You will need the following utilities:
- Malwarebytes Anti-Malware (free version)
- Combofix (look for "Next you should download ComboFix from the following URL:")
- Process Explorer
This will allow you to navigate the folders in the recycling bin. Now open your main drive (usually C) and look for the folder recycle(r). Remember, if you go into the recycling bin itself from the desktop, you will not see the folder structure. Within the recycle(r) folder you will see sub-folders with long names similar to: S-1-5-21-1490551801-3880849384-276250268-3182. The files you have deleted will appear in these folders. Browse through the folders to familiarize yourself with the structure.
OK, we're ready to start. Run a Malwarebytes Anti-Malware scan. Choose 'Perform full scan' and let it go. This may take awhile. When Malwarebytes is done, browse through what it found. Most of the time everything will be safe to delete. If Malwarebytes says that you need to reboot, do so. Wait a bit after rebooting to make sure it is finished.
Now run ComboFix. You will need to disable whatever anti-virus software you are running on your system first. This is a strange little program, that may seem like it freezes up at times. Be patient. If it asks to install the recovery console, go ahead and let it. This will help get you back to where you started in case of disaster. When ComboFix is complete (usually after a reboot) it will create a log file. Browse through to see what it deleted.
For Windows XP: (Windows 7 users will not see the correct folder structure this way, and will have to use the command line. I will cover this further down the page.) Empty the recycling bin. Now, browse into the recycle(r) folder as we did above. Look for files that are still showing. Anything left in the folders other than desktop.ini is probably the source of your infection. It may or may not have an EXE, COM, or BAT extension. When you find the file in question, you should NOT be able to delete it. If there are no files here that cannot be deleted, then you may stop at this point and seek outside help, or try looking in the RESTORE structure covered below. Attempt to delete each folder. You will not be able to delete the one(s) containing the offending file(s). You may also find that there are nested folders which can make this more complicated. Delete whatever you can. Open Process Explorer.
Click on the search button (binoculars) and enter the file in question that we found lurking in the recycler. Process Explorer will list the process or processes that this file is attached to. Double click the process in the list and you will see it highlighted in the upper window. Now right click on the process in the upper window and choose "Kill Process" from the pop-up menu. The next part of this needs to be done quickly. You might have to do this more than once so leave Process Explorer open. If you don't perform the next steps fast enough the file may re-launch before you can get rid of it.
Open a command prompt. (Start---> Run---> type CMD, and hit enter). Type the following:
C: <enter>
CD \RECYCLE <enter> (or RECYCLER if that is the name in your case) (We are assuming your system drive is 'C'. If not substitute your drive letter)
Now this:
DIR /AH <enter>
You will get a directory listing showing the folder structure of the recycler as we saw above. You will need to navigate to the folder(s) in question. A trick here is to use the TAB-Autocomplete feature in Windows. Type the first few letters of the folder name, and hit tab. The rest of the name will fill in. You can hit tab more than once to get the next name on the list if necessary. Now type this again:
DIR /AH <enter>
If your file was in the first level you will see it here. If it was another folder level in, you need to repeat this until you see the file in question. At this point, as mentioned above, you might need to kill the process in process explorer again. Now type the following, replacing the string 'OFFENDINGFILE' with the name of the file you are trying to get rid of:
ATTRIB OFFENDINGFILE -R -S -H <enter>
DEL OFFENDINGFILE <enter>
This will unlock and delete the file in question. Repeat this if you are dealing with multiple files. At this point, you can close everything and reboot. If your system is still infected, you will need to back up your important files and re-install windows.
Windows 7: Since we cannot see the folder structure of the recycler from an Explorer window, we will have to use the command line. This needs to be a command line with ADMINISTRATOR PRIVILEGES. I will explain: Click start, and type CMD in the search field. Do not hit Enter yet! Hold the shift key down, and while holding, right click on CMD.EXE which should have appeared from the search. In the pop-up dialogue, choose 'Run as administrator'. This will give you the proper permissions to view and delete the necessary files.
Using the methods above in the XP section, browse the structure and delete whatever you can. The delete command for a folder in Windows is 'RD'. Once you have removed whatever you can, and have identified the missing file, continue as above.
Restore Structure: I have yet to run across one of these that is hiding in the restore system, but if you want to look, go ahead. You will need to turn off system-restore first and reboot, and then navigate the restore folders (usually 'System Volume Information'). You may need to grab full permissions for the folder in order to even look in it. This is a bit more advanced and I recommend getting help if you don't know your way around.
No comments:
Post a Comment