Re: shelldrv.exe
- From: "Papageno" <papa@xxxxxxxx>
- Date: Mon, 26 Mar 2007 23:08:14 -0400
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:CQ_Nh.4207$xE.1496@xxxxxxxxxxx
From: "Papageno" <papa@xxxxxxxx>
| Has anyone seen this "shelldrv.exe" in C:\Windows\system32 ?
| It does not show up as a virus (AVG).
| But it's running without showing up in the Task Manager, which is
| suspicious.
| System was a little slow, and I'd get a popup at login which lasted barely
| long enough to read the file name along with some other text.
| I could not delete it from Windows, so I went in with Safe Mode to get rid
| of it. (I saved a copy.)
| When running, it creates a file called "shelldrv" in C:\Windows\system32,
| which seems to keep a log of recently run programs. If you delete that file,
| it builds a new one.
| A search on microsoft.com turned up nothing about "shelldrv.exe". Nor did
| Google.
Please submit a sample of "shelldrv.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.
Thanks for the info.
Okay, did that.
It's a bad boy ... but I still don't know what kind of mischief it does.
Anyway, I now **do** know that I have to purge it. And also the registry key
that it created:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{15A74989-5015-B6D4-0008-080602010204}
Here are the results.
AntiVir            7.3.1.44        3/26/2007  ADSPY/DollarRvenue.J
ClamAV             devel-20070312  3/27/2007  Trojan.Pakes-248
Fortinet           2.85.0.0        3/26/2007  suspicious
Ikarus             T3.1.1.3        3/26/2007  Backdoor.VB.EV
Sunbelt            2.2.907.0       3/24/2007  VIPRE.Suspicious
Webwasher-Gateway  6.0.1           3/26/2007  Ad-Spyware.DollarRvenue.J
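
Added example, not part of the original thread: offline triage of a regedit export, listing Active Setup "Installed Components" entries whose StubPath value names a given file. The sample export is constructed; the thread gives only the key and the file name, so the StubPath contents (and that the key points at shelldrv.exe) are assumptions.

```python
import re

ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Constructed regedit export. Key name from the thread; StubPath values assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{15A74989-5015-B6D4-0008-080602010204}]
"StubPath"="C:\\WINDOWS\\system32\\shelldrv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
@="Constructed benign component"
"StubPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,61,00,2e,00,65,00,78,00,65,00,00,00
'''

def decode_value(raw):
    """Decode REG_SZ and REG_EXPAND_SZ (hex(2)) data; return other types as text."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw.strip()[1:-1])   # undo \\ and \" escapes
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: data}} from regedit export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)      # join hex continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = decode_value(m.group(2))
    return keys

def find_stubs(text, file_name):
    """(component id, StubPath) pairs under Active Setup whose StubPath names file_name."""
    prefix = ACTIVE_SETUP.lower() + "\\"
    hits = []
    for key, values in parse_reg(text).items():
        stub = next((v for n, v in values.items() if n.lower() == "stubpath"), None)
        if key.lower().startswith(prefix) and stub and file_name.lower() in stub.lower():
            hits.append((key[len(prefix):], stub))
    return hits

if __name__ == "__main__":
    for component, stub in find_stubs(SAMPLE_REG, "shelldrv.exe"):
        print(component, "->", stub)
```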