
How to remove Recycler\ trojan from Removeable harddrive


  • This topic is locked
2 replies to this topic

#1 vanus draco

  • Members
  • 2 posts

Posted 14 February 2009 - 01:48 AM

Anyway, I recently got hit with a trojan. My anti-virus (AVG 8 Free) found it and supposedly removed it, but I still stopped being able to log into my accounts; the computer would freeze on log-in 3 out of 4 times. I quickly got out my portable hard drive and copied the stuff I need over, then reformatted the main drive and reinstalled everything. However, the trojan seems to have got to all of my hard drives, so I had to nuke everything, delete every partition and reinstall Windows.

Now I went and reinstalled the operating system, and some programs I need.
Here's what I downloaded; the rest I got from disks known to be safe:
AVG 8 Free Antivirus
Firefox
WinRAR

Anyway, when I tried to get the stuff from my removable hard drive the symptom appeared again,

a warning message that says:
Windows cannot find 'RECYLER\S-8-7-26-100012043-100021302-100003534-3633.com'. make sure you typed the name correctly and try again.

This used to happen when I tried to access any drive; now it's just my removable backup (a Western Digital My Passport Elite).
Scans with AVG have removed a trojan, but the unfortunate symptom is still there and not going away. I can access the removable drive with Windows Explorer, or just right-click the drive in My Computer and select Explore, but I am scared to copy my files from it because it's still infected.

Another effect of the trojan is that Google seemed to redirect all searches to some weird places. This is gone after I reformatted, but perhaps this will help identify the problem?

Any help would be very welcome, thanks.

I ran DDS with the removable drive attached:

Attached file: Attach.txt (3.83 KB)

DDS (Ver_09-02-01.01) - NTFSx86
Run by Robin at 1:24:08.79 on Sat 02/14/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.937 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\E-Color\Common\IconMgr.exe
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Creative\MediaSource5\CTDetctu.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
D:\Robin\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robin\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRunOnce: [CMSRegOu] "c:\program files\creative\mediasource5\CMSRegOu.exe" /r
uRunOnce: [StartMSu] "c:\program files\creative\mediasource5\Startmsu.exe" /s
uRunOnce: [Inetreg] "c:\program files\installshield installation information\{ac85cd9e-bc46-4874-90e6-adb558de7d9e}\Setup.exe" /i_again -s
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\e-color.lnk - c:\program files\e-color\common\IconMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robin\applic~1\mozilla\firefox\profiles\edykf1jo.default\
FF - plugin: d:\robin\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-13 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-13 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-13 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-13 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-13 298264]

=============== Created Last 30 ================

2009-02-14 00:26 <DIR> --d----- c:\windows\pss
2009-02-13 23:33 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-13 23:29 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-02-13 23:29 <DIR> --d----- c:\program files\DNA
2009-02-13 23:29 <DIR> --d----- c:\program files\BitTorrent
2009-02-13 23:28 117,760 a------- c:\windows\system32\hpzll5ha.dll
2009-02-13 23:27 <DIR> --d----- c:\program files\HP
2009-02-13 23:26 26,496 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-02-13 23:23 647,872 -------- c:\windows\system32\Mscomct2.ocx
2009-02-13 23:23 41,984 -------- c:\windows\Ctregrun.exe
2009-02-13 23:22 122,771 a------- c:\windows\hpoins14.dat
2009-02-13 23:22 1,996 -------- c:\windows\hpomdl14.dat
2009-02-13 23:22 308,709 a------- c:\windows\system32\autorun.inf
2009-02-13 23:20 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-02-13 23:13 44,032 -------- c:\windows\system32\CTSVCCDA.EXE
2009-02-13 23:13 25,088 -------- c:\windows\system32\CTSVCCTL.EXE
2009-02-13 23:13 <DIR> --d----- c:\program files\common files\Creative
2009-02-13 23:13 <DIR> --d-h--- c:\program files\Creative Installation Information
2009-02-13 23:07 <DIR> --d----- c:\windows\RegisteredPackages
2009-02-13 23:06 <DIR> --d----- c:\program files\Creative
2009-02-13 22:41 <DIR> --d----- c:\windows\SHELLNEW
2009-02-13 22:27 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-13 22:26 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-13 22:26 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-13 22:26 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-13 22:26 <DIR> --d----- c:\program files\AVG
2009-02-13 22:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-13 22:19 <DIR> --ds---- c:\documents and settings\robin\UserData
2009-02-13 22:13 <DIR> --d----- c:\windows\Cache
2009-02-13 22:08 61,440 a------- c:\windows\system32\3Deep.dll
2009-02-13 22:08 <DIR> --d----- c:\windows\system32\Color
2009-02-13 22:08 <DIR> --d----- c:\program files\E-Color
2009-02-13 22:07 306,688 a------- c:\windows\IsUninst.exe
2009-02-13 22:06 516,096 -------- c:\windows\system32\ati2sgag.exe
2009-02-13 22:06 290,816 a----r-- c:\windows\system32\atiiiexx.dll
2009-02-13 22:05 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-02-13 22:05 <DIR> --d----- c:\program files\ATI Technologies
2009-02-13 22:02 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-13 22:01 41,852 a----r-- c:\windows\system32\UpdDrv2K.exe
2009-02-13 22:01 <DIR> --d----- c:\windows\OPTIONS
2009-02-13 22:00 3,311 a------- c:\windows\Ascd_tmp.ini
2009-02-13 22:00 5,824 a------- c:\windows\system32\drivers\ASUSHWIO.SYS
2009-02-13 21:58 <DIR> --d----- c:\documents and settings\Robin
2009-02-13 21:56 <DIR> --ds---- c:\windows\system32\Microsoft
2009-02-13 21:55 8,192 a------- c:\windows\REGLOCS.OLD
2009-02-13 21:54 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-02-13 21:52 77,824 ac------ c:\windows\system32\dllcache\quick.ime
2009-02-13 21:51 35,328 ac------ c:\windows\system32\dllcache\iprip.dll
2009-02-13 21:50 480,256 ac------ c:\windows\system32\dllcache\cintsetp.exe
2009-02-13 21:49 <DIR> --d----- c:\windows\system32\xircom
2009-02-13 21:49 2,577 a------- c:\windows\system32\CONFIG.NT
2009-02-13 21:49 0 a------- c:\windows\control.ini
2009-02-13 21:48 23,392 a------- c:\windows\system32\nscompat.tlb
2009-02-13 21:48 16,832 a------- c:\windows\system32\amcompat.tlb
2009-02-13 21:48 316,640 a------- c:\windows\WMSysPr9.prx
2009-02-13 21:46 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-02-13 21:46 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-02-13 21:46 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-02-13 21:46 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-02-13 21:46 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-02-13 21:46 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-02-13 21:46 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-13 21:46 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-02-13 21:46 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-02-13 21:46 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-02-13 21:46 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-02-13 21:45 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-02-13 21:45 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-02-13 21:45 <DIR> --d----- c:\windows\system32\DirectX
2009-02-13 21:44 <DIR> --d----- c:\program files\common files\MSSoap
2009-02-13 21:42 <DIR> --d----- c:\program files\Online Services
2009-02-13 21:41 <DIR> --d----- c:\program files\Messenger
2009-02-13 21:41 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-02-13 21:40 <DIR> --d----- c:\program files\Windows NT
2009-02-13 16:27 <DIR> --d----- c:\program files\common files\ODBC
2009-02-13 16:27 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-02-13 16:27 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-02-13 21:47 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-13 21:42 21,640 a------- c:\windows\system32\emptyregdb.dat
2003-07-31 04:53 147,456 a------- c:\windows\inf\EL2K_XP.sys
2003-07-31 04:50 448,768 a------- c:\windows\inf\EL2K_N64.sys
2003-07-31 04:43 147,456 a------- c:\windows\inf\EL2K_2K.sys

============= FINISH: 1:24:30.58 ===============

Edited by vanus draco, 14 February 2009 - 01:58 AM.
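The "Windows cannot find '...'" message quoted above is typically what Explorer shows when a drive's autorun.inf still points at a launcher file that the antivirus has already deleted, so the practical check is to read the removable drive's autorun.inf and look at what its launch keys point to. The script below is an added example, not the poster's or BleepingComputer's code; the autorun.inf contents are constructed (the launcher path is modelled on the quoted message, using the RECYCLER folder name from the thread title), and it flags launch entries that point into a RECYCLER folder or at an executable while ignoring harmless icon and label keys.

```python
"""Check an autorun.inf for launch entries that point into a RECYCLER
folder or at an executable, the pattern behind messages such as
"Windows cannot find 'RECYCLER\\S-...com'" when a drive is opened."""
import re

# [autorun] keys that make Explorer launch something when the drive is opened
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}
RECYCLER_RE = re.compile(r"(?i)(^|[\\/])recycle[rd]?[\\/]")
EXEC_RE = re.compile(r"(?i)\.(com|exe|scr|pif|bat|cmd)\b")

def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys.
    Hand-rolled instead of configparser so section and key names are matched
    case-insensitively, as Windows does."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_launches(text):
    """Return (key, target) pairs for launch keys whose target sits under a
    RECYCLER folder or is an executable; icon/label keys are never flagged."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in LAUNCH_KEYS and (RECYCLER_RE.search(v) or EXEC_RE.search(v))]

# Constructed samples (not captured from the poster's drive); the launcher
# path is modelled on the error message quoted in the post.
SAMPLE_INFECTED = """[AutoRun]
open=RECYCLER\\S-8-7-26-100012043-100021302-100003534-3633.com
shell\\open\\Command=RECYCLER\\S-8-7-26-100012043-100021302-100003534-3633.com
shell\\explore\\Command=RECYCLER\\S-8-7-26-100012043-100021302-100003534-3633.com
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
SAMPLE_CLEAN = """[autorun]
icon=setup.exe,0
label=My Passport
"""

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, suspicious_launches(sample))
```

To check a real drive, read its autorun.inf (a hidden file in the drive root) and pass the text to suspicious_launches; an empty result means no launch key points at a RECYCLER path or executable.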


#2 vanus draco

  • Topic Starter
  • Members
  • 2 posts

Posted 21 February 2009 - 02:04 PM

Never mind, I fixed it myself. No need to reply to this any more, thanks.

#3 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 21 February 2009 - 03:21 PM

Thanks for informing us.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



