S.Sengupta said:
Hi,
shell.dll is an integral part of the Windows. Start>Run and type in
"sfc /scannow">Enter
regards,
ssg MS-MVP
pronetworks.org
An interesting thing was found by another poster, Joe Parish. Here's a
bit of his post:
".. concrete difference I've been able to find is a service with a
display name of "Network Security Service" called "__NS_SERVICE_3". I
only have before logs on 8 other machines. Out of all 10 machines 7
have that service, named "__NS_SERVICE", "__NS_SERVICE_2", or
"__NS_SERVICE_3" with what appears to be a randomly named EXE in
c:\windows\system32. Right now it's the only real good lead I've seen.
Trendmicro calls it TROJ_AGENT.Z2, but the tech details make no mention
of shell.dll. I've done a bit of digging, but not come up with anything
else to tie any TROJ_AGENT variants to this problem."
As I said in that post, apparently this service is coming from the
CoolWeb Search malware, which makes itself into this service. This
explains why we've been seeing a rash of "shell.dll" missing posts in
the newsgroup lately. So I'd disable the service in Safe Mode and do
all the "normal" spyware removal steps (which are getting longer and
more complicated), i.e.:
Remove spyware with Spybot Search & Destroy from
www.safer-networking.org and Ad-aware from
www.lavasoftusa.com. Be sure
to update these programs before running them. These programs are free,
so run them both since they complement each other. It is best to run
antivirus and spyware removal tools in Safe Mode. You may also need to
run CWShredder and HijackThis from
http://www.spywareinfo.com/~merijn/index.html . Please read the
instructions carefully and do not post your HijackThis log in this
newsgroup. A great resource for dealing with spyware is the forum on
http://www.spywareinfo.com. Also, make sure you've visited Windows
Update and applied all security patches. Make sure you are running a
firewall and a current antivirus with updated definitions.
Malke
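
A way to check a machine for the service indicator quoted above (service name "__NS_SERVICE", "__NS_SERVICE_2" or "__NS_SERVICE_3", display name "Network Security Service", executable in system32), as an added example that is not part of the original posts. The function name `Find-NsServiceIndicator` is hypothetical, the sample rows and the executable name in them are constructed, and the live query assumes PowerShell 3.0 or later.

```powershell
function Find-NsServiceIndicator {
    [CmdletBinding()]
    param(
        # Any object with Name, DisplayName and PathName (the shape of Win32_Service).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Service
    )
    process {
        # Name pattern and display name are the ones reported in the thread.
        $nameHit    = $Service.Name -match '^__NS_SERVICE(_\d+)?$'
        $displayHit = $Service.DisplayName -eq 'Network Security Service'
        if (-not ($nameHit -or $displayHit)) { return }

        # PathName may be quoted and may carry arguments; keep only the executable.
        # Unquoted paths are cut at the first space, which is enough for system32.
        $exe = if ($Service.PathName -match '^\s*"([^"]+)"') {
            $Matches[1]
        } elseif ($Service.PathName) {
            ($Service.PathName.Trim() -split '\s+')[0]
        } else {
            $null
        }

        # The thread reports the EXE sitting directly in \windows\system32.
        $inSys32 = $exe -and ($exe -match '\\windows\\system32\\[^\\]+\.exe$')

        [pscustomobject]@{
            Name             = $Service.Name
            DisplayName      = $Service.DisplayName
            Executable       = $exe
            NameMatch        = [bool]$nameHit
            DisplayNameMatch = [bool]$displayHit
            ExeInSystem32    = [bool]$inSys32
        }
    }
}

# Constructed sample rows (not taken from any real machine) so the check runs offline.
$sample = @(
    [pscustomobject]@{ Name = '__NS_SERVICE_3'; DisplayName = 'Network Security Service'
                       PathName = 'C:\WINDOWS\system32\example-random-name.exe' }
    [pscustomobject]@{ Name = 'Dhcp'; DisplayName = 'DHCP Client'
                       PathName = 'C:\WINDOWS\system32\svchost.exe -k netsvcs' }
)
$sample | Find-NsServiceIndicator | Format-Table -AutoSize

# On a live system:
# Get-CimInstance Win32_Service | Find-NsServiceIndicator
```

Only the first sample row is reported. A hit on the display name alone, without the name pattern, is worth a manual look rather than being treated as confirmation.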