#1 (permalink) |
|
Registered User
Join Date: Mar 2009
Posts: 3
OS: WinXP Pro SP3
|
Has anyone heard of this.
I had a user who had some type of malware, but I don't know what it is. Now I have it on my portable drive (after using it to back up her data) and I got it on my PC after trying to run SAV on the portable. (I had to reimage both PCs to get rid of it.) But I need to clean the portable drive before I use it again.

I have run SAV, SpybotD&S, Malwarebytes, but nothing can even detect whatever this is.

The symptoms are: User cannot open local HD. Error message is: Cannot find RECYCLER\S-8-8-24-100026533-100007783-100027606-8409.com c:\

The malware puts a false AUTORUN entry in the context (right click) menu. I have found this in the registry:

C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-8-8-24-100026533-100007783-100027606-8409.com C:\

Also it changes the DNS entries from DHCP to 83.255.112.67 and 85.255.112.170

There was also a process running (even in safe mode) called system that was constantly using 50% of the proc time. The user could not open or run any apps or do a proper shut down. I could not install Hijackthis and it probably would not have been able to run anyway due to the erratic operation of the system. Also the OS was XP Pro SP2.

Any ideas what this is or how to get rid of it without formatting the drive? Thanks.

P.S. I forgot to say that it was also periodically trying to read the floppy drive with no disk in it.

Last edited by TxTech; 03-12-2009 at 11:24 AM.
#2 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista
|
Re: Has anyone heard of this.
Hello TxTech and welcome,
Yes, we are familiar with this type of infection, however specifics are needed to pull it out. A HijackThis log won't do much good for this infection - see if you can download and run the tools as outlined in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help and post the requested logs in your next reply.
#3 (permalink) |
|
Registered User
Join Date: Mar 2009
Posts: 3
OS: WinXP Pro SP3
|
Re: Has anyone heard of this.
Sorry, Ried, I have already reimaged both PCs. I was able to fix the portable hard drive and my flash drive by deleting the autorun.ini file. I think I'm clean for now, but if I see this again, I will run the programs you suggested and get the log files. Thanks.
#4 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,897
OS: WinXP and Vista
|
Re: Has anyone heard of this.
Hi TxTech.
Thanks for getting back to me, I appreciate it. As long as you had a good image to push, that was your safest move.

Malware authors began a while ago to exploit the autorun/autoplay feature. These days, many security apps will disable it and even Microsoft recommends disabling it.

Disabling autorun/autoplay does not prevent you from accessing those media sources. They are still available by opening My Computer and accessing the source drive (cd, dvd, usb flash or external hard drive). Pictures on a camera can still be accessed/transferred through My Pictures and selecting Get Pictures from a Scanner or Camera. Media can also be accessed via the program you intend to use it with, such as music cds accessed via Media Player, blank cds via your burning program, image handling software provided with the camera, etc.

You can follow the instructions at Microsoft, or use Flash_Disinfector. This tool will disable the autorun feature as well as place a protective file on the drive to prevent this infection in the future. I highly recommend running this tool on any PCs you come across in your travels, and any removable drive.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
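
One way to inspect the autorun.inf file on a removable drive before trusting it, added here as an example (it is not part of any post in this thread and is not how Flash_Disinfector works). The function names and the sample file are assumptions; the sample is constructed around the command line quoted in post #1.

```python
"""Triage the [autorun] section of an autorun.inf read from a removable drive."""
import re

# Keys whose value is a command Windows may launch (double-click or context menu).
COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
HIDDEN_DIRS = re.compile(
    r"(^|[\\/ ,])(recycler|recycled|\$recycle\.bin|system volume information)[\\/]", re.I)
EXECUTABLE = re.compile(r"\.(com|exe|scr|pif|bat|cmd|vbs)\b", re.I)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, skipping junk and comments."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def triage(text):
    """Return (key, value, reasons) for every launch entry that needs a closer look."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not COMMAND_KEY.match(key):
            continue  # icon=, label= and menu captions launch nothing
        reasons = []
        if HIDDEN_DIRS.search(value):
            reasons.append("target inside a recycle-bin/system folder")
        if EXECUTABLE.search(value):
            reasons.append("launches an executable")
        if "rundll32" in value.lower():
            reasons.append("proxied through rundll32")
        if reasons:
            findings.append((key, value, reasons))
    return findings

# Constructed sample, modelled on the registry command quoted in post #1.
SAMPLE = r"""
[AutoRun]
open=RECYCLER\S-8-8-24-100026533-100007783-100027606-8409.com
shell\open\command=RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-8-8-24-100026533-100007783-100027606-8409.com
icon=shell32.dll,4
"""

if __name__ == "__main__":
    for key, value, reasons in triage(SAMPLE):
        print(f"{key}: {value}\n    -> {'; '.join(reasons)}")
```

Read the file as text from another machine or with autorun disabled; nothing here executes or opens the referenced targets.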