I've got an interesting problem. I haven't figured it out completely yet and hope for some support from you guys.
I'm not a geek, and moreover completely new at forums. But enough personal preliminaries.
I have a USB stick. When I plug it in, everything is fine, till I double-click it in Windows Explorer. After I do so, it does something I haven't really figured out. But so far I can report the following problems it seems to cause:
i) After a while I get a Windows error message that tells me: RECYCLER.exe has encountered a problem and needs to be closed, …
ii) The USB stick won't open anymore when I double-click it. I have to right-click it and choose Explore from the context menu.
iii) I can't show hidden files anymore in Folder Options! I solved this problem already by following the tips of this forum here in that thread:
http://forums.cnet.com/5208-6142_102-0.html?forumID=5&threadID=232457&messageID=2396828
I used the registry fix:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
in the right side of the window, there must be an entry called: checkedvalue
right-click on it and select value….
if its value is set to 0 then delete it and set the value as 1..
close the regedit window…..
now the problem must be gone……this worked in my system and now I can unhide the hidden files……
This registry fix lets me show hidden files in Windows Explorer again.
iv) When I unplug the USB stick and plug it in again, Windows just won't give me the menu with the options for what I want to do anymore.
As I said, I fixed the problem of showing hidden files. So there are two hidden files on my USB stick:
a) autorun
b) RECYCLER
autorun looks like this:
[AutoRun]
open=RECYCLER.exe
shellexecute=RECYCLER.exe
shell\Auto\command=RECYCLER.exe
What the RECYCLER.exe does, I can't really tell. I tried to figure it out by disassembling it with a tool from Heaventools called PE Explorer:
But my computer skills seem not to be sufficient to analyse it properly. Can anybody help me?
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"Taskman"="C:\WINNT\system32\drivers\taskmen.exe"
"DataAccess"="C:\WINNT\taskmen.exe"
or this one as well:
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Recycle Bin Handler = <system folder>\recycler.exe
and delete them if they exist.
There are a couple of ways to go about this. You can leave the infected flash drive in the USB port and scan it along with the rest of the computer WITHOUT opening it and attempt to clean it while it's in the port…OR… you can clean out the machine first, then place the drive and press the “Shift” key to hopefully prevent it from autorunning. You could then open “My Computer”, then RIGHT click on the removable drive and choose “Format” (or use the format utility for the specific model of flash drive you have), or run a RIGHT click scan with your antivirus or AVG Antispyware.
Hope this helps.
Grif
First I want to thank you for all your support and advice.
I kinda got rid of that trojan. That means I don't have any problems anymore and it hasn't come back, at least for the past few days.
What I found out is that this trojan is called “W32/SillyFDC-Y”. The following link gives some more information:
http://www.sophos.de/security/analyses/w32sillyfdcy.html
But anyway, there seem to be different variants of this trojan around. So I feel sorry for MoronZilla, who seems to have a nastier version of it than I had.
I could delete the autorun and RECYCLER files from all the removable media that I have.
What makes me wonder is that my Sophos antivirus, which is absolutely up to date, didn't detect this particular worm. I let it run several times over the whole computer intensively but it didn't detect the expected worm.
Anyway, what solved my problem was:
i) Deleting the above-mentioned files from every removable medium I found them on
ii) Cleaning out my entire registry using the cost-free registry cleaner: “Wise Registry Cleaner 2”
iii) Running Sophos Antivirus intensively over my computer several times
iv) Finally fixing the last registry problems that the worm screwed up by hand and mainly using the Windows Tweak UI Registry Power Tool.
Everything seems to work fine again in my case. Hopefully it stays this way.
Cheers
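
Added example, not part of the original posts and not any poster's or vendor's tool: a small Python parser that lists the programs an autorun.inf like the one quoted in the first post would launch, so removable media can be checked without double-clicking them. The function names, the extension list and the SAMPLE text are assumptions constructed for illustration.

```python
import os
import re

# [autorun] keys that make Explorer start a program: open, shellexecute,
# and any shell\<verb>\command entry.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Assumed list of directly runnable extensions; extend as needed.
RUNNABLE = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs")

def launch_entries(inf_text):
    """Return [(key, value)] for launch keys inside the [autorun] section."""
    entries, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and value:
                entries.append((key.lower(), value))
    return entries

def flagged_targets(inf_text):
    """Return the sorted, de-duplicated runnable files the entries point at."""
    hits = set()
    for _key, value in launch_entries(inf_text):
        # The target is a quoted path or the first whitespace-delimited token.
        m = re.match(r'"([^"]+)"|(\S+)', value)
        target = (m.group(1) or m.group(2)).lower()
        if target.endswith(RUNNABLE):
            hits.add(target)
    return sorted(hits)

def scan_root(root):
    """Read <root>/autorun.inf without executing anything; [] if absent."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, errors="replace") as fh:
        return flagged_targets(fh.read())

# Constructed sample modelled on the autorun file quoted in the first post.
SAMPLE = ("[AutoRun]\nopen=RECYCLER.exe\nshellexecute=RECYCLER.exe\n"
          "shell\\Auto\\command=RECYCLER.exe\n")

if __name__ == "__main__":
    print(flagged_targets(SAMPLE))
```

Calling scan_root on a drive root only reads the text file, so it can be run against a stick that has not been opened in Explorer.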