Recycler virus?


16 replies to this topic

#1 Etsd2311

Etsd2311

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 02 February 2009 - 05:56 PM

When I click on the C: local drive I get this error message; however, I can right-click and Explore the drive and it will open.
Attached file: untitled.bmp (511.77 KB)

any answers will help
Patrick-

#2 Etsd2311

Etsd2311
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 02 February 2009 - 06:34 PM

http://s165.photobucket.com/albums/u69/etsd2311/?action=view&current=untitled.jpg

#3 Etsd2311

Etsd2311
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 02 February 2009 - 06:38 PM

Posted Image

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:35 AM

Posted 02 February 2009 - 06:40 PM

Hello Patrick.

Nasty infection going around lately.

Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :files
    c:\recycler\
    d:\recycler\
    e:\recycler\
    f:\recycler\
    g:\recycler\
    h:\recycler\
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Download and Run FlashDisinfector
You have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /s >Log.txt 2>&1
    start notepad log
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input test.bat
  • Hit OK.
When done properly, the icon should look like Posted Image.

Double click test.bat.

You will see a log open. Post back with that.

With Regards,
The Panda

#5 Etsd2311

Etsd2311
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 03 February 2009 - 11:53 AM

thank you so much for this!





========== FILES ==========
Folder c:\recycler not found.
Folder d:\recycler not found.
Folder e:\recycler not found.
Folder f:\recycler not found.
Folder g:\recycler not found.
Folder h:\recycler not found.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02032009_105257




! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell
<NO NAME> REG_SZ Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun
<NO NAME> REG_SZ Auto&Play

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command
<NO NAME> REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-9-8-16-100007014-100027171-100021303-1793.com c:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\Open

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\Open\command
<NO NAME> REG_SZ C:\RECYCLER\S-9-8-16-100007014-100027171-100021303-1793.com c:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF002000000009000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\_Autorun\DefaultIcon
<NO NAME> REG_SZ E:\LaunchU3.exe,0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3c0cb6c2-3cbb-11dd-bbdc-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00E000000009000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3c0cb6c2-3cbb-11dd-bbdc-806d6172696f}\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3c0cb6c2-3cbb-11dd-bbdc-806d6172696f}\_Autorun\DefaultIcon
<NO NAME> REG_SZ D:\mri.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{90ee99dc-f210-11dd-bc1c-00123fdc7060}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 0101FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b7834147-3cb5-11dd-8531-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f123c572-aea8-11dd-bbf8-00123fdc7060}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCF010101EEFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f123c572-aea8-11dd-bbf8-00123fdc7060}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f123c572-aea8-11dd-bbf8-00123fdc7060}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f123c572-aea8-11dd-bbf8-00123fdc7060}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe72-800b-11dd-bbed-00123fdc7060}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5F01000100FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF002000000009000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe72-800b-11dd-bbed-00123fdc7060}\Shell
<NO NAME> REG_SZ AutoRun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe72-800b-11dd-bbed-00123fdc7060}\Shell\AutoRun
<NO NAME> REG_SZ Auto&Play

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe72-800b-11dd-bbed-00123fdc7060}\Shell\AutoRun\command
<NO NAME> REG_SZ E:\LaunchU3.exe -a

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe72-800b-11dd-bbed-00123fdc7060}\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe72-800b-11dd-bbed-00123fdc7060}\_Autorun\DefaultIcon
<NO NAME> REG_SZ E:\LaunchU3.exe,0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe73-800b-11dd-bbed-00123fdc7060}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F005F5F5F5F5FCFCF5F5F5F5F010100EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008020000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe73-800b-11dd-bbed-00123fdc7060}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe73-800b-11dd-bbed-00123fdc7060}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe73-800b-11dd-bbed-00123fdc7060}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3c0cb6c2-3cbb-11dd-bbdc-806d6172696f}
Data REG_BINARY [binary value omitted]
Generation REG_DWORD 0x2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{90ee99dc-f210-11dd-bc1c-00123fdc7060}
Data REG_BINARY [binary value omitted]
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b7834147-3cb5-11dd-8531-806d6172696f}
Data REG_BINARY [binary value omitted]
Generation REG_DWORD 0x1
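The dump above is what the `reg query` batch script produces, and the `Shell\AutoRun\command` and `Shell\Open\command` values under `MountPoints2\C` are the hijack: double-clicking the drive runs a worm dropped in a fake RECYCLER folder instead of opening the drive. As an added example (not from the thread, OTMoveIt or OldTimer), the Python below parses such a dump, flags per-drive shell verbs that launch from a RECYCLER folder, go through `ShellExec_RunDLL`, or use a relative path, and emits an OTMoveIt `:reg` script of the form PropagandaPanda posts in #7. The sample log is a constructed excerpt modelled on the values posted in this thread; the heuristics are my own and the legitimate U3 launcher entry is included to show it is not flagged.

```python
"""Audit a MountPoints2 `reg query /s` dump for hijacked per-drive shell verbs."""
import re

MP2 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

# `reg query` prints "<name> <REG_TYPE> <data>", separated by tabs or spaces.
VALUE_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")
# ...\MountPoints2\<drive letter or volume GUID>\Shell\<verb>\command
CMD_RE = re.compile(re.escape(MP2) + r"\\(?P<drive>[^\\]+)\\Shell\\(?P<verb>[^\\]+)\\command$", re.I)

# Heuristics (my own) for the hijack seen in this thread: the verb that runs when the
# drive is double-clicked points at a worm dropped in a fake RECYCLER folder.
SUSPICIOUS = (
    (re.compile(r"(^|[\\\s\"])recycler\\", re.I), "launches from a RECYCLER folder"),
    (re.compile(r"shellexec_rundll", re.I), "indirected through RunDLL32 ShellExec_RunDLL"),
)

# Constructed sample: an excerpt shaped like the logs posted in this thread.
SAMPLE_LOG = r"""
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command
<NO NAME> REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-9-8-16-100007014-100027171-100021303-1793.com c:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\Open\command
<NO NAME> REG_SZ C:\RECYCLER\S-9-8-16-100007014-100027171-100021303-1793.com c:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe6-3273-11de-b4b2-0001805a5ce6}\Shell\Open\command
<NO NAME> REG_SZ RECYCLER\S-1-5-28-100012862-100020043-100016776-3120.com e:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fd0dfe72-800b-11dd-bbed-00123fdc7060}\Shell\AutoRun\command
<NO NAME> REG_SZ E:\LaunchU3.exe -a
"""


def parse_reg_query(text):
    """Return {key: {value_name: (reg_type, data)}} from `reg query /s` output."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper().startswith("HKEY_"):   # a key line opens a new block of values
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)               # banner lines such as "! REG.EXE ..." are skipped
        if m and current is not None:
            keys[current][m["name"]] = (m["type"], m["data"] or "")
    return keys


def _exe_token(command):
    """First token of a command line, honouring a quoted executable path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0]


def _is_relative(path):
    # Absolute forms: drive-letter path, UNC path, or %VAR%-rooted path.
    return not (re.match(r"^[A-Za-z]:\\", path) or path.startswith("\\\\") or path.startswith("%"))


def find_hijacked_verbs(keys):
    """Return (drive_key, verb, command, reasons) for drive verbs that look hijacked."""
    findings = []
    for key, values in keys.items():
        m = CMD_RE.match(key)
        if not m or "<NO NAME>" not in values:
            continue
        command = values["<NO NAME>"][1]       # the (Default) value is the command line
        reasons = [why for rx, why in SUSPICIOUS if rx.search(command)]
        if command and _is_relative(_exe_token(command)):
            reasons.append("executable given as a relative path")
        if reasons:
            findings.append((key[:m.end("drive")], m["verb"], command, reasons))
    return findings


def otmoveit_reg_script(findings):
    """OTMoveIt ':reg' script deleting each hijacked drive key, in the form used in post #7."""
    return "\n".join([":reg"] + [f"[-{k}]" for k in sorted({f[0] for f in findings})])
```

Run `find_hijacked_verbs(parse_reg_query(SAMPLE_LOG))` on a real dump saved from the batch script to get the same kind of findings; the U3 `LaunchU3.exe -a` entry is an absolute path with none of the markers and is left alone.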

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:35 AM

Posted 03 February 2009 - 11:59 AM

Hello.

Please run this script with OTMoveIt
:reg
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
Any sign of infection at the moment?

With Regards,
The Panda

#8 Etsd2311

Etsd2311
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 03 February 2009 - 02:19 PM

========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02032009_124933


I don't believe so, thank you Panda!!

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:35 AM

Posted 03 February 2009 - 04:40 PM

Welcome.

Let's reset the system restore and you should be good to go.

Set New System Restore Point
Now you should set a Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point after cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click System Restore.
  • Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name then click Create.
  • Then, click on Start > Run and type:
    cleanmgr
  • Click OK > More Options tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections: For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware. Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any further questions or concerns?

With Regards,
The Panda

#10 luv2c

luv2c

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 03 February 2009 - 07:04 PM

Hello there Panda, I want to thank you very much for the information you gave for the recycler virus. It so happens yesterday the exact thing happened to me, whereby I could only access my hard drives by right clicking / explore and then view folders. I had the exact same warning box as the other gentleman and found this site from a search engine. I followed your steps exactly and it seems fine now. I can access my drives the normal way and the OTMoveit removed that same HKey .........MountPoints 2 thing from the computer.
The only problem I've run into is setting a system restore point. As far as that goes, when I noticed I had issues accessing my hard drives I tried to revert back to a previous system restore point, and when I clicked next after selecting a previous restore point it did nothing and just hung like that. When I tried to create a new restore point after doing everything you instructed here, it told me to restart the computer to create a new restore point (Windows XP/SP3). So I did that, and when I tried to create a new restore point I received the same message to reboot and go back to system restore to create a new point.
Any ideas why I can't make a restore point or even revert back to previous points? I'll check this forum out to see if there is already an answer for this, as I know this can be a common problem.
Thanks again for the help with this recycler virus. I'm not sure if it happened d/loading some freeware to try out or not. One of them installed a toolbar (Ask toolbar) that came bundled with the software as well, and I've since removed those programs. It caught me off guard as I usually go virus/trojan free for years with my anti-virus and spyware/malware software I use.

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:35 AM

Posted 04 February 2009 - 11:48 AM

Hello.

Let's clear the restore points another way.

Click on Start -> Run -> Type: services.msc
Double click the System Restore Service.
Stop the service. Start it again.

That should wipe the restore points.

Anyways, it shouldn't matter that much since the autorun files aren't saved in system restore.

With Regards,
The Panda

Edited by PropagandaPanda, 04 February 2009 - 11:49 AM.


#12 luv2c

luv2c

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 04 February 2009 - 05:13 PM

Hello Panda,
Thanks for the help, I read a few posts and cleared the restore points already, but I kind of like the way you mentioned doing it. Seems pretty quick that way. Just for the sake of trying I went to create my own restore point but received the same message again about rebooting and then doing it, but this just goes on forever, so no use trying and perhaps it's not that necessary anyway.

#13 eatton

eatton

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 28 April 2009 - 07:14 PM

c:\RECYCLER moved successfully.
Folder d:\recycler not found.
Folder e:\recycler not found.
Folder f:\recycler not found.
Folder g:\recycler not found.
Folder h:\recycler not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04282009_210536

#14 eatton

eatton

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 28 April 2009 - 07:25 PM

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe6-3273-11de-b4b2-0001805a5ce6}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000100000009070000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe6-3273-11de-b4b2-0001805a5ce6}\Shell
<NO NAME> REG_SZ Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe6-3273-11de-b4b2-0001805a5ce6}\Shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe6-3273-11de-b4b2-0001805a5ce6}\Shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe6-3273-11de-b4b2-0001805a5ce6}\Shell\AutoRun
<NO NAME> REG_SZ Auto&Play

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe6-3273-11de-b4b2-0001805a5ce6}\Shell\AutoRun\command
<NO NAME> REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-28-100012862-100020043-100016776-3120.com e:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe6-3273-11de-b4b2-0001805a5ce6}\Shell\Open

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe6-3273-11de-b4b2-0001805a5ce6}\Shell\Open\command
<NO NAME> REG_SZ RECYCLER\S-1-5-28-100012862-100020043-100016776-3120.com e:\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cd7dfe7-3273-11de-b4b2-0001805a5ce6}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008070000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8cf511ae-31b5-11de-b9cd-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa16e9c2-31ba-11de-b4b0-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa16e9c3-31ba-11de-b4b0-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d66a329c-32a6-11de-b4b3-0001805a5ce6}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008060000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de9592b2-3310-11de-b4b5-0001805a5ce6}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCF010101EEFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de9592b2-3310-11de-b4b5-0001805a5ce6}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de9592b2-3310-11de-b4b5-0001805a5ce6}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de9592b2-3310-11de-b4b5-0001805a5ce6}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de9592b3-3310-11de-b4b5-0001805a5ce6}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008030000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de9592b3-3310-11de-b4b5-0001805a5ce6}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de9592b3-3310-11de-b4b5-0001805a5ce6}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de9592b3-3310-11de-b4b5-0001805a5ce6}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{7cd7dfe7-3273-11de-b4b2-0001805a5ce6}
Data REG_BINARY [binary value omitted]
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{8cf511ae-31b5-11de-b9cd-806d6172696f}
Data REG_BINARY [binary value omitted]
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{aa16e9c2-31ba-11de-b4b0-806d6172696f}
Data REG_BINARY [binary value omitted]
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{aa16e9c3-31ba-11de-b4b0-806d6172696f}
Data REG_BINARY [binary value omitted]
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d66a329c-32a6-11de-b4b3-0001805a5ce6}
Data REG_BINARY [binary value omitted]
Generation REG_DWORD 0x1

#15 redtux7777

redtux7777

  • Members
  • 30 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 07 December 2010 - 10:21 AM

I had a bad link for OTMoveIt3 by OldTimer. I found this working link here:

http://www.geekstogo.com/forum/files/category/6-anti-malware-tools/


This is my first post, love the site and come here often to help me with my computer repair business.

This worked like a charm to get rid of the recycler virus!!!

Thanks for all the help.

Edited by redtux7777, 07 December 2010 - 10:22 AM.
