Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help Forums Windows Startup Programs Database Virus, Spyware, and Malware Removal Guides Computer Tutorials Uninstall Database File Database Computer Glossary Computer Resources
 

Welcome Guest ( Log In | Click here to Register a free account now! )



Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.
MalwareByte's Anti-Malware Download

> 

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

 
Reply to this topicStart new topic
> recycler S-1-5-21, ive read this is a virus if so id like some help
Tampaman
post Nov 20 2009, 06:53 PM
Post #1


New Member
*

Group: Members
Posts: 1
Joined: 20-November 09
Member No.: 405,762
im running xp home on c drive, e is my backup using norton ghost 14. i see a system volume information and a recyler folder on both drives. the SVI folder in E has a changelog notepad text file thats full of Recycler S-1-5-21 references. no scan ive run has picked it up. malwarebytes shows zero even if i scan the individual files. gmer shows a bunch of s-1-5-21 files but doesnt flag any of them, hypersight gives me suspicious activity in the kernal info messages about two eips trying to reset the write protect but are denied. running combofix deleted two adware files and reported a locked registry key S-1-5-21. f secure blacklight doesnt see it either, while i can reformat the drives and reinstall XP ( since im too poor for 7 right now) im wondering if theres a less drastic solution? my other question is, if i delete the partitions on both drives, reinstall xp and load up malware bytes and avast home, will they detect infected files when i reload them. i guess id wipe the backup drive, reinstall windows on that, E, and transfer files from C and then make E my boot drive. first post hopefully making it in the right place. if not yell at me i learn fast smile.gif
Go to the top of the page
 
+Quote Post
quietman7
post Nov 20 2009, 10:16 PM
Post #2


Bleepin' Janitor
******

Group: Global Moderator
Posts: 19,389
Joined: 9-July 05
From: Virginia, USA
Member No.: 26,513
The Recycle Bin (Recycler) folder provides a safety net when deleting files or folders in Windows. The file(s) remain there until you empty the Ricycle Bin or restore the file. The actual location of the Recycle Bin varies depending on the operating system and file system used. On NTFS file systems, Recycler is the name of the Recycle Bin Folder in each partition. On FAT file systems, the folder is named Recycled. The Recycler folder contains a Recycle Bin directory for each registered user on the computer, sorted by their security identifier (SID). Inside the Recycler folder you will find an image of the recycle bin with a name that includes a long number with dashes (S-1-5-21-1417001333-920026266-725345543-1003) used to identify the user that deleted the files.
  • S - The string is a SID.
  • 1 - The revision level.
  • 5 - The identifier authority value.
  • 21-1417001333-920026266-725345543 - Domain or local computer identifier.
  • 1003 – A Relative ID (RID). This number, starting from 1000, increments by 1 for each user that's added by the Administrator. 1003 means the 3rd user profile that was created.
For more specific informaton about SIDS, please refer to:Once the recycle bins are empty, the legitimate directories should be empty as well. The Recycler folder is hidden by default unless you reconfigured Windows to show hidden files and folders by unchecking "Hide protected operating system files" in Tools > Folder Options > View. However, even after emptying the Recycler bin, the Recycler folder will still contain a "Recycle Bin" for each user that logs on to the computer, sorted by their security SID. If you delete the C:\Recycler folder, Windows will automatically recreate it on next reboot.

If there are numerous files listed taking up a lot of space, you can try manually deleting all but one of the user bins. You may find that although you have determined there are deleted files within one or more of the C:\recycler\S-1-5-21**** folders, these files may be hidden or inaccessible. There are various ways to delete these hidden files.Keep in mind that although the RECYCLER folder contains legitimate files, it is also a common hiding place for some types of malware. Removal of such malicious files sometimes can be difficult and may require security tools that scan such areas for these threats. If malware is present in this location, the computer usually shows other signs or symptoms of infection.


--------------------
"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"

Microsoft MVP - Windows Security 2007-2010
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Go to the top of the page
 
+Quote Post
« Next Oldest · Am I infected? What do I do? · Next Newest »
 

Reply to this topicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version Time is now: 19th March 2010 - 02:11 PM


Advertise   |   About Us   |   Terms of Use   |   Privacy Policy   |   Contact Us   |   Site Map   |   Chat   |   Tutorials   |   Uninstall List
Discussion Forums   |   The Computer Glossary   |   Resources   |   RSS Feeds   |   Startups   |   The File Database   |   Virus Removal Guides

© 2003-2010 All Rights Reserved Bleeping Computer LLC.

Powered By IP.Board © 2010  IPS, Inc.