AVG: HOSTS reading error.

[C J.]

Was helping a friend with their PC lastnight, and the situation seemed
unusual enough for me to ask about here for some feedback. This Person is
running XP Pro Sp2 on a Intel PC Clone fully patched, with its unused
services disabled, and ZA Pro firewall and AVG Professional installed.

Recently, they indicated to me they had been experiencing a lot of page type
"clicking or ticking" going on - while their PC was connected to the
internet with their browser closed. So lastnight - I ran a custom check of
the system areas and an empty folder with AVG.

One item came back as "changed " Shell32 - and HOSTS returned a Read
Error. On closer inspection of the \System32\drivers\etc folder... found
HOSTS.bak but no Hosts so I replaced the file. But now I'm wondering about
Shell32... does it always change? Normal viral and spyware scans detect
nothing.

 

[YoKenny]

C J. typed:

Was helping a friend with their PC lastnight, and the situation seemed
unusual enough for me to ask about here for some feedback. This
Person is running XP Pro Sp2 on a Intel PC Clone fully patched, with
its unused services disabled, and ZA Pro firewall and AVG
Professional installed.
Recently, they indicated to me they had been experiencing a lot of
page type "clicking or ticking" going on - while their PC was
connected to the internet with their browser closed. So lastnight -
I ran a custom check of the system areas and an empty folder with AVG.

One item came back as "changed " Shell32 - and HOSTS returned a Read
Error. On closer inspection of the \System32\drivers\etc folder...
found HOSTS.bak but no Hosts so I replaced the file. But now I'm
wondering about Shell32... does it always change? Normal viral and
spyware scans detect nothing.

Read about Shell32:
http://process.networktechs.com/Shell32.dll.php

It can change but usually does not unless it gets infected with a virus or
worm.

Found with Google in 0.37 seconds.

 

[Noel Paton]

C J. typed:

Read about Shell32:
http://process.networktechs.com/Shell32.dll.php

It can change but usually does not unless it gets infected with a virus or
worm.

The Shell32.dll file gets updated in MANY Windows updates - it's one of the
main libraries used by Windows.
The version in a fully-updated Win98SE system is 4.72.3812.600

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's

 

[Virus Guy]

The Shell32.dll file gets updated in MANY Windows updates - it's
one of the main libraries used by Windows.
The version in a fully-updated Win98SE system is 4.72.3812.600

Just to be sure, I went to windows-updates and installed 3 updates
that were waiting for me. My version of shell32.dll remained
unchanged:

Size: 1,400,832 bytes
Date: April 23, 1999 10:22:00 pm
Version: 4.72.3612.1700

I believe that is the original version for win-98se.

I went to another win-98 machine and found it had this version:

Size: 1,388,816
Date: December 6, 2001 11:25:08 pm
Version: 4.72.3812.600

Hmmm. So why does one machine have the original, and another has this
2001 version?

There must have been an old update (circa early 2002 ?) that was the
source of the newer file, with no updates since (if, as you claim, the
..600 version is the last). If so, then I would question the claim
that there have been *many* updates to this file.

So, can I simply swap the old file for the new one?

Anyone know how many versions of Shell32.dll have been issued by MS
for Win-98se?

 

[Noel Paton]

The 600 is the subversion - the version number is
4.72 - which is the same for Win and Win98SE
the minor version number is 3812 in mine - and 3612 in yours.

The minor version may be dependent on IE version number - I'm not sure


--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's

 

[glee]

No.....it came from this update:
Unchecked Buffer in Windows Shell Could Lead to Code Running (Q313829)
http://support.microsoft.com?kbid=313829

(It's the update that broke TweakUI's ability to hide shortcut arrows)

 

[Virus Guy]

The 600 is the subversion - the version number is ...

Um, your reply was not terribly information-rich.

These questions remain:

- why do some fully updated win-98se systems have version
4.72.3612.1700, yet others have 4.72.3812.600 ?

- were the above two versions the only versions of shell32.dll
to ever be released by MS for Win-98se?

- Can the newer version (3812.600) be substituted for the older
one (3612.1700) via simple file-substitution?

Bonus question:

- what specific update(s) from MS includes updating shell32.dll?

 

[Virus Guy]

No.....it came from this update:
Unchecked Buffer in Windows Shell Could Lead to Code Running
(Q313829)
http://support.microsoft.com?kbid=313829

Yes, that does lead to a link to Version: 4.72.3812.600:

http://download.microsoft.com/download/ie4095/actdesk/4.01_sp2/w9XNT4/en-us/q313829.exe

So it looks like that's the one and only patch/update that changes
shell32.dll.

Meaning that a valid (non-corrupted) version should be 1,388,816 bytes
and have a date-stamp of December 6, 2001.

 

[glee]

Um, your reply was not terribly information-rich.

These questions remain:

- why do some fully updated win-98se systems have version
4.72.3612.1700, yet others have 4.72.3812.600 ?

Because some systems have the update installed, while others don't. Some users
removed the update to fix the TweakUI hidden shortcut arrow tweak. It's a pretty
silly reason (a minor cosmetic issue) to remove critical security update, IMO.

- were the above two versions the only versions of shell32.dll
to ever be released by MS for Win-98se?

I never checked, but they are the only two I have come across when updating 98SE

- Can the newer version (3812.600) be substituted for the older
one (3612.1700) via simple file-substitution?

Probably, if done from a DOS boot, but I would install the update instead.

Bonus question:

- what specific update(s) from MS includes updating shell32.dll?

Unchecked Buffer in Windows Shell Could Lead to Code Running (Q313829)
http://support.microsoft.com?kbid=313829