Windows Legacy OS forum

General discussion

USB Stick Virus causes Windows XP Problems (RECYCLER.exe)

by VirusFighter / May 12, 2007 1:25 PM PDT

Hi,

I got an interesting Problem. I havent figured it out completely yet and hope for some support from you guys.
I?m not a geek, and moreover completely new at forums. But enough personal preliminaries.

I have an USB Stick. When I Plug it in, everything is fine, till i double click it in Windows Explorer. After I do so, it does something i havent really figured out. But so far I can report the following problems it seems to cause:

i) After a while i get a Windows error message that tells me: RECYCLER.exe has encountered a problem and needs to be closed, ...

ii) The USB Stick wont open anymore, when I double click it. I have to right click it and say explore out of the context menu.

iii) I cant show hidden files anymore in Folder Options! I solved this Problem already by following the tips of this Forum here in that thread:

http://forums.cnet.com/5208-6142_102-0.html?forumID=5&threadID=232457&messageID=2396828

I Used the Registry fix:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

in the right side of the window, there must be a entry called: checkedvalue

right click on it n and select ' value'....
if its value is set for ' 0' than delete it n set the value as ' 1'..
close the regedit window.....
now the problem must be gone......this worked in my system n now i can
unhide the hidden files......


This Registry Fix makes me capable to show hidden files in Windows explorer again.


iv) when i unplug the USB stick and Plug it in again, Windows just wouldn`t give me the menu with the Options what i want to do anymore.


As I said, I fixed the problem to show hidden Files. So there are two hidden Files on my USB Stick:

a) autorun
b) RECYCLER

autorun looks like this:

[AutoRun]
open=RECYCLER.exe
shellexecute=RECYCLER.exe
shell\Auto\command=RECYCLER.exe


What the RECYCLER.exe does, i cant really tell. I tried to figure out by disassembling it with a tool from HavenTools called PE Explorer:

http://www.heaventools.com/

But my Computer Skills seem to be not sufficient enough to analyse it properly. Can anybody help me?

Discussion is locked
You are posting a reply to: USB Stick Virus causes Windows XP Problems (RECYCLER.exe)
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: USB Stick Virus causes Windows XP Problems (RECYCLER.exe)
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Autorun/autoplay
by ttb123 / May 12, 2007 3:43 PM PDT

I don't feel that there is a virus on your USB drive. Just about any kind of media anymore has an autorun file on it. When you put the media (CDs, DVDs, floppies, SD cards) in your computer the 1st thing windows is programmed to do is to check for the autorun file and run it. Since the autorun points to the recycler.exe file then turning off autorun would stop this from happening. However, if you turn off autorun whenever you put a CD or DVD into the computer it will not automatically start it up. The error your getting with the recycler.exe I would ignore, but it is causing the problem with locking up explorer because something may be wrong with it. My suggestion would be to just delete the autorun file off of the USB drive as it wont mess up anything it just wont automatically startup for you. This prevents you of going through the hassel of turning off autoplay/autorun.

Collapse -
help.!
by nayboyd / September 22, 2007 4:36 PM PDT
In reply to: Autorun/autoplay

recycler.exe

Collapse -
Basically,...
by trublubush / May 12, 2007 3:45 PM PDT

what you have on that stick is a "Shuckbot" trojan. It appears that your computer's firewall/AV program is trying to block it.

What interests me is the stick itself: Wherever in the world did you get a hold of this little item??

But, what interests me even more is: Why don't you toss this stick out the window?? Why are you trying to analyze what could well be a college geek prank? USB sticks at a dime a dozen are definitely not all that! You could easily buy another one.

>Trublu

Collapse -
Not possible to buy new one
by c932408 / April 4, 2009 8:04 PM PDT
In reply to: Basically,...

May be you are a born rich person and you may say these words. Flash drives are not so cheap to discard them like a CD when infected from virus. They are not so cheap in many parts and hence your reply is not at all a worth.
Here we are discussing solution but not to get new one.

Collapse -
Did you note the date
by MarkFlax Forum moderator / April 4, 2009 10:47 PM PDT

of the post you are replying to?

Some 2 years ago.

Mark

Collapse -
Old discussion. Nothing new here.
by R. Proffitt Forum moderator / April 4, 2009 11:30 PM PDT

Let's lock it and let it drop back into the archives.

