missing shell.dll

  1. #1
    rannoch is offline Elite Member

    I have a problem which involves the shell.dll

    When initiating a specific program the message shell.dll missing comes up. I copied the shell.dll from system32 to system, and the program worked OK.

    I then re-booted, and tried again - same problem shell.dll missing. Tried again several times, and same result.

    Any help much appreciated.

    Regards,

    Rannoch


  2. #2
    jephree is offline ¨*·.¸ «.·°·..·°·.» ¸.·*¨
    This is a post I found re: the same problem as yours:

    Apparently this service is coming from the CoolWeb Search malware, which
    makes itself into this service. This explains why we've been seeing a
    rash of "shell.dll missing" posts in the newsgroup lately. So I'd
    disable the service in Safe Mode and do all the "normal" spyware
    removal steps (which are getting longer and more complicated),
    i.e.: Remove spyware with Spybot Search & Destroy from
    www.safer-networking.org and Ad-aware from www.lavasoftusa.com. Be sure
    to update these programs before running them. These programs are free,
    so run them both since they complement each other. It is best to run
    antivirus and spyware removal tools in Safe Mode. You may also need to
    run CWShredder and HijackThis from
    http://www.spywareinfo.com/~merijn/index.html. Please read the
    instructions carefully and post your HijackThis log in this
    forum. Also, make sure you've visited Windows
    Update and applied all security patches. Make sure you are running a
    firewall and a current antivirus with updated definitions.

  3. #3
    rannoch is offline Elite Member
    Downloaded Spybot, Ad-aware and CWShredder.

    Disabled the service.

    Ran Spybot and Ad-aware and found various programs, and references to the Coolweb Search mentioned. A trojan was also found: startpage.9.ay
    Zapped all problems (not the trojan), and then ran CWShredder.


    Made sure shell.dll was in system and system32.

    Shut down machine, and then booted up.

    Everything worked OK. The program which didn't execute, and had the "shell.dll missing" message worked OK - no shell.dll missing message.

    As a final precaution ran AVG which found startpage.9.ay but couldn't zap.

    Tried to execute the program again OK - no missing shell.dll message.

    Shut down machine, and re-started.

    Oh dear (or words to that effect) the problem is back.

    Ran spybot and ad-aware. Ad-aware sees the Coolweb files - supposedly zaps them, and I re-boot.
    Ran spybot and ad-aware again. Ad-aware again sees the Coolweb files.
    Can't get rid of them.

    Ran hijackthis - log below.

    Any advice much appreciated.

    Thanks,

    Rannoch

    Logfile of HijackThis v1.97.7
    Scan saved at 11:37:19, on 27/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\WHAND3.INI:docdr
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\system32\syswf.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Faither\Application Data\My-disgo\MyKey disgo.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\Program Files\Starfish\TrueSync\TSTool.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\sllights.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\System32\wuauclt.exe
    D:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {147910CC-E564-44A8-2EDA-3D0FCD283F61} - C:\WINDOWS\apixw32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ActivDRVAutostart] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVcontrol.exe /startup
    O4 - HKLM\..\Run: [ACTIVfilter] C:\Program Files\ACTIV Software\ACTIVdriver\ACTIVfilter.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [syswf.exe] C:\WINDOWS\system32\syswf.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\Faither\Application Data\My-disgo\MyKey disgo.exe
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\TSTool.exe
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...966.0080902778
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B82637D2-6CEB-45C6-9AFC-2DC3085E6732}: NameServer = 195.92.195.94 195.92.195.95

  4. #4
    HippyWarlock is offline Elite Member
    Could it be that your dll is being reinstated on each boot from the i386 lib?


    Windows XP

    size - 5,120

    date - 8/17/2001

    loc: \i386

  5. #5
    DJNafey is offline UK site moderator
    This line looks a bit odd but I can't find any reference to it anywhere:

    C:\WINDOWS\WHAND3.INI:docdr


    Close all running programs and run HiJackThis again. Select the following entries to be fixed:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\swhpr.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\swhpr.dll/sp.html#96676

    Reboot. Is it fixed?

    Reboot again. Is it still fixed?!

    If you still have the problem, it may be worth downloading and running Bazooka Adware and Spyware Scanner from here: http://www.kephyr.com/spywarescanner/index.html. I haven't used it myself (so do so at your own risk) but it does detect a number of variants of CoolWebSearch and has been updated quite regularly.

    Let us know if that helps
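
A triage sketch for the log discussed in this thread, added here as an example (not code from any poster or from HijackThis itself). It parses a HijackThis-style log and flags two patterns visible in the posted log: IE search settings whose value is a `res://` URL into a DLL named by absolute path, and a running-process path in NTFS `file:stream` (alternate data stream) form. The function names and both heuristics are assumptions of this example; the sample lines are copied from the log in post #3.

```python
import re

# Excerpt of the HijackThis log posted in this thread (lines copied from post #3).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\WHAND3.INI:docdr
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\swhpr.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: (no name) - {147910CC-E564-44A8-2EDA-3D0FCD283F61} - C:\WINDOWS\apixw32.dll
O4 - HKLM\..\Run: [syswf.exe] C:\WINDOWS\system32\syswf.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# Heuristic (assumption): res:// URL serving a page out of a DLL given by absolute local path.
RES_LOCAL_DLL_RE = re.compile(r"res://[A-Za-z]:\\[^/]+\.dll/", re.IGNORECASE)
# Heuristic (assumption): drive-letter path with a second colon, i.e. NTFS "file:stream" syntax.
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\[^:]+:[^\\/:]+$")

def parse_log(text):
    """Split a log into (running process paths, [(section code, entry body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R/O entry ends the process list
            entries.append((m.group("code"), m.group("body")))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def triage(text):
    """Return (finding, detail) pairs for entries worth a closer look."""
    processes, entries = parse_log(text)
    findings = [("process-from-ads", p) for p in processes if ADS_PATH_RE.match(p)]
    for code, body in entries:
        if code in ("R0", "R1") and "=" in body:
            key, value = (s.strip() for s in body.split("=", 1))
            if RES_LOCAL_DLL_RE.search(value):
                findings.append(("ie-search-res-dll", key))
    return findings
```

The findings are prompts for review, not verdicts: each flagged item still has to be checked against the files on disk before anything is removed.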

  6. #6
    DJNafey is offline UK site moderator
    Ooops, how did I end up in here?! - I thought I was helping with a Windows 2000 problem, lol !

    .....hopefully that brief exposure to Windows XP won't cause me any permanent damage ......

  7. #7
    HippyWarlock is offline Elite Member
    Just glanced at your HJT after seeing references to BackOffice whilst answering your question, when I saw this:

    backWeb-7288971.exe

    Now I'm no virus or HJT wizard, but I'd repost this in the HJT arena:
    Spyware adware etc.

    SORRY - Read up on it = OK program, just a daft name to give it really.
    Last edited by HippyWarlock; 31-08-2004 at 12:20 AM. Reason: made a mistake

  8. #8
    HippyWarlock is offline Elite Member
    DJ - That made me feel a whole lot better, so it's not just me then :-)

  9. #9
    rannoch is offline Elite Member
    Hello DJNafey,

    Followed your instructions.

    The missing shell.dll problem has been eradicated.

    Many thanks,

    Rannoch

  10. #10
    DJNafey is offline UK site moderator
    Excellent - thanks for the update
