Question about shell32.dll change

This may take a while to explain!

Today I ran an AVG 'system areas' scan (very short) and received a warning
that a change had occurred in C:\Windows\System32\shell32.dll. I was given
two options - ignore or confirm change - with no other information offered. I
chose 'ignore'.

This seemed odd, because I run a 'complete' AVG test regularly, so I checked
the configuration for the 'complete test', and discovered that the option for
'run system areas test at start' was unchecked (it seems, by default). So all
these months that I've been assuming a complete test was a complete test,
I've been mistaken. (There are times when the sheer obscurity of the AVG
interface drives me nuts!)

What this means, then, is that sometime in the last couple of months (i.e.
since I last ran a simple 'AVG system areas test'), a change has occurred to
the Shell32.dll file, but AVG has only today detected it because it hasn't
been doing the system areas scan that I assumed it was doing whenever I ran a
'complete' scan. Finally I ran the scan again, this time chose 'confirm
change' when the warning came up, and now it doesn't make a fuss.

But I have no idea what the shell32.dll file is, nor whether this belatedly
detected change (whatever it was) is of any significance, nor whether I've
done the right thing. I should add that none of my other scanners (Defender,
a-squared, Adaware, Spybot, and Superantispyware) have found anything
unusual. Can anyone advise, please?
 
Alan D said:
Can anyone advise, please?

I think I can now at least partly advise myself! Googling around, I see that
AVG puzzles a lot of users with this response. My understanding now is that
shell32.dll can be changed by a number of legitimate processes, including
Windows updates; so I'm pretty sure that's what's being recorded here by AVG.
I scanned the file at Virustotal as an extra check, and of course it came up
clean.

This is another of those communications areas where AVG does very badly,
generating needless fuss purely because of the obfuscatory character of its
messages.
 
Hi Alan,

KB928255 changed the "shell32.dll" file to patch its latest vulnerability.
The patched version of this file is 6.00.2900.3051. I don't use your
Antivirus product, but you can safely confirm the change to this file.

Donald Anadell
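
Added example, not part of any post in this thread: one way to check a change like this yourself is to compare the file's numeric version fields against the build quoted above and look at its Authenticode signature. The function name Test-SystemFileChange and its verdict labels are made up for this illustration, and the default expected version only applies to the system discussed here.

```powershell
# Added example (hypothetical helper): is a changed system DLL a signed, expected build?
function Test-SystemFileChange {
    param(
        [string]$Path = "$env:SystemRoot\System32\shell32.dll",
        # Default is the patched shell32.dll version quoted in the thread.
        [version]$ExpectedVersion = '6.0.2900.3051'
    )

    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Use the numeric fields: the FileVersion string may carry a trailing build
    # label, which breaks a plain string comparison.
    $parts  = $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $actual = New-Object -TypeName System.Version -ArgumentList $parts

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $isMs   = $signer -like '*O=Microsoft Corporation*'

    $verdict = switch ($sig.Status) {
        # File bytes no longer match what was signed.
        'HashMismatch' { 'ContentDoesNotMatchSignature'; break }
        # System files are commonly catalog-signed; an environment that does not
        # resolve catalog signatures reports NotSigned, so this is not a failure.
        'NotSigned'    { 'Inconclusive'; break }
        'Valid' {
            if (-not $isMs) { 'SignedByUnexpectedPublisher' }
            elseif ($actual -eq $ExpectedVersion) { 'ExpectedPatchedBuild' }
            else { 'SignedDifferentBuild' }   # e.g. replaced by a later update
            break
        }
        default { "SignatureProblem:$($sig.Status)" }
    }

    [pscustomobject]@{
        Path     = $Path
        Version  = $actual
        Expected = $ExpectedVersion
        Signer   = $signer
        SHA256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Verdict  = $verdict
    }
}

Test-SystemFileChange | Format-List
```

The SHA256 value can be searched on a multi-engine scanning service instead of uploading the file itself.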
 
Hi Alan, Donald. I was going to ask Robin about this, thinking it was a
problem I had developed. This is what my scan shows:

File          Result/Infection  Path
Kernal32.dll  Change            C:\Windows\System\Kernal32.dll
shell         Change            C:\Windows\System\Shell32.dll
Hosts         Change            C:\Windows\System32\Drivers\Etc\Hosts

Donald, is this related to your answer? Thank you, Ron
 
Donald Anadell said:
KB928255 changed the "shell32.dll" file to patch its latest vulnerability. ...
you can safely confirm the change to this file.

Thanks Donald. It's very helpful to get that confirmation.

Incidentally, the AVG history log labels the change to this file as 'Virus',
just as it does when it finds cookies! I wish they'd get these basic
communications sorted out.....
 
Hi Ron,

Perhaps Robbie can answer your query in more detail about this particular
scan detection:
"AVG detects shell32.dll and kernal32.dll"

But the answer here (By dp, Microsoft Security MVP / 2004-2007 Feb 5, 2007)
seems to indicate that this is of no concern:
http://www.castlecops.com/t170605-AVG_7_5_detects_sporder_dll_as_trojan_true_or_not.html

Not sure about the Hosts file change. Are you using a third party hosts file
that you've changed manually, or another third party security app that
changes or updates your Hosts file? If so, that would most likely explain the
entry in scan results.

Good luck,

Donald Anadell
 
Donald, it's very excellent the amount of help you offer people; I feel very
comfortable with your advice. Point me in Robbie's direction, and thank you
again. Ron
 