Collapse -
its a real problem...
by MoronZilla / May 13, 2007 3:03 PM PDT

i got a few things 2 say
for starters the virus has again been upgraded
and now has a recycler folder with an info.exe inside it, but because its essentially a recycle bin you cant actually see the info.exe - even with hidden and system files visible

@ TruBlu...
where i'm from, usb sticks aren't that cheap so its not as easy to just get a new 1

@ttb123
just deleting the autorun and recycler files doesnt stop it...
this is a problem, cuz wen i got a new usb stick and chucked it in my ****, the autorun and recycler appeared before i'd even done anything and like TruBlu sed, it is a shuckbot trojan, and once it occurs, the **** is infected and any usb stick put in gets the virus.
from what i've learned the virus doesn't really do anything but make everything complicated.

inside the autorun.inf is:

[autorun]
open=.\recycled\info.exe
shell\1=

Collapse -
Have You Tried??
by Grif Thomas Forum moderator / May 14, 2007 10:14 AM PDT
In reply to: its a real problem...

First cleaning out the machine by running a good trojan cleaner in SAFE MODE? Something like AVG Antispyware or TrojanHunter.

Ewido/AVG Antispyware 7.5 Tool

TrojanHunter

Also make sure to clean out the registry entries mentioned here so it won't attempt to load on the machine at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"Taskman"="C:\\WINNT\\system32\\drivers\\taskmen.exe"
"DataAccess"="C:\\WINNT\\taskmen.exe"

or this one as well:

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Recycle Bin Handler =<system folder>\recycler.exe

and delete it if they exist.

There are a couple of ways to go about this.. You can leave the infected flash drive in the USB port and scan it along with the rest of the computer WITHOUT opening it and attempt to clean it while it's in the port...OR... you can clean out the machine first, then place the drive and press the "Shift" key to hopefully prevent it from autorunning.. You could then open "My Computer", then RIGHT click on the removable drive and choose "Format" (or use the format utility for the specific model of flash drive you have, or run a RIGHT click scan with your antivirus or AVG Antispyware..

Hope this helps.

Grif

Collapse -
Nothing happened...
by MoronZilla / May 14, 2007 11:39 AM PDT
In reply to: Have You Tried??

thanks Grif but none of ur tips helped...i've got avg antispyware - as a matter of fact i have all the avg products and none of them did anything about it...i then downloaded trojanhunter but that didnt do anything either... :s

now about the registry entries...none of them are even in there, so i guess that wouldnt be the problem but thanks anywayz...

Collapse -
Cetrainly, but there's a way out
by ersdeedee / November 23, 2008 6:14 AM PST
In reply to: its a real problem...

Buddy, just get to kelly's corner and find a vbs file titled "show hidden files" and run it. Then find the autorun on your usb device and open it with notepad. In this, you would find the name of the program which the autorun links to, most probably recycler.exe or recycled.exe. This may be located in a RECYCLER folder on the root of the drive. Just take them out.
Then run msconfig from the run dialog choose the startup tab.
If you find iiiiii.exe or kavo.exe or tavo.exe or ckvo.exe or amvo.exe, uncheck them and delete them from the system32 folder in the windows folder.

Collapse -
its an trojan
by VirusFighter / May 14, 2007 6:02 PM PDT

First i want to thank you for all your support and advices.

I kinda got rid of that trojan. That means i don`t have any problems anymore and it doesn`t come back at least for the past few days.

What i found out is that this trojan is called "W32/SillyFDC-Y". The following link gives a few more informations:

http://www.sophos.de/security/analyses/w32sillyfdcy.html


But anyways there seem to be different variants of this trojan around. So I feel sorry for MoronZilla, that seem to have a more nasty version of it than myself had.

I could delete the autorun and RECYCLER files from all the removable medias that i have.

What makes me wonder is that my Sophos antivirus which is absolutely up to date didn`t detect this particular worm. A let it run several times over the hole computer intensively but it didn`t detect the expected worm.

Anyways what solved my problem was:

i) Deleting the above mentioned files from every removable media i found them on

ii) Cleaning out my entire registry using the cost-free registry cleaner: "Wise Registry Cleaner 2"

iii) running Sophos Antivirus intensively over my computer several times

iv) finally fixing the last registry problems that the worm screw up by hand and mainly using the Windows Tweak UI Registry Power Tool.


Everything seems to work fine again in my case. Hopefully it stays this way.

Cheers

Collapse -
all my drives :(
by m-jabi / May 19, 2007 12:06 PM PDT
In reply to: its an trojan

I have this stupid virus on all of drives now. I don?t know what to do and please don?t tell me to format my computer cause I don?t want to lose the data. by the way one of the weird things that now I cant show the hidden files. even when I change the option it automatically switch back to do not show hidden files !!!

