Unusable Computer

March 18, 2009 at 05:26:18
Specs: Windows XP SP2, Q6600 / 2GB
Here's the story so far: Yesterday my brother got a trojan which went undetected by Norton, AVG, Kaspersky and NOD32. The trojan or virus was already on the computer when he installed the antiviruses, apart from Norton. What the virus has done is remove his sound drivers and network drivers, and it stops him from reinstalling them or, if he does, removes them straight away. It also comes up with an error when you try to open any local drive. It says:

"Windows cannot find 'RECYCLER\S-1-3-80-100010057-100005829-100001762-7806.com'. Make sure you typed the name correctly.." etc.

I now have the same problem trying to give him files from my flash drive and put it back into mine so I now also have the virus.

On the flash drive it had a folder called RECYCLER which I deleted as soon as I saw it, but obviously it was too late by then. So now I have no sound or network drivers as well, but I noticed you can still get around the error when you open a hard drive by using explore instead of normal view or by making shortcuts to folders. Also, when I tried to reset explorer.exe with task manager by forcing it to stop and reopening it by starting a new task, I couldn't get it to start, but in task manager I could see it. I think that is what the virus or whatever it is is called and that's why I couldn't open explorer.

I'm fearful of attempting to back up any data now that I have seen the virus can travel like that and I really don't want to have to reformat my computer or anything.

March 18, 2009 at 06:21:08
That proves my theory that anti virus software is worthless.

I ran into a similar problem on a client's PC. It didn't delete the network drivers but it stopped RPC service from running. Check that first. Start run services.msc and press enter or from the task manager, file, new task, services.msc

RPC (remote procedure call) needs to be started. If that gets you back on the net, download, update and run anti malware from malwarebytes.org

March 18, 2009 at 06:42:04
I ran through that and found that RPC is running still. I'm still not sure what I've got on my PC, but before it removed my network drivers I tried to use Firefox and IE and each time I opened a new page or did anything it would open a page with ads, one page of ads for each link or new page I visited. Thanks for the suggestion though.

I also did a search and looked at every file created today (the day I got the virus) and haven't seen anything, so I'm guessing it's pretty well hidden.

March 18, 2009 at 16:09:30
Click start, run, type msconfig, press enter and go to the startup tab. Look for strange entries there and disable anything that's not needed at boot time, which is almost all of it. Reboot, click ok. See what happens.

March 18, 2009 at 18:21:37
I found 2 files in startup that have no name or command and don't show their location and a third one using a few random characters with more random characters in command and location is: "SOFTWARE\Microsoft\Windows\CurrentVersion\Run". The virus also is removing my windows theme and changing it to classic windows.

Another error popped up, svchost.exe - Application Error "The instruction at '0x75606e6a' referenced memory at '0x00000008'. The memory could not be 'read'. Click ok to terminate the program".

With all programs removed from the startup, the error above hasn't shown up since reboot. My theme was changed back to classic again, and I noticed that when I had turned my computer on and loaded windows it still played the startup noise and shutdown noise, but it still can't play any sound files.

My brother backed up all of his stuff and reinstalled windows, then the brand new Norton, before putting his backed up stuff back on his computer. So far, despite his backup being infected, Norton seems to be stopping it completely. His Norton picked up a virus called W32.SillyFDC, but he still has a virus that Norton won't seem to pick up or let me manually quarantine despite that. It's in "C:\RECYCLER\S-1-5-21-1078081533-1202945662-839522115-1004" and also in his "D:\RECYCLER\S-1-5-21-1078081533-1202945662-839522115-1004". Roughly every 3-40 seconds there is an attempt to download packets stealthily through port 1900, and they come from 5 different IP addresses, but they are all local from what I can see. This happens from when he starts up until he shuts down, so Norton is constantly having to do work in the background to block these attempts.

The only signs of the virus that I can see on his are the constant packet download attempts through that port and the RECYCLER folders. I would really like to be able to remove this virus once and for all.

More bad news: when I turned my computer off the download attempts stopped on my brother's computer, so now I'm worried that it's going to destroy everyone else's work on the network, resulting in 15 years of work full of viruses.

March 18, 2009 at 19:14:01
Another update: the attempts stopped, but only for a minute, before they started again after finding a different source. I hope it's not another computer in the network.

March 19, 2009 at 06:11:06
The entries that you found in msconfig are part of the problem but may not be all of it. Go back into it, make sure that they are still unchecked and search the registry for them.

Download, update and run anti malware from malwarebytes.org

If that doesn't fix everything, run Hijack This and post the log.

March 19, 2009 at 23:23:38
That would be a bit difficult with the infected computer having no network access, so no internet, and if I put it on a USB or something then that would just render it infected and useless as well. Most sites don't have fully updated software and require updates, so that's another problem.

March 20, 2009 at 00:11:37
Edit: Double post.

March 20, 2009 at 05:45:20
Then open the registry and follow the path I give you (+ signs) in HKLM and HKCU
Open the run folder(s). Many viruses hide there. Delete them if you see them. Also, search for the entries that you found in msconfig using the registry search tool under Edit. Use F3 to find the next entry until it has finished searching.

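The Run-key check described in the reply above can also be done offline on a clean machine, from a regedit export (File > Export) of the Run keys. The following is an added example, not part of any poster's reply: it parses the export text and lists entries matching the symptoms reported in this thread (blank name or command, a command path inside a RECYCLER folder). The value names `ExampleAV` and `xkqzv` and the SID-like folder name are constructed placeholders.

```python
import re

# Constructed sample: text of a regedit export of the Run keys (not from the thread).
# "ExampleAV", "xkqzv" and the SID-like folder name are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\tray.exe\" /min"
@=""
"xkqzv"="C:\\RECYCLER\\S-1-0-00-PLACEHOLDER\\xkqzv.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Only string (REG_SZ) lines are parsed; REG_EXPAND_SZ exports as hex(2) and is skipped.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?$', re.I)

def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s or "")

def run_entries(export_text):
    """Yield (key, name, command) for each string value under a Run/RunOnce key."""
    key = None
    for line in (l.strip() for l in export_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if RUN_KEY_RE.search(line[1:-1]) else None
        elif key:
            m = VALUE_RE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))

def audit(export_text):
    """Return [(key, name, command, reasons)] for entries worth a manual look."""
    findings = []
    for key, name, cmd in run_entries(export_text):
        reasons = []
        if not name or not cmd.strip():
            reasons.append("blank name or command")
        if re.search(r'\\recycle[rd]\\', cmd, re.I):
            reasons.append("runs from a recycle-bin folder")
        if re.search(r'\.(com|scr|pif)(?=["\s]|$)', cmd, re.I):
            reasons.append("unusual executable extension")
        if reasons:
            findings.append((key, name, cmd, reasons))
    return findings
```

Regedit normally writes version 5.00 exports as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `audit()`.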

March 23, 2009 at 19:21:16
Guys, you know, I know a site that gives free updates on the latest viruses out everywhere, and they tell you how to defend yourself from them. The site is below my signature.

For Free System Security Guide and The Latest Updates About malware Subscribe at http://www.systemsecurityinstitute.org
