CCE Detects the Recycle Bin as a rootkit.

Chiron494 · July 10, 2013, 2:31am

This is an issue I am seeing with the version of CCE which is bundled with CIS.

I’m not sure what causes this, but I have no reason to believe my computer is infected. Thus, this is either a problem with the engine in CCE or perhaps something which can be fixed with a signature update. I have attached a screenshot of the only two things detected by CCE. I disabled UAC myself.

Please let me know which files to upload, and how to get a hold of them. Also, if this is actually a bug please let me know and I will create a bug report for this.

Thank you.

[attachment deleted by admin]

Chunli · July 10, 2013, 3:50am

Hi,Chiron

Thank you for your submission.
We’ll check it.

Best regards
Chunli.chen

Chiron494 · July 10, 2013, 4:02am

Thank you.

Please let me know if there is any more information which you need for me to submit.

Also, I forgot to mention that this was run on Windows 7 x64 and it only appears when a full scan is run with CCE.

e_xistense · July 10, 2013, 11:31am

Hi Chiron,

Can you please navigate to respective folder and check its properties and content? Can you zip the folder {046C…-…-…116AB} and submit it to us?

Regards,
Ionel

Chiron494 · July 10, 2013, 1:17pm

I have attached a screenshot of what is inside of C:$Recycle.Bin.

I don’t know where that file is that CCE was identifying as a rootkit.

I’ve also attached a screenshot showing that I believe I have told Windows not to hide any folders or files. Thus, what can I do to find that file?

Thank you.

[attachment deleted by admin]

Chiron494 · July 10, 2013, 6:13pm

Wait, I think I managed to get it. Please see the attached zip file. There is no password.

Is this what you were looking for?

Also, I will note that Kaspersky TDSSKiller and GMER find nothing of interest, although GMER also sees this hidden file, but does not flag it as suspicious.

[attachment deleted by admin]

Citizen_K · July 10, 2013, 11:28pm

On a side note. Are you using a multi boot system?

Chiron494 · July 10, 2013, 11:31pm

No. This is a real system running Windows 7 x64. There are no other operating systems installed, and the only other partition is the default recovery partition which came with the laptop.

In addition, I should have mentioned that I have seen this strange detection at least since V6 was released. I can’t remember if I saw it before as well. I just didn’t get around to reporting it until now.

jay2007tech · July 11, 2013, 5:05am

you can always go back to c:\ and at the recycle bin folder. Just take ownership of it then it’ll show whats in the folder instead of a empty folder

Just an idea for future reference. If you like, I have the take ownership.reg file in this post

after installing it, just right click on the folder(recycle bin, unless you already cleaned it out) and click “take ownership” when it’s done, then open it

I apologize in advance if you already know this trick. Also certain folders like "appdat"a is a very bad idea to take ownership of. Trust me I know

[attachment deleted by admin]

Chiron494 · July 11, 2013, 5:50am

Thank you for the hint. I attached a zip file containing what I believe they need. However, if more is needed I will look into this in greater detail. I thought I had taken ownership of it, but perhaps I did not.

Chiron494 · July 13, 2013, 5:38am

Okay, apparently this was likely caused by a corruption of the Recycle Bin. I was not easily able to fix it and thus reinstalled Windows. I am no longer experiencing the detection.

Thus, you can consider this solved.

Thanks.