
Rotinom


  • Please log in to reply
12 replies to this topic

#1 hellevene

hellevene

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:48 AM

Posted 12 May 2014 - 01:41 PM

Hello everybody,

 

I was recently infected by this beast, Rotinom, not really that dangerous but persistent enough. So, after managing to, seemingly, get rid of it by the combined help of Kaspersky and Malwarebytes and some online instructions I followed manually (e.g. correcting the registry values it affects) my laptop behaves as before. However, the next time I switched on my laptop, I discovered in each one of the folders called Recycler -which exist in each one of the hard disks, built-in or external- a folder with the name "S-1-5-21-583907252-764733703-682003330-1005". Which, incidentally, is the name of one of the folders Rotinom creates inside the Application Data folder after it has infected a pc. So, I deleted it through a program called "windirstat" -because it was impossible to delete it by simply pressing "delete", as a message "you cannot delete file. Close first all programs... etc." appears. (As a matter of fact, the only way to see its contents is through this program. Its contents are: a folder called "files" which contains two files, "desktop.ini" and "INFO2", and a folder called "Dc2" with nothing in it.) But after a while, I checked again and it is still there. I deleted it again but the same happened. As I said, my laptop seems to work normally but the persistence of this folder makes me think that it is not entirely disinfected. Any idea?


Edited by hamluis, 12 May 2014 - 03:59 PM.
Moved from XP to Am I Infected - Hamluis.



#2 UpgradeMe

UpgradeMe

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA USA
  • Local time:12:48 AM

Posted 12 May 2014 - 10:26 PM

Hellevene...

 

That does sound like you still have malware on your PC.  Rather than try to fix the problem, I would wait for a malware expert to tell you more and help you straighten out the problem...



#3 hellevene

hellevene
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:48 AM

Posted 18 May 2014 - 11:28 AM

P.S. Also, something that might be of help concerning this worm and its aftermath. After MalwareBytes had finished the job, I rechecked both my C drive and the external hard disc which was infected (and which was the source of the data Rotinom had transferred to my C drive, filling it to the top) and nothing was found. Then, I scanned them also with Kaspersky and PandaCloud Cleaner; nothing was found either. However, almost every folder of my external drive, including the one where all my data is stored, had been set to "hidden" by Rotinom and I could see them only after changing the related Registry Value. So, I tried to change this attribute manually but it was impossible, as I could not uncheck the "hidden" option. Finally, I found a program called "Attribute Changer" and only through this I managed to change the attribute and see my folders normally. In other words, both MalwareBytes and Kaspersky didn't manage to detect and/or correct this damage caused by Rotinom.


Hello again,

I had no reply, so I guess nobody can figure out what is going on with this case; or nobody wants to reveal it without charge. In any case, let me add some things I noticed. My laptop still behaves normally; no sign of Rotinom after one week, more or less. However, the "S-1-5-21-583907252-764733703-682003330-1005" folder is still there, despite my daily efforts to get rid of it. I keep deleting it every time I notice its presence and after a while it returns. Meanwhile, I have noticed some things:

1) The "S-1-5-21-583907252-764733703-682003330-1005" folder is considered to be a system folder; also, a "read only" and "hidden" one. The "hidden" attribute cannot be altered through "properties". I can change it, though, through a program called "attribute changer" (the same program I used in order to change the "hidden" option of almost every folder contained in my contaminated external hard disc (see the P.S. of my first post)) together with the "system" one. On the other hand, "attribute changer" doesn't show it as a "read only" folder although "properties" does! So if I want to change this attribute, I can only do it through properties; but even if I change it, pressing "apply" too, the next moment it is again "read only". Also, even if I change all three attributes, I still cannot delete it using "delete", as a message "You cannot delete file. Close first all programs... etc." appears. I even tried to delete it with "cmd" but after typing "dir", it showed no directory.*** (I am not sure if I expressed this last one correctly since my computer jargon is not that good. My OS is Windows XP SP3.) So, I delete it using the "windirstat" program, as I have said.

***However, one time I managed to delete it by simply pressing delete -after changing "system", "hidden" and "read only" attributes- but I have no idea how that happened and I couldn't repeat it after.

2) I am 99% sure that during the last two days, "S-1-5-21-583907252-764733703-682003330-1005" appears inside Recycler ONLY after I delete files from any of my hard discs, internal or external ones. When I do that, it appears firstly in the Recycler folder of the hard disc whose files I deleted and then it "spreads" to the Recycler folders of the other hard discs, and it contains all the files I have deleted. After deleting it, it disappears together with its contents. Those contents also disappear from the recycle bin. But the icon of the recycle bin doesn't change; it still shows it as if it contains deleted files although it contains none. (Note: When I delete files using "delete+shift", the "S-1-5-21-583907252-764733703-682003330-1005" does not appear inside Recycler.)

3) PandaCloudCleaner (but not Kaspersky or MalwareBytes) notifies me about a "Suspicious Policy". Here's this part of the log:

REGKEY: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run[InstallerLauncher]. Value: InstallerLauncher To be deleted.Suspicious Policy.

I don't know what this is. It is true that I have changed some Registry Values in order to show hidden and superhidden files (see my first post) -and some of which are considered also "suspicious policies" by PCC- but I didn't change this one for sure.

That's a crazy behaviour, isn't it? I mean, everything seems to work properly, all three antivirus programs I have used (namely, MalwareBytes free, Kaspersky and PandaCloudCleaner) detect no virus/trojan/worm but the folder is still there like it has a life of its own. Any help would be appreciated. Of course, I can simply format my laptop and put an end to this madness; it's not that difficult as I have not many programs to re-install and after all I have spent much more trying to figure out what is going on. But I have to admit that I am a mad person too and I want to defeat this beast instead of succumbing to it. I am also very curious to discover what the hell is happening.

Thanks,

pq



#4 UpgradeMe

UpgradeMe

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA USA
  • Local time:12:48 AM

Posted 18 May 2014 - 03:02 PM

hellevene...

 

Thanks for the update.

 

The folder S-1-5-21-583907252-764733703-682003330-1005 name looked to me like something that I recalled could be associated with System Restore, so I tried a search of My Computer for "S-1-5-21". On my computer there is a folder named "S-1-5-21-2000478354-706699826-682003330-500".  I assume this is the same thing but for my PC.  The numbers could be code for a date or just about anything else I think (some sort of sequence code for system restore).  This folder appears on my PC once in each drive recycle bin and then in several other locations.

 

I recommend you do a search to see where this shows up on your PC.  Open Windows Explorer in XP and right click on My Computer on the left side of WE and select search.  Add S-1-5-21 to the search box and see what turns up. Here are the locations on my PC for the version of the folder I have:

 

C:\WINDOWS\system32\appmgmt

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials

C:\Documents and Settings\Administrator\Application Data\Microsoft\Protect

C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA

C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials

 

If this shows up in normal places, I think the only unusual behavior is that it is visible.  In that case, I do think I remember something from way back around 1999 on a PC I had then where something similar happened and the problem eventually resolved itself.  That was Windows 98 SE, but I am sure that part of Windows XP is the same.  In any case, please update where you find the folder.

 

P.S.-There are a ton of registry keys associated with this folder (maybe 30-40) when I search "S-1-5-21" using the program "Everything".  Everything gives one the ability to see literally everything as the name implies.  Anyway, these keys all have to do with System Restore...



#5 UpgradeMe

UpgradeMe

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA USA
  • Local time:12:48 AM

Posted 18 May 2014 - 03:44 PM

Just checked to see if I could make these folders visible.  I opened a folder and used:

 

Tools->Folder Options->View->1.  Under Hidden files and folders set to "Show hidden files and folders"  2.  Uncheck "Hide protected operating system files" (Recommended)

 

This folder was not visible in the C drive recycle bin but could be seen in a folder called "Recycler" on the C, D, and E drives of the PC.  I looked further and found the folder placed directly on the C drive in a folder titled similarly "Recycler".

 

Check to see if your "Folder options" as shown above are set to show hidden files and that there is a check in the "Hide protected operating system files" option check box...

 

There is one unusual thing about the S-1-5-21 search.  I noticed there is a folder titled S-1-5-21-1417001333-790525478-725345543-500 in the D drive hidden Recycler folder (along with the S-1-5-21-2000478354-706699826-682003330-500 folder mentioned in the previous post) and several similarly named folders in the E drive hidden Recycler folder (all begin with S-1-5-21).  These folders apparently don't show up using the "S-1-5-21" search I used to search My Computer for a file similar to yours...only the S-1-5-21-2000478354-706699826-682003330-500 folder mentioned in the previous post appears.  This is a little bit strange.  I don't have an explanation for it.  The XP search client was set to find hidden files and protected system files.  Then again, this is not a source of concern.  I'm used to this kind of thing with Windows...

 

If you search your computer using S-1-5-21 to find these, make sure you scroll down before starting the search and select under "More advanced options" "Search system folders", "Search hidden files and folders", and "Search subfolders".  This is in the XP search client.  I don't recall which version of Windows you are using but you need your search to show these types of files for them to show up when you do the search...


Edited by UpgradeMe, 18 May 2014 - 04:23 PM.


#6 hellevene

hellevene
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:48 AM

Posted 19 May 2014 - 12:54 PM

Hello UpgradeMe and thanks for the detailed replies.

 

My OS is Windows XP, SP3.

 

As I have said in my original post, I have adjusted some registry values and this is why I can see hidden/superhidden folders like Recycler etc. Also, after noticing I had been infected, I deactivated System Restore in order to perform a proper disinfection and it is still deactivated.

 

These are the results of the search:

WPFFontCache_v0400-S-1-5-21-583907252-764733703-682003330-1005-0 - C:\Documents and Settings\LocalService\Local Settings\Application Data

S-1-5-21-583907252-764733703-682003330-500 - C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials

S-1-5-21-583907252-764733703-682003330-1005 - C:\Documents and Settings\pq\Application Data\Microsoft\Credentials

S-1-5-21-583907252-764733703-682003330-1005 - C:\Documents and Settings\pq\Application Data\Microsoft\Protect

S-1-5-21-583907252-764733703-682003330-500 - C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials

S-1-5-21-583907252-764733703-682003330-1005 - C:\Documents and Settings\pq\Application Data\Microsoft\Crypto\RSA

S-1-5-21-583907252-764733703-682003330-1005 - C:\Documents and Settings\pq\Local Settings\Application Data\Microsoft\Credentials

 

So, they are quite similar to yours; or, in any case, there are some S-1-5 etc. folders in various places on my laptop. (Of course, if you see something unusual about these results, you may notify me.)

 

I also searched for folders starting with S-1-5-21 in all my external hard drives but I found none. (However, if I delete any file from any of these hard drives, a folder with the name S-1-5-21.....-1005 will appear in their Recycler, as I have mentioned in a previous post.) So, I suppose S-1-5 etc. is a Windows folder.

 

There is something more I noticed just today; If I delete any file using "shift+delete" then the S-1-5 etc folder does not appear inside the Recycler. Moreover, as I have said, I could not delete the S-1-5 etc. folder from the Recycler by simply pressing delete, so I had to use a program called "WinDirStat" in order to do so. However, if I use "shift+delete" I can delete it and all its contents, permanently of course.

 

I also found this post somewhere:

http://www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe

However, my S-1-5 etc. folder contains files only when I delete one and it is possible for me to delete both those and the S-1-5 folder. So, I suppose, this post is another story about another beast.

 

Anyway, after reading your posts, and also seeing that my laptop still behaves perfectly normal after more than a week + none of the 3 antiviruses I have used can detect any virus/worm/trojan etc., I started to think that it is normal for a folder with that name to exist in various places inside a Windows OS pc, including the Recycler. And that Rotinom creates a folder with that same name inside the infected drives, for its own malicious reasons. Otherwise, why do you also have a folder with a very, very similar name in your pc too? What do you think?

 

P.S. In order to be sure about my hypothesis, you can try, if you want, the following experiment:

Delete any file. Then, go inside your Recycler folder. I suppose you will find your S-1-5 etc. there. Check if it contains the file you have deleted; I suppose it will be there. Then, permanently delete the S-1-5 etc. folder by pressing "shift+delete"; make sure that it is deleted. Then, delete any other file and go check Recycler again to see if it re-appeared there, containing the newly deleted file. If it has re-appeared, then it is almost certain that this is a normal Windows OS procedure and that it is normal for a folder with the name S-1-5 etc. to exist inside Recycler.

(I am not a technician but judging from my experiences with the S-1-5 etc. folder, I am almost sure that this is a safe experiment; I especially refer to the part where you permanently delete the S-1-5 etc. folder. However, seeing that you are more experienced in technical matters, if you have any doubt about its safety, you can at least perform the previous steps just to see whether the deleted files will appear inside the S-1-5 etc. folder. Maybe any technician that reads this can give us his/her own opinion.)



#7 UpgradeMe

UpgradeMe

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA USA
  • Local time:12:48 AM

Posted 19 May 2014 - 02:02 PM

 

I started to think that it is normal for a folder with that name to exist in various places inside a Windows OS pc, including the Recycler. And that Rotinom creates a folder with that same name inside the infected drives, for its own malicious reasons. Otherwise, why do you also have a folder with a very, very similar name in your pc too? What do you think?

 

I would say yes, this is normal.  Typically, these are hidden files (using normal Windows settings), so they won't even be noticed by most users.  You can actually set system and hidden files to be hidden as I mentioned, I think, in my most recent post prior to this one.  Just open any folder and follow those instructions to do so.  I don't use desktop icons (Rainmeter instead...the desktop being the place where the hidden and system folders and files aggravate me the most), so I am able to leave hidden and system files visible without being annoyed.  Anyway, with this setup, I can't see them on the desktop (good) with the icons turned off, but I also don't have to make these types of files visible when I need to find something in Windows, where many are one or both of these types of files and would otherwise be invisible...

 

I recall a virus which also happens to be from the Windows 98 days, where the virus would systematically fill up the recycle bin over the course of several minutes.  Eventually, the PC would become totally unusable as Windows needs about 15% of free space on the main drive to function.  That was a nasty virus, so you are correct to be concerned about this issue.

 

Looking at the folders/files, I recognize them now.  I believe Windows System Restore uses these files to restore the correct setup to the recycle bin of your PC when you restore to an earlier date.  As for deleting the folders, etc., I will take your word for it.  That rings a bell with me as normal in Windows for them to be replaced in those folders.  This would be sort of like the copies of your Documents and Settings (icons, startups and so on) that System Restore keeps to restore the PC.  It also keeps full copies of the system registry from each restore point date/time...


Edited by UpgradeMe, 19 May 2014 - 02:05 PM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:48 AM

Posted 19 May 2014 - 09:24 PM

This is difficult to remove on your own as you see. You guys are doing good but it's still surviving.

"W32/Rotinom" is detection for a worm that spreads over USB devices. The worm queries the following location SYSTEM\CurrentControlSet\Services\USBSTOR\Enum in order to get all the USB drives injected into the machine.

Upon execution, the malware will try to spread to all fixed and removable drives as described below. Besides that it will drop a copy of itself in the following location:

Description here
http://home.mcafee.com/virusinfo/virusprofile.aspx?key=268495


I think it would be better to have one of the malware specialists find all of it and take it out.

Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.

#9 hellevene

hellevene
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:48 AM

Posted 20 May 2014 - 12:40 PM

Hello boopme,

 

Yes, it was a nasty one. However, I wonder why you didn't notice through the posts that:

 

1) Rotinom does much more than what you describe, some of which was fixed by neither MalwareBytes free nor Kaspersky (I used PandaCloudCleaner after the other two had removed the infected files so I am not sure about this), and I had to use two other programs as well as follow online instructions in order to be able to write this post.

2) That it's almost sure I am clean by now; and I have to thank UpgradeMe who was the one that gave me some very valuable info.

 

Moreover, in case you are one of these specialists, you either don't know that folders with the name "S-1-5-21-583907252 etc." are normal Windows folders, which means you are not a very special specialist; or you know it but you prefer to keep it to yourself for a reason I am incapable of apprehending, which means you are a very special specialist. Of course, I may be wrong about that, so could you please tell me the exact reasons that make you believe I am still infected? Also, if you are not a specialist at all, then what are you and why do you want to spoil our (mine and UpMe's) victory?

 

UpgradeMe, don't take my word! I am not a specialist. However, I have erased my S-1-5 etc. folder from the Recycler more than 50 times and it is still there. So, if you decide to perform this experiment, I am very curious about the results.


Edited by hellevene, 20 May 2014 - 12:41 PM.


#10 UpgradeMe

UpgradeMe

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA USA
  • Local time:12:48 AM

Posted 20 May 2014 - 02:11 PM

hellevene...

 

S-1-5-21 folders cannot be deleted on this PC.  I get a message that the folder can't be deleted.  I think you said that you are using a special program to remove the folder, but this is exactly what to expect from the folder.  It's intentionally protected by Windows.

 

When you had the malware problem, the problem was something that was placed in one of the S-1-5-21 folder(s).  Your a-v or whatever identified it as Rotinom either identified a file in one of these folders (or many folders) or identified a file and then a behavior of a program (i.e. adding files to folders without approval, etc.).  The behaviors you are seeing in recycle bin are normal and not associated with any malware.  It was something that was in one of the folders that caused it to be flagged.  At worst, these normal folders could contain malware which must be removed.

 

If the program that infected your computer is gone, you won't see the problem again.  If you want to set your computer up so that you don't have to look at hidden files and system files, use the reverse of 1 and 2 of this action:

 

Tools->Folder Options->View->1.  Under Hidden files and folders set to "Show hidden files and folders"  2.  Uncheck "Hide protected operating system files" (Recommended)

 

Here is a little bit of information about recycler:

 

http://www.bleepingcomputer.com/forums/t/272858/recycler-s-1-5-21/

 

It was something in your recycler that was reported as Rotinom...not the folder.  The S-1-5-21 was part of the location of the potential threat.  If you had your recycle bin filling fast with things that shouldn't be there, you would then need to be concerned that the Rotinom malware is still there.  If this happened, your hard drives would fill up inexplicably over time (sometimes very fast).  Here is information:

 

http://opinion.myjoyonline.com/pages/feature/201104/64797.php

 

At present, I would say you are 100% clean and have no worries.  I have experienced this malware on a Windows 98 SE PC.  Once it's gone, it's gone.

 

Again, the folder behaviors of the S-1-5-21 folders you are seeing are normal.  See here:

 

A S-1-5-21 directory is a default directory created when you create an account (on a Windows based PC). Since there is a default hidden account in Windows, there are always folders of this type on a Windows PC.  Also, this type of directory is a default one.  As such it is not possible to delete files in the directory nor can the directory itself be deleted.  They are all protected.  This location is an ideal place for placement of malware. If your anti-virus program finds questionable files in the folder seek help from a malware removal specialist.

 

This is a paraphrase from a translation at Answers.com.  For each account on the PC (see C:\Documents and Settings) you should have one of these folders (on remote drives...on the main drive, only one at a time (whichever account you are using) will be visible).
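As an added example (not code from this thread or from any of the tools it mentions), the following Python splits the folder name discussed above into its SID components, which is why UpgradeMe's folder ends in -500 (the built-in Administrator RID) while hellevene's ends in -1005 (an ordinary user account on a different machine), and decodes the Windows XP INFO2 index that such a RECYCLER\<SID> folder keeps beside renamed entries like "Dc2" (post #1). The INFO2 bytes are constructed inline for the demonstration; the 800-byte XP record layout is assumed.

```python
"""Forensic helpers for the RECYCLER\\<SID> folder discussed in this thread."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

# Well-known relative identifiers (RIDs) of local accounts.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def parse_sid(sid):
    """Split an account SID (S-1-5-21-<m1>-<m2>-<m3>-<rid>) into machine id and RID.

    Raises ValueError for strings that are not well-formed account SIDs.
    """
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a local/domain account SID: %r" % sid)
    try:
        numbers = [int(p) for p in parts[4:]]
    except ValueError:
        raise ValueError("non-numeric component in SID: %r" % sid)
    rid = numbers[3]
    if rid in WELL_KNOWN_RIDS:
        account = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        account = "user-created account"   # accounts added after setup get RIDs from 1000 up
    else:
        account = "other well-known RID"
    return {"machine_id": tuple(numbers[:3]), "rid": rid, "account": account}


def same_machine(sid_a, sid_b):
    """True when two SIDs belong to accounts on the same Windows installation."""
    return parse_sid(sid_a)["machine_id"] == parse_sid(sid_b)["machine_id"]


# XP INFO2: 20-byte header followed by fixed 800-byte records.
_HEADER = struct.Struct("<IIIII")          # version, unused, unused, record size, total size
_RECORD = struct.Struct("<260sIIQI520s")   # ANSI path, index, drive, FILETIME, size, UTF-16 path
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Return one dict per INFO2 record: original path, the D<drive><index> name
    the file now carries inside RECYCLER\\<SID>, deletion time and size."""
    _version, _, _, record_size, _ = _HEADER.unpack_from(data, 0)
    if record_size != _RECORD.size:
        raise ValueError("unexpected INFO2 record size %d" % record_size)
    records = []
    for offset in range(_HEADER.size, len(data) - record_size + 1, record_size):
        ansi, index, drive, ft, size, wide = _RECORD.unpack_from(data, offset)
        original = wide.decode("utf-16-le").split("\x00", 1)[0]
        records.append({
            "original_path": original,
            # Deleted files are renamed D + drive letter + index, keeping the extension.
            "recycler_name": "D%s%d%s" % (chr(ord("a") + drive), index,
                                          ntpath.splitext(original)[1]),
            "deleted": filetime_to_datetime(ft),
            "size": size,
            # A zeroed first ANSI byte marks a slot already restored or purged.
            "emptied": ansi[0] == 0,
        })
    return records


def build_info2(entries):
    """Construct an INFO2 file from (path, index, drive, datetime, size) tuples.
    Used here only to fabricate sample input; real files come from RECYCLER."""
    body = b"".join(
        _RECORD.pack(path.encode("ascii"), index, drive,
                     datetime_to_filetime(when), size, path.encode("utf-16-le"))
        for path, index, drive, when, size in entries)
    return _HEADER.pack(5, 0, 0, _RECORD.size, sum(e[4] for e in entries)) + body


# Constructed sample: the thread's user "pq" (RID 1005) deleted one document from C:.
SAMPLE_SID = "S-1-5-21-583907252-764733703-682003330-1005"
SAMPLE_INFO2 = build_info2([
    (r"C:\Documents and Settings\pq\My Documents\notes.txt", 2, 2,
     datetime(2014, 5, 18, 12, 0, tzinfo=timezone.utc), 4096),
])

if __name__ == "__main__":
    print(parse_sid(SAMPLE_SID))
    for rec in parse_info2(SAMPLE_INFO2):
        print(rec)
```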



#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:48 AM

Posted 20 May 2014 - 07:33 PM

Hello guys

I am 1st Responder, not a member of the Malware Removal Team (MRT). 1st Responders are trusted staff members who assist members with malware infections in the Am I infected? What do I do? We know how to direct victims to run basic tools, post and read their logs. When we see evidence of more sophisticated malware requiring further investigation or more powerful tools than we can use in this forum, 1st Responders refer them to the read the Preparation Guide and post their log in the Virus, Trojan, Spyware, and Malware Removal Logs forum so one of our trained MRT experts can assist further.

I felt it was your best option and that is why I made post #8

#12 hellevene

hellevene
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:48 AM

Posted 25 May 2014 - 02:29 PM

Hello 1st Responder with the code name "boopme".

 

OK, I understand that your job here is to either help users, in case they have minor problems, or direct them to some specialist. However, wouldn't it be better to first read their posts? It is evident you didn't read this one.

 

Hello UpgradeMe.

 

Are you sure the S-1-5 etc. folder cannot be deleted? Did you press "shift+delete" or just 'delete"? Anyway, I don't think it matters anymore, since this laptop responds perfectly well, more than two weeks after disinfection.

 

Rotinom creates a new folder by the name S-1-5 etc. inside User/Local Settings/Application Data where it places a copy of itself. This folder was erased after disinfection. Then, by chance I discovered one with the same name inside Recycler -it was not reported by an antivirus- and I was alarmed because of the name. Since I didn't know there is a normal Windows' system folder by that name, I was afraid I was not properly disinfected. I was more concerned after I saw I could not get rid of it, although I could temporarily delete it -firstly with the assistance of WinDirStat program and then by "shift+delete". And because, as it seems, no specialist here or in MalwareBytes forum knew that S-1-5 etc. is a normal windows folder so as to appease me -on the contrary, some wanted me to believe I was still infected- I kept investigating the matter until you shared your knowledge with me. Thanks.



#13 UpgradeMe

UpgradeMe

  • Members
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atlanta, GA USA
  • Local time:12:48 AM

Posted 25 May 2014 - 04:18 PM

 

 

Rotinom creates a new folder by the name S-1-5 etc. inside User/Local Settings/Application Data where it places a copy of itself. This folder was erased after disinfection. Then, by chance I discovered one with the same name inside Recycler -it was not reported by an antivirus- and I was alarmed because of the name. Since I didn't know there is a normal Windows' system folder by that name, I was afraid I was not properly disinfected. I was more concerned after I saw I could not get rid of it, although I could temporarily delete it -firstly with the assistance of WinDirStat program and then by "shift+delete". And because, as it seems, no specialist here or in MalwareBytes forum knew that S-1-5 etc. is a normal windows folder so as to appease me -on the contrary, some wanted me to believe I was still infected- I kept investigating the matter until you shared your knowledge with me. Thanks.

 

Hellevene:  Just a guess here, but I think you could get rid of the contents of that folder by turning off System Restore. This will delete all of your current restore points, which, in the case of an infection which is associated with system restore, could be a good thing actually.  When you turn it back on it creates a new restore point automatically.

 

I use hard drive imaging to protect from this sort of problem.  Also, I have system restore set to use no more than 5 GB.  This works nicely as I still have 20 or more restore points.  Since I began imaging, however, I have never yet had to use system restore.

 

As for the S-1-5 folders (and contained files) not being removable, I don't think it (or the files inside) can be permanently removed.  Actually, I believe there is a backup copy of the folder and of the contained files stored in system restore, which Windows uses automatically to recopy the folder and files back to the location.  If you really wanted to be safe, you could try turning off system restore and check to see if the folders are gone.  If they are present, then you could check to see if the contained files are still present, which I doubt they would be.  Anyway, it's the contained files within the S-1-5 folder that you would want to get rid of if anything.  Folders aren't dangerous.

 

All this said, I think it's likely that malware removal removed any dangerous files from the system restore area of your PC.  The malware experts here and at some other sites are very good and they have very good software that they work with to clean PCs of malware.  It can be dangerous, and it is complicated software, but they know what to recommend and when.


Edited by UpgradeMe, 25 May 2014 - 04:20 PM.
