[Bobo]

Hi Pieter! I have open my computer after my work day and guess what? Yes... My recycle bin is f***** up again! :mad:

Yesterday I forgot to tell you that I'm receiving E-mails from somebody I don't know. The [bleep] keeps changing is adress, their is no message, no attachment and no subject... Maybe that the reason why I keep getting that f... problem again and again. Do you think so?

This is a new Find It log if you can help me again :
________________________________________
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Anti-virus-malware\Find It NT-2K-XP

------- System Files in System32 Directory -------
Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32

12/01/2005 03:00 <REP> dllcache
06/12/2004 15:00 56 F2AF79BDFA.sys
12/03/2003 12:13 7ÿ168 Thumbs.db
15/10/2002 22:18 <REP> Microsoft
2 fichier(s) 7ÿ224 octets
2 R‚p(s) 9ÿ577ÿ050ÿ112 octets libres

------- Hidden Files in System32 Directory -------

Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32

12/01/2005 03:00 <REP> dllcache
06/12/2004 15:00 56 F2AF79BDFA.sys
04/07/2004 18:57 508 ws045380.ocx
12/03/2003 12:13 7ÿ168 Thumbs.db
25/05/2002 14:24 8ÿ628 Ridger.GID
22/01/2002 18:10 10ÿ833 Cnbjhlp.GID
22/12/2001 14:46 488 WindowsLogon.manifest
22/12/2001 14:46 488 logonui.exe.manifest
22/12/2001 14:45 749 nwc.cpl.manifest
22/12/2001 14:45 749 ncpa.cpl.manifest
22/12/2001 14:45 749 sapi.cpl.manifest
22/12/2001 14:45 749 cdplayer.exe.manifest
22/12/2001 14:45 749 wuaucpl.cpl.manifest
12 fichier(s) 31ÿ914 octets
1 R‚p(s) 9ÿ577ÿ046ÿ016 octets libres

---------- Files Named "Guard" -------------

Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Le volume dans le lecteur C s'appelle Premier
Le num‚ro de s‚rie du volume est 08BB-7D10

R‚pertoire de C:\WINDOWS\System32

14/03/2004 14:00 59 E_S86.tmp
06/02/2002 14:24 59 E_SA7.tmp
28/08/2001 04:00 3ÿ072 CONFIG.TMP
3 fichier(s) 3ÿ190 octets
0 R‚p(s) 9ÿ577ÿ041ÿ920 octets libres

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Hints]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"StartShell"="NavStartShellEvent"
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
f2af79~1.sys Mon 6 Dec 2004 15:00:52 ..SHR 56 0,05 K

1 item found: 1 file, 0 directories.
Total of file sizes: 56 bytes 0,05 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\HDBHO.dll: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\" -osboot"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



___________________________________

Thanks a lot

Regards.

Bobo

[Advertisements]

Whatever it is it ain't VX2

Click Start > Run > type or copy&paste sfc /scannow > OK

Windows will check if any system files are missing or got corrupted.
Let me know.

Regards,

Pieter

[Metallica]

Whatever it is it ain't VX2

Click Start > Run > type or copy&paste sfc /scannow > OK

Windows will check if any system files are missing or got corrupted.
Let me know.

Regards,

Pieter

[Bobo]

Hi Pieter! After the scan it ask me for the XP Professional CD-ROM but my version is the Family Edition...

[admin]

Installing SP2 should take care of it!

[Bobo]

Thanks Super Geek! I though my head was about to explode...

[Bobo]

Hi! After the installation of SP2 my recycle bin still don't work. I trow something in an it goes only God knows where... I'm becoming insane

[Metallica]

Can you download: www.kellys-korner-xp.com/regs_edits/restorerecyclebin.reg

Doubleclick that file and confirm you want to merge it with the registry.

Then use my recyclerem.bat

Let us know,

Pieter

[Bobo]

Hi Pieter! I just add "restorerecyclebin.reg" to the registery and use "recyclerem.bat" Then my computer have reboot... It work, but when turn the power off/on, the problem reappear...

It's crazy... People are fallowing my story like others fallow soaps opera - should I be happy about that?

Do you have an other solution?

Thanks a million times!!!

Regards.

Bobo

[NORA_de_Argentina]

Bobo, have you finally fix the problem? I've been following this forums cause I have the same problem on a friend's PC and I can't fix it either . I'm seriously thinking on formating and re-installing the whole OS, I wouldn't install XP again... Best luck...

Nora
from Argentina

[Metallica]

Bobo,

Can you try something?

Please surf to http://www.billsway.com/vbspage/ and scroll down to
Registry Search Tool
Download, unzip and run RegSrch.vbs
Put {645FF040-5081-101B-9F08-00AA002F954E} in the dialog box.

After a while a prompt will come up. Click OK to write the results to wordpad and post them.

Regards,

Pieter

Edited by Metallica, 14 January 2005 - 07:56 AM.

[Bobo]

Hi Pieter! Happy that your still their for the sequel...

Before continuing, I would like to thanks Nora for her support... Good luck with your own computer and stay tune for our new episode. It's a sad story but, please, don't cry for me Argentina: super Pieter is their!

_________________________________________ This the log:



REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{645FF040-5081-101B-9F08-00AA002F954E}" 14/01/2005 21:35:17

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\PropertySheetHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\PropertySheetHandlers\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_USERS\S-1-5-21-527237240-436374069-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_USERS\S-1-5-21-527237240-436374069-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]

[HKEY_USERS\S-1-5-21-527237240-436374069-1343024091-1004\Software\Microsoft\Windows\ShellNoRoam\DUIBags\ShellFolders\{645FF040-5081-101B-9F08-00AA002F954E}]

_________________________________________________________________


I'm waiting for your verdict Pieter...

Thanks

Bobo

[Bobo]

Intermed

I have found, on an other forum, a guy ho seems to have the same problem. This is his interesting comment:

"One thing I did notice however, is when I delete something from my 2nd hard drive (WHICH HAS NO Operating System installed), it goes to the Recycle Bin."

I have try myself and, yes, he is right!

I don't know if this anecdote could help you but it can't do no harm.

[Metallica]

That is interesting because every drive has it's own Recycler(d) folder.

I wonder if we can copy a working one to the Active drive.

Can you try manually?
If that doesn't work I'll write a little batch-file to do it.

Regards,

Pieter

[Metallica]

Also. Can you send me a copy of:
C:\Windows\System32\F2AF79BDFA.sys

pieterATwilderssecurity.org

If you can't find it and you have hidden files and folder showing I will need a new FindIt log.

Regards,

Pieter

[Metallica]

Thanks for the file.

Try this first:

Open a command prompt (Start > Run > type cmd >OK)

At the prompt type and enter:

rd /s c:\recycled

Repeat the same for

rd /s c:\recycler

if nothing happens on the first.

Then reboot.

Regards,

Pieter