SysChat


GopherOne 07-19-2012 01:32 PM

Recycler Virus
 
I am attempting to follow the steps in the SysChat removal of the Recycler virus. Step 3 calls for disabling folders and files using a command prompt. It has been many years since I have keyed any commands at a command prompt, so I am not sure how to disable folders and files in the Safe Mode. I tried a few times on my own, but nothing worked. I also need a clarification for Step 4. I am supposed to modify the “NoDriveTypeAutoRun” entries which have the “03fffffff” value in a couple of Registry folders, but there is no instruction of what the modification should be. Would any change accomplish the goal of disrupting the operation of the virus, or is there a specific change that must be entered? Thank you.

mhookem 07-19-2012 04:49 PM

Hello.
I've just found this post and had a look at the post on syschat.
It's the first time I've seen the post and it's nearly 10pm where I am.
So if you can hang on until tomorrow morning GMT I'll take a proper look and help you out.
In the meantime, unless you've got experience with dealing with the registry and the risks involved, leave it until I get back to you.
Thank you and goodnight!

Martin

GopherOne 07-19-2012 05:27 PM

Recycler Virus
 
Martin,

Thank you for your message. I look forward to your advice tomorrow.

GopherOne

mhookem 07-20-2012 06:31 AM

Removing The Recycler Virus
 
To change the file attributes from hidden or read-only, at the command prompt type attrib -r -a -s -h *.* and press Enter. This will remove the read-only, archive, system, and hidden attributes from all files.
Follow the rest of the instructions in the tutorial. Just double check the registry entries before you complete the following instructions. You need to change the registry entry value to what it states in the tutorial: 03ffffff

Martin

GopherOne 07-20-2012 10:40 AM

Recycler virus
 
Martin,

I still do not completely understand. According to the KarlM virus removal instructions, I must disable the hidden folders, system folders and read only attributes associated with [autorun.inf]. In your response I did not recognize any step to accomplish the disabling, nor did I recognize the modifications that should be made to the registry. I am rather inexperienced in working with the registry, so I want to be confident I understand what I need to do before I make any changes. Thank you. Vern

PS. When you referred to "the tutorial", were you referring to the KarlM instructions for virus removal, or something else?

mhookem 07-20-2012 12:20 PM

Sorry.
When you boot into safe mode and open up the command prompt, push the Windows start button, hold it down and then push the 'r' key.
This will open up the run window. Type in cmd and push enter to open up the command prompt.
Once you have, type in the exact command that I posted.
This is what will change the permissions of your files and folders.
Open the run window again and type in regedt32.
This is going to open up the windows registry.
Carry out a search for the entries stated earlier in the tutorial (the post you've been following).
If you have access to the internet via another computer let me know when you get this far.
Have you ever edited a registry entry before?

GopherOne 07-20-2012 12:38 PM

Recycler virus
 
I know changing the registry is risky for those without such training, so I have avoided it. I don't recall changing it in the past. Thank you for the more detailed instructions. I do have a laptop that I could use for access to the internet. I will have to be away for about three hours, but I should be back by about 1900 GMT. If that's too late, let me know and I can arrange for another time tomorrow or Monday.

mhookem 07-20-2012 12:57 PM

Yeah I'll be around. I'll keep an eye on this thread

mhookem 07-20-2012 02:17 PM

Ok hold on. I see what you mean. The instructions in the tutorial aren't very clear.
Hold on and I'll post instructions that are easier to follow. I'll try and get it done tonight.
It'll be in easier to follow steps and take you through every move.

GopherOne 07-20-2012 03:10 PM

Recycler virus
 
Martin, I'm back on line now. I am using a laptop, so I should be able to key in my desktop. I just read your last message. Do you want me to stand by, or should we convene at another time? Vern

mhookem 07-20-2012 03:24 PM

Boot into safe mode by pressing F8 during the boot process and select the 'boot into safe mode' option.

When your computer has finished booting, hold down ctrl+alt+delete together and select 'start task manager'.

Click on the processes tab and look for recycler.exe.
Right click and choose to end the process.

Go to My Computer and then go on to your root drive (usually the C drive)
(Windows 7).

Near the top left corner of the window, you should see a button labelled 'Organize'.

Click here and then select the 'Folders and Search' option.

You should have a small window open titled 'Folder Options'.

Click on the view tab and scroll down until you see 'Show hidden files, folders and drives'. Check this button.

Scroll down a little further and you will see 'Hide protected operating system files'. Uncheck this box.

Go into the root drive and look for a folder named 'recycler'.
Open the folder.

If you see any suspicious .exe files that you were unaware of using, delete them, including the recycler.exe file and autorun.inf file.

Hold down the Windows logo key and press 'r'; this will open the run window.
Type in regedt32 to open the registry editor.

Go to 'Edit' and choose 'Find'.

***Enter NoDriveTypeAutoRun and search. You should find the entries in HKEY_LOCAL_MACHINE\SOFTWARE\ and HKEY_CURRENT_USER\SOFTWARE.***

Once you've found the entries you need to right click and modify the data in the right hand window.

This is where you put in 33ffffff and click Ok

Reboot and complete a full virus scan.

If you can remember when you first got the virus, check any cd/usb or external drive for the infection as well, otherwise you'll get infected again.

Any problems and I'll have my pc on for the next hour or so.
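An added example, not part of the original thread or the poster's own method: a read-only check of the NoDriveTypeAutoRun values that the steps above have you look up. It assumes the values are REG_DWORD entries under the Policies\Explorer key and that the input is text in the layout `reg query` prints; the sample output is constructed, and the bit meanings are the documented drive-type flags, where a set bit disables AutoRun for that drive type.

```python
import re

# Documented NoDriveTypeAutoRun bits: a set bit DISABLES AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x04: "removable (USB/flash)",
    0x08: "fixed disk",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown type (reserved)",
}

# Constructed sample in the layout printed by `reg query <key> /v NoDriveTypeAutoRun`.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
"""

VALUE_RE = re.compile(r"^\s+NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {registry key: integer value} for each NoDriveTypeAutoRun entry."""
    found, current_key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
        else:
            m = VALUE_RE.match(line)
            if m and current_key:
                found[current_key] = int(m.group(1), 16)
    return found


def autorun_still_enabled(value):
    """List drive types whose disable bit is clear, i.e. AutoRun still fires."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def audit(text):
    """Map each key to the drive types where autorun.inf would still be honoured."""
    return {key: autorun_still_enabled(v) for key, v in parse_reg_query(text).items()}


if __name__ == "__main__":
    for key, enabled in audit(SAMPLE_REG_QUERY).items():
        print(key, "->", enabled or "AutoRun disabled for all drive types")
```

An empty list for both hives means an autorun.inf on a USB or external drive will not be launched automatically when the drive is attached.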

GopherOne 07-20-2012 03:50 PM

Recycler virus
 
Martin, Thank you for the new post. I will print out the steps and previous messages and attempt to apply the steps. I may be off line later, so if I don't talk to you again, thank you for your work in helping me. Vern

GopherOne 07-20-2012 04:34 PM

Recycler virus
 
Martin, There is a problem or two. I am still using MS Windows XP Professional, Service Pack 3. I have been able to find the equivalent folders and files in XP Pro, however. My problem is that when I attempt to delete the only file in the C:\Recycler folder, I get a message that I cannot delete the file because it is being used by another person or program. I am in the Safe Mode and have no other files or programs open now. Please help. Vern

mhookem 07-20-2012 04:39 PM

What's the name of the file?

GopherOne 07-20-2012 05:02 PM

Martin, I could not delete the C:\Recycler folder or its only file because the message in the resulting window said the file was being used by another person or computer. Thinking the file must be listed in the Task Manager, I tried to end a process in the Task Manager, but I am not sure that will work. I could not return to the root directory after ending Explorer.exe (no screen icons appeared), and the system would not let me end the processing of "smss.exe". (I am using trial and error to try to find the Recycler related file in use.) Please help me inactivate the Recycler file. Vern

mhookem 07-20-2012 05:12 PM

Ok. Looks like you're going to struggle.
I'll find a good removal tool and post the link tomorrow.

GopherOne 07-20-2012 05:27 PM

Recycler
 
Martin, I see that the Recycler folder in my External F Drive has the same folder as the C:\ folder, but that it also has what looks like a second file. It's actually another folder. The Properties indicate that it has 417 files in 35 folders, although it has no folder icon. The size of the second item in the F drive is 27.6 MB. I have not opened it for fear of activating some malware. It looks like I need some command to override the deletion prevention for active files and folders. I look forward to hearing from you tomorrow. Vern

mhookem 07-21-2012 05:25 AM

Try this software instead. It's sometimes difficult to explain manual removal instructions if you aren't very experienced with your computer's system.
I don't want you to go too far and make a mistake with other files and folders that I can't see.

If you have any problems with this software let me know. I haven't used it myself but everyone else seems to be pointing to this software, so good luck and post back to let everybody know if it worked.

Thanks!

Free Download - Autorun Virus Remover

GopherOne 07-21-2012 11:04 AM

Recycler virus
 
Martin, I just finished running the autorun virus detection program from the link you provided. I used the free, limited program. It seems to have scanned only my C:\ drive, but not my external hard drive, and possibly not my flash drive. It detected no threat. The Recycler folder remains on my C:\ drive.

After running the detection program, I went into the System Configuration Utility, hoping I could recognize something I could uncheck in the Startup tab. No luck. Please get back to me about the alternative. Vern

mhookem 07-21-2012 12:33 PM

Yeah don't worry about the recycle folder on your c drive, it's for the bin that you see on your desktop.
You should be able to set up the software to scan your other drives.
If it hasn't found anything how do you know you've got the virus?

GopherOne 07-21-2012 01:33 PM

Recycler virus
 
Martin,

I will look into scanning the F:\ drive and my flash drives.

A little background may explain my thinking, right or wrong. I have been using MS Security Essentials as my anti-virus software. A few weeks ago I started to receive results that said no threats were detected, but that the scan had not recognized C:\RECYCLER\ and followed by a long string of numbers indicating a file name. I talked with a knowledgeable former co-worker (I'm retired now) and she took the initiative to determine to her satisfaction that Recycler is a dangerous virus. I read about the virus also. My former co-worker was the one who referred me to SysChat.

I tried to follow the 5 step process from Karl M of SysChat, but was unable to get past step 2. In step 2 I thought I deleted the ctfmon.exe file, although a file with that name is still in the C:\Windows\System32 folder. At that point, my contacts with you began. After getting as far as Step 2, I re-ran a Security Essentials scan and for the first time in several weeks received no warning about anything not being recognized. The only change I had made was the deletion of the ctfmon.exe file. Nothing made sense to me, so I wanted to pursue the issue until I felt confident that I was virus free.

Your most recent message was somewhat reassuring. My only indication now of a virus is the existence of the RECYCLER folders in both the C and external drives. If those are the Recycle bins, then maybe I don't have a virus.

One final note. I did clean out my Recycle bin a day or two ago. That may explain the large difference between the contents of my C and external drives.

I apologize if this was a false alarm, and I thank you for taking time to help and educate me. Vern

mhookem 07-21-2012 02:05 PM

No problem. If you just carry out regular maintenance like defrag and disk checks and regular anti virus scanning it sounds like you'll be ok.

There is a legitimate process named ctfmon.exe (see: Frequently asked questions about Ctfmon.exe). There are viruses that like to try and pose as legitimate processes. Just another trick they use.

Any other problems with your pc, go ahead and post. I'll be happy to help.


All times are GMT -4.


Copyright © 2005-2013 SysChat.com

