
$RECYCLE.BIN + CONFIG.MSI files cannot be hidden following use of ComboFix.exe


3 replies to this topic

#1 Dinosaucy

Dinosaucy

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:29 AM

Posted 20 April 2011 - 01:31 PM

Hello,

On Microsoft Answers' MSE section I was seeking help troubleshooting a popup which occasionally appears on my machine. A member instructed me to run ComboFix + a TDSS removal program, thinking I was infected with a rootkit.

http://answers.microsoft.com/en-us/protect/forum/protect_scanning/keep-getting-a-popup-while-away-from-computer-from/0361c7dc-6665-e011-8dfc-68b599b31bf5

No rootkits were discovered, but having run those two applications my system now reveals these normally hidden folders on all hard drives:
• CONFIG.MSI
• $RECYCLE.BIN

Attached is a screenshot of what the folders look like in explorer; it appears that they are no longer set with hidden\system attributes.

I am running Windows 7 Ultimate (32bit) SP1 with Microsoft Security Essentials as my Anti-Virus.

Attempts taken to try and resolve this issue:
• Restart Computer - has been restarted a few times since the initial use of ComboFix.exe
• Web Search - I have not found any articles which match my issue
• Folder Options - The setting "Hide Protected Operating System Files" has no effect on these folders now, whether it is turned on or off.

It is possible that the TDSSKiller.exe program from Kaspersky is the cause of this -- or some other occurrence entirely -- but given that I have not installed any other new applications or made any system changes since running ComboFix.exe (and ComboFix.exe seems far more complex than TDSSKiller.exe) it seems a likely culprit.

I'm thinking I just need to manually reassign these folders as being system folders, but am unsure how to do this in Win7 or if ComboFix has made other system changes I will have to track down...

Thanks for your time :)


Edited by hamluis, 20 April 2011 - 08:12 PM.
Moved from Win 7 to AV, Firewall, etc.




#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,560 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:11:29 AM

Posted 20 April 2011 - 08:11 PM

You are asking questions re the use of malware tools...the Win 7 forum cannot answer those questions, it's not what the forum is for and no one here is qualified to answer questions re ComboFix.

ComboFix usage, Questions, Help - Look here - http://www.bleepingcomputer.com/forums/topic273628.html

I'll move your topic to a forum where some malware issues are handled.

Louis

#3 Dinosaucy

Dinosaucy
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:29 AM

Posted 12 May 2011 - 07:13 PM

A follow-up:

I deleted the $RECYCLE.BIN and CONFIG.MSI folders, and they have not returned.

I'm guessing if this was a bug of ComboFix it's not a major one :)

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,287 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:29 PM

Posted 13 May 2011 - 06:33 AM

Config.msi is a hidden temporary folder on the root drive of Windows (usually Drive C) which is normally deleted by the MS Windows Installer when it's done. The folder contains Rollback Script files that are being installed or updated during a program installation. The files are actually backups of existing files and normally end with an .rbf or .rbs extension.

The Recycle Bin (RECYCLER) folder is a feature which provides a safety net when deleting files or folders in Windows. When you delete a file it immediately appears in the Recycle Bin and remains there until you empty it or restore the file. The actual location of the Recycle Bin varies depending on the operating system and file system used. On NTFS file systems, RECYCLER is the name of the Recycle Bin folder which can be found in each partition on your hard drive. On FAT file systems, the folder is named RECYCLED. The RECYCLED or RECYCLER folder contains a hidden master database file called INFO2 which stores information related to the deleted file that will be used when Windows tries to restore it. That information includes:
  • The file's original full path name.
  • The file's size.
  • The date and time when the file was moved into the recycle bin.
  • The file's unique ID number within the Recycle Bin.
When deleting a file, Windows will rename it to DC1. As more files are deleted, the number of the file will be increased by one (i.e. DC2). The number is an indexing number for the file which will be read by INFO2. When the recycle bin is emptied, the INFO2 file will also be deleted and Windows will create a new INFO2 file which will reset the number counter to 0. This process works differently in Vista, where the operating system creates a separate record file for each file that is deleted. For more specific details as to how this works in Vista, please refer to:

The RECYCLER folder contains a Recycle Bin directory for each registered user on the computer, sorted by their security identifier (SID). Inside the RECYCLER folder you will find an image of the recycle bin with a name that includes a long number with dashes (S-1-5-21-1417001333-920026266-725345543-1003) used to identify the user that deleted the files.
  • S - The string is a SID.
  • 1 - The revision level.
  • 5 - The identifier authority value.
  • 21-1417001333-920026266-725345543 - Domain or local computer identifier.
  • 1003 - A Relative ID (RID). This number, starting from 1000, increments by 1 for each user that's added by the Administrator. 1003 means the 3rd user profile that was created.

If you have never seen the RECYCLER folders on your hard drive and partitions before, you should not be alarmed. The Recycler folder is hidden by default unless you reconfigured Windows to show hidden files and folders by unchecking "Hide protected operating system files" in Tools > Folder Options > View. Keep in mind that some types of malware can also alter (modify) file/folder attributes and various settings in Folder Options so that is the most likely explanation.
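As an added example (not from any poster in this thread), here is a small Python parser that splits a SID string such as the one quoted above into the fields listed in the post, so the per-user directories found inside a RECYCLER or $RECYCLE.BIN folder can be identified. The identifier-authority name table and the "user account" heuristic are assumptions drawn from the SID format, not from the post.

```python
import re
from dataclasses import dataclass

# Sample value: the SID quoted in the post above, used here as a constructed test input.
SAMPLE_SID = "S-1-5-21-1417001333-920026266-725345543-1003"
# Identifier-authority names are an assumption taken from the SID format, not from the post.
AUTHORITY_NAMES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT Authority"}
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    @property
    def rid(self) -> int:
        # The last sub-authority is the Relative ID (1003 in the post's example).
        return self.sub_authorities[-1]

    @property
    def domain_identifier(self) -> str:
        # Everything between the authority and the RID, e.g. "21-1417001333-920026266-725345543".
        return "-".join(str(s) for s in self.sub_authorities[:-1])

    @property
    def looks_like_user_account(self) -> bool:
        # Machine/domain accounts use authority 5 and first sub-authority 21;
        # RIDs below 1000 are reserved for built-in accounts and groups (assumed heuristic).
        return self.authority == 5 and self.sub_authorities[0] == 21 and self.rid >= 1000

def parse_sid(text: str) -> Sid:
    """Split 'S-R-A-X-Y-...' into revision, authority and sub-authorities; reject anything else."""
    m = SID_RE.match(text)
    if m is None:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority, rest = m.groups()
    subs = tuple(int(part) for part in rest.strip("-").split("-"))
    return Sid(int(revision), int(authority), subs)

def describe(text: str) -> dict:
    """Return the same field breakdown the post gives for its sample SID."""
    sid = parse_sid(text)
    return {"revision": sid.revision,
            "authority": AUTHORITY_NAMES.get(sid.authority, str(sid.authority)),
            "domain_identifier": sid.domain_identifier,
            "rid": sid.rid,
            "user_account": sid.looks_like_user_account}
```

Directory names inside a Recycle Bin folder that do not parse as a SID (the parser raises ValueError) are worth a second look, since malware is known to drop files there.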
