Weird Problem with Recycle Bin - Help

Discussion in 'Windows Desktop Systems' started by colinm1, Dec 28, 2004.

  1. colinm1

    colinm1 OSNN Junior Addict

    Messages:
    15
    Location:
    NE UK
    A weird problem has just started with my Recycle Bin

    If I delete files from C: HDD to recycle bin they do not show up in bin, also shows 0 bytes in bin. However if I right click and ask to empty bin, usual message asks "Do you want to delete these 7 files".

    If I delete files from my second HDD D: they show up no problem, with appropriate no of bytes.

    I have not installed any software and made no alteration to any of my window settings.

    Have checked everything but this has got me beat, only started yesterday out of the blue, would appreciate any help on resolving this as very confusing not knowing if recycle bin contains any files awaiting deletion.

    Thanks for your help.
     
  2. mac1

    mac1 OSNN Addict

    Messages:
    97
    Location:
    Planet Earth, Scottish Highlands
    you could try this, it's actually for if the recycle bin is missing from the desktop, but you never know it might work.

    copy the text below "between the lines" into notepad and save as a .reg file to somewhere like the desktop, then click it to run which will enter the details into the registry, reboot.

    ........................................................................

    Windows Registry Editor Version 5.00

    [-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]

    [HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
    @="Shell32.dll,31"
    "Full"="Shell32.dll,32"
    "Empty"="Shell32.dll,31"
    ............................................................................

    mac1
     
  3. yoyo

    yoyo _________________

    Messages:
    1,557
    Do you by chance also get random IE popups since the problem started?

    This recycle bin problem may be a side effect of a VX2 infection.

    Copy and paste this command into Start - Run:

    cmd /c more C:\Recycler\desktop.ini >> "%userprofile%\desktop\look.txt"

    That should create a file look.txt on your desktop. Post the content here.
     
  4. ksgareau

    ksgareau OSNN One Post Wonder

    Messages:
    8
    Recycle-less bin...

    Hi, I have the same problem on my WIN2K box. Here are my results...

    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    <IDone>{1E555F55-542A-4B7F-BC87-B105FCCF8B6D}</IDone>
    <IDtwo>VT00</IDtwo>
    <VERSION>200</VERSION>


    What does it mean?



     
  5. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    yep, you have the latest and greatest VX2 infection, it is a pain to remove.

    Download the following file:

    http://castlecops.com/zx/Zupe/Find It NT-2K-XP.zip

    Extract it to your desktop, then run the find.bat inside. It will take a while. Post the output.txt here.
     
  6. ksgareau

    ksgareau OSNN One Post Wonder

    Messages:
    8
    Please forgive me for asking this... how do I know I can safely run this? I suppose it's a matter of trust... please give me a warm and fuzzy about this.
     
  7. VenomXt

    VenomXt Blame me for the RAZR's Folding Team

    Messages:
    3,453
    Location:
    Houston, Texas
    I vouch for him. Everyone here wants to help. We don't get pleasure out of messing up your comp more.. you would just have to post more about it.
     
  8. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Read the batch file, nothing malicious. All it does is search for known string values for this spyware in system files.
     
  9. ksgareau

    ksgareau OSNN One Post Wonder

    Messages:
    8
    Got it.. thanks, I'll post the results. Sorry, I'm just a little head-shy...
     
  10. ksgareau

    ksgareau OSNN One Post Wonder

    Messages:
    8
    Hey Rocky, watch me pull a rabbit out of my hat....

    Here's the output...
    :rolleyes:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.
    Find.bat is running from: C:\Documents and Settings\kgareau\Desktop\Find It NT-2K-XP

    ------- System Files in System32 Directory -------

    Volume in drive C is Local Disk
    Volume Serial Number is BCB1-2535

    Directory of C:\WINNT\System32

    12/06/2004 11:32a <DIR> dllcache
    0 File(s) 0 bytes
    1 Dir(s) 12,581,941,248 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C is Local Disk
    Volume Serial Number is BCB1-2535

    Directory of C:\WINNT\System32

    12/06/2004 11:32a <DIR> dllcache
    07/13/2001 01:19p <DIR> GroupPolicy
    07/13/2001 12:36p 21,692 folder.htt
    07/13/2001 12:36p 271 desktop.ini
    2 File(s) 21,963 bytes
    2 Dir(s) 12,581,941,248 bytes free

    ------------ Files Named "Guard" ---------------

    Volume in drive C is Local Disk
    Volume Serial Number is BCB1-2535

    Directory of C:\WINNT\System32


    ------ Temp Files in System32 Directory ------

    Volume in drive C is Local Disk
    Volume Serial Number is BCB1-2535

    Directory of C:\WINNT\System32

    05/21/2003 09:18a 44,032 msxml3r.tmp
    05/21/2003 09:18a 24,576 msxml3a.tmp
    12/19/2002 12:06p 1,129,472 msxml3.tmp
    12/07/1999 04:00a 2,577 CONFIG.TMP
    4 File(s) 1,200,657 bytes
    0 Dir(s) 12,581,941,248 bytes free

    ------------------ User Agent ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "YComp 5.0.0.0"="Yahoo! Companion"


    ------------- Keys Under Notify -------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\dtnetlib.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000


    ------------- Locate.com Results -------------

    No matches found.

    -------- Strings.exe Qoologic Results --------


    --------- Strings.exe Aspack Results ---------


    -------------- HKLM Run Key ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe /logon"
    "OfficeScanNT Monitor"="\"C:\\Program Files\\OfficeScan NT\\pccntmon.exe\" -HideWindow"
    "CClient"="C:\\PROGRA~1\\TALLYS~1\\TSCensus\\bin\\cclient.exe"
    "Logitech Utility"="Logi_MwX.Exe"
    "SoDA Startup"="C:\\Program Files\\Rational\\SoDAWord\\Wizards\\SodaStartup.exe StartUp"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


    
     
  11. ksgareau

    ksgareau OSNN One Post Wonder

    Messages:
    8
    ...um.... hello?

    Was it something I said?:suprised:
     
  12. jw50

    jw50 OSNN Senior Addict

    Messages:
    354
    ksgareau,

    I recommend that you go to the Malware Removal forum at SpyWareInfo, read the FAQ, and then post a HijackThis log there. There is a new tool available for fixing the infection that you most likely have gotten.

    http://forums.spywareinfo.com/index.php?showforum=18
     
  13. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    I just missed your reply I guess.

    Your output.txt log does not show any infection though. We can try the new removal tool though, download:

    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
     
  14. ksgareau

    ksgareau OSNN One Post Wonder

    Messages:
    8
    Ok, done.
    Here's the log...

    Just to let you know... my only symptom is that my recycle bin doesn't work (and I can't make it work). There doesn't appear to be any other problem. I'm sure it was caused by some "malware" because this condition began after I went to a "lyrics" site that immediately began downloading files that our corporate anti-virus caught... I quickly bailed out of the site before it could finish and immediately began cleaning things up. The corporate AV got really testy about some of the stuff that was being forced at me... Long and short of it is that I was left with a recycle bin that doesn't work but whose icon shows full (permanently)...

    Hope that helps...

    L2MFIX find log 1.01
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\dtnetlib.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "YComp 5.0.0.0"="Yahoo! Companion"

    **********************************************************************************
    Files Found are not all bad files:

    No matches found.
    Locate .tmp files:

    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C is Local Disk
    Volume Serial Number is BCB1-2535

    Directory of C:\WINNT\System32

    12/06/2004 11:32a <DIR> dllcache
    0 File(s) 0 bytes
    1 Dir(s) 12,561,424,384 bytes free
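
The Find It log (REGEDIT4) and the L2MFIX log (Version 5.00) above carry the same Winlogon Notify `DllName` values in two encodings: single-byte in the first, UTF-16LE with `\` line continuations in the second. As an added example (not part of the thread or of either tool), this Python code decodes both forms so the DLL registered under each Notify subkey can be read directly; the sample text is excerpted from the two logs, and cp1252 for the REGEDIT4 bytes is an assumption.

```python
import re

KEY = re.compile(r"^\[(.+)\]$")
DLLNAME = re.compile(r'^"dllname"=(.*)$', re.IGNORECASE)  # logs use DllName and DLLName

# Excerpts from the two logs in the thread, one per export format.
REGEDIT4_SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"DllName"="C:\\WINNT\\system32\\dtnetlib.dll"
"""
V5_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"""

def decode_hex2(byte_list, unicode_export):
    """Decode the comma-separated bytes of a hex(2) (REG_EXPAND_SZ) value."""
    raw = bytes(int(b, 16) for b in byte_list.split(",") if b.strip())
    # Version 5.00 exports hold UTF-16LE; REGEDIT4 holds ANSI (cp1252 assumed).
    text = raw.decode("utf-16-le" if unicode_export else "cp1252")
    return text.rstrip("\x00")  # drop the terminating NUL

def notify_dlls(export):
    """Map each Winlogon Notify subkey in a .reg export to its DllName."""
    unicode_export = export.lstrip().startswith("Windows Registry Editor Version 5")
    folded = re.sub(r"\\\s*\n\s*", "", export)  # join hex continuation lines
    found, subkey = {}, None
    for line in map(str.strip, folded.splitlines()):
        key = KEY.match(line)
        if key:
            parts = key.group(1).split("\\")
            is_child = len(parts) > 1 and parts[-2].lower() == "notify"
            subkey = parts[-1] if is_child else None
            continue
        value = DLLNAME.match(line)
        if value and subkey:
            v = value.group(1)
            found[subkey] = (decode_hex2(v[7:], unicode_export)
                             if v.lower().startswith("hex(2):")
                             else v.strip('"').replace("\\\\", "\\"))
    return found

if __name__ == "__main__":
    for sample in (REGEDIT4_SAMPLE, V5_SAMPLE):
        print(notify_dlls(sample))
```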
     
  15. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    ok, that looks fine, can you tell me whether your OS drive is formatted as either NTFS or FAT32?
     
  16. jw50

    jw50 OSNN Senior Addict

    Messages:
    354
    j79zlr,

    The l2mfix is supposed to fix the recycle bin on both NTFS and FAT32 so it might fix the recycle bin even if the malware has already been removed.
     
  17. ksgareau

    ksgareau OSNN One Post Wonder

    Messages:
    8
    One drive, NTFS.
     
  18. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Ok, try this: open up the command prompt, go to Start > Run > "cmd"

    enter the following commands:

    attrib -r -s -h %systemdrive%\Recycler\desktop.ini
    del %systemdrive%\Recycler\desktop.ini


    Reboot, and hopefully your recycle bin should be working now.
     
    wingman411 likes this.
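
An added example (not from the thread or from any tool mentioned in it): a Python check that reports every line of a Recycle Bin desktop.ini falling outside a two-line baseline, such as the extra tags posted earlier in the thread. Treating the `[.ShellClassInfo]` header plus the Recycle Bin `CLSID` entry as the only expected content is an assumption of this example.

```python
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"  # CLSID shown in the thread

# The desktop.ini content posted in the thread, reproduced as sample input.
POSTED_SAMPLE = """[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{1E555F55-542A-4B7F-BC87-B105FCCF8B6D}</IDone>
<IDtwo>VT00</IDtwo>
<VERSION>200</VERSION>
"""

def unexpected_lines(ini_text):
    """Return (line_no, reason, text) for each line outside the assumed baseline."""
    findings, section = [], None
    for no, raw in enumerate(ini_text.lstrip("\ufeff").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and INI comments carry no data
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section != ".shellclassinfo":
                findings.append((no, "unexpected section", line))
            continue
        key, sep, value = line.partition("=")
        if not sep or line.startswith("<"):
            findings.append((no, "not a key=value entry", line))
        elif section != ".shellclassinfo" or key.strip().lower() != "clsid":
            findings.append((no, "unexpected key", line))
        elif value.strip().upper() != RECYCLE_BIN_CLSID:
            findings.append((no, "CLSID is not the Recycle Bin", line))
    return findings

if __name__ == "__main__":
    for no, reason, text in unexpected_lines(POSTED_SAMPLE):
        print(f"line {no}: {reason}: {text}")
```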
  19. ksgareau

    ksgareau OSNN One Post Wonder

    Messages:
    8
    Well bust my BCNF ‘n call me normalized! This is gooder'n grits. We got us a winner!

    Thank you.

    KSG :-D
     
  20. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Glad to help ;)
     
    ejn74 likes this.