Collapse -
dw...no formatting ;)
by MoronZilla / May 19, 2007 4:35 PM PDT
In reply to: all my drives :(

haha formatting won't even fix it...i format my drives most days but it just comes back :s but thx 4 da heads up about the hidden files thing...dunno how i'd go cuz i leave every file visible on my **** so...yer sry but i cant help u much...cuz so far all i've found is...well...nuthin...hopefully sum 1 can help...

Collapse -
Try this...
by RogueOnTheNet / November 28, 2007 9:07 AM PST
In reply to: dw...no formatting ;)

The simple solution is to format your drives. However, make sure you use the unconditional switch or you won't repair the boot sector. You do that like so...

a:>format c: /u

Apply the same rule to formatting other drives.

Another simple formatting fix is to download PCLinuxOS (http://www.pclinuxos.com/) and burn a live CD. You can then use it to format your drive and boot sector. PCLinuxOS will automatically handle overwriting and formatting the boot sector since it is installing a new OS on your drive. Go ahead and let PCLinuxOS install and set up. Now go back and reinstall Windows by inserting your Windows CD and starting up. Your drive will be reformatted.

That should get rid of it on your hard drives. Do this first, that way you know your PC is virus free.

Now, you can use the same PCLinuxOS live CD to format your USB drive! You can safely do this after Windows is installed. Just insert the PCLinuxOS live-CD and reboot. Don't install it, but just choose to run it as a live-CD. It won't install on your hard drive and mess with Windows or anything. Once it is up and running, you plug your USB drive in. Then, you will be looking at your Linux desktop...click on the "install" icon on your desktop.

You should get a dialog asking if you want to install it and whatnot (it's been a while since I did it to my USB drive)...and you install it to your USB drive. This will overwrite the USB drive boot sector and format your drive.

Later on, reboot your PC in Windows. Insert your USB drive. Reformat it from Windows. Your problems should be gone.

But really, once you install PCLinuxOS on your PC...you may just wonder why the heck you ought to ever go back to using Windows. I run a dualboot WinXP Pro and PCLinuxOS box. I used to have it triple-boot and run those two and either Debian or SuSe...but now I'm just using Windows for music recording software and playing happily on PCLinuxOS.

Hope this helps.

Collapse -
You replied to a post that was 6 months old
by PudgyOne / November 28, 2007 7:10 PM PST
In reply to: Try this...

I think the solution was already found.


Rick

Collapse -
Formatting your hard drive...
by soul83 / May 20, 2008 4:00 AM PDT
In reply to: Try this...

Using the format switch /u might be a good idea. But I would personally go for zero-filling the entire hard drive to completely erase all the data. Western Digital and Seagate offer free drive utilities that take care of this.

Just download the software onto floppy drive or create a bootable cd (nero and most other burning apps have a burn from ".iso" image option). This should also save time over installing linux. IMO it's too easy for linux installations to corrupt the partioning on the drive. I've experimented with trying to install linux then changing my mind and going back to windows a couple of times on an old computer and it stuffed things up. Zero-filling the hard drive completely reset it allowing it to be reformatted to use with windows on the first attempt.

Luckily, the only experience I've had with this 'recycler' virus are the random emails from individuals panicking at my uni. I usually back things up anyway so I wouldn't be too worried about having the computer crash for a day or so (unless I'm writing an assignment at the eleventh hour lol).

Collapse -
hi! i thgink i have its latest version..
by slim0131 / October 4, 2007 2:35 PM PDT
In reply to: its an trojan

The virus is in my hard disk. and I have five files that loops one another.

3 of em have iexplorer icons,
4 if you count the recycler.exe
all four are .exe
the 5th file is the autorun program.

what it does is it attaches itself to a hard drive and makes copies of the .exe to ALL your folders... i.e. it attaches itself to the program files folder then creates a .exe with the name "program files.exe"

I haven't tried your method yet... but i hope it works... i got the freaking virus from a school comp that i connected my USB with...

Collapse -
Re: hi! i thgink i have its latest version..
by amitrajh / May 1, 2008 9:53 PM PDT

Dear Slim0131,

I hae recently joined Cnet forums and was going thru the posts on this article. The problem that I have on my machine is I am not able to delete any file from my system. whenever I delete any file another file of the same name gets created. Also all the folders on my system are doubled. The actual folders are hidden and the new ones that are created are all of 40 Kb.

