Recycler Virus or just leftovers


3 replies to this topic

#1 wmcot (Members, 34 posts, Salt Lake City, Utah)

Posted 28 January 2012 - 08:10 PM

I have recently cleaned my machine from the Windows XP Security Center virus and I found traces of a possible old recycler virus in the Recycler folders. Each partition has a folder S-1-5-21-2052111302-602162358-839522115-1003 which has 2 files in it. One is a Desktop.ini file with [.ShellClassInfo] CLSID={645FF040-5081-101B-9F08-00AA002F954E} in it and the other is marked INFO2.

When I check the Registry for the CLSID listed, it links to Recycle Bin or Shell32.dll with 31 or 32 after it (the full and empty recycle bin icons).

I have scanned my system with Malwarebytes, Avira, and several other tools (MiniToolBox, TDSSKiller, ESET, RKill, GMER, HijackThis, aswMBR, etc.) and all have come up clean.

I have undone the superhidden status of Recycler so these programs can see it.

I have used cmd.exe and manually deleted all the Recycler files (of course they come back when I delete anything.)

All this was done with System restore turned OFF and a new Restore Point created after the scans, deletions, etc.

I have checked all the Mount Points with GMER(or ESET?) and there is no trace of Recycler.exe or anything that looks unusual.

I even ran Panda's USB vaccine which has said that my computer was "Immunized."

Are these folders in Recycler normal or are they traces of the Recycler Virus that won't go away?

#2 boopme (Global Moderator, NJ USA)

Posted 28 January 2012 - 09:14 PM

The best solution is to post a DDS log.

We need a deeper look. Please go here: Preparation Guide, and do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.

Let me know if that went well.

#3 wmcot (Topic Starter)

Posted 31 January 2012 - 12:03 AM

Everything looked OK to me. I posted the logs in the other forum.

#4 quietman7 (Global Moderator, Virginia, USA)

Posted 31 January 2012 - 10:16 AM

Your log(s) are posted here.

After posting a log for analysis and help with a malware infection, we normally close the originating topic to prevent confusion, as nothing else should be done until the MRT reviews your log.

In this case, I do not see anything of significant concern in your log. If the following information addresses your questions, let me know and I will close the other topic.

The Recycle Bin is a feature which provides a safety net when deleting files or folders in Windows. When you delete a file it immediately appears in the Recycle Bin and remains there until you empty it or restore the file. The actual location of the Recycle Bin varies depending on the operating system and file system used. On NTFS file systems (Windows 2000, XP, NT), RECYCLER is the name of the Recycle Bin folder which can be found in each partition on your hard drive. On Windows Vista and Windows 7 it is called the RECYCLE.BIN. On older FAT file systems, the folder is named RECYCLED.

The RECYCLED or RECYCLER folder contains a hidden master database file called INFO2 which stores information related to the deleted file that will be used when Windows tries to restore it. That information includes:
  • The file's original full path name.
  • The file's size.
  • The date and time when the file was moved into the recycle bin.
  • The file's unique ID number within the Recycle Bin.

When deleting a file, Windows will rename it to DC1. As more files are deleted, the number of the file will be increased by one (i.e. DC2). The number is an indexing number for the file which will be read by INFO2. When the recycle bin is emptied, the INFO2 file will also be deleted and Windows will create a new INFO2 file which will reset the number counter to 0. This process works differently in Vista/Windows 7, where the operating system creates a separate record file for each file that is deleted. For more specific details as to how this works in Vista, please refer to:

The RECYCLER folder contains a Recycle Bin directory for each registered user on the computer, sorted by their security identifier (SID). Inside this folder you will find an image of the recycle bin with a name that includes a long number with dashes (S-1-5-21-1417001333-920026266-725345543-1003) used to identify the user that deleted the files.
  • S - The string is a SID.
  • 1 - The revision level.
  • 5 - The identifier authority value.
  • 21-1417001333-920026266-725345543 - Domain or local computer identifier.
  • 1003 - A Relative ID (RID). This number, starting from 1000, increments by 1 for each user that's added by the Administrator. 1003 means the 3rd user profile that was created.

For more specific information about SIDs, please refer to:

Once the Recycle Bins are empty, the legitimate directories should be empty as well. However, even after emptying the Recycle Bin, the RECYCLER folder will still contain a "Recycle Bin" for each user that logs on to the computer, sorted by their security SID. If you delete the C:\RECYCLER folder, Windows will automatically recreate it on next reboot.
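The two structures described above (the per-user SID folder name and the INFO2 index with its DC# numbering) can be decoded directly; the following is an added example, not code from the thread or from any BleepingComputer tool. It assumes the commonly documented XP-era INFO2 layout (20-byte header with the record size at offset 12; 800-byte records holding a 260-byte ASCII path, index, drive number, FILETIME, size, then a 520-byte UTF-16 path), and builds its own sample INFO2 bytes so it runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20       # INFO2 header; record size is the dword at offset 12 (assumed layout)
META_OFFSET = 260      # index/drive/FILETIME/size follow the 260-byte ASCII path
UNICODE_OFFSET = 280   # 520-byte UTF-16LE copy of the original path

def parse_sid(sid):
    """Split a RECYCLER subfolder name such as S-1-5-21-...-1003 into its SID components."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return {"revision": int(parts[1]), "authority": int(parts[2]),
            "domain": subs[:-1], "rid": subs[-1]}

def filetime_to_datetime(ft):
    """FILETIME is the count of 100-ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Walk the fixed-size records of an INFO2 index and return (version, records)."""
    version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    records, off = [], HEADER_SIZE
    while off + rec_size <= len(data):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, META_OFFSET)
        path = rec[UNICODE_OFFSET:].decode("utf-16-le").split("\0", 1)[0]
        letter = chr(ord("A") + drive)
        records.append({
            "bin_name": "D%s%d" % (letter, index),  # e.g. DC1 for the first deletion on C:
            "index": index, "drive": letter, "size": size, "path": path,
            "deleted_at": filetime_to_datetime(ft),
            # a restored or purged entry keeps its slot but has its first ASCII byte zeroed
            "active": rec[0] != 0,
        })
        off += rec_size
    return version, records

def build_record(index, drive, ft, size, path, active=True):
    """Constructed sample record in the same layout (test data, not a captured INFO2)."""
    ascii_part = path.encode("ascii").ljust(260, b"\0")
    if not active:
        ascii_part = b"\0" + ascii_part[1:]
    meta = struct.pack("<IIQI", index, drive, ft, size)
    return ascii_part + meta + path.encode("utf-16-le").ljust(520, b"\0")

def sample_info2():
    """Constructed two-record INFO2: one live entry, one emptied slot."""
    ft = 129720000000000000  # roughly 25 Jan 2012 UTC, chosen for the sample
    body = build_record(1, 2, ft, 4096, r"C:\Documents and Settings\user\notes.txt")
    body += build_record(2, 2, ft + 600 * 10**7, 1024, r"C:\temp\old.log", active=False)
    return struct.pack("<5I", 5, 0, 0, 800, 0) + body
```

Running `parse_info2(sample_info2())` lists each deleted file with its DC# name, original path and UTC deletion time, which is the check a responder would run against a real INFO2 before deciding whether a RECYCLER entry is suspicious.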

Note: Although the RECYCLER folder contains legitimate files, it is also a known hiding place for some types of malware since that folder is hidden by default. However, if your computer is infected with malware, there most likely will be other obvious signs or symptoms of infection.

The CLSID {645FF040-5081-101B-9F08-00AA002F954E} is related to valid registry keys - see here.

Desktop.ini is a text file for configuration settings that allows you to specify how a file system folder will be viewed and handled. It can be added to any Windows folder to store information about customized folders. The most common use of the desktop.ini file is to assign a custom icon to a folder. File system folders are commonly displayed with a standard icon and have a set of properties that describe the folder, such as whether or not the folder is shared. Therefore, if you have customized the display of a folder in any way, such as changing its icon or manner of display, Windows will save those settings in a desktop.ini file. Since Desktop.ini is a system file, it is normally hidden unless Windows is configured to show hidden/protected operating system files in Explorer's Folder Options.

If this does not answer your questions, and you want another opinion by a thorough review of your logs and further analysis, again let me know. We will then close this topic and leave the other one open.