BRFCS
[Archived] Trojan In C:\recycler



AVG free version has found the following. If I try to move it to the Virus Vault to delete I get the message that the file is too big for the Virus Vault. Have emptied the Virus Vault but still get the same message. If I search the C drive to try and delete the file myself I can't find it. I think these files are somehow buried in the area where Windows stores files which have been deleted from the Recycle Bin? We very rarely get this sort of problem so I'm a bit hacked off with it at the moment!

"C:\RECYCLER\S-1-5-21-944241250-2525932865-2683536958-1006\Dc297.rar:\setup.exe:\jkk.exe";"Trojan horse Downloader.VB.BTA";"Infected"

"C:\RECYCLER\S-1-5-21-944241250-2525932865-2683536958-1006\Dc297.rar:\setup.exe";"Trojan horse Downloader.VB.BTA";"Infected"

"C:\RECYCLER\S-1-5-21-944241250-2525932865-2683536958-1006\Dc297.rar";"Trojan horse Downloader.VB.BTA";"Infected"

Any suggestions?


I'm no expert in this kind of thing so this may be useless but have you tried this?

It's what I tend to use when my computer is doing something unusual (and it seems to work).

As I say though, I'm no computer expert so if my suggestion makes no sense feel free to ignore it ;)


Paul,

As above try running Malwarebytes - BUT - make sure you do it in safe mode with system restore turned off (then obviously turn it back on again when done)

If you do not know how to do that let me know and include your operating system.

Malwarebytes may not be able to remove it but it's a start (in fact because of this you may have trouble actually installing it).


Thanks for the advice guys. Some of it I had already done, the rest I have done.......sadly no success. To date I have run in both safe (with System Restore turned off) and normal mode:

AVG 8.5 - paid for version

Spybot

Malware

AdAware

None have been successful in removing these. Any more thoughts? I shall be whizzing off an e-mail to AVG support shortly.


In that case Paul I am not so sure. The spyware remover is meant to get rid of this from what I have read although certain viruses can disable scanners so although they may appear to be running they may not be working properly.

It could mean running around the registry deleting certain keys (which is kind of what your scanner does for you) but best see what AVG have to say as I wouldn't want to advise you on that myself.


Unless I'm missing something obvious ....

These are trojans rather than active infections (therefore deleting them should be enough). Makes life easier.

C:\Recycler is a bit special in windows terms, but you know it as your recycle bin.

Windows kindly renames stuff in the recycle bin (for reasons best known to MS), but the extensions stay the same.

So. Look in your recycle bin for a .rar file and delete it.

Hopefully it's as easy as that.

Oh and the reason that AVG/MalwareBytes etc won't remove it is that it's currently found inside a compressed archive file (a .rar to be precise) and whilst reading them is easy, removing the infected files from the archive, without potentially screwing up other things in the archive, is rather tricky.

But as you don't need the .rar (why else would it be in your recycle bin) you can just chuck it all away.


Hopefully it's as easy as that.

Sadly it's not. Had already emptied the recycle bin and the infections are still there. From what I have read C:\Recycler is where Windows puts the files people think they have deleted and they then show in the Recycle Bin? The impression I get from reading is even if deleted from the Recycle Bin the files still exist. It's like when the police investigate someone's PC and find all the evidence which the suspect thought was deleted - or do I watch too many crime thrillers?

I have searched - twice - for *.rar and this only finds RELIENTCLIENTWITHAUTOLOGIN.RAR (even Google doesn't know what that is) plus a load of emulator files for iTunes, which I assume are safe.

Have also re-run all the spyware tools above - which don't find these Trojans - and uninstalled / re-installed a new download of AVG. The AVG programme is the only one that finds them.

Must remember to shout at AVG today as they haven't replied to my e-mail.


Well. C:\recycler is like any other folder in so much that if a file is deleted, its content isn't removed; it's just the pointer to it (think of it like an index in a book) that is removed and the space it occupies is made available for other things to use. But looking at the AVG output, that thinks the pointer to the file is very much there.

So my guess would be either ....

AVG is being mental and reporting something it found on a previous scan which is no longer there.

You have a rootkit or similar installed that is lying when you ask to see what is in C:\Recycler (although that would trick AV software too, normally).

Edit ..... or .....

The sub folder in C:\recycler called S-1-5-21-944241250-2525932865-2683536958-1006 is hidden and you have Windows configured not to show (or search) hidden folders. To check this, in Explorer (i.e. your C:\windows window, not Internet Explorer) select Tools, then Folder Options, then View, then "Show hidden files and folders".
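For the hidden-folder check just described, here is an added PowerShell example (not code from this thread or from AVG) that lists the SID-named subfolders under C:\RECYCLER with hidden and system items included and reports any .rar archives inside them. It assumes PowerShell 4 or later (for Get-FileHash) and a Windows XP-era recycle-bin layout like the one in the AVG output; the folder and file names are only the ones seen in the thread.

```powershell
# Added example, not from the thread: enumerate the per-user SID folders under
# C:\RECYCLER, hidden items included, and report any .rar files found there.
$recycler = 'C:\RECYCLER'   # XP-era recycle-bin store; itself hidden + system

if (-not (Test-Path -LiteralPath $recycler)) {
    Write-Host "$recycler not present (Vista and later use C:\`$Recycle.Bin)"
    return
}

# -Force is the key: without it hidden and system entries are skipped, which
# is exactly why a plain Explorer search can come back empty here.
$sidFolders = Get-ChildItem -LiteralPath $recycler -Force |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'S-1-5-*' }

foreach ($folder in $sidFolders) {
    Write-Host "SID folder: $($folder.FullName)  attributes: $($folder.Attributes)"
    Get-ChildItem -LiteralPath $folder.FullName -Force -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.rar' } |
        ForEach-Object {
            # A hash lets you compare the file with what AVG reports or
            # submit it to the vendor without handling the archive contents.
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path       = $_.FullName
                SizeBytes  = $_.Length
                Attributes = $_.Attributes   # expect Hidden/System flags here
                SHA256     = $hash
            }
        } | Format-List
}
```

Run it from an elevated PowerShell prompt; if nothing is listed even with -Force, that supports the other two possibilities above (a stale AVG report or something hiding the folder contents).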


Funny you mention this, I had it today but figured out what it was. When I use the USB link from my phone to laptop, AVG recognises it as a virus when I transfer any files to the computer. When I remove it, it is fine.

Are you connecting/have anything connected when it happens?
