"Recycler" & "System Volume Information"

[Toby28]

I have got a serious spyware / virus problem on my computer. I have searched 40 pages of google and still haven't found the solution so if you can sort this out you are probably a genius.

On my C, D, and H drives two folders have mysteriously appeared - it may have been some time ago - apparently they were created in June 06. They are called "System Volume Information" and "Recycler". Apparently they are duplicates of Windows system folders.

I have tried various spyware removal programs but to no avail.

I can't open the SVI folder but the Recycler folder is definitely a problem. What appears to be happening is that when I send a file to the Recycle Bin, it will also appear in the above folders in all of my C, D and H drives. So if I delete a 3mg file, it takes up 12mg of space in (i) the Recycle Bin, (ii) C / Recycler, D / Recycler, and H / "Recycled" (not "Recycler").

No idea how to get rid of this problem - can anyone help??!!

 

[Emperor_nero]

Post a hijackthis log.

 

[Toby28]

Here goes:

By the way, I created a large 1 gb file on the C drive and checked the free space on all of my drives. After creating the file, the readings were : C: 5 gig free, D: 15; H: 100. When I deleted the file, the readings were the same. I expected there to be more space free on the C drive after deleting the file but the size on C stayed the same after the deletion. I am an amateur, but does that mean that the Recycle bin exists partially on all the drives, rather than as a separate drive? That would explain why there is a recyler folder on all the drives...


Logfile of HijackThis v1.99.1
Scan saved at 02:03:38, on 16/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\Program Files\sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\sony\vaio update 2\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\TOBYCO~1\LOCALS~1\Temp\Rar$EX03.747\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [VMConsole.exe] C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe /windowmin
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://D:\OFFICE11\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134569129271
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeFreeInstall.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LXBTCustomerConnect - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTserv.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

 

[Toby28]

... so could someone maybe go to folders, options, and enable show "system folders"?? If "recycler" appears on your C or D directory then possibly it is meant to??

 

[PC eye]

One thing I could suggest if you were a Linux user would be booting up with a Live for cd distro and clubbering the folders while "nothing" at all was running on the system there. Safe mode may or may not be a help since your registry is probably polluted.

Or you simply have other user accounts setup and are seeing these while logged on as administrator. Microsoft has one page with a pair of links applying to NT seen at http://support.microsoft.com/kb/171694/EN-US/

Trashman is a freeware used for cleaning the files you are gone for good when the recycle bin is emptied but with additional user accounts especially remains in of all things recycler folders. That would explain the extra space taken up. http://www.freewarefiles.com/program_9_95_17167.html

Those folders simply appear to be created for use with different user accounts. One method for removing the "leftovers"? when these folders are created for different user accounts lead to one possible answer discussed at http://mobile.vnunet.com/personal-computer-world/features/2171571/rid-folders-left-behind-recycle

FindExpAcc as it is named is a freeware for finding expired user accounts and removing the folders for them. Somehow the folders there usually hidden from view are now visible. http://www.joeware.net/win/free/tools/findexpacc.htm These are the most likely while still not ruling out some type of malware. It's nice having a combined search tool that combines different engines like Yahoo, Look, Ask, and Google since the last two links were found on the Google engine. http://infospace.abcnews.com/_1_ZKCTJW04MY46NU__info.abcnws.toolbar/search/web/Recycler%2Bfolders

 

[Toby28]

no, i don't have any other user accounts - thanks though.

 

[Toby28]

As a postscript, I have noticed the following:

When I send a file to the recycle bin and then do a search for that file, it shows up in the recycler folder on all three drives.

Is that normal? Perhaps someone could enable the "show system files" option, do what i have done, and let me know if it is the same for them?

Would be much appreciated!!

 

[PC eye]

The continued search just keeps coming up with additional user accounts as the explaination for the folder even being seen. It's by no means normal without ever having created additional accounts. Your default user name is then the same account set for administrator. The hide protected system files option is always unchecked here. And this is one problem that has never been seen on this end.

The advice before assuming a virus or malware is to try the freeware for removing the extra folders. But the idea of a new type of trojan to create hidden accounts is another though at the same time. A look at the log shows that you may have had one or more trojans on the system at some point. One finding shows an odditty with:
"O4 - HKLM\..\Run: [VMConsole.exe] C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe /windowmin" The name of the program matching the name of the file does seem suspicious. The following are possibles which still wouldn't explain the oddity with the recycler folders to any degree.
"C:\Program Files\sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" should be seen in "C:\programme\fichiers communs\sony shared\vaio media platform\"

"C:\Program Files\sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe" This should also be seen in the same folder.

"C:\Program Files\Apoint\Apntex.exe" should be seen in "C:\programme\apoint2k\" by default.

"C:\Program Files\Sony\HotKey Utility\HKserv.exe" should be seen in "c:\program files\sony\hotkey utility\"

The one confirmed "bug" is "O8 - Extra context menu item: &Recherche AOL Toolbar - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML" This involves the &Recherche AOL Toolbar. Most of the addon tool bars are fodder for adwares/spywares anyways.

EDIT:

Do you have Windows installed on the other drives or simply on the primary? Upon a quick browse of the drives with the primary running XP Home and second running XP Pro the recycler folders are seen on both drives. There are two recycle bin items in each one of those. How? By multiple installations of Windows you create multiple administrator accounts. The system volume information shouild be hidden from view usually with files like the boot.ini being faded in color. Those are protected information stored by Windows by default. That would hard drive and partition information there. This is why no prior mention was made. The registry values do show something may be on the drive if those locations are not seen with the default Vaio installation.

Upon trying the download known as FindExpAcc no results were seen here in removing the recycler folders. The dual OSing with the two 32bit versions of XP on the two hard drives here saw those created. The attributes on those are set to "read only" by Windows itself. Expect to see "access denied" if you try manually removing them.

 

[Toby28]

I have decided not to pursue the issue - I think one of the spyware programs has rectified the issue even if the folders still appear.

 

[PC eye]

I had forgotten the recycler folders were seen here after putting XP Pro back on the second hard drive after having run Linux there for a period. Those appeared out of nowhere. The primary is OSed with the Home version. The installation on either of the other drives would also see the folders popup so that's nothing to worry about.

The registy values found refer to something on or that was on at one time. Besides running a remover or two a free registry cleaner would the now useless entries. RegCleaner is found at http://www.majorgeeks.com/RegCleaner_d460.html

Another one often recommended is the CCleaner found at http://www.ccleaner.com/ Just be carefull that it doesn't remove something besides useless clutter on the drive itself if you decide to use it. That's one drawback that was seen with that one.