Status
Not open for further replies.

[SOLVED] $Recycle.bin and System Volume Information Virus

31K views 9 replies 3 participants last post by  ashwin.terminat  
#1 ·
I just installed Windows 7 Ultimate SP1 on my system. It was clean until I decided to give out my External HDD to a friend. And when I plugged it back into the comp, I forgot to scan it and then saw that it had this strange Virus of sorts. $Recycle.bin and System Volume Information. Soon, it had spread to all my partitions. I tried deleting them manually, but $recycle.bin would just pop back up, while System Volume Information wouldn't even get deleted and I can't open it as Access Is Denied even when logged in as Administrator. I've tried Norton Internet Security 2011 and Bitdefender Total Protection 2011 but to no avail. I tried Autorun Eater and Malwarebytes Anti-Malware. But those too, failed. Finally, I installed Ubuntu on my system and manually deleted the troublesome folders. And then permanently deleted them from the trash too. Only to see that the Folders were back in Windows! Any suggestion?

Processor: i5 2500-K @3.30Ghz
RAM: 4GB DDR3
OS: Windows 7 Ultimate SP1
HDD: WD 1TB
 


#2 ·
Re: $Recycle.bin and System Volume Information Virus

$Recycle.Bin = the recycle bin
System Volume Information = hidden system folder - system restore

You will find these 2 on every NTFS partition where system restore is turned on.

Why do you suspect virus?

Regards. . .

jcgriff2

 
#3 ·
Re: $Recycle.bin and System Volume Information Virus

Because I've turned off system restore on all the drives except C. But why would it show up after it was on the External HDD? And besides, I've configured the Recycle Bin such that the files don't go to the Recycle Bin at all. So I can't understand the existence of a Recycle Bin folder or a System Volume Information folder in these drives.
 
#4 ·
Re: $Recycle.bin and System Volume Information Virus

Your screenshots were drive c:

Recycle Bin contains a single 129 byte desktop.ini file for each active user account. From my system -
Code:
C:\$Recycle.Bin>dir /a
Volume in drive C is Windows7 x64
Volume Serial Number is 289F-AF69

Directory of C:\$Recycle.Bin

06/07/2011  13:04    <DIR>          S-1-5-21-1477948808-2898045070-2393627958-1001
07/11/2010  00:21    <DIR>          S-1-5-21-1477948808-2898045070-2393627958-500
Code:
Directory of C:\$Recycle.Bin\S-1-5-21-1477948808-2898045070-2393627958-500

07/11/2010  00:21    <DIR>          .
07/11/2010  00:21    <DIR>          ..
07/11/2010  00:21               129 desktop.ini
           1 File(s)            129 bytes
           2 Dir(s)  74,607,003,648 bytes free
Contents of desktop.ini -
Code:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964
Make sure system restore is in fact turned off for all drives except c:

Regards. . .

jcgriff2

 
#5 · (Edited)
Re: $Recycle.bin and System Volume Information Virus

I too have a single file of 129 bytes or so. So this is normal? Why does the fishy folder have a recycle bin folder by the code name of sorts of S-1-5-21-330910056-542397928-1330698660-1000 which is empty? And what about the SVI folder? Is that normal too? But why did it now show up immediately after the External HDD, which I've been using for so many days now was plugged in before I gave it away?
 
#6 ·
Re: $Recycle.bin and System Volume Information Virus

Yes, the 129 byte desktop.ini file in recycle bin is normal.

S-1-5-21-330910056-542397928-1330698660-1000 = SID = Security Identifier

To check your user account SID, bring up a command prompt and type -
Code:
whoami /user
There can be multiple SID folders in recycle bin.

-1000, -1001, etc... = User Admin accounts
-500 = Hidden Admin user account

$Recycle.Bin + System Volume Information folders likely always existed on c:

Perhaps you made a change recently to "show hidden folders/ files"..?

Regards. . .

jcgriff2
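
The layout described in posts #4 and #6 (per-user SID folders, each holding a desktop.ini with the Recycle Bin CLSID) can be checked mechanically. The following is an added example, not part of the original thread: it flags anything in a `$Recycle.Bin` directory that does not fit that layout. The function names, the sample tree and the `$I`/`$R` item-name pattern are assumptions of the example.

```python
import re
import tempfile
from pathlib import Path

# Values quoted in the thread: the Recycle Bin CLSID and the desktop.ini contents.
RECYCLE_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
NORMAL_INI = (b"[.ShellClassInfo]\r\nCLSID=" + RECYCLE_CLSID.encode() +
              b"\r\nLocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-8964\r\n")
# Assumption: only account SIDs of the form S-1-5-21-x-y-z-RID count as normal.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")
# Assumption: deleted items are stored as $I<id> (metadata) / $R<id> (content) files.
ITEM_RE = re.compile(r"^\$[IR][A-Z0-9]{6}", re.I)
USER_SID = "S-1-5-21-330910056-542397928-1330698660-1000"  # SID from post #5


def audit_recycle_bin(root):
    """Return sorted (relative path, reason) pairs for entries outside the normal layout."""
    findings = []
    for entry in Path(root).iterdir():
        if not (entry.is_dir() and SID_RE.match(entry.name)):
            findings.append((entry.name, "top-level entry is not a SID folder"))
            continue
        for item in entry.iterdir():
            rel = f"{entry.name}/{item.name}"
            if item.name.lower() == "desktop.ini":
                if RECYCLE_CLSID.encode() not in item.read_bytes().upper():
                    findings.append((rel, "desktop.ini lacks the Recycle Bin CLSID"))
            elif not ITEM_RE.match(item.name):
                findings.append((rel, "unexpected file in SID folder"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample tree: two normal SID folders plus two anomalies."""
    root = Path(root)
    for sid in ("S-1-5-21-1477948808-2898045070-2393627958-500", USER_SID):
        (root / sid).mkdir(parents=True)
        (root / sid / "desktop.ini").write_bytes(NORMAL_INI)
    (root / USER_SID / "$RAB12CD.txt").write_bytes(b"x")  # normal deleted item
    (root / USER_SID / "update.exe").write_bytes(b"MZ")   # constructed anomaly
    (root / "NotASid").mkdir()                            # constructed anomaly
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, reason in audit_recycle_bin(build_sample(tmp)):
            print(f"{path}: {reason}")
```

On a live system, point `audit_recycle_bin` at `X:\$Recycle.Bin` from an elevated prompt, since other users' SID folders are not readable otherwise.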

 
#7 ·
Re: $Recycle.bin and System Volume Information Virus

Every external USB drive has a grayed out (hidden) Recycle Bin icon which is connected to the Recycle Bin on the C: drive. If you delete something on the external, it will sit in the Recycle Bin on the C: in case you want to restore it. If you delete a file on the external, unplug the external, and then Empty the Recycle Bin, the recycle bin will still say there is something in it until you plug in the external drive and empty again.
 