
autorun.inf Recycler



#1 sweenox

sweenox


Posted 29 March 2009 - 10:33 PM

It all started in the afternoon when I found out I couldn't access my C drive, so I scanned my computer with Norton 360 and, sure enough, it found a virus, and I proceeded to delete it. After restarting my computer as suggested by Norton, I found out that I was able to access my C drive {hooray}. Though I assumed it was fixed, I wanted to make sure it was gone for good, so I downloaded Malwarebytes and Autorun Eater as suggested by other forums. So this is where I'm stuck: Malwarebytes won't run, and Autorun Eater keeps detecting a "suspicious" file. This is what Autorun Eater shows it as:
[autorun]
;lqxbdlvwkjpbejsizqvk
shellexecute="RECYCLER\S-3-9-56-100021... c:\"
;bzmkmrpmhduoaoghf
shell\Open\command="RECYCLER\S-3-9-56-... c:\"
;xzugnnvjnxsangvdamctjsdthlh
shell=Open

So I assume that I still have the virus. I tried deleting it through CMD, the whole "attrib -r -s -h" etc., and I keep typing the "del autorun.inf" command, and the command prompt confirms that there is no such file to be deleted [file no longer exists], but Autorun Eater begs to differ and keeps detecting it. I'm losing my sanity over this stupid Recycler virus. What to do? Please reply, I'm desperate. [As you can tell, I joined this forum like a minute before I posted this topic.]

Edited by sweenox, 29 March 2009 - 10:34 PM.
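The autorun.inf quoted above has the shape that tools like Autorun Eater flag: launch directives (shellexecute, shell\Open\command) pointing into a RECYCLER folder, a shell=Open line that makes double-clicking the drive run that command, and random-letter comment lines inserted to vary the file's hash. The script below is an added example, not Autorun Eater's code or anything from this thread; it parses a copy of an autorun.inf as plain text and reports those indicators, so a defender can review a drive's autorun.inf offline without executing anything. The two sample files are constructed for the example; the RECYCLER path and SID in the suspicious one are placeholders, not the poster's values.

```python
"""Heuristic review of autorun.inf files (added example; not the forum's or any vendor's tool)."""
import re
from typing import List, Tuple

# Directives that make AutoRun/AutoPlay launch a program.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command also launches a program when that verb is used.
LAUNCH_KEY_RE = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)

# Legitimate autorun.inf files have no business launching from these places.
SUSPICIOUS_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")

# Constructed sample in the style of the file quoted in the thread (placeholder paths).
SAMPLE_SUSPICIOUS = r"""[autorun]
;lqxbdlvwkjpbejsizqvk
shellexecute="RECYCLER\S-1-5-21-EXAMPLE\EXAMPLE.exe c:\"
;bzmkmrpmhduoaoghf
shell\Open\command="RECYCLER\S-1-5-21-EXAMPLE\EXAMPLE.exe c:\"
;xzugnnvjnxsangvdamctjsdthlh
shell=Open
"""

# Constructed benign sample: only cosmetic directives, nothing is launched.
SAMPLE_BENIGN = """[autorun]
; drive artwork only
icon=setup.exe,0
label=Vendor Install Disc
"""


def parse_autorun(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return ([(key_lower, value), ...] from the [autorun] section, [comment, ...])."""
    entries, comments = [], []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:].strip())
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip().strip('"')))
    return entries, comments


def is_launch_key(key: str) -> bool:
    """True for any directive that causes a program to run."""
    return key in LAUNCH_KEYS or LAUNCH_KEY_RE.match(key) is not None


def looks_like_junk_comment(comment: str) -> bool:
    """Filler comments used to vary file hashes are one long alphanumeric token with no spaces."""
    return len(comment) >= 12 and " " not in comment and comment.isalnum()


def scan_autorun(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    entries, comments = parse_autorun(text)
    for key, value in entries:
        if is_launch_key(key):
            if any(d in value.lower() for d in SUSPICIOUS_DIRS):
                findings.append(f"{key} launches from a recycle-bin style directory: {value}")
            else:
                findings.append(f"{key} launches a program: {value}")
        elif key == "shell" and value:
            findings.append(f"default verb overridden (shell={value}); double-clicking the drive runs it")
    junk = [c for c in comments if looks_like_junk_comment(c)]
    if junk:
        findings.append(f"{len(junk)} filler comment line(s) with no readable text")
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"== {name} ==")
        for finding in scan_autorun(sample) or ["no findings"]:
            print("  -", finding)
```

Run it against a copy of the file (for example one saved with `type D:\autorun.inf > review.txt` from a clean machine, the drive opened with Explorer's AutoRun disabled) rather than on the infected drive itself. Note that `open=` and `shell\...\command` directives are also used by legitimate install discs, so the script reports every launch directive and only escalates the wording when the target sits in a recycle-bin style folder.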




#2 sweenox

sweenox

Posted 30 March 2009 - 01:05 AM

Ok, so I found a post http://www.bleepingcomputer.com/forums/ind...ler+autorun.inf, on what kind of seems to be my error. And following Panda's tutorial, I've come up with this.

========== FILES ==========
Folder c:\recycler not found.
Folder d:\recycler not found.
Folder e:\recycler not found.
Folder f:\recycler not found.
Folder g:\recycler not found.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03292009_225639

and then the next step calls for a scan with Malwarebytes, but unfortunately I can't run it. I guess the virus is keeping it from running, so I tried to run it in safe mode, but it doesn't work.

So I skipped to the BAT file part and got this:


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11e49e88-ca39-11dd-a3a6-0014a50f739a}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008060000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11e49e88-ca39-11dd-a3a6-0014a50f739a}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11e49e88-ca39-11dd-a3a6-0014a50f739a}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11e49e88-ca39-11dd-a3a6-0014a50f739a}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{92e87f90-10f4-11de-a42f-0014a50f739a}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCFCFCFCF5FCFCFCF5F5F5F5F5F5F5F5F5F5F000010000000000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b94d75f3-fe22-11dd-a405-0014a50f739a}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCFCFCF5F5F5FCFCFCF5F5FCF5F5F5F5F5FCF5F5F5F5F5FDFDF5F5F5F5FCFCFCFCFCFCFCFCF5FCFCFDF5F5F5F5F5F5F5F5F5F5F002000000000000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b94d75f3-fe22-11dd-a405-0014a50f739a}\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b94d75f3-fe22-11dd-a405-0014a50f739a}\_Autorun\DefaultIcon
<NO NAME> REG_SZ F:\SC.ICO

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c672b128-104d-11de-a42e-0014a50f739a}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5FCF5F5F5F5F5FCFCF5F5F5F5FCFCFCFCFCF00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db3cdbcc-a097-11dd-a35b-b7e3407e0c16}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F005F5F5F5F5FCFCF5F5F5F5F010100EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008020000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db3cdbcc-a097-11dd-a35b-b7e3407e0c16}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db3cdbcc-a097-11dd-a35b-b7e3407e0c16}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{db3cdbcc-a097-11dd-a35b-b7e3407e0c16}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b740c4-9f81-11dd-ba9e-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b740c5-9f81-11dd-ba9e-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF002000000009000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b740c5-9f81-11dd-ba9e-806d6172696f}\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b740c5-9f81-11dd-ba9e-806d6172696f}\_Autorun\DefaultIcon
<NO NAME> REG_SZ D:\setup.exe,0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b740c6-9f81-11dd-ba9e-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF006000000009000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b740c6-9f81-11dd-ba9e-806d6172696f}\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b740c6-9f81-11dd-ba9e-806d6172696f}\_Autorun\DefaultIcon
<NO NAME> REG_SZ E:\autoRcd.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f7b740c7-9f81-11dd-ba9e-806d6172696f}
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b94d75f3-fe22-11dd-a405-0014a50f739a}
Data
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{f7b740c4-9f81-11dd-ba9e-806d6172696f}
Data
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{f7b740c5-9f81-11dd-ba9e-806d6172696f}
Data
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{f7b740c6-9f81-11dd-ba9e-806d6172696f}
Data
Generation REG_DWORD 0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{f7b740c7-9f81-11dd-ba9e-806d6172696f}
Data
Generation REG_DWORD 0x1

and then proceeded to the next:

========== FILES ==========
Folder c:\recycled not found.
Folder d:\recycled not found.
Folder e:\recycled not found.
Folder f:\recycled not found.
Folder g:\recycled not found.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a5943ea3-6e52-11dd-ad2e-0016b65751d5}\\ not found.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03292009_230017

Right now I'm at the F-Secure scan part... I'll update some more when I'm finished scanning.



