Trojan.generic found in Recycle bin

Hi,

There seems to be a virus attaching itself to my recycle bin. I followed some instructions found in the forum. Followed them step-by-step btw. Here are the directions:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then reenable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

The first time I tried to do this, my pc blue-screened on Dr.Web CureIt!. My hard drive would not even start. Apparently, this virus removed the actual driver files for the hard drive. At least there was something on the BSoD about an undetected hard drive. So, I formatted the pc, since that was the only way to get it to do anything. Thought the format would have completely removed it, but then it came back. I’m not sure how, because I installed and used the programs recommended here. I even switched to the Firefox browser before I downloaded avast and other safety programs.

This trojan.generic.1432807 that has shown up was detected by Spyware Terminator. It is listed as the following filename:

C:\$Recycle.Bin\S-1-5-21-2176286580-1352733964-43735590-1000\$RC8C6CI.exe

I moved it to the quarantine folder of Spyware Terminator. Avast doesn’t seem to detect it. CCleaner did hang up while emptying the recycle bin on a file named C:\$Recycle.bin\S1-5-21-217628658-1352733964-437335590-1000\$RMVQ8IY.exe. Now, since the 1st file mentioned has been quarantined, CCleaner has been able to successfully finish.

Could you tell me how to remove this file? Or is it now considered “inactive”? Is there an actual virus buried somewhere in my pc that is causing this type of thing to be recurring? It’s not the first time that I’ve seen this C:\$Recycle.Bin… type of file. When the problem first started (keyboard wouldn’t type, pc ran very slow, Yahoo Messenger wouldn’t function properly, etc.) there were files that would not delete from the recycle bin. The pc’s been formatted since then though, and not a system restore: an actual format C:\, delete it all and start from scratch.

How do I find the actual file(s) that are causing this problem to return and/or multiply? Also, I used Hijackthis and I do have a log file, but I don’t know what to do with it.
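The files named in the first post follow the layout Vista uses for the recycle bin: one folder per user SID under `C:\$Recycle.Bin`, and inside it a `$R<id>` file holding the deleted data next to a `$I<id>` record holding its original path, size and deletion time. The following Python script is an added example, not code from the thread or from any of the tools named in it; it builds a constructed copy of that layout in a temporary directory so it runs offline, then lists the recycled executables and decodes each one’s `$I` record so a responder can see where the file originally lived. The SID is the one from the post; the original path, size and timestamp are made up.

```python
"""List executable $R entries in a Vista-style $Recycle.Bin and decode their $I records.

Added example (not from the forum thread). build_sample_tree() fabricates a
$Recycle.Bin tree in a temporary directory; point find_recycled_executables()
at a real C:\\$Recycle.Bin (run elevated) to inspect a live system.
"""
import os
import struct
import tempfile
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Extensions worth flagging when they turn up as recycled $R files.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_index_file(data):
    """Decode a $I<id> record. Version 1 (Vista/7/8): fixed 520-byte UTF-16 path
    after the 24-byte header; version 2 (Windows 10+): 4-byte char count then path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I record version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "original_path": path}


def build_index_file(original_path, size, deleted, version=1):
    """Produce the bytes of a $I record (used here only to construct sample data)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = original_path.encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(original_path) + 1) + encoded + b"\x00\x00"


def find_recycled_executables(recycle_root):
    """Walk $Recycle.Bin\\<SID>\\ and return every $R entry with an executable
    extension, joined to its $I metadata when the record exists."""
    findings = []
    for sid in sorted(os.listdir(recycle_root)):
        sid_dir = os.path.join(recycle_root, sid)
        if not (sid.startswith("S-1-5-") and os.path.isdir(sid_dir)):
            continue
        for name in sorted(os.listdir(sid_dir)):
            if not name.startswith("$R"):
                continue
            if os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
                continue
            entry = {"sid": sid, "recycled_name": name, "path": os.path.join(sid_dir, name)}
            # The metadata twin shares the id and extension: $RC8C6CI.exe <-> $IC8C6CI.exe
            index_path = os.path.join(sid_dir, "$I" + name[2:])
            if os.path.isfile(index_path):
                with open(index_path, "rb") as fh:
                    entry.update(parse_index_file(fh.read()))
            else:
                # No $I record: the shell did not put this file here via a normal delete.
                entry["original_path"] = None
            findings.append(entry)
    return findings


def build_sample_tree(root):
    """Constructed sample data: SID from the thread, everything else invented."""
    sid_dir = os.path.join(root, "S-1-5-21-2176286580-1352733964-43735590-1000")
    os.makedirs(sid_dir)
    deleted = datetime(2009, 8, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
    with open(os.path.join(sid_dir, "$RC8C6CI.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # stand-in for the recycled executable
    with open(os.path.join(sid_dir, "$IC8C6CI.exe"), "wb") as fh:
        fh.write(build_index_file(r"C:\Users\example\AppData\Local\Temp\update.exe", 64, deleted))
    with open(os.path.join(sid_dir, "$RAB12CD.txt"), "wb") as fh:
        fh.write(b"notes")  # harmless recycled document, should not be reported
    with open(os.path.join(sid_dir, "$RMVQ8IY.exe"), "wb") as fh:
        fh.write(b"MZ")  # orphan executable with no $I record
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return find_recycled_executables(build_sample_tree(os.path.join(tmp, "$Recycle.Bin")))


if __name__ == "__main__":
    for hit in demo():
        print(hit["recycled_name"], "<-", hit["original_path"], hit.get("deleted"))
```

The original path recovered from the `$I` record is the useful lead: it tells you which folder the executable was deleted from, which is where to look for whatever dropped it. A `$R` executable with no `$I` twin was not placed there by an ordinary delete, which is itself worth noting in the log you post.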

Hello cb14 and welcome to the forums,

A good possibility would be deleting those in Safe Mode to eliminate those hang ups. How to Boot into Safe Mode

The first file you mentioned was already quarantined, so I could say, it is already isolated properly and can be considered as “inactive”.

About your HijackThis log, please attach it to your next reply. Just click Additional Options… in the reply window to enable attachment of files.

Alright here is a log from today, just made a few minutes ago. Thanks so much for your reply and help.

There doesn’t seem to be anything going on with my pc right now. Everything seems to be functioning normally. The only thing that worries me is the fact that this virus could activate itself again. I’m still not sure how it got activated in the first place. Is it possible for this virus to be one that activates itself after a certain length of time, automatically? But, barring that Dr.Web CureIt! activated the virus, it having some type of timer in its programming is my other theory. And this time Dr.Web neither activated nor found it.

About the reactivation of the virus, it will remain inactive unless something wrong happens to your AV. Moreover, if a firewall is not active, a trojan downloader may re-download the suspicious file; therefore, the infected file will not reactivate but will be substituted with another one. So it would be best to always have a good firewall.

Your log shows that you don’t use a firewall (or it could be deactivated by some malware). If possible, please consider enabling Vista’s Firewall or download an alternative one like:

  1. Agnitum Outpost Firewall
  2. PC Tools Firewall Plus
  3. Online Armor Firewall

NOTE: Use only one firewall. Two or more firewalls could cause system instability and conflicts.

I see that you have not added the Critical Updates to Vista as it is at SP2 now:
http://www.microsoft.com/downloads/details.aspx?familyid=A4DD31D5-F907-4406-9012-A5C3199EA2B3&displaylang=en <== full update

Go to Control Panel, then Automatic Updates, and set it to at least “Do not download updates but notify me”.

Update to IE8 as it is more secure and has performance improvements.

Run Secunia Online Software Inspector (OSI) to check your system for the most common program vulnerabilities:
http://secunia.com/vulnerability_scanning/online

Ok thanks. I did have the Windows firewall on, but I thought that it didn’t work. So, I will complete all of your recommendations and after that I should complete the 1st post’s list of steps again and the pc should be ok. Also, I do have Windows Update set to download but not install updates. I’d no idea that the Windows updates are so very important. I use Firefox now, is that an ok browser to use? Someone told me that it is better than IE, is that a common belief?

@cb14

Browsers are a personal thing and if you use the Internet with a browser there will be risks as there are lots of miscreants out there waiting to a) steal your personal information for their own personal gain or b) use your infected system to send spam through their botnet or c) slow the system to a crawl asking you to install their rogue remover.

It comes down to personal preference: IE8, and Firefox with its plethora of add-ons and multiple updates to fix its vulnerabilities just like IE8 does (however not as frequently), leave one with a choice, and I choose IE8 as I am comfortable with it.

Hi cb14,

IE8 is a hell of a secure browser as long as you do not use it at its defaults; YoKenny could tell you how to tune it with zone security and specific options/settings to make it a more secure browser. When you additionally use your machine’s account with just user rights to surf and use full admin rights only for updates and where you absolutely cannot do without, then your computer is secure against 97% of the known Windows malware - it simply does not have the rights to alter things in your system files for instance, so it cannot do as much harm as with full admin rights.
Firefox has the added security of security extensions like NoScript and RequestPolicy, where you can block any malicious script from running havoc or restrict where the page you visit can go (requests).
Google Chrome is a browser that is very hard to hack because of the sandbox-like qualities it has. It was developed anew and from scratch, and that could not have been done with IE or Fx or Flock.
I switch between Google Chrome and Firefox/Flock and use SpywareBlaster to secure all these various browsers I have on my system. Then there is the avast webshield as a last line of defense to disconnect you where a malcode re-direct is threatening (iFrame injection, malicious GIF and other website threats),
so the browser is not the problem so much as how to securely tweak it. YoKenny would also use a hosts block file so the nasties/insecure urls are going to 127.0.0.1 for instance, so your browser cannot go there…

polonus

P.S. I give your HJT logfile an all green; the only thing is you do not have an active firewall there, or
do you use the Windows firewall, which is one-sided by default…

D

@polonus

Malwarebytes Anti-Malware resident protection is an additional layer of protection that does not interfere with avast!

Plus, with its small lifetime fee, resident protection is well worth the investment.

WinPatrol as a Security Monitor provides an additional layer of protection.

Let’s keep the Internet safe. 8)

Don’t let malware in period.

Ok, I have added the recommendations and completed all the steps back to the HiJackThis log. So, here is the newest one as of right now. Also, TrendMicro RootkitBuster found those hidden files in the recycle bin and I did remove them all (8 in total). Now, perhaps this problem is nullified because well, my computer did start after doing all of this. That’s a definite improvement on the last time I tried to clean it up. And you guys have been so very helpful and all. Thank you all so much.

cb14,

Looks like you’re halfway to making your PC secure. A few more things to fix:

  1. Consider updating your OS’s current service pack (Vista SP1) to Vista SP2 via Microsoft Update.
  2. You are running 2 resident antispyware programs, Spybot S&D and Spyware Terminator; these two resident scanners may cause instability and conflicts. Please consider uninstalling one of those.

@cb14

Read about Crawler toolbar:
http://www.bleepingcomputer.com/startups/CToolBar.exe-14219.html

Ok, installed SP2 and removed those programs. Here is one last logfile in case any of you would like to see it. Thanks, you guys, my computer is working very nicely now, it’s almost like a new pc ;D

Congratulations cb14,

Your log shows no sign of any bad issues anymore.