Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Unerasable virus similar to recycler virus but not that

  • This topic is locked This topic is locked
2 replies to this topic

#1 Rafael Diament

Rafael Diament

  • Members
  • 5 posts
  • Local time:12:55 PM

Posted 12 September 2009 - 07:21 PM

It's about an uneraseable virus (think so...) that looks like the recycler bin virus with a folder whose prefix is S-1-5-21-1801674531-1580436667-1343024091-1003 (the number changes everytime you make a fresh install but it allways starts with s-1-5-21 and end with 1003) in all the system hidden folders c:\recycler, etc. It's expanded all over the registry and it has some folders (S-1-5-21-etc.) with temporary uneraseable files (you shred them and they come back, it's like a Stephen King argument), I use unlocker to erase things (they are locked by the proccess explorer), I had even made a script with the command killproc for the explorer process to be able to delete everything but nothing happened. I have tried to use different antivirus and antimalaware solutions but they don't detect anything or this thing don't let the installation come to an end (or the update of definitions). The hijack part of a-squared anti-malaware detects the tricky autoruns and more, but when you try to block them (including ctfmon), the virus reacts aggresively and mess everything in the system. I have even tried to wipe the whole disk (including erasing the mbr, bios, cmos, everything) using utilities disks like hirens and more, but it looks like this crap moves from disk to RAM and backwards so I don't know what to do about it. I have tried Comodo firewall but it wasn't of much help. Avira neither. Mamutu behaviour blocker (from a-squared) is kind of a good protection (it doesn't clean but keep things safe) so are other heuristic antivirus. But they can't clean it. One thing is clear. It infects Windows XP or Vista (installing Vista you can see a hidden and uneraseable partition Z:) but it can't infect Linux (tried Ubuntu, Fedora and its allright). I attach the logs of Hijack and Root Repeal and hope somebody can help me about this.

Thank you. Rafael Diament.

Attached Files

BC AdBot (Login to Remove)


#2 Net_Surfer


  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:08:55 AM

Posted 27 September 2009 - 11:20 PM

Hello and :( to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay


We need to see some information about what is happening in your machine.

Please perform the following scan:

Posted Image
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Kind regards


#3 teacup61


    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:55 AM

Posted 08 October 2009 - 05:22 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image

Error reading poptart in Drive A: Delete kids y/n?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users