
[SOLVED] $Recycle.bin and System Volume Information Virus

Old 06-10-2011, 10:03 AM   #1
Registered Member
 
Join Date: Mar 2009
Posts: 73
OS: Windows 8 Professional



I just installed Windows 7 Ultimate SP1 on my system. It was clean until I decided to give out my External HDD to a friend. And when I plugged it back into the comp, I forgot to scan it and then saw that it had this strange Virus of sorts. $Recycle.bin and System Volume Information. Soon, it had spread to all my partitions. I tried deleting them manually, but $recycle.bin would just pop back up, while System Volume Information wouldn't even get deleted and I can't open it as Access Is Denied even when logged in as Administrator. I've tried Norton Internet Security 2011 and Bitdefender Total Protection 2011 but to no avail. I tried Autorun Eater and Malwarebytes Anti-Malware. But those too, failed. Finally, I installed Ubuntu on my system and manually deleted the troublesome folders. And then permanently deleted them from the trash too. Only to see that the Folders were back in Windows! Any suggestion?

Processor: i5 2500-K @3.30GHz
RAM: 4GB DDR3
OS: Windows 7 Ultimate SP1
HDD: WD 1TB
Attached screenshots: SS1.jpg, SS2.jpg

ashwin.terminat is offline  
Old 06-10-2011, 10:14 AM   #2
Team Manager, Microsoft Support
Microsoft MVP
BSOD Kernel Dump Expert
 
jcgriff2's Avatar

Microsoft Most Valuable Professional
 
Join Date: Sep 2007
Location: New Jersey Shore
Posts: 30,701
OS: Windows 10, 8.1, 7 + Windbg :)



$Recycle.Bin = the recycle bin
System Volume Information = hidden system folder - system restore

You will find these 2 on every NTFS partition where system restore is turned on.

Why do you suspect virus?

Regards. . .

jcgriff2


jcgriff2 is offline  
Old 06-10-2011, 10:16 AM   #3



Because I've turned off system restore on all the drives except C. But why would it show up after it was on the External HDD. And besides, I've configured the Recycle Bin such that the files don't go to the Recycle Bin at all. So I can't understand the existence of a Recycle Bin folder or a System Volume Information folder in these drives.
ashwin.terminat is offline  
Old 06-10-2011, 10:30 AM   #4



Your screenshots were drive c:

Recycle Bin contains a single 129 byte desktop.ini file for each active user account. From my system -

Code:
C:\$Recycle.Bin>dir /a
Volume in drive C is Windows7 x64
Volume Serial Number is 289F-AF69

Directory of C:\$Recycle.Bin

06/07/2011  13:04    <DIR>          S-1-5-21-1477948808-2898045070-2393627958-1001
07/11/2010  00:21    <DIR>          S-1-5-21-1477948808-2898045070-2393627958-500

Code:
Directory of C:\$Recycle.Bin\S-1-5-21-1477948808-2898045070-2393627958-500

07/11/2010  00:21    <DIR>          .
07/11/2010  00:21    <DIR>          ..
07/11/2010  00:21               129 desktop.ini
           1 File(s)            129 bytes
           2 Dir(s)  74,607,003,648 bytes free

Contents of desktop.ini -

Code:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964

Make sure system restore is in fact turned off for all drives except c:

Regards. . .

jcgriff2

jcgriff2 is offline  
Old 06-10-2011, 10:38 AM   #5



I too have a single file of 129 bytes or so. So this is normal? Why does the fishy folder have a recycle bin folder by the code name of sorts of S-1-5-21-330910056-542397928-1330698660-1000 which is empty? And what about the SVI folder? Is that normal too? But why did it now show up immediately after the External HDD, which I've been using for so many days now was plugged in before I gave it away?
ashwin.terminat is offline  
Old 06-10-2011, 12:05 PM   #6



Yes, the 129 byte desktop.ini file in recycle bin is normal.

S-1-5-21-330910056-542397928-1330698660-1000 = SID = Security Identifier

To check your user account SID, bring up a command prompt and type -

Code:
whoami /user

There can be multiple SID folders in recycle bin.

-1000, -1001, etc... = User Admin accounts
-500 = Hidden Admin user account

$Recycle.Bin + System Volume Information folders likely always existed on c:

Perhaps you made a change recently to "show hidden folders/ files"..?

Regards. . .

jcgriff2

jcgriff2 is offline  
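
One way to run the checks from posts #4 and #6 across every mounted drive, as an added example that is not part of the original thread: it lists each entry under `$Recycle.Bin`, resolves SID-named folders to local accounts, and checks `desktop.ini` for the CLSID quoted in post #4. It assumes PowerShell 3.0 or later and an elevated prompt; the function names `Resolve-SidName` and `Test-RecycleBin` and the `Review` column are made up for this example, and a `Review` flag is a prompt for a closer look, not a malware verdict.

```powershell
# Added example: audit the top level of <drive>:\$Recycle.Bin on each volume.
# CLSID of the Recycle Bin shell folder, as shown in the desktop.ini in post #4.
$RecycleClsid = '{645FF040-5081-101B-9F08-00AA002F954E}'

function Resolve-SidName {
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Invalid SID string, or an account this machine does not know
        # (expected on a drive that was last used on another PC).
        return $null
    }
}

function Test-RecycleBin {
    param([string]$Root)   # drive root, e.g. 'C:\'
    $bin = Join-Path $Root '$Recycle.Bin'
    if (-not (Test-Path -LiteralPath $bin)) { return }
    Get-ChildItem -LiteralPath $bin -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # Legitimate children are directories named after a user SID.
        $isSidDir = $_.PSIsContainer -and ($_.Name -match '^S-1-\d+(-\d+)+$')
        $ini      = Join-Path $_.FullName 'desktop.ini'
        $iniOk    = $null   # $null = no desktop.ini present (e.g. an empty SID folder)
        if ($isSidDir -and (Test-Path -LiteralPath $ini)) {
            $text  = Get-Content -LiteralPath $ini -Force -ErrorAction SilentlyContinue
            # $false also covers a desktop.ini that could not be read.
            $iniOk = [bool]($text -match [regex]::Escape($RecycleClsid))
        }
        [pscustomobject]@{
            Path       = $_.FullName
            SidFolder  = $isSidDir
            Account    = if ($isSidDir) { Resolve-SidName $_.Name } else { $null }
            DesktopIni = $iniOk
            # Flag anything that is not a SID folder, or whose desktop.ini lacks the CLSID.
            Review     = (-not $isSidDir) -or ($iniOk -eq $false)
        }
    }
}

# Drives with no media report no free space; skip them.
Get-PSDrive -PSProvider FileSystem | Where-Object { $null -ne $_.Free } |
    ForEach-Object { Test-RecycleBin $_.Root } |
    Format-Table -AutoSize
```

A blank `Account` next to a SID folder means only that the SID does not map to an account on the machine running the script.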
Old 06-10-2011, 02:16 PM   #7
TSF Team, Emeritus
 
spunk.funk's Avatar
 
Join Date: May 2010
Location: Los Angeles
Posts: 28,347
OS: Windows 8 64, Windows 7 64 Bit SP1, XP SP3, Mac OSX



Every external USB drive has a grayed out (hidden) Recycle Bin icon which is connected to the Recycle Bin on the C: drive. If you delete something on the external, it will sit in the Recycle Bin on the C: in case you want to restore it. If you delete a file on the external, unplug the external, and then Empty the Recycle Bin, the recycle bin will still say there is something in it until you plug in the external drive and empty again.
spunk.funk is offline  
Old 06-10-2011, 09:36 PM   #8



Whoa! OK, thanks. :) Looks like I made a big fuss out of nothing really. Anyway, thanks guys. I just hid protected OS files and it "vanished".
ashwin.terminat is offline  
Old 06-10-2011, 10:11 PM   #9



No big fuss made, I assure you. Always feel free to create a thread on any topic you would like clarification on or help with. That's why we're here.

I'm glad to hear all is well.

Regards. . .

jcgriff2

jcgriff2 is offline  
Old 06-11-2011, 09:29 AM   #10



Thanks for your help guys. :) Just that it was a brand new comp which cost me $1000, so I was a tad worried.

ashwin.terminat is offline  