Trojan Recycler
6 replies to this topic

#1 nightmare051n

Posted 03 June 2008 - 01:17 AM

Trojan Recycler on both computers, one portable hard drive and 2 jump drives.
This Recycler came from my account from my school. Then my jump drive got it, and then so on and so on. I have tried McAfee and tried getting rid of it using the command prompt; that is what the school tech department said to do. What I can tell is that the Recycler is a hidden folder and it acts like a copy of my recycle bin, meaning what I put in the bin is shown in there. Also there are two hidden files in there: the first is a file called INFO.exe, the second one is desktop.ini, and in that it reads
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
Then in the main directory there is another hidden file named autorun.inf, and that reads
[autorun]
open=

shell\open\Command=RECYCLER\INFO.exe
shell\open\Default=1
shell\explore\Command=RECYCLER\INFO.exe

This is only on my 2 jump drives.
For one of my computers (this one has Vista, let's call this the Vista computer) it is this: there is a hidden file in the main directory named autoexec.bat; it says that it is a Rem Dummy file for NTVDM.
Then instead of the Recycler folder it has a $recycle.bin folder; inside it has 3 hidden folders
S-1-5-21-2283680159-711593911-2923597990-1000
S-1-5-21-2283680159-711593911-2923597990-1001
S-1-5-21-2283680159-711593911-2923597990-1002
This hidden directory is about 2 GB and is increasing in size throughout.

Then the other computer (this one has Windows XP, let's call it the XP computer) has the Recycler folder, but has either the
S-1-5-21-2283680159-711593911-2923597990-1000 folder but with different lettering, or the info.exe and desktop.ini. I think it is the desktop.ini and info.exe; I have to check again.
Same thing with the portable hard drive. I think this one has the
S-1-5-21-2283680159-711593911-2923597990-1000 hidden folder but with different lettering; I think it does, I have to check again.

That's all the info I know, but I do know that other people have had this problem before, and also most common virus scans just notice it but can't remove it.

#2 DaChew

Posted 03 June 2008 - 12:02 PM

credit Quietman

Using a clean computer, immunize and disinfect all drives.

Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes another malicious file to run on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.

Please insert your flash drive. Hold down the Shift key when inserting the drive until Windows detects it to bypass the autorun feature and keep autorun.inf from executing automatically.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read Danger USB! Worm targets removable memory sticks.

You can hold down the Shift key when inserting the drive into your computer until Windows detects it to keep autorun.inf from executing automatically. However, I recommend disabling the Autorun feature on USB and removable drives as a method of prevention. This should keep the malicious file from automatically running upon insertion and infecting your system while allowing you to safely perform a scan.


http://www.techsupportforum.com/sect...isinfector.exe

This would be the first step.

I would then run MBAM.

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062
Chewy

No. Try not. Do... or do not. There is no try.
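As an added example (not part of this thread, of Flash_Disinfector or of MBAM), the following Python helper shows the two checks the advice above rests on: it parses an autorun.inf body like the one quoted in the first post and flags the entries Windows Autorun would launch on insertion, and it reports whether a drive root carries the folder-style autorun.inf that the immunization step leaves behind. The sample text is constructed to mirror the first post; the drive-root path is whatever you pass in.

```python
import re
from pathlib import Path

# Constructed sample mirroring the autorun.inf quoted in the first post.
SAMPLE_AUTORUN = """[autorun]
open=
shell\\open\\Command=RECYCLER\\INFO.exe
shell\\open\\Default=1
shell\\explore\\Command=RECYCLER\\INFO.exe
"""

# Keys whose value Autorun launches: open, shellexecute, shell\<verb>\command.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
# A launch target under a recycle-bin folder is the pattern seen in this thread.
RECYCLE_DIR = re.compile(r"(^|\\)(recycler|recycled|\$recycle\.bin)(\\|$)")

def parse_autorun(text):
    """Return {key.lower(): value} for the [autorun] section of an autorun.inf body."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_launches(entries):
    """List (key, value, reason) for entries that would run something on insertion."""
    findings = []
    for key, value in entries.items():
        if not LAUNCH_KEY.match(key) or not value:
            continue
        if RECYCLE_DIR.search(value.lower()):
            findings.append((key, value, "program launched from a recycle-bin folder"))
        elif value.lower().endswith(".exe"):
            findings.append((key, value, "executable launched on insertion"))
    return findings

def immunization_status(drive_root):
    """A FOLDER named autorun.inf (what Flash_Disinfector leaves) keeps a same-named file out."""
    p = Path(drive_root) / "autorun.inf"
    return "immunized" if p.is_dir() else ("file present: inspect it" if p.is_file() else "absent")
```

Run `immunization_status("E:\\")` against each drive root after immunizing; anything other than "immunized" deserves a look before the drive goes back into another machine.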

#3 nightmare051n (Topic Starter)

Posted 03 June 2008 - 04:58 PM

I did what you told me to do. I did this for the Vista and one jump drive. The jump drive is fixed, it looks like, but not the Vista, so here's what that one's scan said
Malwarebytes' Anti-Malware 1.14
Database version: 818

4:56:11 PM 6/3/2008
mbam-log-6-3-2008 (16-56-11).txt

Scan type: Quick Scan
Objects scanned: 40531
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
This is the quick scan.
The full scan I will do next; I will put that up A.S.A.P.

#4 DaChew

Posted 03 June 2008 - 05:08 PM

The Vista computer looks good; that was probably a broken remnant of an infection.

There might be a rootkit hiding something else, but we would need to see some more logs of past cleanups.
Chewy

No. Try not. Do... or do not. There is no try.

#5 nightmare051n (Topic Starter)

Posted 03 June 2008 - 09:20 PM

Well, here is the full scan
Malwarebytes' Anti-Malware 1.14
Database version: 818

9:15:45 PM 6/3/2008
mbam-log-6-3-2008 (21-15-45).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 180043
Time elapsed: 1 hour(s), 7 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It still has that hidden folder $recycle.bin that is over 2 GB.

Next I'll do the XP computer with the portable drive connected. I'll tell you how that goes.
And thank you for helping me.

#6 DaChew

Posted 03 June 2008 - 09:27 PM

Vista hides a ton of stuff; it drove me crazy.

The XP computer will be a lot harder to clean; Vista is a lot more bulletproof against driver-based malware.

Run the Flash Disinfector on the XP computer. It would be better to never let it on the internet till we see some logs.

Edited by DaChew, 03 June 2008 - 09:29 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#7 nightmare051n (Topic Starter)

Posted 03 June 2008 - 09:51 PM

k