
RECYCLER virus

Created: 08 Dec 2011 • Updated: 27 Dec 2011 | 5 comments

Really annoying, but if you try to unhide files and still don't see them, you can use either 7-Zip or 7-Zip Portable to go on your flash drive or other removable media and delete a folder called RECYCLER and autorun.inf (it is OK to remove these files, but the deletion is temporary). I used the avast! anti-virus and I can scan the whole computer, even the RAM. Still, it is still there. I had trouble with my flash drive, the computer not recognizing it. I just rebooted and it is OK. Also, when you get the autorun pop-up, you can see an open folder picture instead of the normal removable drive picture. This will show if you have it. It also shows up in Windows Explorer. Still can't completely delete it.


Thomas K

You might want to give the Norton Power Eraser a shot at removing this threat. The tool is designed to remove threats that hide from traditional AV.

http://security.symantec.com/nbrt/npe.aspx?lcid=10...

 

If possible submit a sample to Symantec or ThreatExpert for analysis.

http://www.symantec.com/business/security_response...

http://www.threatexpert.com/submit.aspx

KV1984

Hi, try disabling autorun by following the article mentioned below:

http://www.symantec.com/docs/TECH104447   

Also try the attrib command on the pen drive in the command prompt:

attrib -r -h -s -a "Drive location :\*.*" /s /d

If it is a single pen drive, try the step below, which worked for me:

Connect the pen drive, copy the contents to a folder on the desktop, format the pen drive, and then copy the contents back to the pen drive.

 

 

Mithun Sanghavi

Hello,

I see no reason to stress over the Recycler folder and Autorun.inf. However, what is important here is the content within the Recycler folder and the code in the Autorun.inf file.

Understand what the Recycler folder is:

http://support.microsoft.com/kb/171694

 

The RECYCLER folder is the recycle bin. The recycle bin on your desktop is simply a shortcut to all the RECYCLER folders in your computer. If you have a C:\ D:\ and E:\, your recycle bin shows the contents of C:\RECYCLER D:\RECYCLER and E:\RECYCLER. Having these RECYCLER folders on each drive saves the OS from having to copy a deleted file or folder from any other drive to the C:\ drive. 
 
Removing Recycler folder
 
Recycler is a read-only folder. To view the folder, go to Tools -> Folder Options -> View tab and uncheck the option "Hide protected operating system files". Right-click on the folder, go to Properties and unselect the Read-only option. Now it can be deleted.
 
Recycler Virus
 
A virus with the same name, Recycler.exe, has been identified; it should not be confused with the Recycler folder.
 
Understand what AutoRun.inf is
 
An autorun.inf file is a text file that can be used by the AutoRun and AutoPlay components of Microsoft Windows Operating systems. For the file to be discovered and used by these components, it must be located in the root directory of a volume. As Windows has a case-insensitive view of filenames, the autorun.inf file can be stored as AutoRun.inf or Autorun.INF or any other case combination.
 
So, the code written inside the Autorun.inf could sometimes be used for triggering another virus file which may be hidden in the machine / network / removable drive, and that is the major reason we suggest everyone disable the AutoRun functionality.
 
 
Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cus000

Hi,

 

Do you mean recycler.scr?

 

You can try viewing hidden files using the command below:

c:\>dir /a:h /s d >check.txt

 

Also, SEP should detect this threat; if it's a new variation, do submit the sample to Symantec.