shelldrv.exe

27-03-2007, 02:44 AM   #1
Papageno
Guest
shelldrv.exe


Has anyone seen this "shelldrv.exe" in C:\Windows\system32 ?

It does not show up as a virus (AVG).

But it's running without showing up in the Task Manager, which is
suspicious.

System was a little slow, and I'd get a popup at login which lasted barely
long enough to read the file name along with some other text.

I could not delete it from Windows, so I went in with Safe Mode to get rid
of it. (I saved a copy.)

When running, it creates a file called "shelldrv" in C:\Windows\system32,
which seems to keep a log of recently run programs. If you delete that file,
it builds a new one.

A search on microsoft.com turned up nothing about "shelldrv.exe". Nor did
Google.

Does anyone have the answer?


27-03-2007, 02:55 AM   #2
David H. Lipman
Guest
Re: shelldrv.exe

From: "Papageno" <papa@geno.com>

| Has anyone seen this "shelldrv.exe" in C:\Windows\system32 ?
|
| It does not show up as a virus (AVG).
|
| But it's running without showing up in the Task Manager, which is
| suspicious.
|
| System was a little slow, and I'd get a popup at login which lasted barely
| long enough to read the file name along with some other text.
|
| I could not delete it from Windows, so I went in with Safe Mode to get rid
| of it. (I saved a copy.)
|
| When running, it creates a file called "shelldrv" in C:\Windows\system32,
| which seems to keep a log of recently run programs. If you delete that file,
| it builds a new one.
|
| A search on microsoft.com turned up nothing about "shelldrv.exe". Nor did
| Google.
|
| Does anyone have the answer?
|


Please submit a sample of "shelldrv.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


27-03-2007, 04:08 AM   #3
Papageno
Guest
Re: shelldrv.exe

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:CQ_Nh.4207$xE.1496@trnddc08...
> From: "Papageno" <papa@geno.com>
> | Has anyone seen this "shelldrv.exe" in C:\Windows\system32 ?
> | It does not show up as a virus (AVG).
> | But it's running without showing up in the Task Manager, which is
> | suspicious.
> | System was a little slow, and I'd get a popup at login which lasted barely
> | long enough to read the file name along with some other text.
> | I could not delete it from Windows, so I went in with Safe Mode to get rid
> | of it. (I saved a copy.)
> | When running, it creates a file called "shelldrv" in C:\Windows\system32,
> | which seems to keep a log of recently run programs. If you delete that file,
> | it builds a new one.
> | A search on microsoft.com turned up nothing about "shelldrv.exe". Nor did
> | Google.

> Please submit a sample of "shelldrv.exe" to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors' scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.


Thanks for the info.
Okay, did that.

It's a bad boy ... but I still don't know what kind of mischief it does.
Anyway, I now **do** know that I have to purge it. And also the registry key
that it created:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{15A74989-5015-B6D4-0008-080602010204}

Here are the results.

AntiVir            7.3.1.44         3/26/2007   ADSPY/DollarRvenue.J
ClamAV             devel-20070312   3/27/2007   Trojan.Pakes-248
Fortinet           2.85.0.0         3/26/2007   suspicious
Ikarus             T3.1.1.3         3/26/2007   Backdoor.VB.EV
Sunbelt            2.2.907.0        3/24/2007   VIPRE.Suspicious
Webwasher-Gateway  6.0.1            3/26/2007   Ad-Spyware.DollarRvenue.J
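
An added example, not part of the original posts: Active Setup runs the StubPath command of each Installed Components subkey at user logon (once per user), so an export of that key shows what an entry like the one above would launch. The sketch parses such a .reg export and lists subkeys whose StubPath names a suspect file; the sample export and its StubPath values are constructed assumptions, since the thread does not show what the key contained.

```python
import re

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ, or hex(2) REG_EXPAND_SZ (UTF-16LE)."""
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # undo \\ and \" escapes
    return raw

def stub_paths(reg_text):
    """Return {component subkey: StubPath command} from a .reg export."""
    # Long hex values are wrapped as ",\" + newline + indent; rejoin them first.
    text = re.sub(r',\\\r?\n\s*', ',', reg_text)
    found, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].rsplit('\\', 1)[-1]
        elif key and line.startswith('"StubPath"='):
            found[key] = decode_value(line.split('=', 1)[1])
    return found

def flag(reg_text, suspect_names):
    """Subkeys whose StubPath mentions a suspect file name (case-insensitive)."""
    return {k: cmd for k, cmd in stub_paths(reg_text).items()
            if any(n.lower() in cmd.lower() for n in suspect_names)}

# --- Constructed sample; the StubPath values are assumptions, not from the thread ---
def _hex2(s):
    """Encode s as a wrapped hex(2) value, the way regedit exports REG_EXPAND_SZ."""
    h = 'hex(2):' + ','.join(f'{b:02x}' for b in (s + '\0').encode('utf-16-le'))
    return h[:37] + '\\\n  ' + h[37:]

BASE = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components'
SAMPLE = '\n'.join([
    'Windows Registry Editor Version 5.00', '',
    '[' + BASE + r'\{00000000-0000-0000-0000-000000000001}]',
    r'"StubPath"="\"C:\\Program Files\\Example\\setup.exe\" /user"', '',
    '[' + BASE + r'\{15A74989-5015-B6D4-0008-080602010204}]',
    '"StubPath"=' + _hex2(r'%SystemRoot%\system32\shelldrv.exe'), '',
    '[' + BASE + r'\{00000000-0000-0000-0000-000000000002}]',
    '"Version"="1,0,0,0"',
])

if __name__ == '__main__':
    # A real export is UTF-16: open('components.reg', encoding='utf-16').read()
    for key, cmd in flag(SAMPLE, ['shelldrv.exe']).items():
        print(key, '->', cmd)
```

Any flagged subkey should be removed together with the file it points to; deleting only the executable leaves the logon trigger in place.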

