is this a virus?

Trevor Wright

My Win XP Home went mad at the weekend. The CD wouldn't stop spinning,
even though it wasn't in use. The PC worked so slowly you couldn't tell
it was working. Folders got moved and duplicated. PC-cillin says no
virus. Trend's online scanner says no virus. However, PC-cillin won't
update. I press the update button while online and there's no response
at all.

AVG, which will update, says this is a virus:

C:\Program Files\helpcentre\EHC.ZIP:\ehc\hc2\Printers\Troubles.hoo\images\ep1.bmp.shs
Warning: Hidden extension .shs

This looks like a Zip file or folder; I don't know what it is.

Is this a virus? Could it be having these effects? Why won't the
PC-cillin update?

Many thanks.
 
David H. Lipman

Based upon what you posted, ep1.bmp.shs was flagged as having a double-extension, not as an
infector. However, a file named as such surely can be.

Please submit the EHC.ZIP to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.

You can also read and follow the instructions at the URL below, specifically the part about
Adaware.

http://www.claymania.com/removal-trojan-adware.html

--
Dave

 
ed

Not too sure about it being a virus; it looks like a troubleshooting section
for an application. Troubles.hoo was probably generated on a Mac with an
older OS (read "troubleshooting" at that time); when an older PC looks at or saves
it, this is what you would get (generating its own extension). The actual
file is an SHS object, which is described as:

"The Shell Scrap Object is part of the Microsoft embed objects inside
objects philosophy. Basically, what happens is that the shell script is
wrapped around an object and the .SHS extension (which normally can't be
seen even with extensions turned on) is added to the file. An .SHS file is
really potentially quite dangerous because it can have anything executable
in it along with a vast collection of dangerous script code in the wrapper.
At least one worm uses the Shell Script object. Note: This file type can
become infected and should be carefully scanned if someone sends you a file
with this extension."
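The AVG line Trevor posted is a name check, not a signature hit: the last extension of ep1.bmp.shs is one Explorer would hide, so the file would display as ep1.bmp. That check is easy to reproduce on an archive without any AV product. The Python below is an added example, not code from the thread or from AVG, Trend Micro or Microsoft: it walks a zip (recursing into nested zips) and reports every member whose final extension Explorer suppresses, using the same `archive:\member` path style AVG printed. The archive and its dummy contents are constructed here to mirror the path from the post; the hidden-extension list is the one the thread names (.shs, .lnk, .pif, .url) plus .scf, which is my assumption from Windows' own file-type registrations.

```python
"""Flag archive members whose real extension Windows Explorer hides.

Added example, not part of the thread. The archive built by build_sample_zip()
is constructed (dummy bytes) to mirror the path AVG reported:
  EHC.ZIP:\\ehc\\hc2\\Printers\\Troubles.hoo\\images\\ep1.bmp.shs
"""
import io
import posixpath
import zipfile

# Extensions Explorer suppresses via a NeverShowExt registry value.
# .shs, .lnk, .pif and .url are named in the thread; .scf is an assumption.
HIDDEN_EXTENSIONS = {".shs", ".lnk", ".pif", ".url", ".scf"}

# Suffixes a user would take for harmless data files.
BENIGN_LOOKING = {".bmp", ".jpg", ".gif", ".txt", ".doc", ".xls", ".htm", ".html", ".pdf"}


def classify_name(name: str):
    """Return (display_name, real_extension, reason) for one member name.

    display_name is what Explorer would show: the name with a hidden
    suffix stripped. reason is None when the name is not suspicious.
    """
    base = posixpath.basename(name.replace("\\", "/"))
    stem, ext = posixpath.splitext(base)
    ext = ext.lower()
    if ext not in HIDDEN_EXTENSIONS:
        return base, ext, None
    _, inner = posixpath.splitext(stem)  # the extension the user would see
    if inner.lower() in BENIGN_LOOKING:
        reason = f"hidden extension {ext} behind {inner.lower()} (double extension)"
    else:
        reason = f"hidden extension {ext}"
    return stem, ext, reason


def scan_zip(data: bytes, archive_name: str = "archive.zip"):
    """Walk every member (including nested zips) and report suspicious names.

    Each finding is (path, reason); path uses AVG's archive:\\member
    convention so it can be matched against a scanner log line.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename
            shown, ext, reason = classify_name(member)
            path = archive_name + ":\\" + member.replace("/", "\\")
            if reason:
                findings.append((path, reason))
            if ext == ".zip":
                # Look inside nested archives instead of trusting the outer layer.
                findings.extend(scan_zip(zf.read(info), path))
    return findings


def build_sample_zip() -> bytes:
    """Construct a small archive shaped like the help-centre zip in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ehc/hc2/Printers/Troubles.hoo/images/ep1.bmp.shs", b"dummy scrap object")
        zf.writestr("ehc/hc2/Printers/Troubles.hoo/images/ep1.bmp", b"BM dummy bitmap")
        zf.writestr("ehc/readme.txt", b"plain text")
        zf.writestr("ehc/setup.pif", b"dummy pif")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip(build_sample_zip(), "EHC.ZIP"):
        print(f"{path}\n    Warning: {reason}")
```

A hit from this scan says only that the name is deceptive, which is exactly what AVG's "Hidden extension" warning means; whether the scrap object actually embeds something executable still needs the file itself looked at, hence Dave's VirusTotal suggestion.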
 
Trevor Wright

ed said:
Not too sure about it being a virus; it looks like a troubleshooting section
for an application. Troubles.hoo was probably generated on a Mac with an
older OS (read "troubleshooting" at that time); when an older PC looks at or saves
it, this is what you would get (generating its own extension). The actual
file is an SHS object, which is described as:

"The Shell Scrap Object is part of the Microsoft embed objects inside
objects philosophy. Basically, what happens is that the shell script is
wrapped around an object and the .SHS extension (which normally can't be
seen even with extensions turned on) is added to the file. An .SHS file is
really potentially quite dangerous because it can have anything executable
in it along with a vast collection of dangerous script code in the wrapper.
At least one worm uses the Shell Script object. Note: This file type can
become infected and should be carefully scanned if someone sends you a file
with this extension."
Yes, interesting

Do oddities like the folders moving about and the anti-virus refusing to
connect to the update server suggest a virus?
 
ed

Absolutely, but it is really odd that only one AV found it! He should check
his hosts file and see if there are entries directing anti-virus addresses to
some other IP.

Also, he should check his sys32 folder and try to find modified files (not
all virus files will always show up, though) for the date it first occurred
(sort them, and also be sure to turn on viewing of hidden files) and search
their names on Google (not always foolproof either).

Lastly check the properties and date of the file in question and see if it
was generated on the date in question.

But that being said and unanswered, I am still not sure it is a virus!
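The hosts-file check ed suggests, worked through in Python as an added example (not code from the thread). It parses a hosts file, ignores comments, and reports any line that names an anti-virus update server at all, or that black-holes a name other than localhost by pointing it at a loopback or 0.0.0.0 address. The sample hosts text is constructed, and the hostnames in AV_UPDATE_HOSTS are assumed for illustration rather than taken from Trend Micro's or Grisoft's documentation; on XP the live file is %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Check a Windows hosts file for entries that hijack anti-virus update servers.

Added example for the check suggested in the thread; not from the thread
itself. SAMPLE_HOSTS is constructed, and the vendor hostnames are assumed.
"""
import ipaddress

# Names the poster's products might contact for updates (assumed for the example).
AV_UPDATE_HOSTS = {
    "www.trendmicro.com",
    "pccillin.trendmicro.com",
    "housecall.trendmicro.com",
    "www.grisoft.com",
    "free.grisoft.com",
    "www.virustotal.com",
}

# The only name a default Windows XP hosts file resolves.
EXPECTED_LOCAL = {"localhost"}

# Constructed sample: the default file plus the kind of lines a hijacker adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       pccillin.trendmicro.com   # comment after entry
0.0.0.0         free.grisoft.com
10.0.0.5        www.virustotal.com
"""


def parse_hosts(text: str):
    """Yield (line_no, ip, [names]) for every non-comment, non-blank entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield line_no, parts[0], parts[1:]


def find_hijacks(text: str, watch_hosts=AV_UPDATE_HOSTS):
    """Return suspicious entries as (line_no, ip, name, reason).

    An entry is suspicious when it names a watched update server (a clean
    hosts file never needs to) or when it sends any name other than
    localhost to a loopback/unspecified address (black-holing).
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, " ".join(names), "malformed address"))
            continue
        blackhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            lname = name.lower()
            if lname in watch_hosts:
                what = "black-holed" if blackhole else f"redirected to {ip}"
                findings.append((line_no, ip, name, f"update server {what}"))
            elif blackhole and lname not in EXPECTED_LOCAL:
                findings.append((line_no, ip, name, "non-localhost name black-holed"))
    return findings


if __name__ == "__main__":
    # Real use: open(r"C:\WINDOWS\system32\drivers\etc\hosts").read() in place of SAMPLE_HOSTS.
    for line_no, ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip:<15} {name:<28} {reason}")
```

An empty result does not clear the machine: the hosts file is only the cheapest way to block updates, and a clean one still leaves the other checks in ed's post to do.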
 
josie

This may help you:

Stolen from: http://www.helpdesk.umd.edu/virus/security/removeshs.shtml


The OIT Virus Notification Program


Removing the .SHS File Type
Most files on PC machines have what is called a file extension--a
period (".") followed by three letters--that identifies what type of file it
is.

By default, most Windows computers are configured so that the common
file extensions are hidden. This can be a problem because viruses and other
malicious files can appear to be innocent text or document files when in
fact they are not. Fortunately, it is very easy to make file extensions
visible.

However, there is one file extension, .SHS, that is never visible in
the filename, so a text file that ends in both the .TXT file extension and
the .SHS file extension (<filename>.TXT.SHS) will appear to be a harmless
text file (<filename>.TXT).

In order to better protect yourself against viruses using the .SHS
extension (such as the Stages worm of June 20, 2000), you should consider
removing the .SHS file extension from Windows. Once that is done, Windows
will not be able to determine what to do with any .SHS file, so the .SHS
file will not execute and will not work. (NOTE: .SHS files are "Scrap
object" files. They are usually only created when you highlight text in
Microsoft Word or Excel and drag the highlighted text to the desktop, where
it becomes a "scrap" that you can insert anywhere in the current document or
another document multiple times (see Microsoft's article on scrap files).
Since Office 2000 comes with the ability to store 12 items in the clipboard,
this scrap function is no longer necessary).

The procedure for removing a file type differs slightly depending on
your version of Windows, so please follow the following steps carefully--you
do not want to accidentally remove a different file type. If you do not
feel comfortable making these changes, ask your local tech support for
assistance.

1. Click on the Start button, and choose Run from the menu that
appears. In the Run window that appears, type "explorer" (without the
quotation marks) in the Open box and hit the Enter or Return key.
2. Bring up the Options window:
   a. Windows 95/98/NT: From the menu bar of Windows Explorer,
click on View, and from the menu that appears, click on Folder Options.
   b. Windows 2000/XP: From the menu bar of Windows Explorer, click
on Tools, and from the menu that appears, click on Folder Options.
3. In the window that appears, click on the tab marked File Types.
4. You should now see a list of file types recognized by Windows.
Scroll down until you see a file type listed as Scrap Object. Click once on
Scrap Object so that it is highlighted.
5. Remove the file type:
   a. Windows 95/98/NT: Click on the Remove button. When you are
asked if you really want to do this, click on Yes.
   b. Windows 2000/XP: Click on the Delete button. When you are
asked if you really want to do this, click on Yes.
6. Click OK at the bottom of the window.
 
Norman L. DeForest

Yes, interesting

Even more interesting, and an example of Microsoft's stupidity when it
comes to security....

As an experiment, I created two scrap objects, one with some text and a
MIDI file dropped in the middle of it and the other with some text and
an executable program dropped in the middle of it.

If I double-click on the first of the two scrap files, it opens with Word.
If I double-click on the icon for the embedded MIDI file, a dialog box
pops up asking me if I am sure I want to open this as embedded objects can
be unsafe. Of course I'm sure. It's a [bleep]ing MIDI file for $DEITY's
sake!

However, if I double-click on the scrap file with the embedded executable
file, the executable file is run immediately with no warnings or prompts
at all.

Doesn't it seem as though someone at Microsoft got things a bit backwards?
> Do oddities like the folders moving about and the anti-virus refusing to
> connect to the update server suggest a virus?

It sounds suspicious to me. (The cynic in me says, "No, that's just
normal Windows misbehaviour." but I'm refusing to listen to him.)


By the way, *.shs, *.lnk, *.pif and other "special" extensions are
completely visible on my machine. None of this hidden extensions stuff
for me. A series of screenshots of the steps I took to unhide these and
other special extensions and a commented HTML file to display them can
currently be found on my web site at:
http://www.chebucto.ns.ca/~af380/unhide.zip
It's large (577KB) because of the large number of screenshots which
include steps for finding REGEDIT as well as the steps taken to edit the
Windows registry.

Abbreviated version for the graphically impaired:

Search the registry for "NeverShowExt" and change each occurrence to
"AlwaysShowExt". (That way you can always undo your changes later.)

Also repeat this after installing anything. At least one software
installation added a new "NeverShowExt" entry for *.url files when
it wanted to include such files in its directory. The fact that an
"AlwaysShowExt" entry was immediately above it proves that I didn't
just miss that one.
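Norman's registry fix, and the reason josie's excerpt gives for it (a name ending in .TXT.SHS displays as .TXT), expressed as an added Python example; this is not Norman's screenshots, not an official tool, and not code from the thread. It reads the text of a registry export, lists every key that carries a NeverShowExt value, and writes a .reg patch that deletes that value and adds AlwaysShowExt under the same key, so the change can be found and reversed later as he recommends. The export snippet is constructed and shows only the keys that matter; the script assumes the input is the "Windows Registry Editor Version 5.00" format that regedit /e and reg export produce (UTF-16 text on XP).

```python
"""Turn a registry export into a .reg patch that replaces every NeverShowExt
value with AlwaysShowExt.

Added example, not from the thread. SAMPLE_EXPORT is a constructed, trimmed
export; a real one from `reg export HKCR hkcr.reg` has thousands of keys and
the same line-oriented format, so the functions below work on it unchanged.
"""
import re

SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\\lnkfile]
@="Shortcut"
"EditFlags"=dword:00000001
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\\piffile]
@="Shortcut to MS-DOS Program"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\\txtfile]
@="Text Document"
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")            # [HKEY_...\key] section header
_NEVER_RE = re.compile(r'^"NeverShowExt"\s*=', re.IGNORECASE)


def keys_with_never_show_ext(export_text: str):
    """Return the key paths (in file order) whose section carries NeverShowExt."""
    keys = []
    current = None
    for line in export_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
        elif current and _NEVER_RE.match(line):
            keys.append(current)
    return keys


def build_patch(export_text: str) -> str:
    """Emit a .reg file that deletes NeverShowExt and adds AlwaysShowExt per key.

    "Name"=- is the .reg syntax for deleting a value. Keeping a marker value
    named AlwaysShowExt records which keys were touched, so the edit can be
    located and reversed later, which is the point of Norman's rename.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys_with_never_show_ext(export_text):
        lines += [f"[{key}]", '"NeverShowExt"=-', '"AlwaysShowExt"=""', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use on XP:
    #   reg export HKCR hkcr.reg
    #   text = open("hkcr.reg", encoding="utf-16").read()   (instead of SAMPLE_EXPORT)
    #   write build_patch(text) to unhide.reg, then: regedit /s unhide.reg
    print(build_patch(SAMPLE_EXPORT))
```

As Norman notes, this has to be repeated after installing software that registers its own NeverShowExt entries. It does not remove the Scrap Object file type itself; that is the separate File Types procedure in the text josie quoted.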
 
David H. Lipman

Good advice and information Norman !

Thanx.

--
Dave
