Cannot find Shell.dll


Steve

I've recently become aware of this issue...and was
wondering if anybody knew what was causing it/solution for
it.

Basically, the end user tells me that all of a sudden (an
older 16 bit?) doesn't work anymore because it keeps
popping up 'cannot find shell.dll' (or something along
those lines)

I tried to do a newsgroup search but it either doesn't
work very well or it doesn't work very well.

I did a google search and found a number of similar
cases...all relatively recent!

http://www.visualbasicforum.com/showthread.php?t=172033&highlight=shell.dll

http://www.adventurecompanygames.com/tac/forums/showflat.php?Number=80814

http://forums.us.dell.com/supportforums/board/message?board.id=sw_winxp&message.id=115553

BTW...the 'problem'-problem is that shell.dll is missing
from SYSTEM32, so the 'solution' is to reload a fresh copy
into SYSTEM32...except that when you reboot...it
disappears from SYSTEM32.

Both SYSTEM and SYSTEM32 are in the PATH var.

I didn't try whether or not copying the shell.dll into the
programs directory would help or not...but in any case even
if it did work...that would be just a 'workaround'...I
want to know the truth (yes, I think I can handle it)

Thanks,
Steve
 

Craig

Steve:

Just had this exact problem myself today. User trying to run an
older 16 bit app, but was missing shell.dll. No problem, copied a
"fresh" one from a working machine onto this one. App opens fine.

Here's the catch: The shell.dll disappears at random throughout the
day. The solution is to continue to copy new versions into place. I
wrote the user a quick and dirty batch file, but that's just a
band-aid.

I'm really stumped by this. No sign of virus, there is something on
the system that's causing pop-ups, and I'm not unwilling to count that
piece of spyware out, but I'm doubtful.
 

Joe Parish

Steve, Craig -

I work support for a company here in Florida. I've been researching this
same issue. So far we've had 68 calls since 5/26/04. Of these 68 incidents,
I have 7 copies of the msinfo32 information from a time when the problem is
still present on the machine. Of those 7 files, I have one that has a
matching .nfo from immediately after a system restore that corrects the
problem on an XP machine.

Here's the interesting similarity I see on 5 of the 7 machines:

Machine 1::
[Services]
Display_Name: Network Security Service
Name: __NS_Service_3
State: Running
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\msha32.exe /s
Error_Control: Ignore
Start_Name: LocalSystem
Tag_ID: 0

[Running Tasks]
Name: msha32.exe
Path: c:\windows\msha32.exe
Process_ID: 1408
Priority: 8
Min_Working_Set: 204800
Max_Working_Set: 1413120
Start_Time: 6/18/2004 7:48 AM
Version: Not Available
Size: 9.00 KB (9,216 bytes)
File_Date: 6/3/2004 12:18 PM

[Loaded Modules]
Name: msha32
Version: Not Available
Size: 9.00 KB (9,216 bytes)
File_Date: 6/3/2004 12:18 PM
Manufacturer: Not Available
Path: c:\windows\msha32.exe

Machine 2::
[Services]
Display_Name: Network Security Service
Name: __NS_Service_2
State: Stopped
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\sysbj.exe /s
Error_Control: Ignore
Start_Name: LocalSystem
Tag_ID: 0

Machine 3::
[Services]
Display_Name: Network Security Service
Name: __NS_Service
State: Running
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\system32\cryh.exe /s
Error_Control: Ignore
Start_Name: LocalSystem
Tag_ID: 0

[Running Tasks]
Name: cryh.exe
Path: c:\windows\system32\cryh.exe
Process_ID: 1772
Priority: 8
Min_Working_Set: 204800
Max_Working_Set: 1413120
Start_Time: 6/16/2004 10:06 AM
Version: Not Available
Size: 8.50 KB (8,704 bytes)
File_Date: 6/12/2004 6:50 AM

[Loaded Modules]
Name: cryh
Version: Not Available
Size: 8.50 KB (8,704 bytes)
File_Date: 6/12/2004 6:50 AM
Manufacturer: Not Available
Path: c:\windows\system32\cryh.exe

Machine 4:::
[Services]
Display Name: Network Security Service
Name: __NS_Service_3
State: Running
Start Mode: Auto
Service Type: Share Process
Path: c:\windows\system32\ipsi32.exe /s
Error Control: Ignore
Start Name: LocalSystem
Tag ID: 0

[Loaded Modules]
Name: ipsi32
Version: Not Available
Size: 9.00 KB (9,216 bytes)
File Date: 6/8/2004 7:40 AM
Manufacturer: Not Available
Path: c:\windows\system32\ipsi32.exe

[Running Tasks]
Name: ipsi32.exe
Path: c:\windows\system32\ipsi32.exe
Process ID: 1404
Priority: 8
Min Working Set: 204800
Max Working Set: 1413120
Start Time: 6/18/2004 4:33 PM
Version: Not Available
Size: 9.00 KB (9,216 bytes)
File Date: 6/8/2004 7:40 AM

Machine 5::
[Services]
Display_Name: Network Security Service
Name: __NS_Service
State: Running
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\system32\javamu32.exe /s
Error_Control: Ignore
Start_Name: LocalSystem
Tag_ID: 0

[Loaded Modules]
Name: javamu32
Version: Not Available
Size: 8.50 KB (8,704 bytes)
File_Date: 6/9/2004 10:24 PM
Manufacturer: Not Available
Path: c:\windows\system32\javamu32.exe

[Running Tasks]
Name: javamu32.exe
Path: c:\windows\system32\javamu32.exe
Process_ID: 1856
Priority: 8
Min_Working_Set: 204800
Max_Working_Set: 1413120
Start_Time: 6/16/2004 9:25 AM
Version: Not Available
Size: 8.50 KB (8,704 bytes)
File_Date: 6/9/2004 10:24 PM

Note that on all 5 machines there is a service with a Display_Name of
"Network Security Service", each one has a Name that is a variation of
'NS_Service' and the Path is 'c:\windows\system32\<random name>.exe /s'

A quick search on my system here at home, my system at work, and google
returned no hits for any of these file names.

I'm still looking into a few other similarities on these machines, but what's
pegged this as my biggest suspect at the moment is that it is one of the few
things out of the ordinary that I saw while comparing the .NFO file from
before a system restore (while the problem was still present) against the
.NFO from after the restore (went back 2 weeks on that machine and the
problem was gone). None of the other difference items appear to be present
on the other 6 machines.

I don't know if I'm on the right track here or what, but I'm sick of having
to send people to MS to have this problem fixed, especially when followup
calls to the affected customers reveal that the MS support reps have been
turning them away, saying it's not a Microsoft issue. In the end, we will
still have to send them elsewhere for a permanent solution, I just want to
be able to give our customers some info to load into their guns when they
get to wherever it is we have to send em.

If either of you two find anything, I'd greatly appreciate if you could let
me know.

Feel free to shoot me an email, but put something eye catching in the
subject or it'll get nuked in my spam filter.

Thanks

Joe Parish
(e-mail address removed)
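The five msinfo32 dumps above share the same shape: a "Network Security Service" whose Name is a variant of __NS_Service, started from a randomly named .exe in the Windows directory with /s, and a running task of 8.5-9 KB with no version resource. The script below is an added example, not code from the thread, that reads an msinfo32 text export in that layout and flags any service or task that shows at least two of those indicators. The sample export embedded in it is constructed from Machine 4's values plus one ordinary service and one ordinary process for contrast; the "Windows Time" and explorer.exe records and their sizes and version strings are made up for the demonstration.

```python
import re

# Constructed sample in the layout of the msinfo32 text export quoted in
# the thread: one suspect service and one ordinary one, one suspect task
# and one ordinary one. Not a capture from any real machine.
SAMPLE_NFO = r"""[Services]
Display_Name: Network Security Service
Name: __NS_Service_3
State: Running
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\system32\ipsi32.exe /s
Start_Name: LocalSystem

Display_Name: Windows Time
Name: W32Time
State: Running
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
Start_Name: LocalSystem

[Running Tasks]
Name: ipsi32.exe
Path: c:\windows\system32\ipsi32.exe
Process_ID: 1404
Version: Not Available
Size: 9.00 KB (9,216 bytes)
File_Date: 6/8/2004 7:40 AM

Name: explorer.exe
Path: c:\windows\explorer.exe
Process_ID: 1234
Version: 6.0.2800.1106
Size: 1,004.50 KB (1,028,608 bytes)
File_Date: 8/29/2002 6:00 AM
"""

WINDIR_EXE_RE = re.compile(r"^c:\\windows(\\system32)?\\[a-z0-9]+\.exe$", re.I)
BYTES_RE = re.compile(r"\(([\d,]+) bytes\)")
NS_SERVICE_RE = re.compile(r"^_*NS_Service(_\d+)?$", re.I)


def parse_msinfo(text):
    """Parse msinfo32's text export into {section: [record, ...]}.

    Records are blank-line separated 'Key: value' groups; keys are
    normalised to lower-case with underscores, so the 'Display Name' and
    'Display_Name' spellings seen in the thread both become display_name.
    """
    sections, current, record = {}, None, {}

    def flush():
        nonlocal record
        if current is not None and record:
            sections[current].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()
            current = line[1:-1]
            sections.setdefault(current, [])
        elif not line:
            flush()
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")
            record[key.strip().lower().replace(" ", "_")] = value.strip()
    flush()
    return sections


def service_indicators(svc):
    """Indicators shared by the five services reported in the thread."""
    hits = []
    if svc.get("display_name", "").lower() == "network security service":
        hits.append("display name 'Network Security Service'")
    if NS_SERVICE_RE.match(svc.get("name", "")):
        hits.append("service name is a variant of __NS_Service")
    path = svc.get("path", "")
    if path.lower().endswith(" /s") and WINDIR_EXE_RE.match(path[:-3]):
        hits.append("bare .exe in the Windows directory run with /s")
    return hits


def task_indicators(task):
    """Indicators for a running process: no version resource, tiny image."""
    hits = []
    if task.get("version", "") == "Not Available":
        hits.append("no version resource (Gary's 'no Version tab' check)")
    m = BYTES_RE.search(task.get("size", ""))
    if m and int(m.group(1).replace(",", "")) <= 10 * 1024:
        hits.append("image of 10 KB or less, like the 8.5-9 KB samples")
    return hits


def triage(text, min_indicators=2):
    """Return services and tasks showing at least min_indicators hits."""
    info = parse_msinfo(text)
    findings = []
    for kind, section, scorer in (("service", "Services", service_indicators),
                                  ("task", "Running Tasks", task_indicators)):
        for rec in info.get(section, []):
            hits = scorer(rec)
            if len(hits) >= min_indicators:
                findings.append({"kind": kind, "name": rec.get("name"),
                                 "path": rec.get("path"), "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NFO):
        print(f"{f['kind']:7} {f['name']:16} {f['path']}")
        for hit in f["indicators"]:
            print("        -", hit)
```

Requiring two indicators keeps a single unversioned but legitimate file from being reported on its own; to run it against a real export, save msinfo32's output as text and pass the file contents to triage().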
 

Gary Smith

This looks like an infestation by malware to me. For what it's worth,
there are no files named msha32.exe, sysbj.exe, cryh.exe, ipsi32.exe, or
javamu32.exe and no "Network Security Service" on my Win2K system.
(There's also no C:\Windows\system32, but that may not be an issue.)

Locate one of these strange files, right-click on it and select
Properties. If there's no Version tab, the file is not a legitimate
Microsoft component. Although legitimate files can come from other
sources, I now assume that a .dll or .exe file found in WINNT or any
of its subfolders that lacks a Version tab is spurious, and it gets
quarantined until it is proven innocent, and useful.

----
Gary L. Smith (e-mail address removed)
Columbus, Ohio


 

anon

Gary,

can you tell me how to quarantine an .exe or .dll within a system
folder, (or anywhere for that matter) such as you suggest???

I assume you mean to somehow disable the file from being run/used by the
system, without actually deleting it???

or am i assuming incorrectly???

anon

 

Joe Parish

There are several things that suggest that these are a problem, just
not enough to suggest that they are indeed *the* problem. As for the
files themselves, I have no doubt that they are some sort of malware
that uses a randomly generated filename.

I just found this particular link on the systems this weekend, I'll
need to contact a few of the customers this week and see what I can
see as far as disabling/removing them to see if they are the cause.

Another point of interest:
I mentioned that our calls started coming in on 5/26/04, if you do
some digging around in this newsgroup, and its XP equivalent, people
first started asking about this problem around about the same time.
Not sure if it means anything, but I'm looking for all the clues I can
find.

As for your lack of c:\windows\system32, well, let's call it
%windir%\system32 ;)


Joe

 

Jeff

We too have been seeing a lot of these Missing Shell.DLL errors when
launching 16-bit applications. It does seem to be tied to a browser
hijacker that the normal spyware removal tools are unable to clean.
It does delete shell.dll from %windir%\system32 at random times but nowhere
else. Shell.dll is still listed in %windir%\system.

To help get past these errors, I copied shell.dll into %windir% (so it
is found by the path statement) and then removed SHELL.DLL from the
KnownDLLs key in the following registry location and it seems to
resolve the error even though the Malware/Spyware is still active:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
 

Gary Smith

anon said:
can you tell me how to quarantine an .exe or .dll within a system
folder, (or anywhere for that matter) such as you suggest???
I assume you mean to somehow disable the file from being run/used by the
system, without actually deleting it???

What I did on my system is to make a folder named Quarantine, just to
remind me why it's there. Usually it's sufficient to move a suspect file
into that folder from wherever you located it. Sometimes you'll find that
you can't access the file, in which case you may need to take ownership of
the file or kill the process that has it open. In the worst case, you may need
to use a "move on boot" program to relocate it.

Another approach is to rename the file. I prefer to change only the
extension, for example making somefile.exe somefile.ex+ or even
somefile.exe.disabled.
 

Stan

I've got the same problem - with all the same file names, but I didn't
notice the 16-bit part because we don't use 16-bit apps, however, we
do use the HOSTS file under C:\WINNT\SYSTEM32\DRIVERS\ETC, and this is
deleted ONCE A MINUTE by this thing. Stopping and disabling the
Network Security Service, removing all __NS_Security entries from the
registry and deleting all of the aforementioned EXE files gets rid of
it for that session, but next time you reboot - it's back, so there's
something hidden/obscured running that's watching for just such a
situation, and it restores it. Has anyone successfully removed it for
good?
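Craig, Jeff and Stan all describe the same behaviour from different angles: a file (shell.dll, or here the HOSTS file) that is deleted again and again while the machine runs. The script below is an added example, not part of the thread, of the kind of watcher a responder can leave running on an affected machine: it baselines a list of files by hash, polls them, logs every deletion or change with a timestamp (which can then be lined up against the service and process start times in msinfo32), and optionally puts a known-good copy back, which is what Craig's batch file did but without any record of when. The watched paths and the clean-copy location are assumptions; %windir% is read from the environment, and demo_cycle() exercises the whole loop on temporary files so it runs anywhere.

```python
import hashlib
import os
import shutil
import tempfile
import time

# Assumed locations of the two files the thread reports vanishing.
WINDIR = os.environ.get("windir", r"C:\WINDOWS")
DEFAULT_WATCH = [
    os.path.join(WINDIR, "system32", "shell.dll"),
    os.path.join(WINDIR, "system32", "drivers", "etc", "hosts"),
]


def snapshot(paths):
    """Map each path to its SHA-256 hex digest, or None if it is missing."""
    state = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                state[p] = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            state[p] = None
    return state


def diff_snapshots(before, after):
    """Return (path, event) pairs; event is deleted, recreated or modified."""
    events = []
    for p, old in before.items():
        new = after.get(p)
        if old is not None and new is None:
            events.append((p, "deleted"))
        elif old is None and new is not None:
            events.append((p, "recreated"))
        elif old != new:
            events.append((p, "modified"))
    return events


def watch(paths, clean_copies=None, interval=5.0, rounds=None,
          log=print, baseline=None):
    """Poll `paths`, log each change with a timestamp and, when a clean copy
    is known for a deleted file, copy it back. rounds=None polls forever."""
    clean_copies = clean_copies or {}
    state = baseline if baseline is not None else snapshot(paths)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = snapshot(paths)
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        for p, event in diff_snapshots(state, current):
            log(f"{stamp} {event}: {p}")
            if event == "deleted" and p in clean_copies:
                shutil.copyfile(clean_copies[p], p)
                current[p] = snapshot([p])[p]
                log(f"{stamp} restored: {p} from {clean_copies[p]}")
        state = current
        done += 1
    return state


def demo_cycle():
    """Offline demonstration on temporary files: baseline, delete the file
    behind the watcher's back, then let one polling round detect and restore."""
    tmp = tempfile.mkdtemp()
    target = os.path.join(tmp, "shell.dll")
    clean = os.path.join(tmp, "shell.dll.clean")
    for p in (target, clean):
        with open(p, "wb") as fh:
            fh.write(b"constructed stand-in for shell.dll")  # not a real DLL
    before = snapshot([target])
    os.remove(target)
    detected = diff_snapshots(before, snapshot([target]))
    log_lines = []
    final = watch([target], {target: clean}, interval=0, rounds=1,
                  log=log_lines.append, baseline=before)
    shutil.rmtree(tmp)
    return detected, log_lines, final[target] == before[target]


if __name__ == "__main__":
    detected, log_lines, restored = demo_cycle()
    print(detected, restored)
    print("\n".join(log_lines))
    # On an affected machine: watch(DEFAULT_WATCH, {DEFAULT_WATCH[0]: r"D:\clean\shell.dll"})
```

Restoring the file is still only a band-aid, as Craig says; the value of the log is the timeline it gives you while the actual cause is being hunted down.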
 

bluesky_theman


This is also happening on a 2k system on my network. No other system
on the network is affected (yet). This issue started immediately after
a reboot for a microsoft.com windows update install. Maybe it's just a
coincidence but I have seen at least one other post in google that
mentions this starting after a windows update...
 

B Creed

Here is what I have discovered for removing this SpyWare piece:

1) It creates a "Network Security Service" in the
HKLM\System\ControlSet00x\Services section of the registry. This calls
an executable which is apparently randomly named at installation, make
note of the executable's name. In my case it was "appbj32.exe". This
piece is actually in the middle of its startup execution process. Go
ahead and delete this key from the registry. It will appear in
ControlSet001, ControlSet002, etc, so do a search for "Network
Security Service".

2) If you had looked into the subkeys of that Network Security
Service, you'd see it reference a Root\___NS_SERVICES device. What
happens as best I can tell is that this Malware creates a Legacy
Driver that is first loaded by the system, which then recreates the
Network Security Service if it is missing. If you do a search for
"ns_services" in the registry you will find the source of this problem
(Again in ControlSet001, and 002). You will most likely need to [Edit]
the [Permissions] for the key to Everyone/Full Control so that you can
delete it. To verify that it is gone, or even if it is present in the
first place, you can see if it exists on your system by going to the
System Properties Menu (from control panel) then Device Manager. In
Device Manager go to "View", down to "Show hidden devices" and this
will make viewable the "Non-plug & play drivers" branch in the device
manager. Expand that and you'll see near the top the __NS_SERVICE
legacy driver (or whatever it was called). That tells you if the
Malware was loaded on startup or not.

3) Now go ahead and hunt down that executable that the service was
calling and delete/quarantine it. You'll find a couple Class
references to it in the registry, but with the executable gone and the
2 pieces listed in Steps 1 & 2, it shouldn't matter, but delete them
anyways if it makes you feel better.

4) Might want to find and run HijackThis and look for anything odd
hanging around. What keyed me into whether or not I had this problem
resolved was an "ieid32.dll" file that was being reloaded as a Browser
Helper Object after I rebooted each time. I did also have an executable
that was being directly launched from within the Registry on boot, in
my case named iphy32.exe. I'm guessing this is the secondary execution
method for this Malware. So look for something odd like that. The file
size of these executables seems to be at about 9k, so that may help.
(On a side note, there were a total of 4 9k executables I ended up
quarantining from my System32 directory: iphy32.exe, appbj32.exe,
apirc32.exe, and a qvwin.exe - Not sure the relation or function of
the last two, but they were a part of the whole package.) Since
removing the Service and Legacy drivers described above, this Malware
has not returned after multiple reboots.


Sorry for any confusing statements, I didn't take any notes during
this process.

- Brandan Creed
Swift Office Solutions
www.sosnet.com
 
N

NTidd

I believe I have found the answer, it is a downloader trojan called
"downloader.agent.bf" AVG by Grisoft seemed to pick it up, somehow
the file is executed just about every time you open something.


Gary Smith said:
This looks like an infestation by malware to me. For what it's worth,
there are no files named msha32.exe, sysbj.exe, cryh.exe, ipsi32.exe, or
javamu32.exe and no "Network Security Service" on my Win2K system.
(There's also no C:\Windows\system32, but that may not be an issue.)

Locate one of these strange files, right-click on it and select
Properties. If there's no Version tab, the file is not a legitimate
Microsoft component. Although legitimate files can come from other
sources, I now assume that a .dll or .exe file found in WINNT or any
of its subfolders that lacks a Version tab is spurious, and it gets
quarantined until it is proven innocent, and useful.

----
Gary L. Smith (e-mail address removed)
Columbus, Ohio


Joe Parish said:
Steve, Craig -
I work support for a company here in Florida. I've been researching this
same issue. So far we've had 68 calls since 5/26/04. Of these 68 incidents,
I have 7 copies of the msinfo32 information from a time when the problem is
still present on the machine. Of those 7 files, I have one that has a
matching .nfo from immediately after a system restore that corrects the
problem on an XP machine.
Here's the interesting similarity I see on 5 of the 7 machines:
Machine 1::
[Services]
Display_Name: Network Security Service
Name: __NS_Service_3
State: Running
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\msha32.exe /s
Error_Control: Ignore
Start_Name: LocalSystem
Tag_ID: 0
[Running Tasks]
Name: msha32.exe
Path: c:\windows\msha32.exe
Process_ID: 1408
Priority: 8
Min_Working_Set: 204800
Max_Working_Set: 1413120
Start_Time: 6/18/2004 7:48 AM
Version: Not Available
Size: 9.00 KB (9,216 bytes)
File_Date: 6/3/2004 12:18 PM
[Loaded Modules]
Name: msha32
Version: Not Available
Size: 9.00 KB (9,216 bytes)
File_Date: 6/3/2004 12:18 PM
Manufacturer: Not Available
Path: c:\windows\msha32.exe
Machine 2::
[Services]
Display_Name: Network Security Service
Name: __NS_Service_2
State: Stopped
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\sysbj.exe /s
Error_Control: Ignore
Start_Name: LocalSystem
Tag_ID: 0
Machine 3::
[Services]
Display_Name: Network Security Service
Name: __NS_Service
State: Running
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\system32\cryh.exe /s
Error_Control: Ignore
Start_Name: LocalSystem
Tag_ID: 0
[Running Tasks]
Name: cryh.exe
Path: c:\windows\system32\cryh.exe
Process_ID: 1772
Priority: 8
Min_Working_Set: 204800
Max_Working_Set: 1413120
Start_Time: 6/16/2004 10:06 AM
Version: Not Available
Size: 8.50 KB (8,704 bytes)
File_Date: 6/12/2004 6:50 AM
[Loaded Modules]
Name: cryh
Version: Not Available
Size: 8.50 KB (8,704 bytes)
File_Date: 6/12/2004 6:50 AM
Manufacturer: Not Available
Path: c:\windows\system32\cryh.exe
Machine 4:::
[Services]
Display Name: Network Security Service
Name: __NS_Service_3
State: Running
Start Mode: Auto
Service Type: Share Process
Path: c:\windows\system32\ipsi32.exe /s
Error Control: Ignore
Start Name: LocalSystem
Tag ID: 0
[Loaded Modules]
Name: ipsi32
Version: Not Available
Size: 9.00 KB (9,216 bytes)
File Date: 6/8/2004 7:40 AM
Manufacturer: Not Available
Path: c:\windows\system32\ipsi32.exe
[Running Tasks]
Name: ipsi32.exe
Path: c:\windows\system32\ipsi32.exe
Process ID: 1404
Priority: 8
Min Working Set: 204800
Max Working Set: 1413120
Start Time: 6/18/2004 4:33 PM
Version: Not Available
Size: 9.00 KB (9,216 bytes)
File Date: 6/8/2004 7:40 AM
Machine 5::
[Services]
Display_Name: Network Security Service
Name: __NS_Service
State: Running
Start_Mode: Auto
Service_Type: Share Process
Path: c:\windows\system32\javamu32.exe /s
Error_Control: Ignore
Start_Name: LocalSystem
Tag_ID: 0
[Loaded Modules]
Name: javamu32
Version: Not Available
Size: 8.50 KB (8,704 bytes)
File_Date: 6/9/2004 10:24 PM
Manufacturer: Not Available
Path: c:\windows\system32\javamu32.exe
[Running Tasks]
Name: javamu32.exe
Path: c:\windows\system32\javamu32.exe
Process_ID: 1856
Priority: 8
Min_Working_Set: 204800
Max_Working_Set: 1413120
Start_Time: 6/16/2004 9:25 AM
Version: Not Available
Size: 8.50 KB (8,704 bytes)
File_Date: 6/9/2004 10:24 PM
Note that on all 5 machines there is a service with a Display_Name of
"Network Security Service", each one has a Name that is a variation of
'NS_Service' and the Path is 'c:\windows\system32\<random name>.exe /s'
A quick search on my system here at home, my system at work, and google
returned no hits for any of these file names.
I'm still looking into a few other similarities on these machines, but what's
pegged this as my biggest suspect at the moment is that it is one of the few
things out of the ordinary that I saw while comparing the .NFO file from
before a system restore (while the problem was still present) against the
.NFO from after the restore (went back 2 weeks on that machine and the
problem was gone). None of the other difference items appear to be present
on the other 6 machines.
I don't know if I'm on the right track here or what, but I'm sick of having
to send people to MS to have this problem fixed, especially when followup
calls to the affected customers reveal that the MS support reps have been
turning them away, saying it's not a Microsoft issue. In the end, we will
still have to send them elsewhere for a permanent solution, I just want to
be able to give our customers some info to load into their guns when they
get to wherever it is we have to send em.
If either of you two find anything, I'd greatly appreciate if you could let
me know.
Feel free to shoot me an email, but put something eye catching in the
subject or it'll get nuked in my spam filter.

Joe Parish
(e-mail address removed)
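A defender-side check for the pattern Joe Parish's msinfo32 excerpts and Brandan Creed's write-up describe, as an added example that is not code from anyone in the thread: it parses msinfo32-style text and flags services whose display name, __NS_Service naming, or version-less backing executable match the indicators posted here. The sample input is constructed from the Machine 1 excerpt plus a benign Print Spooler control entry.

```python
import re

# Constructed sample in the msinfo32 layout quoted in the thread: the first
# service mirrors the "Machine 1" excerpt, Print Spooler is a benign control.
SAMPLE = r"""
[Services]
Display_Name: Network Security Service
Name: __NS_Service_3
Path: c:\windows\msha32.exe /s
Display_Name: Print Spooler
Name: Spooler
Path: c:\windows\system32\spoolsv.exe
[Running Tasks]
Path: c:\windows\msha32.exe
Version: Not Available
"""

NS_SERVICE_RE = re.compile(r"^_+NS_Service(_\d+)?$", re.IGNORECASE)

def parse_msinfo(text):
    """Split msinfo32-style text into (section, {key: value}) records."""
    records, section, current = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("Machine"):  # skip blanks and "Machine N::"
            continue
        if line.startswith("["):
            section, current = line.strip("[]"), None
            continue
        key, _, value = line.partition(":")
        key = key.strip().replace(" ", "_")  # "Display Name" -> "Display_Name"
        if current is None or key in current:  # a repeated key starts a new entry
            current = {}
            records.append((section, current))
        current[key] = value.strip()
    return records

def suspicious_services(records):
    """Flag services matching the thread's indicators: the display name, the
    __NS_Service naming pattern, and a backing exe without version info."""
    tasks = {r.get("Path", "").lower(): r for s, r in records if s == "Running Tasks"}
    hits = []
    for r in (r for s, r in records if s == "Services"):
        exe = re.sub(r"\s+/s$", "", r.get("Path", "").lower())  # drop the /s argument
        reasons = [tag for tag, hit in (
            ("display name", r.get("Display_Name", "").lower() == "network security service"),
            ("service name pattern", NS_SERVICE_RE.match(r.get("Name", ""))),
            ("no version info", tasks.get(exe, {}).get("Version") == "Not Available"),
        ) if hit]
        if reasons:
            hits.append((r["Name"], exe, reasons))
    return hits
```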
 
C

Craig

It wasn't the same for me, but similar. Here's what I did:

1) went to services.mmc and set network security service to stopped,
startup is disabled.
2) Went to the task manager, and shut down addzy process
3) Ran HiJackThis, found a file called addzy.dll and addzy.exe.
renamed both, as you cannot delete the files.
4) Opened IE. noticed that the browser was opening msmtm.dll as the
default page. renamed this file by putting a certain four letter word
as the extension ;)
5) msmtm could also be found in .dat format. renamed this as well.
6) Copy/paste shell.dll from a working computer to the system32
directory.
7) Launched the older app - works fine. Launched IE - blank page.
Launched the old app again...works fine!

8) reboot. everything still working.

I hope this helps someone else. this was a horrible one to figure out.
Thanks Steve and Gary for giving me some paths to look down.

Craig
back_focusatyahoodotcom
 
N

NTidd

If you have the "network security service" keep starting up on you,
set the service to login under a username and password but change the
password after it is set so it won't match.
 
