How to delete unwanted context menu on Recycle Bin?

Toggle sidebar Toggle sidebar
R

rush21hit

Honorable
Mar 5, 2012
580
0
11,160
So a friend came to me to fix his laptop which apparently infected by some kind of malware using Chinese language. Due to language barrier, I opted to use Malwarebytes Anti-Malware and Ad-Cleaner to remove it. Then I found out that the .dll file still affects explorer.exe. So, I enter safe mode trying to manually delete its entire folder and as expected 3 files popped out refused to be deleted. So while still in safe mode, I rename the file extension from .dll to .jpg and try to delete the folder again with success.

Apparently, some part of the malware still remains stuck in my Recycle Bin context menu like so:
9ZPu3Jv.jpg


I've tried to track the location within registry and shellview, but I'm honestly have no idea what I actually look for.

Can anyone help me on how to remove this?
 
Solution
L
From googling and looking at it, I believe you should be looking at
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}

My keys there look like this:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
"AppID"="{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}"
"InfoTip"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,\
2d,00,32,00,32,00,39,00,31,00,35,00,00,00
"LocalizedString"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\...
Sort by date Sort by votes
L

little_me

Splendid
May 9, 2015
1,670
39
21,740
From googling and looking at it, I believe you should be looking at
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}

My keys there look like this:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
"AppID"="{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}"
"InfoTip"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,\
2d,00,32,00,32,00,39,00,31,00,35,00,00,00
"LocalizedString"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\
6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
2c,00,2d,00,38,00,39,00,36,00,34,00,00,00
"SortOrderIndex"=dword:00000078

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,69,00,6d,00,\
61,00,67,00,65,00,72,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,35,\
00,35,00,00,00
"Empty"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,69,00,\
6d,00,61,00,67,00,65,00,72,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,\
00,35,00,35,00,00,00
"Full"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,69,00,\
6d,00,61,00,67,00,65,00,72,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,\
00,35,00,34,00,00,00

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell]

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\empty]
"CommandStateHandler"="{c9298eef-69dd-4cdd-b153-bdbc38486781}"
"Description"="@shell32.dll,-31332"
"Icon"="shell32.dll,-254"
"MUIVerb"="@shell32.dll,-10564"

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\empty\command]
"DelegateExecute"="{48527bb3-e8de-450b-8910-8c4099cb8624}"

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex]

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\PropertySheetHandlers\{645FF040-5081-101B-9F08-00AA002F954E}]

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder]
"Attributes"=hex:40,01,00,20
"FolderValueFlags"=dword:00000200

[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\tabsets]
"location"=dword:00000100
"selection"=dword:00000100
but.. since I'm using windows 10, I also have pin to start and pin to start menu lines which the keys themselves don't really make abundantly clear.

Edit:
My less than great logic knowledge on the matter suspects that said things are in top-down order, so it should be after the "empty recyclebin" part.
 
Upvote 0 Downvote
Solution
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom