Continuing cleanup - can't delete a file in c:\RECYCLER

Discussion in 'adware, spyware & hijack cleaning' started by crmurr, May 31, 2004.

Thread Status:
Not open for further replies.
  1. crmurr

    crmurr Registered Member

    Joined:
    May 27, 2004
    Posts:
    18
    After successfully removing a lot of malware there are several items that seem to return after rebooting the system.

    A full system scan by Norton Antivirus detects a number of adware threats, security risks and spyware threats. The files it identifies with these are listed as being contents of a RECYCLER file [S-....1003]. I have tried to delete the file in Windows Explorer in Normal and Safe Mode and get the message "can't delete; in use by another program". The file system is NTFS.

    Is there a way to remove this?

    Thank you for your help.

    crmurr
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi crmurr,

    If you know which user-account it is, it would be easiest to empty the Recycle Bin in that account. ;)

    Regards,

    Pieter
     
  3. crmurr

    crmurr Registered Member

    Joined:
    May 27, 2004
    Posts:
    18
    When I empty the Recycle Bin I still find the file listed in the c:\Recycler folder.

    crmurr
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Like I said, you will have to find the correct user account.
    Or remove the file from the Recovery Console if you have a Windows CD.

    Do you also have Norton's Protected Files in use?

    Regards,

    Pieter
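
Added example (not part of any post in this thread): one way to find which account owns each per-user folder under the Recycle Bin root, since those folders are named after the account's SID. It assumes PowerShell is available on the machine and uses the `C:\RECYCLER` path from the thread; run it from an administrator session so other users' folders are readable.

```powershell
# Added example: map each per-user Recycle Bin folder to its account.
# C:\RECYCLER is the location named in the thread (assumed NTFS volume).
$binRoot = 'C:\RECYCLER'

Get-ChildItem -LiteralPath $binRoot -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $folder  = $_
        $account = '(not a SID)'

        # Per-user bins are named with the owner's SID string (S-1-...).
        if ($folder.Name -match '^S-1-\d+(-\d+)+$') {
            try {
                $sid     = New-Object System.Security.Principal.SecurityIdentifier($folder.Name)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # The SID does not map to a current account, for example a
                # deleted user or a folder left over from another installation.
                $account = '(unresolved SID)'
            }
        }

        # Count what is actually stored in the folder, hidden files included.
        $items = @(Get-ChildItem -LiteralPath $folder.FullName -Force -Recurse `
                       -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })

        New-Object PSObject -Property @{
            Folder  = $folder.Name
            Account = $account
            Files   = $items.Count
            Bytes   = ($items | Measure-Object -Property Length -Sum).Sum
        }
    } |
    Format-Table Folder, Account, Files, Bytes -AutoSize
```

A folder reported as `(unresolved SID)` or `(not a SID)` cannot be emptied by logging on to any existing account, which is the case where the whole-folder removal discussed later in the thread applies.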
     
  5. crmurr

    crmurr Registered Member

    Joined:
    May 27, 2004
    Posts:
    18
    Yes, Norton Protected Files is in use.

    These are the accounts and status
    Owner available
    Guest turned off
    ASP.NET Machine A... not accessible

    I turned on and logged on to Guest and had same result trying to delete the problem file. The problem file was only visible in c:\RECYCLER.

    crmurr
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You could try this:

    First disable the Norton protected Recycle Bin. Do that using the Norton Utilities Options, then right-click your Recycle Bin, and make sure the "Norton protected recycle bin" features are now disabled.


    Now open a Command Prompt window (Start > Run > Cmd) and leave it open. Close all open programs.

    Click Start, Run, enter taskmgr and press OK in order to bring up Task Manager.
    Go to the Processes tab and End Process on Explorer.exe.

    Leave Task Manager open. Go back to the Command Prompt window, and type: rd /s c:\recycler in order to delete your Recycle Bin.
    Answer Yes when prompted to confirm deletion.

    NOTE: that command reads "rd (space)/s (space) c:\recycler"

    Go back to Task Manager, click File > New Task and enter EXPLORER.EXE to restart the GUI shell. Close Task Manager.

    Restart your computer. A new Recycle Bin will automatically be created.

    Now this works for the Recycled folder on FAT32 systems, maybe also for you, unless this is indeed another of these baddies from hell! :doubt:

    Good luck,
     
  7. crmurr

    crmurr Registered Member

    Joined:
    May 27, 2004
    Posts:
    18
    Tony,

    Thank you for recommending the Recycle Bin deletion procedure.

    I have run the procedure on a WinXP test machine with NTFS filesystem and it works nicely.

    On the PC, the c:\Recycler file that seems immune to deletion also cannot be opened to see what is contained in it. I have seen one case in which a person claimed that deleting the Recycle Bin caused all data on the PC to be deleted.

    Do you think malicious code in a Recycle Bin file could cause that kind of response in Recycle Bin deletion?

    I have a backup of the user data on the problem PC, but cannot afford to lose the system itself. So I want to approach this very cautiously.

    Thank you for your help.

    crmurr
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    No, that's utter nonsense; C:\Recycler is just the Recycle Bin folder; deleting it is incapable of causing any harm to any other folders, files, or data.

    Did you indeed make sure Norton Protection was removed? For that will prevent you from deleting the bin.

    And have you already tried Recovery Console like Pieter suggested?
     
  9. crmurr

    crmurr Registered Member

    Joined:
    May 27, 2004
    Posts:
    18
    Tony,

    Thank you for your further help with this.

    Recovery Console produced an 'access denied' error when I tried to delete the file.

    When I turned off Norton protected file feature I was able to delete the file from Win Explorer. I erred earlier in disabling auto-protect rather than disabling protection in the Norton recycle bin.

    I appreciate your help and Pieter's. This has been a useful learning for me.

    crmurr
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You're welcome; glad we were able to help. :)
     