undeletable files in sandboxIE, corruption of windows profile

Discussion in 'sandboxing & virtualization' started by learningcurve, Apr 18, 2012.

Thread Status:
Not open for further replies.
  1. learningcurve

    learningcurve Registered Member

    Does this sound familiar to anyone here?

    Struggling with this repeated corruption (hack?) for several months while
    using SandboxIE on 2 different computers:
    Vista sp2 & Win 7.
    Browsers FF 6-10, IE 9.
    Few addons: request pol, noscript, https Everywhere.
    Sandboxie tight config: only browsers, no access except for saving downloads.
    Standard user profile, uac maxed
    non-risky surfing

    Symptoms:
    * undeletable files left in sandbox after redir and sdelete used

    * or if box emptied, somehow these files find way to Recycle bin (using
    ccleaner possibly) where files are *undeletable and super hidden*
    (Can only see delete using offline tools).

    * if these files stay in sandbox or recycle bin (hidden), user profile increasingly corrupts: permissions change (more lax uac), KAV and KIS security software loses some functions but not all, explorer.exe crashes, notepad as admin crashes, cdrom not fully functional, etc.

    * AV on & offline scans, Gmer, tdsskiller, HitmanPro never find anything

    Only cure even if files removed is new user profile. It's a pita to check offline for these files each time; by then some damage may be done anyway.

    What is this generally? Any mitigations? Time for VM?
  2. kjdemuth

    kjdemuth Registered Member

    What are the files? Like exe's or system files? Also had you recently installed or updated sandboxie?
  3. Keyboard_Commando

    Keyboard_Commando Registered Member

    Use Eraser instead. If you search through the Sandboxie threads here you'll see there are a few members that have had similar experiences to yours with the default RMDIR especially. Eraser has a queuing function - any missed deletions will eventually get wiped. Simply initializing the sandbox again and closing it enables Eraser to queue up any missed deletion instances. I might be wrong about this, because I haven't tried RMDIR for a long time ... but RMDIR just deletes the current sandbox open, so any missed deletions will still remain.

    Try to get the older version of Eraser. I managed to find an older copy by looking around - 5.8.8 version, I say use the older versions because the newest Eraser is pretty crappy, IMO (it runs as a resource hogging service now). Definitely look around for an older version!
  4. chris1341

    chris1341 Guest

    Nowhere near the issues you quote but I have had times where files in the sandbox deleted by a third party app remain hidden in the Recycle Bin. In my case it was through deleting the entire Sandbox container rather than just the contents. To fix it I just loaded up a linux live CD and deleted them.

    I'm not sure your other issues are associated with that though. Why would something in the Recycle Bin corrupt your user profile? Is there something else going on? What is your 'tight config' and is it causing the issues?

    Try creating a new sandbox on default settings and see if it empties OK. If it does it might suggest something needs tweaking in your other boxes' set-up. Or as Keyboard_Commando says try a different delete tool. Or as I do set your Sandboxie container as non-persistent in a Ram Drive so no need for deletion tools - reboot and it's all gone.

    Cheers
    Last edited by a moderator: Apr 19, 2012
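    As an added example (not code from this thread, from Sandboxie or from Eraser), the following PowerShell script does the leftover-file check chris1341 describes from inside Windows before reaching for a live CD: it lists files under the Recycle Bin and the Sandboxie container that carry the Hidden+System attribute pair (the "super hidden" files the thread refers to), shows their owner and any explicit ACEs, and with `-Delete` attempts removal so the exact failure reason is recorded. It assumes Sandboxie's default container root `C:\Sandbox` (adjust `-Roots` if yours differs) and an elevated PowerShell prompt on the affected profile.

```powershell
# Added example, not code from the thread or from Sandboxie/Eraser.
# Reports Hidden+System files under the Recycle Bin and the Sandboxie container,
# with owner and explicit-ACE count, and optionally attempts deletion while
# recording the exact reason a file could not be removed.
# Assumptions: container root C:\Sandbox (Sandboxie default, adjust -Roots),
# run from an elevated PowerShell prompt on the affected user profile.

param(
    [string[]]$Roots = @("$env:SystemDrive\`$Recycle.Bin", 'C:\Sandbox'),
    [switch]$Delete      # without this switch the script only reports
)

function Get-SuperHiddenFiles {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force makes Get-ChildItem return the Hidden and System entries Explorer hides
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
          Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
          } |
          ForEach-Object {
            $acl = $(try { Get-Acl -LiteralPath $_.FullName } catch { $null })
            [pscustomobject]@{
                Path         = $_.FullName
                Bytes        = $_.Length
                Attributes   = $_.Attributes.ToString()
                LastWriteUtc = $_.LastWriteTimeUtc
                Owner        = if ($acl) { $acl.Owner } else { '<ACL unreadable>' }
                # Explicit (non-inherited) ACEs are a useful tell: a leftover whose
                # DACL was rewritten is one the normal user cannot remove or even see
                ExplicitAces = if ($acl) { @($acl.Access | Where-Object { -not $_.IsInherited }).Count } else { -1 }
            }
          }
    }
}

function Remove-WithReason {
    param([string]$Path)
    try {
        # Clear the attributes first: ReadOnly/System can make Remove-Item refuse
        Set-ItemProperty -LiteralPath $Path -Name Attributes -Value ([IO.FileAttributes]::Normal) -ErrorAction Stop
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        [pscustomobject]@{ Path = $Path; Removed = $true;  Reason = '' }
    } catch {
        # Typical reasons: sharing violation (handle held by a process or driver),
        # access denied (owner/DACL), or a path longer than MAX_PATH
        [pscustomobject]@{ Path = $Path; Removed = $false; Reason = $_.Exception.Message }
    }
}

$found = @(Get-SuperHiddenFiles -Paths $Roots)
"{0} Hidden+System file(s) found under {1}" -f $found.Count, ($Roots -join ', ')
$found | Format-Table Path, Bytes, Attributes, Owner, ExplicitAces -AutoSize

if ($Delete -and $found.Count -gt 0) {
    $results = $found | ForEach-Object { Remove-WithReason -Path $_.Path }
    $results | Format-Table Path, Removed, Reason -AutoSize
    # Whatever is still listed here is what an offline boot (the live-CD
    # approach in the thread) would be needed for
    "Still present after deletion pass:"
    $results | Where-Object { -not $_.Removed } | Select-Object -ExpandProperty Path
}
```

    Run it once without `-Delete` to get an inventory; the owner and explicit-ACE columns tell you whether the files are ordinary browser cache the sandbox failed to clean or something whose permissions were changed. A sharing-violation reason on the deletion pass points at an open handle (a process or the sandbox driver), which is a different problem from an access-denied one and is the case where rebooting or an offline boot removes the file.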
  5. learningcurve

    learningcurve Registered Member

    Thanks for your response, kjdemuth.

    They look like browsing temp files, no exes. Using sandboxIE for 9 mos and regularly update, but as this is a periodic problem, don't see newer versions causing the problem.

    The undeletable files -- and super hidden -- I can only see w/ offline tool like Ubuntu or a rescue disk. I do not know how to open them w/ these tools.
    At one point, the document looked like a script (?) -text file. Had words cdrom in it and at the time my cdrom was experiencing malfunctions (files look like copied but are not really).

    Thinking may be scripts?
  6. learningcurve

    learningcurve Registered Member

    Thanks Keyboard_Commando. I will look into older version of Eraser. Have to admit I am a bit afraid of it. Used it a long time ago and it was heavy on system even then.:-*
  7. learningcurve

    learningcurve Registered Member

    Chris1341,

    This is exactly the perspective I'm seeking. I may be experiencing two different issues, that just *seem* to be connected. Can a script somehow corrupt the sandbox, or essentially any place it lands: recycle bin, sandbox (recycle bin has been corrupted according to MSFIXIT)?

    Default sandboxie config - except allowed downloads, closed FF anti-phishing and Explorer bookmarks opening - hoping it would help.

    Have created new sandbox today and will see if it works. It's not every browsing session, but I have to check every day to make sure.

    Perhaps hidden, undeletable files is not the cause but a symptom, a rootkit? Script? Many scans and tools have been used (see orig post), nothing found.

    But why would symptom be hidden, undeletable files?
  8. learningcurve

    learningcurve Registered Member

    Would like to add if issue with sandboxie files is red herring, what are the other symptoms indicative of - even generally? Have read the sandboxie forum posts about undeletable files, but answer never went beyond that issue.

    symptoms:

    User profile progressively, day by day loses security and functionality.
    -User acct suddenly acquires Admin permissions for command or some other elevated program. (Ran Access Enum: no visible changes to perms (as my limited knowledge can determine).)
    -Explorer crashes for no reason.
    -Desktop needs to be refreshed after each new action.
    -Recycle bin corrupted

    KIS or KAV also display this behavior: After install - fine, but after a month its protection / functionality fails, eg.,
    -scans go wacky (huge # of files)
    -firewall fails to keep settings;
    -hips stops notifying,
    -trusted programs blocked and or will suddenly not let me have access to internet - with no changes by me except update.
    -Context menus for AV scanning disappear.

    FF profile files get corrupted: content-prefs.sqlite corrupted.
    Certificate handling fails. Distrusted certs are suddenly trusted again.

    If anyone recognizes this or can point to general cause, would appreciate. As I have a new computer, for it to be experiencing *same* probs as last is concerning. Btw- did not import old data onto new comp.

    Regards.
  9. chris1341

    chris1341 Guest

    Sounds horrible. o_O I'm afraid I have no patience for such things. I'd have backed up my data, reformatted and reinstalled Windows by now. Others more skilled will have more subtle solutions I'm sure.

    It would help to know what OS and what key programmes you have running alongside KIS/KAV and SBIE but you could start by removing apps one at a time to see if it improves. A lot of your issues are with Kaspersky. Is the install corrupt or is it conflicting with something else? From memory there are a number of other security apps that don't play nice with Kaspersky.

    Failing that you might ask the mods to move this thread to get more exposure now it seems, at least, not to be SBIE related so those not interested in sandboxing and virtualisation can review your issues also.

    Cheers
  10. learningcurve

    learningcurve Registered Member

    Chris,

    Horrible indeed. Re-format /reinstall may be inevitable. Have done so in the past, but am determined to find cause as it will just come back in my experience.

    Saw an interesting mention of trojaning in the sandbox at sandboxIE forum, perhaps something I need to investigate. And perhaps switch to another security suite, perhaps KIS or KAV (which are exposed to sandbox BTW) just do not play nice or are corrupted somehow.

    Thanks for your input.

    Regards.