How to remove a recycler virus

[smokei]

hi i was wondering if anyone could help me. my whole system has been infected with a recyler virus and i cannot seem to remove it.. i've tried anti virus such as avg and zone alarm but to no avail. this virus has infected my external hard drives as well and the data on them cannot be replaced..

if anyone has any advice or can tell me how to get ride of it it will be greatly appreciated.

Thanx =D

[Frozenfireside]

Backdoor.IRC.RPCBot.

Yes?

http://www.symantec.com/security_respon ... 99&tabid=3

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Restart the computer in Safe mode or VGA mode.
3. Run a full system scan and delete all the files detected as viral.
4. Delete the files in the C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS, and then delete the folder itself.
5. Reverse the changes that were made to the registry.

For specific details on each of these steps, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

* Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
* Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.


2. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.

* For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, refer to the document, "How to start the computer in Safe Mode."
* For Windows NT 4 users, restart the computer in VGA mode.



3. Scanning for and deleting the infected files

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
* For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
* For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
2. Run a full system scan.
3. If any files are detected as infected by Backdoor.IRC.RPCBot, Hacktool, Hacktool.DoS, or Trojan Horse, click delete.


4. Deleting the files in the C:\RECYCLER\S-1-5-21-57989841-1715567821-725345543-1004\LOGS folder

1. Using Windows Explorer, look for the folder C:\RECYCLER

WARNING: Do not confuse this with the similarly named Recycle folder
2. Do one of the following:
* If the folder does not exist, go on to the next section.
* If the folder does exist, go on to step c.
3. In the C:\RECYCLER folder, look for the S-1-5-21-57989841-1715567821-725345543-1004 folder. If it exists, look for the LOGS subfolder within it.
4. Delete any files contained within the \Logs subfolder.
5. Delete the S-1-5-21-57989841-1715567821-725345543-1004\LOGS folder itself.


5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit

Then click OK. (The Registry Editor opens.)

3. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\TFTPD32

4. If you do not use your computer as a TFTP server, you can delete the above mentioned key. Otherwise, in the right pane, modify the value data in the value:

"BaseDirectory".

to the correct value data.

5. Navigate to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

6. Modify the value to:

"DisableWebDAV"="00000001"

7. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

8. Modify the values to:

"EnableDCOM"="Y"
"EnableRemoteConnect"="Y"

9. Exit the Registry Editor.

[DeathStrike]

thanks. this is very useful. i know lots of ppl complaing bout this virus. its the one going onto ppls flash disks at college. stupid campus computers are using an outdated mcafee.(last update was like in 2006)

[smokei]

awesome thanx man hi 5 it worked beautifully =D

[Frozenfireside]

I am here to help.

[bretled]

Kudos to u Frozen.. I was going mad in finding a solution to eliminate this pest from my system. For the last time I made a desperate search and found this thread. Its gone now finally and what a relief for me! I would have treated you with something if u were in close proximity.

[Frozenfireside]

Make it a pint of Stella if you can Love ma Stella.

I'm up to 4 pints already helping people.

These threads will often help thousands of people because it will get put on google and it will find all the key words searched for.

My pleasure.

[Chasel]

The removal instructions, posted above, for this malware, from Symantec's website are ineffective at best. I tried them and they don't work

I was infected with this virus onto my memory stick from a DTP publishing house whose staff are too stupid to realise their workstation is a vertiable cesspool of viruses and malware.

This malware's executable is known as BLuE.exe or BLaCK.exe, to remove it you will need:

Prevx CSI 3.0
HijackThis
FlashDisinfector
Knowledge of DOS commands.

1)Use Prevx CSI to reveal where it is hiding
2)Use HijackThis to remove the process from memory and any related registry entries
3)Then kill explorer.exe in Task Manager
4)Create new task called cmd.exe
5)in the DOS window I went to the C:\Recycler\S-11....... folders
6)Use the undocumented DOS dir/ah/w command to show the folders/files
7)Use DEL command to delete the malware
8)Reboot machine and confirm the malware no longer runs
9)Download FlashDisinfector
10)Kill explorer.exe
11)insert infected memory stick
12)open dos window using "create new task" like before
13)delete autorun.inf
14)look for hidden/system directories on your memory stick and delete them
15)run FlashDisinfector
16)Create new task called explorer.exe to restore desktop

[KALSTER]

A handy way to stop those Autorun.inf viruses is to first get rid of it. Then create your own Autorun.inf folder on your C:\ and flash drives and make them hidden. Then the virus won't be able to overwrite the folder and infect your drives anymore!

[Anthro]

Sooo.. everytime you open your C:\ it asks to run a program ?
Not the best solution in my opinion.

[KALSTER]

Sooo.. everytime you open your C:\ it asks to run a program ?
Not the best solution in my opinion.

It doesn't. There should be nothing in the folder, no Open commands or anything. I did it on my PC and it is doing nothing of the sort.

Source