shell32.dll

[dan]

So... I ran MSAS for the first time today, and while
toying around System Explorers, I stumbled upon this:

URL Exec Hook
This is an unknown Shell Excecute Hook.

Name: Microsoft Windows Shell Common Dll
Description: Windows Shell Common Dll
Publisher: Microsoft Corporation
File path: C:\WINDOWS\system32\shell32.dll
File version: 6.0.2900.2149

The scan, or those freaky 'agents' say nothing about it,
however. Bottom line, what the heck is this? How can this
be unknown? Did something / someone replace my original
shell32.dll? What puzzles me, first of all is the file
version... still, I believe it got updated along with IE,
or something... but I am not enough of a techie to figure
it out... humm...

 

[Bill Sanderson]

What version of Windows, and what SP? Here's what I get:

URL Exec Hook

This is a known Shell Excecute Hook.

Name: Microsoft Windows Shell Common Dll

Description: Windows Shell Common Dll

Publisher: Microsoft Corporation

File path: E:\WINDOWS\system32\shell32.dll

File version: 6.0.2900.2578

Technical Details:

CLSID: {AEB6717E-7E19-11d0-97EE-00C04FD91972}

Original file name: SHELL32.DLL

MD5: 5db5f53f801b616f4b4b7cae6ee7d1c6

So--I don't think your version numbers are out of line, but it'd be nice to
know why it is listed as unknown. My first thought is not compromise--more
like beta issue--but then I tend to be optimistic, which may not be the
right response with security issues.
(you can click in the right panel and do ctrl-a, ctrl-c to copy--play with
it)

 

[Guest]

Oh... I totally forgot that -- could this be it? I run Win
XP, SP2 *RC 2* (never bothered to install the final, b/c I
have no apparent problems and I somehow thought that a RC
should be almost identical...)

CLSID identical - {AEB6717E-7E19-11d0-97EE-00C04FD91972})

MD5 different - c89c9f7be219976d894feb91bac07277 obviously

(these were not displayed when I posted - had to check a
box in General settings)

Thanks.

 

[Bill Sanderson]

I think that could easily be the explanation--I thought that final set of
digits looked familiar--that'd be a build number, I think.

They probably would intentionally not want to show a beta code release as
"legal"--they are supposed to expire (in terms of the license anyway.)

As I recall, an upgrade of the final over an RC build is supported, so you
can do that, if you want to---I don't know of any issues with staying where
you are, but in fact, the license to use those bits expired some short time
after the SP went gold, as I recall.

 

[Robin Walker [MVP]]

Oh... I totally forgot that -- could this be it? I run Win
XP, SP2 *RC 2* (never bothered to install the final, b/c I
have no apparent problems and I somehow thought that a RC
should be almost identical...)

Aren't the betas and RCs all time-bombed?

 

[Ron Kinner]

I saw the same Unknown Shell32.dll thing on an XP SP2 with
all updates two days ago. The funny thing was that right
beneath it was AntiSpy's own shell hook and it was also
labeled as Unknown!

On my own Win2K SP4 with all updates it recognizes both
today without a problem.

 

[Pug]

I ended up here after encountering a similar problem on a
girlfriend's machine.
shell32.dll and also the ASbeta itself both display as
unknown, yet running it on my machine shows both as known
(I used the same install executable too, which was
downloaded onto my machine before being transferred to
her's by thumbdrive).

I have no explanation for why her ASbeta might be seen as
'modified' but might have a clue about her shell32.dll.
As far as I can tell, she has had an alternative GUI shell
installed at some time in the past (an nVidia one, I
believe) which , when uninstalled, failed to restore her My
Computer, Network Places & Recycle Bin icons.
As I believe these may be linked to shell32.dll, I'm
wondering if it this which flags it as being potentially
modified from the original version.

I did try an 'SFC /SCANNOW' from the command prompt but if
it replaced shell32, it didn't tell me. :-\


[OffTopic] Found two spelling errors so far, too...

 

[Bill Sanderson]

Are both machines on the same definitions level (Help, about?)
Ignore spelling and grammar for the time being--that's being reworked.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

I ended up here after encountering a similar problem on a
girlfriend's machine.
shell32.dll and also the ASbeta itself both display as
unknown, yet running it on my machine shows both as known
(I used the same install executable too, which was
downloaded onto my machine before being transferred to
her's by thumbdrive).

I have no explanation for why her ASbeta might be seen as
'modified' but might have a clue about her shell32.dll.
As far as I can tell, she has had an alternative GUI shell
installed at some time in the past (an nVidia one, I
believe) which , when uninstalled, failed to restore her My
Computer, Network Places & Recycle Bin icons.
As I believe these may be linked to shell32.dll, I'm
wondering if it this which flags it as being potentially
modified from the original version.

I did try an 'SFC /SCANNOW' from the command prompt but if
it replaced shell32, it didn't tell me. :-\


[OffTopic] Found two spelling errors so far, too...

-----Original Message-----
So... I ran MSAS for the first time today, and while
toying around System Explorers, I stumbled upon this:

URL Exec Hook
This is an unknown Shell Excecute Hook.

Name: Microsoft Windows Shell Common Dll
Description: Windows Shell Common Dll
Publisher: Microsoft Corporation
File path: C:\WINDOWS\system32\shell32.dll
File version: 6.0.2900.2149

The scan, or those freaky 'agents' say nothing about it,
however. Bottom line, what the heck is this? How can this
be unknown? Did something / someone replace my original
shell32.dll? What puzzles me, first of all is the file
version... still, I believe it got updated along with IE,
or something... but I am not enough of a techie to figure
it out... humm...
.