BleepingComputer.com: recycler S-1-5-21

im running xp home on c drive, e is my backup using norton ghost 14. i see a system volume information and a recyler folder on both drives. the SVI folder in E has a changelog notepad text file thats full of Recycler S-1-5-21 references. no scan ive run has picked it up. malwarebytes shows zero even if i scan the individual files. gmer shows a bunch of s-1-5-21 files but doesnt flag any of them, hypersight gives me suspicious activity in the kernal info messages about two eips trying to reset the write protect but are denied. running combofix deleted two adware files and reported a locked registry key S-1-5-21. f secure blacklight doesnt see it either, while i can reformat the drives and reinstall XP ( since im too poor for 7 right now) im wondering if theres a less drastic solution? my other question is, if i delete the partitions on both drives, reinstall xp and load up malware bytes and avast home, will they detect infected files when i reload them. i guess id wipe the backup drive, reinstall windows on that, E, and transfer files from C and then make E my boot drive. first post hopefully making it in the right place. if not yell at me i learn fast

The Recycle Bin (Recycler) folder provides a safety net when deleting files or folders in Windows. The file(s) remain there until you empty the Ricycle Bin or restore the file. The actual location of the Recycle Bin varies depending on the operating system and file system used. On NTFS file systems, Recycler is the name of the Recycle Bin Folder in each partition. On FAT file systems, the folder is named Recycled.

• Differences Between the Recycle Bin and the Recycler Folder
  
• Working with File Systems
  
• How NTFS Works

The Recycler folder contains a Recycle Bin directory for each registered user on the computer, sorted by their security identifier (SID). Inside the Recycler folder you will find an image of the recycle bin with a name that includes a long number with dashes (S-1-5-21-1417001333-920026266-725345543-1003) used to identify the user that deleted the files.

• S - The string is a SID.
  
• 1 - The revision level.
  
• 5 - The identifier authority value.
  
• 21-1417001333-920026266-725345543 - Domain or local computer identifier.
  
• 1003 – A Relative ID (RID). This number, starting from 1000, increments by 1 for each user that's added by the Administrator. 1003 means the 3rd user profile that was created.

For more specific informaton about SIDS, please refer to:

• Security Identifiers
  
• Well-known SIDs
  
• Well-known security identifiers in Windows

Once the recycle bins are empty, the legitimate directories should be empty as well. The Recycler folder is hidden by default unless you reconfigured Windows to show hidden files and folders by unchecking "Hide protected operating system files" in Tools > Folder Options > View. However, even after emptying the Recycler bin, the Recycler folder will still contain a "Recycle Bin" for each user that logs on to the computer, sorted by their security SID. If you delete the C:\Recycler folder, Windows will automatically recreate it on next reboot.

If there are numerous files listed taking up a lot of space, you can try manually deleting all but one of the user bins. You may find that although you have determined there are deleted files within one or more of the C:\recycler\S-1-5-21**** folders, these files may be hidden or inaccessible. There are various ways to delete these hidden files.

• How do I Delete Windows XP Recycle Bin Hidden Files?.
  
• Recycle bin is corrupt?

Keep in mind that although the RECYCLER folder contains legitimate files, it is also a common hiding place for some types of malware. Removal of such malicious files sometimes can be difficult and may require security tools that scan such areas for these threats. If malware is present in this location, the computer usually shows other signs or symptoms of infection.