Ini info2

Keywords: ini info2
Description: Infected by Recycler & $RECYCLE.BIN virus/worm - posted in Am I infected? What do I do?: Hi, My computer has been infected by RECYCLER & $RECYCLE.BIN virus/worm and i cant get rid of them. Recycler intruded my PC from a USB pen drive that i inserted. I was using Norton Internet Security at that time but it didnt detect the worm/virus. Days later i saw $RECYCLE.BIN had also infected my PC. I am now using Kaspersky Internet Security 2010 but it also cannot detect &...

Welcome to BleepingComputer. a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

My computer has been infected by RECYCLER & $RECYCLE.BIN virus/worm and i cant get rid of them.

Recycler intruded my PC from a USB pen drive that i inserted. I was using Norton Internet Security at that time but it didnt detect the worm/virus.

Days later i saw $RECYCLE.BIN had also infected my PC. I am now using Kaspersky Internet Security 2010 but it also cannot detect & remove these 2 infections.

There are RECYCLER & $RECYCLE.BIN folders in every partition of my hard drive. If i manually delete these folders, they recreate themselves.

My computer has been infected by RECYCLER & $RECYCLE.BIN virus/worm and i cant get rid of them

How do you know? If Kaspersky is not detecting a threat in Recylcer, then what program is alerting you to infection?

The Recycle Bin (Recycler) folder is a feature which provides a safety net when deleting files or folders in Windows. The file(s) remain there until you empty the Ricycle Bin or restore the file. The actual location of the Recycle Bin varies depending on the operating system and file system used. On NTFS file systems, Recycler is the name of the Recycle Bin Folder which can be found in each partition on your hard drive. On FAT file systems, the folder is named Recycled.
  • Differences Between the Recycle Bin and the Recycler Folder
  • Working with File Systems
  • How NTFS Works
The Recycler folder contains a Recycle Bin directory for each registered user on the computer, sorted by their security identifier (SID). Inside the Recycler folder you will find an image of the recycle bin with a name that includes a long number with dashes (S-1-5-21-1417001333-920026266-725345543-1003) used to identify the user that deleted the files.
  • S - The string is a SID.
  • 1 - The revision level.
  • 5 - The identifier authority value.
  • 21-1417001333-920026266-725345543 - Domain or local computer identifier.
  • 1003 – A Relative ID (RID). This number, starting from 1000, increments by 1 for each user that's added by the Administrator. 1003 means the 3rd user profile that was created.
For more specific informaton about SIDS, please refer to:
  • Security Identifiers
  • Well-known SIDs
  • Well-known security identifiers in Windows
Once the recycle bins are empty, the legitimate directories should be empty as well. However, even after emptying the Recycler bin, the Recycler folder will still contain a "Recycle Bin" for each user that logs on to the computer, sorted by their security SID. If you delete the C:\Recycler folder, Windows will automatically recreate it on next reboot.

If you never saw these folders before, you should not be alarmed. The Recycler folder is hidden by default unless you reconfigured Windows to show hidden files and folders by unchecking "Hide protected operating system files " in Tools > Folder Options > View.

The Norton Protected Recycle Bin includes a directory called NProtect. which is is used to store temporary copies of files that the user has deleted or modified. This feature supplements the Windows Recycle Bin, creating a temporary backup of certain types of files that the Windows Recycle Bin does not back up. and allows the user to recover these protected files if they are accidentally deleted. NProtect is hidden from the Windows FindFirst/FindNext APIs using rootkit technologies. Since the hidden directory is not visible to Windows, files in the directory might not be scanned during virus scans but may be detected by anti-rootkit tools.

My computer has been infected by RECYCLER & $RECYCLE.BIN virus/worm and i cant get rid of them

How do you know? If Kaspersky is not detecting a threat in Recylcer, then what program is alerting you to infection?

Because these 2 folders have spread to every USB pen drive & external hard drive that i connected to my computer.

The RECYCLER folder has 2 hidden files which are 'desktop.ini' & 'INFO2' (which i saw by using WinRAR)

Yes, although the RECYCLER folder contains legitimate files, it is also a known hiding place for some types of malware which loads an autorun.inf file that modifies and uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command redirects to executing the malicious file as described here. The presence of a desktop.ini configuration file instructs Windows to display the folder RECYCLER as if it were actually a Recycle Bin.

alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator .
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Reboot your computer in " Safe Mode " using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders ).
  • If prompted to download the Full version Free Trial, just ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured )
    • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media. Note. If you only want to scan your usb (flash) drive, then instead put a check next to Custom Scan and click on (highlight) the drive letter associated with it.
    • In the top menu, click Settings > Change settings. and uncheck "Heuristic analysis " under the "Scanning" tab, then click Apply, Ok.
    • Back at the main window, click the green arrow "Start Scanning " button on the right under the Dr.Web logo.
    • Please be patient as this scan could take a long time to complete.
    • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
    • Click Select All. then choose Cure > Move incurable .
    • In the top menu, click file and choose save report list .
    • Save the DrWeb.csv report to your desktop.
    • Exit Dr.Web Cureit when done.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report )
    If you cannot boot into safe mode or complete a scan, then try doing it in normal mode. Be aware, this scan could take a long time to complete. . MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish .
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
    On the Scanner tab:
    • Make sure the "Perform Quick Scan " option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and " Scan in progress " will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say " The scan completed successfully. Click 'Show Results' to display all objects found ".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked . and click Remove Selected .
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
    • Exit MBAM when done.
    Note. If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
    • If Malwarebytes Anti-Malware results in any error messages, check the Help file's list of error codes within its program folder first. If you do not find any information, please refer to Common Issues, Questions, and their Solutions, Frequently Asked Questions. If the error you are receiving is not in the list, please report it here so the research team can investigate.
    • Some types of malware will disable Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware .

    As you instructed, i ran TFC & rebooted my PC when it asked to. Then i booted the computer in Safe Mode. Ran Dr.Web CureIt & express scanned my PC. It didnt find any malware. Then i ran Complete scan. But it took way too long to scan & i lost my patience and stopped the scan when it reached like 90%. It was 4 am & I couldnt stay awake anymore. Dr.Web CureIt did not detect the 2 viruses i had earlier reported. This is the log that it generated.

    Aone3GPConverter.exe/data002\\app\AddiTunes.exe;G:\New Softwares\A_1_3GP_Video_Convertor_4.43_ByMechoDownload\Aone3GPConverter.exe/data002;Trojan.PWS.Legmir;;

    Aone3GPConverter.exe/data002\\app\QT3GPPFlatten.exe;G:\New Softwares\A_1_3GP_Video_Convertor_4.43_ByMechoDownload\Aone3GPConverter.exe/data002;Trojan.PWS.Legmir;;

    data002;G:\New Softwares\A_1_3GP_Video_Convertor_4.43_ByMechoDownload;Archive contains infected objects;;

    Aone3GPConverter.exe;G:\New Softwares\A_1_3GP_Video_Convertor_4.43_ByMechoDownload;Container contains infected objects;Moved.;

    newinternettv2007full.exe\data005;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol\newinternett;Program.RemoteAdmin;;

    newinternettv2007full.exe\data006;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol\newinternett;Program.RemoteAdmin.21;;

    newinternettv2007full.exe\data007;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol\newinternett;Program.RemoteAdmin;;

    documents and settings\mike\desktop\lol\newinternettv2007full.exe;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol;Container contains infected objects;;

    arrieffie7(7uafb9ai).exe\runtime.exe;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol\arrieffie7(7;Trojan.Packed.650;;

    documents and settings\mike\desktop\lol\arrieffie7(7uafb9ai).exe;G:\New Softwares\NewInternetTV2007full_by_FOT9_F\NewInternetTV2007full.exe/documents and settings\mike\desktop\lol;Archive contains infected objects;;

    NewInternetTV2007full.exe;G:\New Softwares\NewInternetTV2007full_by_FOT9_F;Container contains infected objects;Moved.;

    Vista Transformation Pack 3.0.exe/data020\data006;G:\New Softwares\Vista Transformation Pack Installer\Vista Transformation Pack 3.0.exe/data020;Tool.CloseApp;;

    data020;G:\New Softwares\Vista Transformation Pack Installer;Archive contains infected objects;;

    Vista Transformation Pack 3.0.exe;G:\New Softwares\Vista Transformation Pack Installer;Archive contains infected objects;Moved.;

    BMSetup.exe\data003;G:\Old Softwares\Latest Softwares\\bwm\BMSetup\BMSetup.exe;Program.SrvAny;;

    BMSetup.exe;G:\Old Softwares\Latest Softwares\\bwm\BMSetup;Container contains infected objects;Moved.;

    I have used Malware Bytes before, but it wasnt able to detect the mentioned viruses. Do i still have to run it again?

