shellexp.exe popup

Discussion in 'malware problems & news' started by doug52, Aug 23, 2003.

Thread Status:
Not open for further replies.
  1. doug52

    doug52 Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    1
    I have recently been getting a shellexp.exe popup. Here is the hijack this log. Any help would be appreciated.

    Logfile of HijackThis v1.96.1
    Scan saved at 11:04:54 AM, on 8/23/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\NETIQ\ENDPOINT\ENDPOINT.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\SHELLEXP.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HIJACK\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.sbmu.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ok-search.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s
    R3 - URLSearchHook: (no name) - {F08555B0-9CC3-11D2-AA8E-000000000000} - (no file)
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [NetIQ Endpoint] C:\PROGRA~1\NETIQ\ENDPOINT\ENDPOINT.EXE
    O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\SYSTEM\shellexp.exe en
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O15 - Trusted Zone: *.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/15a7ea4aba5da0e61d17/netzip/RdxIE.cab
    O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.berkeley.edu/webcams/camera.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37772.2074305556
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sbmu.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 65.174.26.9,199.170.121.15
    O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi doug,

    Well, the first thing you should do is terminate the running instance of shellexp.exe. Go into the task manager and end the C:\WINDOWS\SYSTEM\SHELLEXP.EXE process.

    Once it's stopped, you'll be able to delete that file out of the SYSTEM folder. And, of course, you can use HijackThis to check and fix this entry:

    O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\SYSTEM\shellexp.exe en

    Now, as to where else it may be hiding... From this other thread on shellexp.exe there may be a related file you could look for: comctl_32.exe, though it wasn't present on that person's system.

    Two of your search strings look bad to me and should be fixed. You should close all Internet Explorer windows (well, actually, closing all windows and apps other than HijackThis is recommended when fixing things) prior to fixing these with HijackThis...

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ok-search.com/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s

    That, unfortunately, is as much as I know about this, since hijacked browsers aren't my specialty. You could fix these, reboot, and see if that has helped. It would be good to generate a new HijackThis log and post it here for when the experts on other hijacks arrive.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi doug,

    After following LowWaterMark's advice on shellexp.exe, which is the most urgent matter, please continue as follows.

    Download, unzip and run: http://www.spywareinfoforum.com/~merijn/files/cwshredder.zip

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - {F08555B0-9CC3-11D2-AA8E-000000000000} - (no file)

    O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL (file missing)

    O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe

    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/15a7ea4aba5da0e61d17/netzip/RdxIE.cab

    Reboot after doing so, preferably into safe mode
    and delete:
    C:\Program Files\Srng <= entire folder

    Please also do a Find files for comctl_32.exe and if you find it mail it to the addy in my profile. Been trying to get my hands on that file for weeks now. :(

    What surprises me is that you noticed shellexp.exe, but didn't complain about internet actions being terribly slow (CWShredder will take care of that).

    Regards,

    Pieter
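A small triage script, added here as an example and not part of the thread or of HijackThis itself, that walks log lines in the format posted above and flags the patterns the replies act on: orphaned CLSID references marked "(no file)" or "(file missing)", the HKCU Run entry named Explorer that actually launches shellexp.exe, the RdxIE ActiveX download from a bare IP address, and search settings pointing at the hijacker hosts named in the replies. The sample lines are copied from the posted log; the block list of search hosts is constructed from this thread and is an assumption, not a maintained list.

```python
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted in this thread (raw string keeps the backslashes).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ok-search.com/search.html
R3 - URLSearchHook: (no name) - {F08555B0-9CC3-11D2-AA8E-000000000000} - (no file)
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\SYSTEM\shellexp.exe en
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.104/15a7ea4aba5da0e61d17/netzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# Constructed block list: the search/start-page hosts the replies in this thread call out as hijacked.
BAD_SEARCH_HOSTS = {"ok-search.com", "www.searchxp.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Matches the registry-Run form of O4 lines: HKxx\..\Run: [Name] command
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def suspicious_entries(log_text):
    """Return a list of (section, reason, line) for entries a reviewer should look at."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            hits.append((sec, "orphaned reference to a missing file", line))
        elif sec in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if urlparse(url).hostname in BAD_SEARCH_HOSTS:
                hits.append((sec, "search/start page points at a known hijacker host", line))
        elif sec == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe = o4.group("cmd").split()[0].rsplit("\\", 1)[-1].lower()
                # A Run value named "Explorer" should launch explorer.exe, not something else.
                if o4.group("name").lower() == "explorer" and exe != "explorer.exe":
                    hits.append((sec, "run entry named like Explorer but launches " + exe, line))
        elif sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
                hits.append((sec, "ActiveX download from a bare IP address", line))
    return hits
```

Running `suspicious_entries(SAMPLE_LOG)` reports the R0, R3, O2, O4 and first O16 lines and leaves the legitimate toolbar, TaskMonitor and QuickTime entries alone.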
     
  4. solcomputer

    solcomputer Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    1
    :D Hello people

    Since tonight I'm a member of this forum.
    Thanks to all of you I got rid of the shellexp.exe.
    Well explained, even for a newcomer like me.
    Maybe I can contribute some help with translation,
    I'm German with fluent English and Spanish.

    Have a good night
    Pura vida

    Matthias :)
     
  5. Rev.Bob

    Rev.Bob Guest

    Thanks for the pointer, I got the shellexp in our system too. "God Bless You and Hijack this..."
     
  6. pepperh

    pepperh Registered Member

    Joined:
    Nov 3, 2003
    Posts:
    2
    Trying to get rid of shellexp.exe in my nephew's computer. I can no longer start in safe mode. I continue to delete shellexp.exe from windows\system but when rebooting in safe mode the system stops loading at the windows background with no processes running after very briefly displaying something about explorer in the lower left corner. Now, whenever I boot to safe mode shellexp.exe is again created in windows\system. I guess I need a method to remove its creation from a DOS prompt.

    At one time I was able to boot into safe mode and remove the shellexp.exe in HKCU\...\run. I also removed msapp.exe from HKLM\...\run and removed the adware folder at the same time.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi pepperh,

    Welcome at Wilders. :)
    Could you post your HijackThis log?
    Download, unzip and run HijackThis. Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  8. pepperh

    pepperh Registered Member

    Joined:
    Nov 3, 2003
    Posts:
    2
    Thanks for the response Pieter. At the time of my original post, I was not able to run the Windows GUI even in safe mode. I also don't have the HijackThis program. However, since my first post, I have been able to remove shellexp.exe without it returning and all looks fine for now.

    Again, thanks for the reply.
     