I have a Recycler.exe (having an icon like a folder) in each drive that I have, and, that is causing all the problems (seems like).

Whenever I try to delete this Recycler folder it copies itself back. Also there is a autorun.ini and few other files, which if I try to delete are copied back.

Please help.

regards.

Collapse -
Re: recycler.exe
by Kees Bakker / May 1, 2008 10:20 PM PDT

- I'd start with booting in Safe Mode and try to delete all those things you want to delete and can't.
- Then, while still in safe mode, rerun your antivirus scans (full scan).
- If safe mode doesn't work download (free) moveonboot and try that.
- If that doesn't work either, boot from the Windows XP CD, go into the recovery console and delete those files from there.

Four ways to try. One of them might work.

Kees

Collapse -
Re: recycler.exe
by amitrajh / May 1, 2008 10:25 PM PDT
In reply to: Re: recycler.exe

Thanks Kees, I will check these out and will let you and the group know about the results.

Regards,
amitrajh.

Collapse -
40KB File Folder Explorer Problem - USB (Trojan/Virus)
by Jayaraj_Arockia / July 1, 2008 7:49 PM PDT

The problem that I have on my machine is I am not able to delete any file from my system. Whenever I delete any file another file of the same name gets created. Also all the folders on my system are doubled. The actual folders are hidden and the new ones that are created are all of 40 Kb.

I changed the Registry key - Windows/Explorer/Advanced/Hide to 1(as suggested by some forum), where I can see the hide folders now. But again when I restart the machine, only the unwanted folders of 40KB are seen. When I try to delete, it keep on creating.

I have a Recycler.exe (having an icon like a folder) in each drive that I have, and, that is causing all the problems (seems like).

Whenever I try to delete this Recycler folder it copies itself back. Also there is a autorun.ini and few other files, which if I try to delete are copied back.

If anyone faced the same problem or found any solution, plz let me know.

Collapse -
it's 'kinda' easy.
by Nukerer / September 17, 2008 11:50 PM PDT

There are three ways to go about this.
One is good ol' DOS command prompt.
1st go to your root ( c:/> ) by default, windows command prompt console root is in the Documents folder, all u have to do is keep typing ( cd .. ) till you get to the root directory ( c:/> ) then go

dir /a /p

you might want to look for these:
<dir> RSH recycler
xx Kb RSH autorun.inf

1st thing needs to be done is to get rid of those 'flags' RSH
R -read only
S -system
H -hidden
by typing this:
attrib autorun.inf -r -s -h
then you can:

del autorun.inf *enter* (are you sure (y/n) of course Yes -_- )

same thing done for the recycler folder

then do it on your flash drive by going to it's root dir. if it's drive e:/, then type in cmd>> e:
and do above again.

caveat emptor: Be careful with these commands lol. AND it's a better idea to get a working version of DOS on floppy and do the above there, or a flashdrive bootable version of Linux or whatever that can read NTFS and FAT32 volumes and delete files off em. or you can stick that flashdrive in a system running Linux or Fedora that can read NTFS and delete it from there (two-step process; initial delete sends it into a .trashes (mac) or .Trash-root (linux/fedora) and you have to delete that as well to keep it from coming back. As for system hard disks where you run windows on it, either get an external drive case/adapter for that drive (IDE-PATA or SATA) and delete it using a mac or linux box, or get another hard drive / partition and install linux on that (make sure it CAN read fat32/NTFS volumes) in a dualboot config, or a live CD/USB setup.

External drive manual delete with Linux worked well; deleted every last RECYCLER and autorun.inf off them ALL. Hopefully the last virus i'll ever see on my system, ever.

Hope this helps.

Collapse -
Formating Discs
by helljack6 / September 18, 2008 6:38 AM PDT
In reply to: it's 'kinda' easy.

If you're going to format/reformat your hard drive, you might as well do it the right way.

Google BCWipePD or DBAN. Download their free ISOs and burn to discs respectively, each is free and does two things:

1. Gives you a ton of reformating options with all user controls

2. BCWipePD gives you the additional ability to use the Putnam wipe (35 passes). I guarantee you whatever you THINK you might have on that drive isn't going to be there after the use of either tool.

HOWEVER, pay attention because if you have more than one INTERNAL DRIVE or an EXTERNAL drive or even a THUMBDRIVE, BOTH of the above referenced tools WIPE ALL DRIVES FOUND ATTACHED TO THE SYSTEM unless you specify.

