
recycler S-1-5-21



#1 Tampaman


Posted 20 November 2009 - 06:53 PM

I'm running XP Home on the C drive; E is my backup using Norton Ghost 14. I see a System Volume Information and a Recycler folder on both drives. The SVI folder in E has a changelog Notepad text file that's full of Recycler S-1-5-21 references. No scan I've run has picked it up. Malwarebytes shows zero even if I scan the individual files. GMER shows a bunch of S-1-5-21 files but doesn't flag any of them. HyperSight gives me suspicious activity in the kernel info messages about two EIPs trying to reset the write protect but are denied. Running ComboFix deleted two adware files and reported a locked registry key S-1-5-21. F-Secure BlackLight doesn't see it either. While I can reformat the drives and reinstall XP (since I'm too poor for 7 right now), I'm wondering if there's a less drastic solution? My other question is, if I delete the partitions on both drives, reinstall XP and load up Malwarebytes and avast Home, will they detect infected files when I reload them? I guess I'd wipe the backup drive, reinstall Windows on that, E, and transfer files from C and then make E my boot drive. First post, hopefully making it in the right place. If not, yell at me, I learn fast :thumbsup:



#2 quietman7


Posted 20 November 2009 - 10:16 PM

The Recycle Bin (Recycler) folder provides a safety net when deleting files or folders in Windows. The file(s) remain there until you empty the Recycle Bin or restore the file. The actual location of the Recycle Bin varies depending on the operating system and file system used. On NTFS file systems, Recycler is the name of the Recycle Bin Folder in each partition. On FAT file systems, the folder is named Recycled. The Recycler folder contains a Recycle Bin directory for each registered user on the computer, sorted by their security identifier (SID). Inside the Recycler folder you will find an image of the recycle bin with a name that includes a long number with dashes (S-1-5-21-1417001333-920026266-725345543-1003) used to identify the user that deleted the files.
  • S - The string is a SID.
  • 1 - The revision level.
  • 5 - The identifier authority value.
  • 21-1417001333-920026266-725345543 - Domain or local computer identifier.
  • 1003 - A Relative ID (RID). This number, starting from 1000, increments by 1 for each user that's added by the Administrator. 1003 means the 3rd user profile that was created.
For more specific information about SIDs, please refer to:

Once the recycle bins are empty, the legitimate directories should be empty as well. The Recycler folder is hidden by default unless you reconfigured Windows to show hidden files and folders by unchecking "Hide protected operating system files" in Tools > Folder Options > View. However, even after emptying the Recycler bin, the Recycler folder will still contain a "Recycle Bin" for each user that logs on to the computer, sorted by their security SID. If you delete the C:\Recycler folder, Windows will automatically recreate it on next reboot.

If there are numerous files listed taking up a lot of space, you can try manually deleting all but one of the user bins. You may find that although you have determined there are deleted files within one or more of the C:\recycler\S-1-5-21**** folders, these files may be hidden or inaccessible. There are various ways to delete these hidden files.

Keep in mind that although the RECYCLER folder contains legitimate files, it is also a common hiding place for some types of malware. Removal of such malicious files sometimes can be difficult and may require security tools that scan such areas for these threats. If malware is present in this location, the computer usually shows other signs or symptoms of infection.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
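
Added example, not part of quietman7's post: a Python sketch that splits Recycler subfolder names into the SID fields listed above and marks names that are not well-formed S-1-5-21 account SIDs or do not match an account known on the machine. Apart from the SID quoted in the post, the folder names, the `known_sids` list and the function names are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"S-(\d+)-(\d+)((?:-\d+)+)", re.IGNORECASE)

class Sid(NamedTuple):
    revision: int
    authority: int
    subauthorities: tuple

    @property
    def domain(self):   # e.g. 21-1417001333-920026266-725345543
        return self.subauthorities[:-1]

    @property
    def rid(self):      # relative ID, the last field
        return self.subauthorities[-1]

def parse_sid(name: str) -> Optional[Sid]:
    m = SID_RE.fullmatch(name.strip())
    if not m:
        return None
    subs = tuple(int(x) for x in m.group(3).lstrip("-").split("-"))
    if any(s > 0xFFFFFFFF for s in subs):   # sub-authorities are 32-bit values
        return None
    return Sid(int(m.group(1)), int(m.group(2)), subs)

def classify(name: str, known_sids) -> str:
    """known_sids: account SIDs collected separately on the machine (assumption)."""
    sid = parse_sid(name)
    if sid is None:
        return "not a SID"
    if (sid.revision, sid.authority) != (1, 5) or sid.subauthorities[0] != 21 \
            or len(sid.subauthorities) != 5:
        return "SID, but not an S-1-5-21 account SID"
    if name.strip().upper() not in {k.upper() for k in known_sids}:
        return "account SID not known on this machine"
    return "expected"

def review(folder_names, known_sids) -> dict:
    return {n: classify(n, known_sids) for n in folder_names}

# The first SID is the one quoted in the post; the other names are constructed.
KNOWN = ["S-1-5-21-1417001333-920026266-725345543-1003"]
FOLDERS = KNOWN + ["S-1-5-21-1417001333-920026266-725345543-500",
                   "S-1-5-18", "S-1-5-21-abc"]

if __name__ == "__main__":
    for name, verdict in review(FOLDERS, KNOWN).items():
        print(f"{name:50} {verdict}")
```

A bin flagged as unknown is only a prompt to look closer: on a backup drive like the E: drive in the question, it can simply belong to an account from another Windows installation.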



