'Recycler' Virus...
mnm21 (Newbie) - 25. September 2008 @ 07:50
I got this weird virus that has affected my flash drives and also all my partitions. It creates a "Recycler" folder and an autorun.inf file in any flash drive I plug in, and when I try deleting them, they come back again. Please help. Here's my HijackThis log:

*********
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:48 PM, on 9/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\AVG(XP~1\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
F:\AVG(XP~1\avgrsx.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Nikhil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\AVG(XP~1\avgemc.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Nikhil\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nikhil\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nikhil\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Nikhil\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
F:\HijackThis\HijackThis.exe

F3 - REG:win.ini: load= F:\TCWIN45\PIPELINE\remind.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\AVG (XP)\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O3 - Toolbar: (no name) - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
O4 - HKLM\..\Run: [WPA] regedit.exe /s WXMCE_WPA_CRACK.reg
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Nikhil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Shortcut to avgui.exe.lnk = F:\AVG (XP)\avgui.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\AVG (XP)\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - F:\AVG(XP~1\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\AVG(XP~1\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

--
End of file - 5144 bytes
********

JPetrucci (Senior Member) - 28. September 2008 @ 00:41
Hi mnm21

First plug in all your flash drives and partitions. Open autorun.inf and tell me what is written there.

Now, with all your flash drives plugged in, follow the instructions below.

Now, please download ComboFix.
With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

- Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
- Wait for the scan to be completed.
- If it requires a reboot, please do it.
- After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

Best Regards :D

Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.

mnm21 (Newbie) - 29. September 2008 @ 10:04
Thanks a lot for responding!
The contents of the autorun.inf file:
****
[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe
shell\open\default=1
****

And the ComboFix log:

ComboFix 08-09-27.06 - Nikhil 2008-09-29 19:24:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1547 [GMT 5.5:30]
Running from: F:\Setup Files\Softwares\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\winhelp.ini
H:\autorun.inf
H:\Knight.exe
H:\New Folder .exe
H:\oufddh.exe
H:\RECYCLER\RECYCLER .exe
H:\regsvr.exe

----- BITS: Possible infected sites -----

hxxp://nxpagent.airtelbroadband.in
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-22 20:32 . 2008-09-22 20:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-22 20:32 . 2008-09-22 20:32 0 --a------ C:\WINDOWS\mozver.dat
2008-09-21 12:42 . 2008-09-21 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Atheros

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2099-12-31 14:12 --------- d-----w C:\Program Files\Common Files\Java
2008-09-25 12:51 --------- d-----w C:\Documents and Settings\Nikhil\Application Data\gtk-2.0
2008-09-22 15:00 223,128 ----a-w C:\WINDOWS\system32\drivers\vaxscsi.sys
2008-09-21 04:15 --------- d-----w C:\Documents and Settings\Nikhil\Application Data\SiteAdvisor
2008-09-07 06:57 --------- d-----w C:\Documents and Settings\Nikhil\Application Data\uTorrent
2008-09-03 16:15 --------- d-----w C:\Documents and Settings\Nikhil\Application Data\ViStart
2008-08-30 03:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-15 14:13 --------- d-----w C:\Documents and Settings\Nikhil\Application Data\fretsonfire
2008-08-14 12:53 --------- d-----w C:\Program Files\CyberLink
2008-08-14 12:46 --------- d-----w C:\Program Files\HP
2008-08-12 12:23 --------- d-----w C:\Documents and Settings\Nikhil\Application Data\Audacity
2008-08-03 04:19 --------- d-----w C:\Program Files\Common Files\SupportSoft
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="C:\Documents and Settings\Nikhil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WPA"="regedit.exe" [2004-08-04 C:\WINDOWS\regedit.exe]

C:\Documents and Settings\Nikhil\Start Menu\Programs\Startup\
Shortcut to avgui.exe.lnk - F:\AVG (XP)\avgui.exe [2008-06-14 2636568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\AVG (XP)\\avgupd.exe"=
"F:\\AVG (XP)\\avgemc.exe"=
"F:\\iTunes\\iTunes.exe"=
"F:\\uTorrent\\uTorrent.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-14 96520]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-14 75272]
R3 slnt;Silan SC92031 PCI Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\slnt.sys [2004-06-22 18004]
S2 avg8emc;AVG8 E-mail Scanner;F:\AVG(XP~1\avgemc.exe [2008-06-14 902424]
S2 avg8wd;AVG8 WatchDog;F:\AVG(XP~1\avgwdsvc.exe [2008-06-14 282904]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Nikhil\Application Data\Mozilla\Firefox\Profiles\5t4d7iud.default\
FF -: plugin - C:\Documents and Settings\Nikhil\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - F:\Firefox 3\plugins\npnul32.dll
FF -: plugin - F:\Firefox 3\plugins\npqtplugin.dll
FF -: plugin - F:\Firefox 3\plugins\npqtplugin2.dll
FF -: plugin - F:\Firefox 3\plugins\npqtplugin3.dll
FF -: plugin - F:\Firefox 3\plugins\npqtplugin4.dll
FF -: plugin - F:\Firefox 3\plugins\npqtplugin5.dll
FF -: plugin - F:\Firefox 3\plugins\npqtplugin6.dll
FF -: plugin - F:\Firefox 3\plugins\npqtplugin7.dll
FF -: plugin - F:\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - F:\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - F:\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 19:27:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-29 19:29:21
ComboFix-quarantined-files.txt 2008-09-29 13:58:50

Pre-Run: 2,165,325,824 bytes free
Post-Run: 2,150,801,408 bytes free

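The autorun.inf quoted above is the whole mechanism of this infection: every key that Windows honours on insert or double-click (open, shell\open\command) points at service.exe under a RECYCLER subfolder named like an account SID, while the icon and action lines make the drive look like an ordinary folder. The following Python script is an added example and is not code from the thread or from ComboFix/HijackThis. It parses an autorun.inf, scores the traits this one shows, and reports the RECYCLER payloads and "New Folder .exe"-style lookalikes under a drive root, which is the same set of things the removal advice in this thread targets by hand. SAMPLE_AUTORUN is copied from the post; make_sample_drive builds a throwaway directory modelled on the ComboFix deletions list; all function names and heuristics are my own, and nothing is deleted.

```python
"""Triage helper for autorun.inf USB worms such as the 'Recycler' infection in
this thread.  Added example with assumed names and heuristics; it only reports."""
import re
import tempfile
from pathlib import Path

# autorun.inf contents as quoted in the thread (constructed here as a string).
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\service.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\service.exe
shell\\open\\default=1
"""

# Keys whose value is launched when the drive is inserted or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".vbs", ".pif")
# Folder named like a Windows account SID: S-1-5-21-<n>-<n>-<n>-<rid>
SID_DIR = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_indicators(entries):
    """Sorted list of suspicious traits found in a parsed autorun.inf."""
    hits = set()
    for key in LAUNCH_KEYS:
        value = entries.get(key, "")
        if value.lower().endswith(EXEC_SUFFIXES):
            hits.add(f"{key} launches an executable: {value}")
        if "recycler" in value.lower() or SID_DIR.search(value):
            hits.add(f"{key} points into a RECYCLER / SID-named folder")
    icon = entries.get("icon", "").lower().replace(" ", "")
    if icon.endswith(("shell32.dll,3", "shell32.dll,4")):
        hits.add("icon borrows the stock folder icon from SHELL32.dll")
    if "open folder" in entries.get("action", "").lower():
        hits.add("action text imitates the Windows 'open folder' prompt")
    return sorted(hits)


def scan_drive_root(root):
    """Report autorun.inf, RECYCLER payloads and 'New Folder .exe'-style
    lookalikes directly under a drive root.  Returns [(path, reason)]."""
    root, findings = Path(root), []
    inf = root / "autorun.inf"
    if inf.is_file():
        reasons = autorun_indicators(parse_autorun(inf.read_text(errors="replace")))
        for reason in reasons or ["autorun.inf present"]:
            findings.append((str(inf), reason))
    for entry in root.iterdir():
        # "New Folder .exe": an executable whose stem ends in a space to pass as a folder
        if entry.is_file() and entry.suffix.lower() in EXEC_SUFFIXES and entry.stem.endswith(" "):
            findings.append((str(entry), "executable named to look like a folder"))
        if entry.is_dir() and entry.name.lower() == "recycler":
            for p in entry.rglob("*"):
                if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                    findings.append((str(p), "executable inside RECYCLER"))
    return findings


def make_sample_drive(base):
    """Build a fake infected drive root modelled on the ComboFix deletions
    list in the thread (constructed test data, not real malware)."""
    base = Path(base)
    (base / "autorun.inf").write_text(SAMPLE_AUTORUN)
    payload_dir = base / "RECYCLER" / "S-1-5-21-1482476501-1644491937-682003330-1013"
    payload_dir.mkdir(parents=True)
    (payload_dir / "service.exe").write_bytes(b"MZ placeholder")
    (base / "New Folder .exe").write_bytes(b"MZ placeholder")
    (base / "holiday.jpg").write_bytes(b"\xff\xd8 placeholder")  # benign file
    return base


def demo_scan():
    """Scan a throwaway sample drive and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive_root(make_sample_drive(tmp))


if __name__ == "__main__":
    for hit in autorun_indicators(parse_autorun(SAMPLE_AUTORUN)):
        print("autorun.inf:", hit)
    for path, reason in demo_scan():
        print(reason, "->", path)
```

Point scan_drive_root at a real drive root (for example `scan_drive_root("H:\\")`) to get the list a cleanup should cover. It deliberately reports rather than deletes: a genuine Windows XP Recycle Bin also lives in RECYCLER\S-1-5-21-... and may legitimately hold a deleted .exe, so the decisive signal is an autorun.inf that launches something from that folder, not the folder alone.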

JPetrucci (Senior Member) - 29. September 2008 @ 10:43
Go to the root of every drive, and delete autorun.inf.

Also, open the Recycler folder, and delete everything in every subfolder inside.

Reboot, and you should have no more problems left.

Best Regards :D


mnm21 (Newbie) - 1. October 2008 @ 07:10
Thanks cdavfrew!!!! My comp's fine again! :)

JPetrucci (Senior Member) - 1. October 2008 @ 09:31
You're welcome. Enjoy!

Best Regards :D
