Infected by Recycler & $RECYCLE.BIN virus/worm


  • Please log in to reply
14 replies to this topic

#1 gametanx

Posted 23 January 2010 - 06:19 AM

Hi,
My computer has been infected by the RECYCLER & $RECYCLE.BIN virus/worm and I can't get rid of them.
Recycler intruded my PC from a USB pen drive that I inserted. I was using Norton Internet Security at that time but it didn't detect the worm/virus.
Days later I saw $RECYCLE.BIN had also infected my PC. I am now using Kaspersky Internet Security 2010 but it also cannot detect & remove these 2 infections.
There are RECYCLER & $RECYCLE.BIN folders in every partition of my hard drive. If I manually delete these folders, they recreate themselves.
Please help me!


#2 quietman7

Posted 23 January 2010 - 09:34 AM

My computer has been infected by RECYCLER & $RECYCLE.BIN virus/worm and i cant get rid of them

How do you know? If Kaspersky is not detecting a threat in Recycler, then what program is alerting you to infection?

The Recycle Bin (Recycler) folder is a feature which provides a safety net when deleting files or folders in Windows. The file(s) remain there until you empty the Recycle Bin or restore the file. The actual location of the Recycle Bin varies depending on the operating system and file system used. On NTFS file systems, Recycler is the name of the Recycle Bin folder which can be found in each partition on your hard drive. On FAT file systems, the folder is named Recycled. The Recycler folder contains a Recycle Bin directory for each registered user on the computer, sorted by their security identifier (SID). Inside the Recycler folder you will find an image of the recycle bin with a name that includes a long number with dashes (S-1-5-21-1417001333-920026266-725345543-1003) used to identify the user that deleted the files.
  • S - The string is a SID.
  • 1 - The revision level.
  • 5 - The identifier authority value.
  • 21-1417001333-920026266-725345543 - Domain or local computer identifier.
  • 1003 - A Relative ID (RID). This number, starting from 1000, increments by 1 for each user that's added by the Administrator. 1003 means the 3rd user profile that was created.
For more specific information about SIDs, please refer to:

Once the recycle bins are empty, the legitimate directories should be empty as well. However, even after emptying the Recycle Bin, the Recycler folder will still contain a "Recycle Bin" for each user that logs on to the computer, sorted by their security SID. If you delete the C:\Recycler folder, Windows will automatically recreate it on next reboot.

If you never saw these folders before, you should not be alarmed. The Recycler folder is hidden by default unless you reconfigured Windows to show hidden files and folders by unchecking "Hide protected operating system files" in Tools > Folder Options > View.

The Norton Protected Recycle Bin includes a directory called NProtect, which is used to store temporary copies of files that the user has deleted or modified. This feature supplements the Windows Recycle Bin, creating a temporary backup of certain types of files that the Windows Recycle Bin does not back up, and allows the user to recover these protected files if they are accidentally deleted. NProtect is hidden from the Windows FindFirst/FindNext APIs using rootkit technologies. Since the hidden directory is not visible to Windows, files in the directory might not be scanned during virus scans but may be detected by anti-rootkit tools.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 gametanx

Posted 23 January 2010 - 12:37 PM

My computer has been infected by RECYCLER & $RECYCLE.BIN virus/worm and i cant get rid of them

How do you know? If Kaspersky is not detecting a threat in Recylcer, then what program is alerting you to infection?


Because these 2 folders have spread to every USB pen drive & external hard drive that I connected to my computer.
The RECYCLER folder has 2 hidden files which are 'desktop.ini' & 'INFO2' (which I saw by using WinRAR).

#4 quietman7

Posted 23 January 2010 - 02:32 PM

Yes, although the RECYCLER folder contains legitimate files, it is also a known hiding place for some types of malware which load an autorun.inf file that modifies and uses the Windows Explorer right-click context menu so that the standard "Open" or "Explore" command redirects to executing the malicious file, as described here. The presence of a desktop.ini configuration file instructs Windows to display the folder RECYCLER as if it were actually a Recycle Bin.

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
    Note: If you only want to scan your usb (flash) drive, then instead put a check next to Custom Scan and click on (highlight) the drive letter associated with it.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete.

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.
alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#5 gametanx

Posted 25 January 2010 - 08:31 AM

As you instructed, I ran TFC & rebooted my PC when it asked to. Then I booted the computer in Safe Mode. Ran Dr.Web CureIt & express scanned my PC. It didn't find any malware. Then I ran Complete scan. But it took way too long to scan & I lost my patience and stopped the scan when it reached like 90%. It was 4 am & I couldn't stay awake anymore. Dr.Web CureIt did not detect the 2 viruses I had earlier reported. This is the log that it generated.

Aone3GPConverter.exe/data002\{app}\app\AddiTunes.exe;G:\New Softwares\A_1_3GP_Video_Convertor_4.43_ByMechoDownload\Aone3GPConverter.exe/data002;Trojan.PWS.Legmir;;
Aone3GPConverter.exe/data002\{app}\app\QT3GPPFlatten.exe;G:\New Softwares\A_1_3GP_Video_Convertor_4.43_ByMechoDownload\Aone3GPConverter.exe/data002;Trojan.PWS.Legmir;;
data002;G:\New Softwares\A_1_3GP_Video_Convertor_4.43_ByMechoDownload;Archive contains infected objects;;
Aone3GPConverter.exe;G:\New Softwares\A_1_3GP_Video_Convertor_4.43_ByMechoDownload;Container contains infected objects;Moved.;
newinternettv2007full.exe\data005;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol\newinternett;Program.RemoteAdmin;;
newinternettv2007full.exe\data006;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol\newinternett;Program.RemoteAdmin.21;;
newinternettv2007full.exe\data007;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol\newinternett;Program.RemoteAdmin;;
documents and settings\mike\desktop\lol\newinternettv2007full.exe;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol;Container contains infected objects;;
arrieffie7(7uafb9ai).exe\runtime.exe;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol\arrieffie7(7;Trojan.Packed.650;;
documents and settings\mike\desktop\lol\arrieffie7(7uafb9ai).exe;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol;Archive contains infected objects;;
NewInternetTV2007full.exe;G:\New Softwares\NewInternetTV2007full_by_FOT9_F;Container contains infected objects;Moved.;
Vista Transformation Pack 3.0.exe/data020\data006;G:\New Softwares\Vista Transformation Pack Installer\Vista Transformation Pack 3.0.exe/data020;Tool.CloseApp;;
data020;G:\New Softwares\Vista Transformation Pack Installer;Archive contains infected objects;;
Vista Transformation Pack 3.0.exe;G:\New Softwares\Vista Transformation Pack Installer;Archive contains infected objects;Moved.;
BMSetup.exe\data003;G:\Old Softwares\Latest Softwares\bwm_www.softarchive.net\bwm\BMSetup\BMSetup.exe;Program.SrvAny;;
BMSetup.exe;G:\Old Softwares\Latest Softwares\bwm_www.softarchive.net\bwm\BMSetup;Container contains infected objects;Moved.;

I have used Malwarebytes before, but it wasn't able to detect the mentioned viruses. Do I still have to run it again?

Please help.

#6 quietman7

Posted 25 January 2010 - 09:03 AM

My instructions included this note:

Please be patient as this scan could take a long time to complete.

Thus, you need to wait until the scan has finished. Most folks go to bed and let it run overnight.

If you already ran MBAM for what you are dealing with now and it found nothing, then there is no need to do it again unless you are using an old version of it and/or an outdated database. Last I checked it was 3633.

#7 gametanx

Posted 26 January 2010 - 01:42 PM

Yes, I ran MBAM recently but it didn't detect the viruses.
Here is the Dr.Web CureIt log:

A0005131.exe/data002\{app}\app\AddiTunes.exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005131.exe/data002;Trojan.PWS.Legmir;;
A0005131.exe/data002\{app}\app\QT3GPPFlatten.exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005131.exe/data002;Trojan.PWS.Legmir;;
data002;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15;Archive contains infected objects;;
A0005131.exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15;Container contains infected objects;Moved.;
newinternettv2007full.exe\data005;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005132.exe/documents and settings\mike\deskt;Program.RemoteAdmin;;
newinternettv2007full.exe\data006;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005132.exe/documents and settings\mike\deskt;Program.RemoteAdmin.21;;
newinternettv2007full.exe\data007;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005132.exe/documents and settings\mike\deskt;Program.RemoteAdmin;;
documents and settings\mike\desktop\lol\newinternettv2007full.exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005132.exe/documents and settings\mike\deskt;Container contains infected objects;;
arrieffie7(7uafb9ai).exe\runtime.exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005132.exe/documents and settings\mike\deskt;Trojan.Packed.650;;
documents and settings\mike\desktop\lol\arrieffie7(7uafb9ai).exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005132.exe/documents and settings\mike\deskt;Archive contains infected objects;;
A0005132.exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15;Container contains infected objects;Moved.;
A0005133.exe/data020\data006;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005133.exe/data020;Tool.CloseApp;;
data020;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15;Archive contains infected objects;;
A0005133.exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15;Archive contains infected objects;Moved.;
A0005134.exe\data003;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15\A0005134.exe;Program.SrvAny;;
A0005134.exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15;Container contains infected objects;Moved.;

Please help.

#8 quietman7

Posted 26 January 2010 - 02:15 PM

Dr.Web CureIt only found threats in the System Volume Information folder.

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information folder (SVI), which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.

When a Recycler infection is detected, Dr.Web CureIt will show detections like these:

Dc70.tmp\data009;C:\RECYCLER\S-1-5-21-4241611754-1010757394-4064456881-1005\Dc70.tmp;Trojan.Fakealert.949;;
Dc70.tmp;C:\RECYCLER\S-1-5-21-4241611754-1010757394-4064456881-1005;Archive contains infected objects;Moved.;
Dc80.exe;C:\RECYCLER\S-1-5-21-4241611754-1010757394-4064456881-1005;Trojan.DownLoad.840;Deleted.;
Dc83.exe;C:\RECYCLER\S-1-5-21-4241611754-1010757394-4064456881-1005;Trojan.Packed.524;Deleted.;
exe32.exe;c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013;Win32.HLLW.Flooder.1;Deleted;


Malwarebytes Anti-Malware will show detections like these:

Folders Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


Kaspersky Online scan will show detections like these:

C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe Infected: Trojan.Win32.Small.buy 1
C:\RECYCLER\S-1-5-21-3497612302-3102775374-3015387129-1005\Dc1.exe Infected: Backdoor.Win32.Small.hpz 1
C:\RECYCLER\S-1-5-21-3497612302-3102775374-3015387129-1005\Dc5.exe Infected: Backdoor.Win32.Small.hpz 1


Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click either the IE or FF Start Menu or Quick Launch Bar icons and select Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Posted Image... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Posted Image... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the Posted Image... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
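The sample detections quoted above, and the user's own Dr.Web logs earlier in the thread, all name a location that tells a helper what they are looking at: a hit under System Volume Information is a System Restore snapshot of a file that is probably already gone, while a hit under RECYCLER\S-1-5-21-... sits in a live user's recycle bin. The following script is an added example (it is not code from this thread nor from Dr.Web, Malwarebytes, Kaspersky or ESET). It parses one line in each of the four log shapes shown in the thread, classifies the location, and breaks the SID down into the fields explained in post #2. The sample lines are copied from the thread; the line formats are my reading of those samples rather than a published specification, and the tool labels are just strings I chose.

```python
"""Triage scanner-log lines of the kinds quoted in this thread (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Local/domain account SID shape from post #2: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+", re.IGNORECASE)
# System Restore snapshot location from post #8: ...\System Volume Information\_restore{GUID}\RP<n>
SVI_RE = re.compile(r"System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+", re.IGNORECASE)
RECYCLER_RE = re.compile(r"(?:^|\\)RECYCLER\\", re.IGNORECASE)
# A Windows path that ends at the first "<name>.<ext>" followed by whitespace (used for ESET lines)
WINPATH_RE = re.compile(r"^[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4}(?=\s)")


@dataclass
class Sid:
    revision: int        # "1"
    authority: int       # "5" = NT authority
    domain: List[int]    # "21-x-y-z": local computer or domain identifier
    rid: int             # relative id; >= 1000 is an account created after setup


@dataclass
class Detection:
    tool: str
    path: str
    name: str
    location: str        # "restore_point", "recycler" or "other"
    sid: Optional[Sid] = None


def parse_sid(text: str) -> Sid:
    """Split a textual SID into the components listed in post #2."""
    parts = text.upper().split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    nums = [int(p) for p in parts[1:]]
    return Sid(nums[0], nums[1], nums[2:-1], nums[-1])


def _classify(tool: str, path: str, name: str) -> Detection:
    if SVI_RE.search(path):
        return Detection(tool, path, name, "restore_point")
    if RECYCLER_RE.search(path):
        m = SID_RE.search(path)
        return Detection(tool, path, name, "recycler", parse_sid(m.group(0)) if m else None)
    return Detection(tool, path, name, "other")


def parse_line(line: str) -> Optional[Detection]:
    """Recognise one detection line in any of the four formats shown in the thread."""
    line = line.strip()
    if not line:
        return None
    if line.count(";") >= 3:                              # Dr.Web CureIt CSV: object;container;name;action;
        obj, where, name = line.split(";")[:3]
        return _classify("Dr.Web", where + "\\" + obj, name)
    m = re.match(r"^(.+?) \(([^()]+)\) -> ", line)       # MBAM: path (name) -> action
    if m:
        return _classify("MBAM", m.group(1), m.group(2))
    m = re.match(r"^(.+?)\s+Infected:\s+(\S+)", line)     # Kaspersky: path Infected: name count
    if m:
        return _classify("Kaspersky", m.group(1), m.group(2))
    m = WINPATH_RE.match(line)                            # ESET: path name verdict ...
    if m:
        rest = line[m.end():].strip()
        name = re.split(r"\s+(?:cleaned by|\(deleted)", rest, maxsplit=1)[0]
        return _classify("ESET", m.group(0), name)
    return None


def summarize(dets: List[Detection]) -> Dict[str, int]:
    counts = Counter(d.location for d in dets)
    return {k: counts.get(k, 0) for k in ("recycler", "restore_point", "other")}


def recycler_hits(dets: List[Detection]) -> List[Detection]:
    """Detections in a live RECYCLER\\<SID> folder: the ones post #8 treats as an active infection."""
    return [d for d in dets if d.location == "recycler"]


# Lines copied from the thread (Dr.Web, Dr.Web, MBAM, Kaspersky, ESET, ESET).
SAMPLE_LOG = r"""
Dc80.exe;C:\RECYCLER\S-1-5-21-4241611754-1010757394-4064456881-1005;Trojan.DownLoad.840;Deleted.;
A0005134.exe;G:\System Volume Information\_restore{B5C37BC7-4C08-47BA-BE4B-62F6BBDABCED}\RP15;Container contains infected objects;Moved.;
C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-3497612302-3102775374-3015387129-1005\Dc1.exe Infected: Backdoor.Win32.Small.hpz 1
C:\RECYCLER\S-1-5-21-9368654446-6361595346-761753620-2558\wingn.exe Win32/Peerfrag.AW worm cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0005132.exe probably a variant of Win32/Adware.Agent application (deleted - quarantined) 00000000000000000000000000000000 C
"""

if __name__ == "__main__":
    found = [d for d in map(parse_line, SAMPLE_LOG.splitlines()) if d]
    print(summarize(found))
    for d in recycler_hits(found):
        print(d.tool, d.name, "RID", d.sid.rid if d.sid else "?", d.path)
```

Run against the thread's own samples it reports four RECYCLER hits, one restore-point hit and one "other" (the Dr.Web quarantine folder). The user's logs from posts #5 and #7, fed to the same function, would come out as "other" and "restore_point" only, which is the point quietman7 makes in post #8.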

#9 gametanx

Posted 27 January 2010 - 04:33 PM

I get the following error even if I pause protection in Kaspersky:

The program could not be started.The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.
[ERROR: java.lang.RuntimeException: Kaspersky Online Scanner 7.0 cannot be started because this computer has Kaspersky Internet Security 8.0 (9.0) installed.]



#10 quietman7

Posted 28 January 2010 - 08:18 AM

Ok, then do this instead.

Please perform a scan with ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allows the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    C:\Program Files\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

ESET Online scan will show detections like these:

C:\RECYCLER\S-1-5-21-9368654446-6361595346-761753620-2558\wingn.exe Win32/Peerfrag.AW worm cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-6541318143-9035559838-880471481-0896\wingn.exe Win32/Peerfrag.AW worm cleaned by deleting (after the next restart) - quarantined



#11 gametanx

Posted 28 January 2010 - 03:58 PM

Here's the ESET Online Scanner log; seems like it can't find the viruses too :thumbsup:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=10eab6370df52a428e9bee7dc800f4b9
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-28 08:40:26
# local_time=2010-01-29 02:10:26 (+0530, India Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1280 16777191 100 0 1551784 1551784 0 0
# compatibility_mode=8192 67108863 100 0 2151 2151 0 0
# scanned=143026
# found=4
# cleaned=4
# scan_time=2914
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0005132.exe probably a variant of Win32/Adware.Agent application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\NewInternetTV2007full.exe probably a variant of Win32/Adware.Agent application (deleted - quarantined) 00000000000000000000000000000000 C
G:\New Softwares\ESET\Marsu-fix2.5_x32.exe Win32/Autoit.NET trojan (deleted - quarantined) 00000000000000000000000000000000 C
G:\New Softwares\ESET\MarsuFix v2.5\Marsu-fix2.5_x64.exe Win32/Autoit.NET trojan (deleted - quarantined) 00000000000000000000000000000000 C

Just to let you know, there are 2 files in all Recycler folders which are 'desktop.ini' (size=65 bytes) & 'INFO2' (size=20 bytes) that I can see from WinRAR.
Why aren't any malware-removal tools able to detect the viruses? The RECYCLER & $RECYCLE.BIN folders have spread to removable media so the viruses are there on my computer, I believe.
I appreciate all the help I have received from you so far, thank you! But I hope you provide more help in removing these viruses completely.

#12 quietman7

Posted 28 January 2010 - 07:28 PM

Why aren't any malware-removal tools able to detect the viruses?

Because I don't see any evidence of an active malware infection based on the results of all these scans and the lack of symptoms which would affect system performance or show other signs. Usually when there is an active infection in the RECYCLER folder, it will involve a malicious file which loads an autorun.inf file that modifies and uses the Windows Explorer right-click context menu so that the standard "Open" or "Explore" command redirects to executing the malicious file, as described here. The presence of a desktop.ini configuration file instructs Windows to display the folder RECYCLER as if it were actually a Recycle Bin. This is another example of a typical Worm:Win32/Autorun infection where you will find autorun.inf and desktop.ini together with a malicious file. Keep in mind that both autorun.inf and desktop.ini can also be legitimate files, so the presence of those files may not always be an indication of infection.

Please, reread Post #2 and Why is there more than one "RECYCLER" folder on my machine

The RECYCLER folder has 2 hidden files which are 'desktop.ini' & 'INFO2' (which I saw by using WinRAR)


The RECYCLED or RECYCLER folder contains a hidden master database file called INFO2 which stores information related to the deleted file that will be used when Windows tries to restore it. That information includes:
  • The file's original full path name.
  • The file's size.
  • The date and time when the file was moved into the Recycle Bin.
  • The file's unique ID number within the Recycle Bin.
When deleting a file, Windows will rename it to DC1. As more files are deleted, the number of the file will be increased by one (i.e. DC2). The number is an indexing number for the file which will be read by INFO2. When the Recycle Bin is emptied, the INFO2 file will also be deleted and Windows will create a new INFO2 file which will reset the number counter to 0. This process works differently in Vista, where the operating system creates a separate record file for each file that is deleted. For more specific details as to how this works in Vista, please refer to:

Desktop.ini is a text file for configuration settings that allows you to specify how a file system folder will be viewed and handled. It can be added to any Windows folder to store information about customized folders. The most common use of the desktop.ini file is to assign a custom icon to a folder. File system folders are commonly displayed with a standard icon and have a set of properties that describe the folder, such as whether or not the folder is shared. Therefore, if you have customized the display of a folder in any way, such as changing its icon or manner of display, Windows will save those settings in a desktop.ini file. Since Desktop.ini is a system file, it is normally hidden unless Windows is configured to show hidden/protected operating system files in Explorer's Folder Options.

Edited by quietman7, 28 January 2010 - 07:29 PM.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
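The autorun.inf / desktop.ini pattern and the INFO2 database that quietman7 describes in the post above, worked through as an added example (editor's code, not part of the thread or of any tool mentioned in it). It parses the three files offline so you can check a suspect RECYCLER folder copied from a USB stick without executing anything on it. Assumptions: the Windows 2000/XP INFO2 layout (20-byte header, 800-byte records with ANSI path, index, drive number, FILETIME, size and UTF-16LE path), the Recycle Bin shell CLSID, and all sample data (the SID-style folder name, payload.exe, the deleted file and its date) are constructed for illustration, not taken from this or any real infection.

```python
"""Added example, not code from the thread: offline triage of the three RECYCLER
artifacts discussed above (autorun.inf, desktop.ini, INFO2). All sample data is
constructed here; nothing is read from a live drive."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

# Shell namespace CLSID of the Recycle Bin: a desktop.ini carrying it makes Explorer
# draw the folder with the Recycle Bin icon, whether the RECYCLER is genuine or fake.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_HEADER = 20   # a header-only INFO2 is an empty Recycle Bin
INFO2_RECORD = 800  # Windows 2000/XP record size

def parse_ini(text):
    """Minimal INI reader -> {section: {key: value}}, names lowercased, tolerant of
    the odd casing and junk lines found in worm-written autorun.inf files."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autorun_findings(text):
    """(key, target, inside_recycler) for each [autorun] key that launches a program:
    open=, shellexecute= and shell\\<verb>\\command=, i.e. the context-menu redirection
    described in the post. icon=, label= and similar are ignored."""
    findings = []
    for key, value in parse_ini(text).get("autorun", {}).items():
        if key in ("open", "shellexecute") or key.endswith("\\command"):
            lowered = value.lower()
            findings.append((key, value, "recycler" in lowered or "$recycle.bin" in lowered))
    return findings

def desktop_ini_shows_recycle_bin(text):
    """True when desktop.ini makes Explorer present the folder as the Recycle Bin.
    Not evidence of infection by itself: a genuine RECYCLER carries the same file."""
    info = parse_ini(text).get(".shellclassinfo", {})
    return info.get("clsid", "").upper() == RECYCLE_BIN_CLSID

def to_filetime(dt):
    """UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def build_info2(entries):
    """Construct a 2000/XP-style INFO2 blob (test data only) from (index, path, size,
    filetime) tuples. Header: version, two dwords, record size, one trailing dword.
    Record: 260-byte ANSI path, dword index, dword drive (0 = A:), FILETIME, dword size,
    520-byte UTF-16LE path."""
    header = struct.pack("<5I", 5, 0, 0, INFO2_RECORD, INFO2_HEADER + INFO2_RECORD * len(entries))
    body = b""
    for idx, path, size, filetime in entries:
        drive = ord(path[0].upper()) - ord("A")
        ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
        wide = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
        body += ansi + struct.pack("<IIQI", idx, drive, filetime, size) + wide
    return header + body

def parse_info2(data):
    """Parse INFO2 into deleted-file records; [] for a header-only (empty) bin."""
    if len(data) < INFO2_HEADER:
        raise ValueError("INFO2 shorter than its header")
    rec_size = struct.unpack_from("<I", data, 12)[0]
    records = []
    for off in range(INFO2_HEADER, len(data) - rec_size + 1, rec_size):
        idx, drive, filetime, size = struct.unpack_from("<IIQI", data, off + 260)
        path = data[off + 280:off + rec_size].decode("utf-16-le", "replace").split("\x00")[0]
        letter = chr(ord("A") + drive)
        records.append({
            "index": idx, "drive": letter, "size": size, "path": path,
            "deleted": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            # name the file carries inside RECYCLER: D + drive letter + index + extension
            "bin_name": f"D{letter.lower()}{idx}{ntpath.splitext(path)[1]}",
        })
    return records

# Constructed autorun.inf of the shape the post describes: every Explorer verb on the
# drive is redirected into a fake RECYCLER subfolder. Hypothetical SID and file name.
SAMPLE_AUTORUN = """[AutoRun]
open=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1005\\payload.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1005\\payload.exe
shell\\explore\\Command=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1005\\payload.exe
"""
# The two-line desktop.ini of a genuine XP RECYCLER folder, CRLF line endings.
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\r\nCLSID=" + RECYCLE_BIN_CLSID + "\r\n"
# Constructed INFO2 data: an empty bin (header only) and a bin holding one file.
EMPTY_INFO2 = build_info2([])
ONE_RECORD_INFO2 = build_info2([(1, r"C:\Documents and Settings\alice\My Documents\notes.txt",
                                 4096, to_filetime(datetime(2010, 1, 23, tzinfo=timezone.utc)))])

if __name__ == "__main__":
    for key, target, inside in autorun_findings(SAMPLE_AUTORUN):
        print(f"autorun.inf {key} -> {target}" + ("  [inside RECYCLER]" if inside else ""))
    print(f"empty INFO2: {len(EMPTY_INFO2)} bytes, {len(parse_info2(EMPTY_INFO2))} records")
    for rec in parse_info2(ONE_RECORD_INFO2):
        print(f"{rec['bin_name']} <- {rec['path']} (deleted {rec['deleted']:%Y-%m-%d})")
```

Run stand-alone, it prints the findings for the constructed data. The two sizes reported in post #11 line up with what this code builds: the two-line desktop.ini with CRLF line endings is exactly 65 bytes, and a header-only INFO2 is 20 bytes, i.e. an empty Recycle Bin. As the post says, neither file is an indicator by itself; what marks a worm's RECYCLER is an autorun.inf at the drive root whose open=, shellexecute= or shell\...\command= keys point into it, together with the executable those keys name.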

#13 gametanx


Posted 31 January 2010 - 01:09 PM

I had once used Autorun Eater & it had detected 1 infected autorun file. I guess it was responsible for removing the virus. Thanks for all the help, I appreciate it.

#14 quietman7

Posted 31 January 2010 - 02:15 PM

Autorun Eater will warn about and remove any suspicious 'autorun.inf' files based on user decision/settings. Suspicious and confirmed infection are not necessarily the same thing, so I'm not sure what it found/removed.

Anyway, glad to hear you got it sorted out.

#15 shipdog7


Posted 25 May 2012 - 06:04 PM

Hi,
My computer has been infected by RECYCLER & $RECYCLE.BIN virus/worm and I can't get rid of them.
Recycler intruded my PC from a USB pen drive that I inserted. I was using Norton Internet Security at that time but it didn't detect the worm/virus.
Days later I saw $RECYCLE.BIN had also infected my PC. I am now using Kaspersky Internet Security 2010 but it also cannot detect & remove these 2 infections.
There are RECYCLER & $RECYCLE.BIN folders in every partition of my hard drive. If I manually delete these folders, they recreate themselves.
Please help me!

I just got the same virus today. I ran ComboFix and it didn't detect it. I ran the free online ESET scan (Google it) and it detected eleven infections, including the RECYCLER & $RECYCLE.BIN virus/worm, which were on my external drive. Since both of those had never been on my backup drive before, I suspected a problem. It ran about an hour or more but deleted all infections. Checked the external drive and RECYCLER & $RECYCLE.BIN are gone. Make sure you check the box to delete and/or quarantine them.
