Charles said:
I came up with a missing "shell.dll" file when trying to
use a business program (metroscan for windows).
I found the file on c drive, copied it, opened windows
system 32, and pasted it there. The program then will
open. The problem is that "shell.dll" will not stay in
the system 32 folder and I have to do all of the above
over again. What does it take to keep the file saved in
the system 32 folder?
Thanks!
Charles
An interesting thing was found by another poster, Joe Parish. Here's a
bit of his post:
".. concrete difference I've been able to find is a service with a
display name of "Network Security Service" called "__NS_SERVICE_3". I
only have before logs on 8 other machines. Out of all 10 machines 7
have that service, named
"__NS_SERVICE", "__NS_SERVICE_2", or "__NS_SERVICE_3" with what appears
to be a randomly named EXE in c:\windows\system32. Right now it's the
only real good lead I've seen. Trendmicro calls it TROJ_AGENT.Z2, but
the tech details make no mention of shell.dll. I've done a bit of
digging, but not come up with anything else to tie any TROJ_AGENT
variants to this problem."
Apparently this service is coming from the CoolWeb Search malware, which
makes itself into this service. This explains why we've been seeing a
rash of "shell.dll missing" posts in the newsgroup lately. So I'd
disable the service in Safe Mode and do all the "normal" spyware
removal steps (which are getting longer and more complicated):
Remove spyware with Spybot Search & Destroy from www.safer-networking.org
and Ad-aware from www.lavasoftusa.com. Be sure
to update these programs before running them. These programs are free,
so run them both since they complement each other. It is best to run
antivirus and spyware removal tools in Safe Mode. You may also need to
run CWShredder and HijackThis from
http://www.spywareinfo.com/~merijn/index.html.
Please read the instructions carefully and do not post your HijackThis
log in this newsgroup. A great resource for dealing with spyware is the
forum on http://www.spywareinfo.com and the forums on www.aumha.org.
Also, make sure you've visited Windows Update and applied all security
patches. Make sure you are running a firewall and a current antivirus
with updated definitions.
Malke
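
A read-only check for the lead quoted above, added here as an example and not part of the original posts: it lists services whose name or display name matches what Joe Parish reported and shows where each binary lives. The function name and output fields are hypothetical; the name pattern and display name are taken from the thread, and a current PowerShell with `Get-CimInstance` is assumed.

```powershell
# Added example: look for the service names reported in this thread.
# Name pattern and display name come from the quoted post; the function
# name and output field names are hypothetical.
function Find-NsServiceLead {
    [CmdletBinding()]
    param(
        # Matches __NS_SERVICE, __NS_SERVICE_2, __NS_SERVICE_3, ...
        [string]$NamePattern = '^__NS_SERVICE(_\d+)?$',
        [string]$DisplayName = 'Network Security Service'
    )

    $sys32 = Join-Path $env:SystemRoot 'System32'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match $NamePattern -or $_.DisplayName -eq $DisplayName } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; keep only the EXE path.
            $exe = if ($_.PathName -match '^\s*"?(.+?\.exe)') { $Matches[1] } else { $_.PathName }

            # A missing or unsigned binary is not proof of anything, only context.
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                Name       = $_.Name
                DisplayName = $_.DisplayName
                State      = $_.State
                StartMode  = $_.StartMode
                ExePath    = $exe
                InSystem32 = ($exe -like "$sys32\*")
                Signature  = $sig
            }
        }
}

# Report only; nothing is changed on the machine.
Find-NsServiceLead | Format-List
```

An empty result means no service with those names is registered. Disabling a reported service is a separate step, done in Safe Mode as described above.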