Problems with shell.dll and shell32.dll


jnbro
March 5th, 2004, 02:38 AM
I am having a strange problem within the last few months that probably is the result of a virus, or someone hacking into my network workstation. I am running Windows 2k and have been trying to clean up a strange trojan-type infection that automatically tries to download full-length, French-subtitled movies into various contrived directories in my \WINNT system directory. A number of different problems popped up at the same time. I get a script error message whenever I try to open that directory (WINNT) which says there is a problem in the folder.htt file. Also, every few minutes an error message pops up saying "Cannot find SHELL.DLL". Also, whenever I open or save files in a program (other than Windows Explorer) my folder icons don't show up. According to my folder options tool, this icon is found in SHELL32.DLL.
So I tried to copy these files (shell.dll and shell32.dll) to my system directory from another machine.
Whether by email, or disk, or moving from a network directory, I can't copy these files onto my computer. I get an error saying they are invalid files or URLs. I can copy them onto other machines just fine. If I rename them something else I can get them on my machine but then it won't let me name them back to their original names. When I try to name them back to SHELL or SHELL32 in the system directory I get a message saying the file already exists, even though a search of the entire system doesn't find them on my machine. Any ideas on what to try? Please don't say reload Windows!

Murf
March 5th, 2004, 03:07 AM
Welcome to CTH

1. Download SpyBot (http://www.cybertechhelp.com/html/downloads/download.php/id/36), run it, and let it fix what it finds.

After running SpyBot, reboot. If that doesn't fix it, then download HiJackThis (http://www.spychecker.com/program/hijackthis.html). If you need help with what to let it fix, cut and paste the log here.

jnbro
March 5th, 2004, 09:44 PM
I ran those two. Spybot found and cleaned a few things that Pest Patrol and AdAware didn't find. But the problem is still there. I'll paste the results of the log file from Hijack This. It is sort of lengthy. Thanks, JB
Logfile of HijackThis v1.97.5
Scan saved at 1:37:30 PM, on 3/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\ofps.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Caere\OMNIPA~1.0\opware32.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\ImageMate CompactFlash USB\SandIcon.Exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ifagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Palm\HOTSYNC.EXE
C:\WINNT\system32\ntvdm.exe
C:\TEMP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ttusdprojects.org/index.htm
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Program Files\Netscape\Users\jbritto\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [OmniPage] C:\PROGRA~1\Caere\OMNIPA~1.0\opware32.exe
O4 - HKLM\..\Run: [SandIcon] C:\ImageMate CompactFlash USB\SandIcon.Exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\SYSTEM32\RUNDLL32.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ifagent.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open using &Advanced JPEG Compressor - C:\Program Files\Advanced JPEG Compressor\ajcieex.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38042.482974537
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C064967-D300-4E19-9824-1F0A52F39142}: NameServer = 137.164.164.5,137.164.164.6,137.164.164.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{2C064967-D300-4E19-9824-1F0A52F39142}: NameServer = 137.164.164.5,137.164.164.6,137.164.164.50
O17 - HKLM\System\CS2\Services\Tcpip\..\{2C064967-D300-4E19-9824-1F0A52F39142}: NameServer = 137.164.164.5,137.164.164.6,137.164.164.50
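
An added example, not part of the original thread: a small Python triage pass over the O4 (autostart) lines of a HijackThis log in the format posted above. The three review heuristics and all function names are assumptions made for this example; a note means "look at this entry by hand", not that the entry is malicious.

```python
import re

# Excerpt of the HijackThis log posted above (O4 = autostart entries).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ttusdprojects.org/index.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\SYSTEM32\RUNDLL32.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: ifagent.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
"""
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[(.+?)\] (.*)$")
STARTUP = re.compile(r"^((?:Global )?Startup): (.+?)(?: = (.*))?$")
EXE = re.compile(r'^"?(.+?\.exe)"?\s*(.*)$', re.I)

def parse_autostarts(log_text):
    """Return one dict per O4 line: source, name, command."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group(1) != "O4":
            continue
        hit = RUN.match(m.group(2)) or STARTUP.match(m.group(2))
        if hit:
            source, name, command = hit.groups()
            # Startup-folder items without a shortcut target are the file itself.
            entries.append({"source": source, "name": name, "command": command or name})
    return entries

def review_notes(entry):
    """Heuristics assumed for this example; each note is a prompt for manual review."""
    notes = []
    m = EXE.match(entry["command"])
    exe, args = (m.group(1), m.group(2)) if m else (entry["command"], "")
    if exe.lower().endswith("rundll32.exe") and not args:
        notes.append("rundll32 started with no DLL argument")
    if entry["source"].endswith("Startup") and entry["name"].lower().endswith(".exe"):
        notes.append("executable placed directly in Startup folder")
    if entry["source"].startswith("HK") and not re.match(r"[A-Za-z]:\\", exe):
        notes.append("no absolute path; resolved through the search path")
    return notes

def triage(log_text):
    """Map autostart entry name -> review notes, omitting entries with none."""
    return {e["name"]: n for e in parse_autostarts(log_text) if (n := review_notes(e))}
```

Calling `triage()` on the full log text gives a short list of autostart entries to check against the files on disk and the vendor software actually installed.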