I have spent a good few days (bad ones actually) trying to eradicate this thing off my son's computer.
It is very similar to what is reported here:
I followed the instructions and uploaded the 2 files required.
Symptoms are as follows:
The bad behaviour is that when in My Computer and double-clicking the C or E drive (E is an external portable drive) I get a message "could not find file c:\recycler\S-#####-######-######-#####.com", where ### represents a random series of numbers separated by hyphens - I don't know for sure how many numbers there are, it's just an example. Similar for the E drive, or it just doesn't open.
If I go into the registry to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 there are a number of entries there, most of which have a value of Base = drive.
Originally both the C drive entry and the E drive entry had subfolders there of autoplay and open, both of which had a subfolder command which ran along the lines of the one in the post above:
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe"
except my entry is then C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL C:\recycler\s-###-####-####-####.com
I deleted the subfolders from the C and E keys and they didn't come back.
However there are 2 other keys in there that are long numbers in parentheses, one of which started with the number 13 and one with 4 - these had identical subfolders to the C and E drive keys, but no matter how many times I delete these they come back.
If I delete them, I can then open the icons in My Computer. I can open anything on the computer via Windows Explorer, and dialogue boxes to save or find a file etc. all work fine. It's just in My Computer, and just those 2 icons - I also have a network drive, but it and the CD-ROM aren't affected.
So I get rid of these entries, and when I reboot and check the registry the values of 13... and 4... are still looking normal, e.g. Base = drive and no subfolders. But as soon as I click on one of those icons I get the message again and the values go back into the registry.
I have updated my antivirus and two lots of malware and run it - over the last few days some has been found and removed, and this morning more was found by Malwarebytes and removed. I then ran AV over the entire machine and Malwarebytes and nothing was found. But I bet if I restart the computer now, it will happen again... as has been the case.
Initially I also had problems connecting to my AV update site as well with a Zlob DNS changer, but I got rid of that and all was OK with several reboots yesterday. First boot this morning... same problem - Malwarebytes found lots more Zlobs and deleted them, update working again now... but again, I wonder for how long?
Await a better mind than mine to help me figure this out...
PS: I just did an experiment and restarted the computer - AV still works, but this time when I double-clicked My Computer on the desktop, I went to regedit BEFORE opening the C drive just to take a look - and the subfolders were back. So it's the action of double-clicking the My Computer icon that puts the values back into the registry, as if I look at the registry before doing that it's fine.
STOP PRESS!!!! I think I might have fixed this after going here:
I applied the reasoning there to my own case - I deleted all the MountPoints2 entries, then using IceSword I was able to find autorun.ini on both the C and E drives (that was a problem before, as they weren't visible in normal mode). Deleted these 2 files on the C and E drives and now it all works on restart! I didn't do anything about a svchosts file or hosts file though - I don't know whether one applied in this case, but I wouldn't have known which one it was I had to find.
Wouldn't mind someone just doing some cross-checking with me to make sure we have this thing properly removed and there aren't any other things still lurking, as we had multiple viruses and trojans in the last few days - though AV is now reporting it clean. (But then again, it didn't pick THIS one up, did it?)
Many thanks again
Edited by ozeannie, 06 February 2009 - 01:11 AM.
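As an added example (not part of the post above, nor any tool the poster used), the following PowerShell script performs the two checks the post describes by hand: it walks every volume key under MountPoints2 for a Shell\<verb>\command value that Explorer would run when a drive icon is double-clicked or AutoPlay fires, and it looks at the root of every filesystem drive for an autorun.inf even when the file is marked hidden and system. The "suspicious" patterns (recycler, a .com target, ShellExec_RunDLL) are assumptions taken from the symptoms in the post, not a signature of any known family. It needs PowerShell 3.0 or later, so it will not run on an XP-era box as-is, and a kernel rootkit that hides files from the Win32 API will hide them from this script just as it hid them from Explorer; the post needed IceSword for that reason.

```powershell
# Added example: audit MountPoints2 and drive roots for the autorun-style persistence
# described in the post. Read-only by default; Remove-MountPoints2ShellKeys only
# deletes when -Commit is given. Run as the affected user (MountPoints2 is per-user).

$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# Assumed patterns, derived from the symptoms in the post rather than from any signature.
$suspiciousPattern = 'recycler|\.com(\s|"|$)|ShellExec_RunDLL'

function Get-MountPoints2Commands {
    # Each child of MountPoints2 is a volume (a drive letter or a {GUID}).
    # Anything at <volume>\Shell\<verb>\command is executed by Explorer for that verb,
    # so a legitimate key normally has no Shell subkey at all.
    Get-ChildItem -Path $mp2 -ErrorAction SilentlyContinue | ForEach-Object {
        $volume = $_.PSChildName
        Get-ChildItem -Path $_.PSPath -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -eq 'command' } |
            ForEach-Object {
                $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                $cmd   = $props.'(default)'
                $parts = $_.Name -split '\\'          # ...\Shell\<verb>\command
                [pscustomobject]@{
                    Volume     = $volume
                    Verb       = $parts[-2]
                    Command    = $cmd
                    Suspicious = [bool]($cmd -match $suspiciousPattern)
                }
            }
    }
}

function Get-AutorunInf {
    # Look for autorun.inf in every drive root. -Force is required so that a file
    # flagged hidden and/or system (the usual trick) is still returned.
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $path = Join-Path $_.Root 'autorun.inf'
        if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
            $file = Get-Item -LiteralPath $path -Force
            # Lines that make Explorer launch something: open=, shellexecute=, shell\...\command=
            $launch = Get-Content -LiteralPath $path -Force -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' }
            [pscustomobject]@{
                Drive      = $_.Name
                Attributes = $file.Attributes
                Launches   = ($launch -join '; ')
            }
        }
    }
}

function Remove-MountPoints2ShellKeys {
    # Deletes the Shell subtree under every MountPoints2 volume key. Without -Commit
    # it only shows what would be removed (-WhatIf). Note the post's observation:
    # if autorun.inf is still on the drive, Explorer recreates these keys on the
    # next double-click, so remove the autorun.inf first.
    param([switch]$Commit)
    Get-ChildItem -Path $mp2 -ErrorAction SilentlyContinue | ForEach-Object {
        $shell = "$($_.PSPath)\Shell"
        if (Test-Path -Path $shell) {
            Remove-Item -Path $shell -Recurse -WhatIf:(-not $Commit)
        }
    }
}

Write-Host '== MountPoints2 shell commands =='
Get-MountPoints2Commands | Format-Table -AutoSize

Write-Host '== autorun.inf in drive roots =='
Get-AutorunInf | Format-Table -AutoSize

Write-Host '== Shell keys that would be removed (dry run) =='
Remove-MountPoints2ShellKeys
```

The order of operations matters for the loop the post ran into: delete autorun.inf from each drive root (after clearing its hidden/system attributes with `attrib -h -s -r X:\autorun.inf`, or with `Remove-Item -Force`), then run `Remove-MountPoints2ShellKeys -Commit`, and only then double-click the drives again. Deleting the registry keys first and the file never lets Explorer re-parse the autorun.inf and put the keys straight back.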