Windows Recovery scamware - No Desktop Icons

Well, I just got another one of these today on a Win XP Pro SP3 machine. No desktop icons, nothing in "All Programs", etc, etc.

Found 4 items hiding in different places in Doc&Sets. Removed them, dumped the temp files, ran UNHIDE.EXE, reset the MBR, etc. Got the program list back, but still no desktop icons. Also, right-click wasn't working, plus a bunch of other probs still evident.

Talked to the customer about when the problem appeared to see how far back I needed to go to try a System Restore and he told me that he's been having browser redirects for almost two months! :eek:

At this point, no use in continuing as who knows what else is going on; N&P time :(

Volsnap.sys is infected. If you can't right click, guarantee it. Combofix from safe mode gets it or do it manually

The no desktop icons is a registry key. I can't remember which one but hitman will find it and repair it.

Will sfc repair it?

I tried a repair install on mine and it didn't help.
 
At rt7lite dot com on their footer, there is a link for their registry tweaker that looks like it fixes some of these issues with hidden icons. Hopefully it will help.

Best of luck
 
I thought I knew just about every tech phrase that was worth knowing...

Oh and must say I'm very impressed and interested to see different flavors of this scam rolling around.
 
Although I would hope that trashing the host's HDD doesn't become mainstream again. Not enough people have sufficient backup procedures (its own problem). The case I had concluded with them requesting an online, local and image backup setup.
 
Had one of these 3 days ago, tried manual removal, tried to reverse the changes, to no avail. Tried all our beloved scanners including Combofix, cloud-based stuff, and removed the infection. But as stated there were so many system files corrupt that SFC could not repair; the amount of time required to reverse the damage is simply too long. NP
 
Sorry, just found this thread again.

To replace volsnap.sys, boot from a CD (Windows Recovery Console, UBCD, Hiren's; take your pick) and copy/expand volsnap.sys from a Windows CD (same version as what's on the machine). Volsnap.sys is in %WinDir%\system32\drivers.
 
I never saw what scamware it was, ESET apparently stopped it or removed it. But I got one in this afternoon with the same deal. The entire %user% folder and contents had its permissions set to read-only and hidden. I fixed the permissions, and removed some other infections, but it trashed a lot of stuff. Over 200 system files that SFC could not repair. Could not access the hosts file without copying it elsewhere.

Whatever this was, it's one of the worst rogues that I have seen. So I nuked and paved; I have it sitting right here waiting for updates to finish so I can get it to the client in the AM.
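The two repair steps the posts above describe by hand (expanding a clean volsnap.sys from the install media, and clearing the hidden/read-only attributes a rogue set on a whole profile) as one batch script. This is an added example, not code from anyone in the thread; it assumes the install CD is on D:, Windows is on C:, and USERNAME is a placeholder profile name. It is meant to be run from an offline boot environment with a full cmd toolset (BartPE/Hiren's style); the Recovery Console itself only has expand and copy, and fc/attrib are not available there.

```batch
@echo off
rem Added example (not from the thread): restore volsnap.sys from XP install media
rem and clear hidden/read-only attributes on a user profile tree.
rem Assumptions: install CD on D:, Windows on C:, USERNAME is a placeholder.
set MEDIA=D:
set WIN=C:\WINDOWS
set PROFILE=C:\Documents and Settings\USERNAME

rem 1. Keep a copy of the suspect driver so it can be examined later.
copy "%WIN%\system32\drivers\volsnap.sys" "%WIN%\Temp\volsnap.sys.suspect"

rem 2. Expand the compressed driver (volsnap.sy_) from the i386 folder on the CD.
rem    The CD must be the same Windows version / service pack as the machine.
expand "%MEDIA%\i386\volsnap.sy_" "%WIN%\system32\drivers\volsnap.sys"

rem 3. Confirm the replacement took: expand a second copy and compare byte for byte.
expand "%MEDIA%\i386\volsnap.sy_" "%WIN%\Temp\volsnap.sys.clean"
fc /b "%WIN%\system32\drivers\volsnap.sys" "%WIN%\Temp\volsnap.sys.clean"

rem 4. Clear read-only and hidden on every file and folder under the profile.
attrib -r -h "%PROFILE%\*" /s /d
```

If fc reports differences after step 3, the driver file is still locked or the media is a different build; stop and check the service-pack level of the CD against the installed system before trusting the result.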
 
If anyone has an .exe to share, please let me know. I've studied earlier variants of this, and they weren't that hard to remove.

For anyone that wants a copy of this rogue, PM me your email and I will send it to you.
 
OK I just removed this bug with great success.

I will post another thread with the skinny.