files, ran UNHIDE.EXE, reset the MBR, etc. Got the program list back, but still no desktop icons. Also, right-click wasn't working, plus a bunch of other problems still evident.

Talked to the customer about when the problem appeared to see how far back I needed to go to try a System Restore and he told me that he's been having browser redirects for almost two months! :eek:

At this point, no use in continuing as who knows what else is going on; N&P time :(
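Two things in this thread bear on System Restore as a remediation step: one member reports that the restore points themselves carried the infection, and the post above shows why the onset date matters (a customer who has had redirects for two months leaves few clean points to roll back to). The script below is an added example, not code from any member of the thread; it lists the restore points on the machine, flags the ones that predate a symptom-onset date you supply, and warns when none exist. It assumes Windows PowerShell 5.1 on a client OS (Get-ComputerRestorePoint is not available in PowerShell 7), an elevated prompt, and System Restore enabled on the system drive; the `$SymptomOnset` parameter name is this example's own.

```powershell
# Added example (not from the thread): list System Restore points and flag
# those created before the first reported symptoms, so a rollback target can be
# chosen with the onset date in mind rather than the newest point.
# Assumed: Windows PowerShell 5.1, elevated, System Restore enabled.
param(
    # Assumed input: the date the customer first noticed symptoms.
    [Parameter(Mandatory = $true)][datetime]$SymptomOnset
)

$points = Get-ComputerRestorePoint | ForEach-Object {
    [pscustomobject]@{
        Sequence    = $_.SequenceNumber
        # CreationTime is a WMI datetime string; convert it to a real [datetime].
        Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Type        = $_.RestorePointType
        Description = $_.Description
    }
} | Sort-Object Created

if (-not $points) {
    Write-Warning 'No restore points found (System Restore disabled, or points purged).'
    return
}

# One line per point, oldest first, marked relative to the onset date.
$points | ForEach-Object {
    $flag = if ($_.Created -lt $SymptomOnset) { 'CANDIDATE ' } else { 'post-onset' }
    '{0} {1:yyyy-MM-dd HH:mm} seq {2,4}  {3}' -f $flag, $_.Created, $_.Sequence, $_.Description
}

$candidates = @($points | Where-Object { $_.Created -lt $SymptomOnset })
if ($candidates.Count -eq 0) {
    # Every point is newer than the infection; restoring could reinstate it,
    # which is the failure mode reported earlier in this thread.
    Write-Warning ('Every restore point is newer than {0:yyyy-MM-dd}; a restore may bring the infection back.' -f $SymptomOnset)
} else {
    $c = $candidates[0]
    'Oldest pre-onset point: seq {0} ({1:yyyy-MM-dd}). To roll back: Restore-Computer -RestorePoint {0}' -f $c.Sequence, $c.Created
}
```

Pass the onset date as the customer reports it, e.g. `.\restore-points.ps1 -SymptomOnset '2011-03-01'`; the script only reports, and the `Restore-Computer` line it prints is for you to run deliberately after a scan, since, as the thread notes, a restore is no guarantee the infection is gone.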
 