Solved Recycler virus (unremovable)

How do you take such beautiful screen shots?

My internet connection is through a USB dongle, Vodafone Mobile Broadband (not cable or telephone). When I start up my computer, it autoruns and asks if I want to connect to the internet. Will Flash Disinfector disable its autorun file? I hope it will not create any problems with my internet connector.

One of my music software "Swar Shala Pro" runs on an older version of Java. I have updated it, but am not sure if it will run properly if we delete the older version. When I tried installing it (after formatting the C: drive some time ago due to virus problems), on the latest version of Java, it wouldn't install. I had to reinstall the old version of Java on which it was originally installed. I'm not sure if the developers have taken care of this, in their update.

Is removing older versions of Java mandatory?
 
The Flash Disinfector messed up my internet connection. I did a system restore to undo.

THE NEXT STEP: OTL LOG FILE

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-842925246-1659004503-1801674531-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-842925246-1659004503-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 111826 bytes

User: MADHAVI
->Temp folder emptied: 326588 bytes
->Temporary Internet Files folder emptied: 1726926 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 39006839 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 487 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 402 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 41.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: MADHAVI
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12242011_110731

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\MADHAVI\Local Settings\Temporary Internet Files\Content.Word\~WRS{24E77BE0-D184-48DB-8B65-7ED1402A1313}.tmp not found!
File\Folder C:\Documents and Settings\MADHAVI\Local Settings\Temporary Internet Files\Content.Word\~WRS{54BCB50D-9760-4E24-AA0D-B84A10078323}.tmp not found!
File\Folder C:\Documents and Settings\MADHAVI\Local Settings\Temporary Internet Files\Content.Word\~WRS{A5DB1A90-8F97-4530-AB6A-2CE4341CB0E5}.tmp not found!
File\Folder C:\Documents and Settings\MADHAVI\Local Settings\Temporary Internet Files\Content.Word\~WRS{CAF522FB-6AC1-4AFE-94CC-8369F0C86AA1}.tmp not found!
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6d8.dat not found!

Registry entries deleted on Reboot...
 
Just one step. i.e. The system was restored to as it was before running Flash Disinfector. I started today with the Flash Disinfector and encountered the problem, so I restored it to yesterday, when you replied, "Go on......". Yesterday I didn't have time to go on.


I started the process today with Flash Disinfector. So except for that everything is as it was.

Then I ran the OTL, installed the latest version of Java, and removed the older versions with JavaRa.
 
Security Check Log:-

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Avira Free Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 12
Java(TM) 6 Update 14
Out of date Java installed!
Adobe Flash Player ( 10.3.183.11) Flash Player Out of Date!
Mozilla Firefox (3.6.24) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````
 
Done with TFC (Temporary File Cleaner).

Now only thing that remains is ESET Online Scanner. I'll do that tonight, when the Internet Traffic is less and speed is faster.

After that I'll inform you.
 
Just one step. i.e. The system was restored to as it was before running Flash Disinfector. I started today with the Flash Disinfector and encountered the problem, so I restored it to yesterday, when you replied, "Go on......".
You should be fine then.

Update Adobe Flash Player
Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/...-flash-for-firefox-and-ie-without-any-extras/

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
 
It's here already, so wish you a very MERRY CHRISTMAS

The ESET log:

C:\Documents and Settings\All Users\Application Data\Autorun Eater\Autorun Backup\autorun0.inf INF/Autorun virus deleted - quarantined
C:\Documents and Settings\MADHAVI\My Documents\Downloads\New Softwares\Unlocker 1.9.1\Unlocker1.9.1.exe Win32/Adware.ADON application deleted - quarantined
C:\System Volume Information\_restore{7ACBB082-AE1F-4D9C-A0AF-0CA08E253B8A}\RP1\A0000177.exe a variant of Win32/AutoRun.Agent.ACU worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{7ACBB082-AE1F-4D9C-A0AF-0CA08E253B8A}\RP1\A0000234.exe probably a variant of Win32/AutoRun.Agent.ACU worm cleaned by deleting - quarantined
C:\System Volume Information\_restore{7ACBB082-AE1F-4D9C-A0AF-0CA08E253B8A}\RP15\A0004780.inf INF/Autorun virus deleted - quarantined
 
Not here yet but....


Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
Your computer is clean (What a beautiful Christmas Present)

In computing terms, I'll say THANKS A TERA, or a TERA THANKS!

1. Updated the ADOBE FLASH PLAYER for Firefox (updated) and IE-8 (updated this too)
2. Java version I received this message: Congratulations! You have the recommended Java installed (Version 6 Update 30)
3. Ran JavaRa and removed the older versions.

now going for the latest instructions.

ONCE MORE: THANK YOU SO MUCH DUDE!
 
LOL! That's exactly how I feel like.

OTL log:-

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: MADHAVI
->Temp folder emptied: 99692 bytes
->Temporary Internet Files folder emptied: 1776773 bytes
->Java cache emptied: 2027 bytes
->FireFox cache emptied: 10921495 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 470 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 651 bytes

Total Files Cleaned = 12.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: LocalService

User: MADHAVI
->Flash cache emptied: 0 bytes

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.31.0 log created on 12252011_114303

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\MADHAVI\Local Settings\Temporary Internet Files\Content.IE5\UZUN2MNM\topic174723-2[1].html not found!
C:\Documents and Settings\MADHAVI\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_ac.dat not found!

Registry entries deleted on Reboot...
 
One more thing, about the external drive (backup 300GB) and the Flash Disinfector.
How do I clean it or ensure it is totally clean like the computer? ....before removing OTL.
 
In the opening post of this thread, I mentioned that Avira Free Edition (updated) doesn't detect this virus. Now if I connect my ext HD, and the virus gets back into action, I'll be back to square one. I'm scared to connect the ext HD to my computer. With great trepidation, I'll give it a try.

I get a Java error on starting the computer, "jusched.exe has encountered a problem and needs to close. We are sorry for the inconvenience".
 
Disable jusched.exe as a startup: http://www.howtogeek.com/howto/windows-vista/what-is-juschedexe-and-why-is-it-running/

As for connecting external drive, install this on your computer.
It'll prevent any external file to self-execute.
Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows version.
Please, use Panda USB Vaccine, or BitDefender’s USB Immunizer
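
The autorun.inf folder described in the note above can be checked from a script. This is an added example, not part of the original post and not Flash Disinfector's own code; the function names and the constructed sample file (including its RECYCLER path) are assumptions for illustration. It reports whether a drive root has no autorun.inf, a protective folder of that name, or a real file, and for a file it lists the commands it would launch without running them.

```python
import os
import tempfile

def launch_targets(text):
    """Return commands an autorun.inf would launch from its [autorun] section."""
    section, targets = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value)
    return targets

def audit_root(root):
    """Classify <root>/autorun.inf as 'absent', 'vaccinated' (a folder holds
    the name, as Flash Disinfector leaves it) or 'file' (plus launch targets)."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent", []
    if os.path.isdir(path):
        return "vaccinated", []
    with open(path, "rb") as handle:          # read only, never execute
        text = handle.read().decode("latin-1")
    return "file", launch_targets(text)

def demo():
    """Build two constructed drive roots in a temp dir and audit them."""
    # Constructed sample: the RECYCLER path and file name are made up.
    sample = ("[AutoRun]\r\n;junk line\r\nopen=RECYCLER\\sample\\placeholder.exe\r\n"
              "shell\\open\\command=RECYCLER\\sample\\placeholder.exe\r\n"
              "icon=shell32.dll,4\r\n")
    with tempfile.TemporaryDirectory() as tmp:
        infected, clean = os.path.join(tmp, "E"), os.path.join(tmp, "F")
        os.makedirs(infected)
        os.makedirs(os.path.join(clean, "autorun.inf"))   # vaccinated root
        with open(os.path.join(infected, "autorun.inf"), "w", newline="") as f:
            f.write(sample)
        return audit_root(infected), audit_root(clean)

if __name__ == "__main__":
    for status, targets in demo():
        print(status, targets)
```

On a real system, pass the drive root (for example the letter assigned to the external disk) to `audit_root`; a result of `file` with launch targets means the drive should be cleaned before it is opened in Explorer.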
 
After Flash Disinfector treatment as specified, when I connect the external drive from time to time, repeatedly get this error message in a Pop up window:-

Windows - No Disk (Title Bar)

[ICON] Exception Processing Message c0000013 Paramaters 756bf7c 4 756bf7c 756bf7c
(The ICON is a red circle with a thick white "x" inside)

(three buttons) Cancel Try Again Continue.

Did it. Scanned ext HD with MBAM instead of Avira and found 44 infections.

When we delete the detected infections, are the infections removed or the entire file deleted. If the entire file is deleted, then will the software run properly (if some imp exe file is deleted)?

Sometimes even if we put a certain file in the "ignore" list the antivirus keeps on informing that there is suspected infection in so and so file. What do we do then?
 
As for the first issue I suggest you start new topic in Windows\hardware forum.

When we delete the detected infections, are the infections removed or the entire file deleted.
Entire file is put to a vault or deleted if you opt to do so.

If the entire file is deleted, then will the software run properly (if some imp exe file is deleted)?
In that case you must reinstall program.

Sometimes even if we put a certain file in the "ignore" list the antivirus keeps on informing that there is suspected infection in so and so file. What do we do then?
It ignores for now but not for the future.
 
This is slightly off the topic, but, how do you take the snapshots of dialogue boxes? I tried it with a digital camera, but it didn't come out well. It is much easier to post a picture than describe the entire dialogue box (like the error message).
 