The normal format tool that comes in DOS or a Windows XP setup disc is ok for what it does, but with the amount of malware attaching itself to systems via rootkits, you need to do more than just one pass if you even resort to that level of cleaning.

Collapse -
i have that trojan too!!!
by abeliux / October 5, 2008 8:02 AM PDT

Hello, i'm having the same problem, and i don't know how to solve it. But what i have noticed is:

1.- there are 2 files
<drive>:\autorun.inf and
<drive>:\recycler\S-1... .5111\system.exe

both of them have readonly and sytem atributes, so you only can see it if you have right folder options.


2.-there is a process who create files so if you delete it, the process write it again. This process is launched from user acount session, I ran another session and delete both files and they gone away, but when I come back to infected session the files came again.


I seek for system.exe in registry but it don't apeared, it must have another way to initiate the process maybe a service.

that is what I can say about problem hope it be useful.

Collapse -
Removing Autorun.inf, recycler.exe etc
by baijuep / January 26, 2009 8:58 PM PST

I had the same problem and i tried the method given below

run
cmd
cd\
C:\ attirb -r -s -h autorun.inf
C:\ del autorun.inf
repeat the procedure in all physical drive and flash removal drives

then type exit

donot open or operate any buttons straightly reboot your pc

the problem will be solved

Collapse -
recyler virus removal
by sunsetroad / March 9, 2009 3:48 AM PDT

Use a free programme called autorun eater it removes any defect autorun files on all your drives including any usb drives

Collapse -
If Your Computer Isn't So Infected That .....
by tobeach / October 4, 2007 4:59 PM PDT
Collapse -
Cure for Recycler.exe
by dayud / November 22, 2007 8:32 AM PST

Try using smitfraudfix, I had the same problem with my USB thumbdrive and smitfraudfix fixed it. it's a freeware fix for most malwares. Here's a site where you can download the file.

www.bleepingcomputer.com/files/smitfraudfix.php

or try googling for other site that provide this malware remover.

Collapse -
Remove Recycler.exe, NewFolder.Exe
by Jdev_WebCircuit.in / January 31, 2008 2:07 AM PST

These virus can be removed by AVG Free edition. If AVG is not finding or hanging in normal run, perform the scan in safe mode. (Press F8 While booting, select Safe mode).

Another solution is RegRun Reanimator from www.greatis.com. ( Use it carefully because it suggest many files as suspected).

After the removal by antivirus package, remove the autorun.inf file from your flash drive. [This .inf file hides the Explore and Open lines from the contextmenu.]. You have to use attrib -s -r -h to remove the protection of the .inf file. Otherwise you can use the kill option in RegRun Reanimator.

Jdev

Collapse -
this worked for me
by jibba99 / April 29, 2008 2:15 AM PDT

I had the reported problem of not being able to open (explore) my usb stick....this helped
My approach was 1) save all my stick contents to the computer, and 2) format the stick to remove malware. I did this by:
-plug in your stick
-right click the drive in "my computer"
-click sharing and security
-tools tab
-backup now
the backup wizard will let you create a backup of all your files - just check all the files you want to save. Note that this wizard actually let me see the "virus" or problem files that were causing the problem, that I normally could not see on the stick (dont check these files or any others that look suspicious). Anyway, once you make the backup (just save it to the desktop)
-double click the backup file and
-click advanced mode
-Restore and Manage media tab
-on the left pane, open the + signs until you can check your drive (eg "I:")
-at the bottom, make sure to change Restore files to: alternate location - just create a new folder on the desktop "stick backup" or whatever, and when you choose alternate location, select this folder to restore the files to
-click "start restore"
This should restore all the files that you checked previously. Now that you have saved all your files, you can go ahead and format your stick to get rid of the virus crap.

Popular Forums
icon
Computer Help 47,885 discussions
icon
Computer Newbies 10,322 discussions
icon
iPhones, iPods, & iPads 3,188 discussions
icon
Security 30,333 discussions
icon
TVs & Home Theaters 20,177 discussions
icon
HDTV Picture Setting 1,932 discussions
icon
Phones 15,713 discussions
icon
Windows 7 6,210 discussions
icon
Networking & Wireless 14,510 discussions

Big stars on small screens

Smosh tells CNET what it took to make it big online

Internet sensations Ian Hecox and Anthony Padilla discuss how YouTube has changed and why among all their goals, "real TV" isn't an ambition.