
Detected file in $recycle.bin $RIA4II3.DLL


ajitama


Malwarebytes recently marked a DLL file in $recycle.bin as malicious. I wanted to check on the file manually, but the path does not exist (the SID folder ending in 1001 does not exist prior to quarantining the file), and when I tried to search for the DLL, zero results were shown. What could this be? Any help is appreciated, thanks.

MBAM scan 3.txt


Root Admin

You can search the Registry to verify.

If you open REGEDIT.EXE and open the following key:

HKEY_USERS

You should see the following, as well as any other user profiles on the system:

[screenshot of the HKEY_USERS key and its SID subkeys]


As long as the file is not hidden (the $ may indicate that it is hidden), then you should be able to see and restore the file if wanted.

C:\$RECYCLE.BIN\S-1-5-21-1903830019-1637335260-561168280-1001\$RIA4II3.DLL


Double-click to open the Recycle Bin.

You can also access it via a DOS command prompt:


C:\>cd $RECYCLE.BIN

C:\$RECYCLE.BIN>dir /a
 Volume in drive C is OS
 Volume Serial Number is 1ADC-F7D3

 Directory of C:\$RECYCLE.BIN

10/14/2020  03:50 PM    <DIR>          .
10/14/2020  03:50 PM    <DIR>          ..
10/14/2020  03:50 PM    <DIR>          S-1-5-18
05/17/2021  11:02 PM    <DIR>          S-1-5-21-2346648303-3994273596-63345981-1001


DIR /A says to show hidden files and folders.

Then you can use CD to go into that folder:

CD    S-1-5-21-2346648303-3994273596-63345981-1001

Then you can do a DIR /A again to see what is in there. Be careful manipulating data there from a DOS command prompt, though, as you can corrupt the Recycle Bin.


I will move your topic to the False Positive forum, and they can review and let you know if it's a false positive or not.

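The steps above only show that the $R file is present in the per-SID Recycle Bin folder (that folder is created the first time that account deletes something, which is why it was absent before the quarantine). To learn where $RIA4II3.DLL actually came from, the practitioner's next step is the companion metadata file: Windows stores each recycled file as a $R... data file plus a $I... file with the same suffix (so $RIA4II3.DLL pairs with $IIA4II3.DLL) holding the original path, size and deletion time. The following is an added example, not code from the thread or from Malwarebytes: a parser for the $I format (version 1, Vista through 8.1, with a fixed 520-byte path field; version 2, Windows 10 and later, with a length-prefixed path). The sample records, path and timestamps it parses are constructed inline; the SID and file name in the comments are the ones quoted in the thread.

```python
# Added example (not from the thread): parse the $I metadata file that Windows
# writes beside every recycled $R file, to recover the original path and
# deletion time of a file such as $RIA4II3.DLL. Sample bytes are constructed below.
import struct
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # Vista..8.1: fixed field of 260 UTF-16LE code units


class RecycleRecord(NamedTuple):
    version: int
    original_size: int
    deleted_at: datetime
    original_path: str


def i_name_for_r_name(r_name: str) -> str:
    """$RIA4II3.DLL (data) pairs with $IIA4II3.DLL (metadata) in the same SID folder."""
    if len(r_name) < 3 or r_name[:2].upper() != "$R":
        raise ValueError(f"not a $R file name: {r_name!r}")
    return "$I" + r_name[2:]


def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_file(data: bytes) -> RecycleRecord:
    """Layout: int64 version | int64 original size | FILETIME deleted | path.
    v1 path: 520 bytes UTF-16LE, NUL padded.  v2 (Win10+): uint32 count of
    UTF-16 code units (including the NUL) followed by the path bytes."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte $I header")
    version, size, ft = struct.unpack_from("<qqQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("truncated version-1 $I file")
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated version-2 $I header")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated version-2 $I path")
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return RecycleRecord(version, size, filetime_to_datetime(ft), path)


def build_i_file(version: int, size: int, deleted_at: datetime, path: str) -> bytes:
    """Inverse of parse_i_file; used here only to construct sample records."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<qqQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        if len(encoded) > V1_PATH_BYTES:
            raise ValueError("path too long for a version-1 record")
        return header + encoded.ljust(V1_PATH_BYTES, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(encoded) // 2) + encoded
    raise ValueError(f"unsupported $I version {version}")


# Constructed fixtures: this path and these timestamps are invented for the example.
SAMPLE_PATH = r"C:\Users\example\Downloads\example.dll"
SAMPLE_V2 = build_i_file(2, 1_234_567,
                         datetime(2021, 5, 17, 23, 2, tzinfo=timezone.utc), SAMPLE_PATH)
SAMPLE_V1 = build_i_file(1, 4_096,
                         datetime(2020, 10, 14, 15, 50, tzinfo=timezone.utc), SAMPLE_PATH)


if __name__ == "__main__":
    # On a live system, read the real metadata file next to the $R file, e.g.
    #   C:\$RECYCLE.BIN\S-1-5-21-...-1001\ + i_name_for_r_name("$RIA4II3.DLL")
    for label, blob in (("v2", SAMPLE_V2), ("v1", SAMPLE_V1)):
        rec = parse_i_file(blob)
        print(label, rec.original_path, rec.original_size, rec.deleted_at.isoformat())
```

Read the $I file with the same `dir /a` visibility caveat the post gives: both files sit in the hidden per-SID folder, and the SID itself can be resolved to an account through the HKEY_USERS key shown above. If the original path points somewhere unexpected for a DLL (a browser download folder, a temp directory), that is the detail worth including when the file is submitted for false-positive review.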

Thanks for the responses!

I do see the file now through cmd, and I did seem to run into a false positive with a qt5qml.dll file just yesterday. Just for confirmation, it should be safe to leave the file as is, correct? Thanks in advance.
