shell32.dll trying to add toolbar to IE



#1 mortod

Posted 09 February 2009 - 11:24 AM

Is this a problem - Windows Defender is reporting the following:

Summary:
Internet Explorer Add-ons change occurred.

This agent monitors additions to IE, such as new toolbars, browser helper objects, and ActiveX controls. These add-ons can automatically run when IE is started.

Path:
C:\WINDOWS\system32\SHELL32.dll

Detected changes:
clsid:
HKLM\SOFTWARE\CLASSES\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

regkey:
HKLM\SOFTWARE\CLASSES\CLSID\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

regkey:
HKCU@S-1-5-21-789336058-287218729-1417001333-1015\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

ieexplorerbar:
HKCU@S-1-5-21-789336058-287218729-1417001333-1015\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}

file:
C:\WINDOWS\system32\SHELL32.dll

Advice:
Permit this detected item only if you trust the program or the software publisher.


Note that I have recently modified shell32.dll to make my XP icons more Vista like (hence I do not automatically trust it). However, rather than just download one of the shell32.dll files readily available, I instead modified the original with resHacker, copying resources over from one of those downloaded shell32.dll files. But I suppose it is possible for a resource to be the source of an infection too?

Is it normal for shell32.dll to change the registry as above? If not, then I'll attempt to re-create my shell32.dll again. Any input appreciated.


#2 garmanma

Posted 09 February 2009 - 08:50 PM

Is it normal for shell32.dll to change the registry as above? If not, then I'll attempt to re-create my shell32.dll again. Any input appreciated.

I would say no, but I'm not positive. I just wanted to bump this so it wouldn't get buried
Mark

#3 usasma

Posted 10 February 2009 - 07:20 AM

I would presume that, if you've modified shell32.dll, then anything that relies on using it would generate the changes.
For example, I suspect that this CLSID affects the MRU list for your search history (can't quite pin it down with google yet).
If that is the case, then any changes in the MRU list will generate an access in shell32.dll.
If shell32.dll has been changed, then it's likely that this'll continue to happen.

So, what to do? - well, first do a bunch of scans to ensure that you're not infected. Here's a listing of free online scans: http://www.bleepingcomputer.com/blogs/usas...?showentry=1252

Once you're sure that you're not infected, then I'd cautiously accept the advice:

Advice:
Permit this detected item only if you trust the program or the software publisher.


- John (my website: http://www.carrona.org/ )
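
A read-only check of what the alert in post #1 points at, added here as an example and not part of the thread: it resolves the CLSID from the alert to the DLL that implements it, confirms whether the per-user Explorer Bar entry exists, and reports the signature state of that DLL. It assumes Windows PowerShell 5.1 on Windows 10 or later, where `Get-AuthenticodeSignature` also evaluates catalog signatures; the function name `Get-DefaultValue` and the report field names are made up for this example.

```powershell
# Added example. The CLSID is copied from the Windows Defender alert in post #1.
$clsid    = '{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}'
$expected = Join-Path $env:SystemRoot 'system32\shell32.dll'

# Keys named in the alert: the machine-wide COM class and the per-user Explorer Bar entry.
$classKey = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid"
$barKey   = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\$clsid"

# Hypothetical helper: read a key's default value, or nothing if the key is absent.
function Get-DefaultValue([string]$KeyPath) {
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }   # GetValue expands %SystemRoot% in REG_EXPAND_SZ data
}

$server = Get-DefaultValue "$classKey\InprocServer32"

$report = [ordered]@{
    ClassName         = Get-DefaultValue $classKey
    InprocServer32    = $server
    PointsAtShell32   = [bool]($server -and ($server -ieq $expected))
    ExplorerBarExists = (Test-Path -LiteralPath $barKey)
}

# Signature state of the DLL that the class actually loads.
if ($server -and (Test-Path -LiteralPath $server)) {
    $sig = Get-AuthenticodeSignature -FilePath $server
    $report.SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
    $report.SignatureType   = $sig.SignatureType   # Authenticode or Catalog (PowerShell 5.1+)
    $report.IsOSBinary      = $sig.IsOSBinary
    $report.Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
}

[pscustomobject]$report
```

A shell32.dll whose resources were edited no longer matches the hash Microsoft signed, so `SignatureStatus` is expected to be something other than `Valid` for it; `sfc /scannow` restores the original file if that is the goal.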