    A0005131.exe/data002\\app\AddiTunes.exe;G:\System Volume Information\_restore\RP15\A0005131.exe/data002;Trojan.PWS.Legmir;;

    A0005131.exe/data002\\app\QT3GPPFlatten.exe;G:\System Volume Information\_restore\RP15\A0005131.exe/data002;Trojan.PWS.Legmir;;

    data002;G:\System Volume Information\_restore\RP15;Archive contains infected objects;;

    A0005131.exe;G:\System Volume Information\_restore\RP15;Container contains infected objects;Moved.;

    newinternettv2007full.exe\data005;G:\System Volume Information\_restore\RP15\A0005132.exe/documents and settings\mike\deskt;Program.RemoteAdmin;;

    newinternettv2007full.exe\data006;G:\System Volume Information\_restore\RP15\A0005132.exe/documents and settings\mike\deskt;Program.RemoteAdmin.21;;

    newinternettv2007full.exe\data007;G:\System Volume Information\_restore\RP15\A0005132.exe/documents and settings\mike\deskt;Program.RemoteAdmin;;

    documents and settings\mike\desktop\lol\newinternettv2007full.exe;G:\System Volume Information\_restore\RP15\A0005132.exe/documents and settings\mike\deskt;Container contains infected objects;;

    arrieffie7(7uafb9ai).exe\runtime.exe;G:\System Volume Information\_restore\RP15\A0005132.exe/documents and settings\mike\deskt;Trojan.Packed.650;;

    documents and settings\mike\desktop\lol\arrieffie7(7uafb9ai).exe;G:\System Volume Information\_restore\RP15\A0005132.exe/documents and settings\mike\deskt;Archive contains infected objects;;

    A0005132.exe;G:\System Volume Information\_restore\RP15;Container contains infected objects;Moved.;

    A0005133.exe/data020\data006;G:\System Volume Information\_restore\RP15\A0005133.exe/data020;Tool.CloseApp;;

    data020;G:\System Volume Information\_restore\RP15;Archive contains infected objects;;

    A0005133.exe;G:\System Volume Information\_restore\RP15;Archive contains infected objects;Moved.;

    A0005134.exe\data003;G:\System Volume Information\_restore\RP15\A0005134.exe;Program.SrvAny;;

    A0005134.exe;G:\System Volume Information\_restore\RP15;Container contains infected objects;Moved.;

    The detected _restore\RP ***\A00 *****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore . The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:
    • Restore Point Forensics
    • Forensic Analysis of System Restore Points in Microsoft Windows XP
    System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back " your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating systems configuration to an earlier date. See What's Restored when using System Restore and What's Not .

    System Restore is enabled by default and will back up the good as well as malicious files. so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat . Thereafter, you can delete it at any time.

    If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back " to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista .

    If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.


    Dc70.tmp;C:\RECYCLER\S-1-5-21-4241611754-1010757394-4064456881-1005;Archive contains infected objects;Moved.;




    C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851 (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully

    C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\RECYCLER\S-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe Infected: 1

    C:\RECYCLER\S-1-5-21-3497612302-3102775374-3015387129-1005\Dc1.exe Infected: Backdoor.Win32.Small.hpz 1

    C:\RECYCLER\S-1-5-21-3497612302-3102775374-3015387129-1005\Dc5.exe Infected: Backdoor.Win32.Small.hpz 1

    -- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.

    -- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools. [/i]
    • Vista users: need to right-click either the IE or FF Start Menu or Quick Launch Bar icons and select Run As Administrator) from the context menu.
    • Read the "Advantages - Requirements and Limitations " then press the . button.
    • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
    • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the . button.
    • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the . button afterwards:
      • Detect malicious programs of the following categories:
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area) : Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As. and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
  • -- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

    Photogallery Ini info2:

    Paguyuban KSE Unpad on Twitter: "Nah, ini info2 tth Kepengurusan ...

    Synchronized Beatbox on Twitter: "#Info2 : Regist di buka mulai ...

    Gunadarma Youth on Twitter: "Join Google I/O 2015! Daftar: http ...


    andinayuwananda : Mau tau info2 terkini tentang Arsitektur ITS ...

    Tune Talk Tone Excel Easy Biz - Pengenalan

    Dicode Suministros S.L

    Dicode Suministros S.L

    Tune Talk Tone Excel Easy Biz - Pengenalan

    January 2013 - | cari info event terkini ...

    Himpunan Alumni ESL | Klear (formerly twtrland)

    Cepetan Ikuti Event ini | Parade 2013, Festival Band dan ...

    info event band di Bekasi - September - | cari ...

    September 2013 - | cari info event terkini ...

    What Are These desktop.ini Files I Keep Seeing?

    Coming Soon "Launching Mini Album" - | cari info ...

    La presentacin "Servicio de Informtica y Comunicaciones ...

    SIPA FESTIVAL on Twitter: "@titotetot Poster beserta jadwal tampil ...

    event band maret di fatmawati jakarta selatan - ...

    Festival band dll.... bulan Pebruari 2013 - ...

    Reference | Jebat Must Die