Unable to remove Malware from the Recycle Bin

  • Article ID: 118835
  • Updated: 27 May 2014

Issue

Malware has been detected in the Recycle Bin and the Sophos Endpoint is unable to remove or clean up the detection.
When attempting to clean up the malware you may see one of the following messages: 'Clean up failed' or 'No actions, reboot required'.
A reboot followed by a full system scan still does not clean up the infection.

Cause

The Sophos Endpoint may be unable to clean malware from the Recycle Bin when the recycled file belongs to a user account other than the one currently logged on. Each user's recycled files are kept in a subfolder of the Recycle Bin named after that user's SID (security identifier), and the subfolder is only accessible to that user, SYSTEM and Administrators.

What To Do

The following instructions will allow you to identify the user account whose Recycle Bin holds the malware.

  1. Confirm the location of the detection. It can be found in the Quarantine of the Endpoint or by opening the Sophos Anti-Virus log:

    Windows 2000/2003/XP: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Logs\SAV.txt
    Windows Vista and above: C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt

    Here is an example detection:

    20121207 004312 Virus/spyware 'Mal/Sirefef-AA' has been detected in "C:\RECYCLER\S-1-5-21-1726743747-1974153486-9522986-20761\$b4b3dd3457bfa52d1a820a60f56e9aa9\n\FILE:0000"

  2. Open a command prompt - Start>Run, type cmd
  3. Type the following command: wmic useraccount get name,sid

    One of the accounts listed should have a SID matching the value in the path recorded in SAV.txt, e.g. S-1-5-21-1726743747-1974153486-9522986-20761. On a domain-joined computer this command also enumerates domain accounts and can take a long time; to list local accounts only, use: wmic useraccount where "LocalAccount=True" get name,sid (bear in mind that the SID may then belong to a domain user who is not listed).

  4. Log on as this user and attempt the clean up again
  5. If no account matches the SID, you can attempt to unhide the file and remove it manually:

    For Windows 2000/2003/XP: 

      • Open Explorer and select Tools>Folder options
      • Select the view tab
      • Locate 'Hide protected operating system files' and uncheck
      • Click apply and close
      • The user can now attempt to navigate to c:\recycler, open the subfolder named after the SID from the log, and remove the infected file

    For Windows Vista and above:

      • Open Explorer and select Organise>Folder and search options
      • Select the view tab
      • Locate 'Hide protected operating system files' and uncheck
      • Click apply and close
      • The user can now attempt to navigate to c:\$recycle.bin, open the subfolder named after the SID from the log, and remove the infected file

  6. If no account matches the SID, you can instead empty every user's Recycle Bin on the local machine:

    Open a command prompt - Start>Run, type cmd (on Windows Vista and above, run it as an administrator)
    For Windows 2000/2003/XP type: rd /s c:\recycler
    For Windows Vista and above type: rd /s c:\$Recycle.Bin

    The command asks for confirmation before deleting. Note that this removes the recycled files of every user on that volume, not only the infected one, and that each drive has its own Recycle Bin folder, so use the drive letter shown in the detection path if it is not C:. Windows recreates the folder automatically the next time a file is deleted.
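The following PowerShell script is added here as a worked example and is not part of the original Sophos article. It automates steps 1 to 3 above: it reads SAV.txt, extracts the SID from any Recycle Bin detection path, resolves the SID to an account name (the same mapping wmic useraccount shows) and reports the per-user Recycle Bin folder, so that only that folder needs to be dealt with rather than emptying every user's bin. The parameter names, the -RemoveOrphaned switch and the built-in sample log line are assumptions constructed for the example; the log path and the path format are the ones quoted in the article.

```powershell
<#
Added example (not from the Sophos article): automate steps 1 to 3.
Reads SAV.txt, pulls the SID out of each Recycle Bin detection path,
resolves it to an account and reports the per-user bin folder.
Run from an elevated PowerShell prompt; other users' bin folders are
not readable otherwise. Use -WhatIf before trying -RemoveOrphaned.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Default is the Vista-and-later log path quoted in the article.
    [string]$LogPath = (Join-Path $env:ProgramData 'Sophos\Sophos Anti-Virus\logs\SAV.txt'),
    # Hypothetical switch: delete the SID folder only when no account maps to the SID.
    [switch]$RemoveOrphaned
)

# Captures drive, bin root (RECYCLER on XP, $Recycle.Bin on Vista+) and the user SID.
$pattern = 'detected in "(?<path>(?<drive>[A-Za-z]:)\\(?<bin>RECYCLER|\$Recycle\.Bin)\\(?<sid>S-1-5-21(?:-\d+)+)\\[^"]*)"'

if (Test-Path -LiteralPath $LogPath) {
    $lines = Get-Content -LiteralPath $LogPath
} else {
    # Constructed sample, modelled on the detection line quoted in the article,
    # so the script can be tried on a machine without Sophos installed.
    Write-Warning "Log not found at $LogPath; using a constructed sample line."
    $lines = @(
        '20121207 004312 Virus/spyware ''Mal/Sirefef-AA'' has been detected in "C:\RECYCLER\S-1-5-21-1726743747-1974153486-9522986-20761\$b4b3dd3457bfa52d1a820a60f56e9aa9\n\FILE:0000"'
    )
}

foreach ($line in $lines) {
    $m = [regex]::Match($line, $pattern, 'IgnoreCase')
    if (-not $m.Success) { continue }

    $sid   = $m.Groups['sid'].Value
    $drive = $m.Groups['drive'].Value

    # Article step 3 without wmic: ask Windows to map the SID to an account.
    # For a domain SID this needs the domain controller reachable; an
    # unresolved SID while offline is not proof that the account was deleted.
    $account = $null
    try {
        $sidObj  = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $sid
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # IdentityNotMappedException: no local or domain account maps to this SID.
    }
    $accountLabel = if ($account) { $account } else { '<unresolved>' }

    # Each volume has its own bin, so use the drive and root from the detection
    # path rather than assuming C:; the user's files sit in the SID subfolder.
    $binRoot = Join-Path $drive $m.Groups['bin'].Value
    $userBin = Join-Path $binRoot $sid
    $exists  = Test-Path -LiteralPath $userBin

    [pscustomobject]@{
        DetectedPath  = $m.Groups['path'].Value
        SID           = $sid
        Account       = $accountLabel
        UserBin       = $userBin
        UserBinExists = $exists
    }

    if ($RemoveOrphaned -and -not $account -and $exists) {
        # Narrower than 'rd /s' on the whole bin: removes only this SID's folder.
        if ($PSCmdlet.ShouldProcess($userBin, 'Remove orphaned Recycle Bin folder')) {
            Remove-Item -LiteralPath $userBin -Recurse -Force
        }
    }
}
```

If Account resolves, log on as that user and clean up as in step 4. If it stays unresolved on a domain-joined machine, confirm the account really is gone (for example against Active Directory) before using -RemoveOrphaned, and run the script with -WhatIf first to see which folder would be removed.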

More information on security identifiers (SIDs) can be found in the following Microsoft article:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649%28v=vs.85%29.aspx

If you need more information or guidance, then please contact technical support.
