I appear to have a virus which replicates via USB sticks. It activates the process recycld.exe and installs an autorun on the USB to infect new computers. It also deactivates Task Manager and access to the registry! I have tried multiple virus scanners (including avast) in both normal and safe mode, but none of them seem to find it… Avast on another computer stopped it being infected, but it won't seem to remove the infection from this machine.
Hi,
it may be caused by some registry values.
Try to run “regedit” and check the keys listed below.
If the regedit tool is also disabled, it may be “HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools”, Value=1; a solution can be found here: http://www.pcreview.co.uk/forums/thread-1713099.php
If you can’t run regedit.exe after you set “HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools” to value 0, then it could be caused by “HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe”, so you can rename/copy regedit.exe to another name, e.g. re.exe, and try to run that one.
Task manager can be disabled by:
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr, if the value is set to 1.
Maybe some application blocks others:
If regedit is successfully launched then check these keys (HKLM=HKEY_LOCAL_MACHINE, HKCU=HKEY_CURRENT_USER):
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Run
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM(HKCU)\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM(HKCU)\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
(subkeys with key “Debugger” set to e.g. “ntsd -d” (except key “Your Image File Name Here without a path”)).
Also check the startup folder in the start menu (e.g. C:\Documents and Settings\ for WinXP):
<start_menu>\All Users\Start Menu\Programs\Startup
<start_menu><loginName>\Start Menu\Programs\Startup
If you find any files that are linked from the registry keys listed above, or the “recycld.exe”, please send them to virus@avast.com to improve protection.
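As an added example (not part of the thread), the following PowerShell script walks the policy, autostart and Image File Execution Options locations named in the reply above under both HKLM and HKCU, prints every value it finds, and warns on the specific settings that disable regedit and Task Manager or hijack an executable via a Debugger value. It only reads the registry; what to remove is still a manual decision. Run it from an elevated PowerShell prompt.

```powershell
# Added example: enumerate the autostart and policy locations from the reply
# above so they can be reviewed before anything is changed. Read-only.
$hives     = @('HKLM:', 'HKCU:')
$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ifeoKey   = 'Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$notifyKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Key -> value names to show ($null = show every value under the key).
$targets = @{
    'Software\Microsoft\Windows\CurrentVersion\Run'                         = $null
    'Software\Microsoft\Windows\CurrentVersion\RunServices'                 = $null
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'       = $null
    'Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'= $null
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'                  = @('load', 'AppInit_DLLs')
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'                 = @('Userinit')
}

foreach ($hive in $hives) {
    # 1. Policy values that disable the tools (1 = disabled).
    $pol = Get-ItemProperty -Path "$hive\$policyKey" -ErrorAction SilentlyContinue
    foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
        if ($pol -and $pol.$name -eq 1) {
            Write-Warning "$hive\$policyKey\$name = 1 (tool disabled by policy)"
        }
    }

    # 2. Autostart locations: print the values present.
    foreach ($sub in $targets.Keys) {
        $path = "$hive\$sub"
        if (-not (Test-Path $path)) { continue }
        $wanted = $targets[$sub]
        (Get-ItemProperty -Path $path).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and (-not $wanted -or $wanted -contains $_.Name) } |
            ForEach-Object { '{0}\{1} = {2}' -f $path, $_.Name, $_.Value }
    }

    # 3. Winlogon\Notify: each subkey names a DLL loaded at logon.
    Get-ChildItem -Path "$hive\$notifyKey" -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}\{1}' -f "$hive\$notifyKey", $_.PSChildName }

    # 4. IFEO: a Debugger value under <exe name> replaces that executable at launch.
    Get-ChildItem -Path "$hive\$ifeoKey" -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Write-Warning ('IFEO Debugger set: {0} -> {1}' -f $_.PSChildName, $dbg) }
    }
}
```

The reply's advice about a renamed regedit copy follows from step 4: an IFEO Debugger entry keyed on regedit.exe does not match re.exe, so the copy runs normally.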
Two versions are available:
1. If you have already installed .NET, download the app without .NET.
2. If you don’t, there is no need to install .NET; just download the app with .NET, as explained in the blog.