
How to remove shell.exe, spoolvs.exe trojan

Myantispyware team, November 26, 2007

Shell.exe and spoolvs.exe are components of a trojan known as TROJ_RENOS.BX, Trojan.Win32.Qhost.abh, Trojan.Dropper, TR/Crypt.XDR.Gen, W32/Blocker-based!Maximus, Mal/TinyDL-T.

Shell.exe and spoolvs.exe trojan symptoms:

  • Start > Settings > Control Panel is missing
  • Taskbar icons informing you of an infection and taking you to a legitimate-looking security panel
  • System pop-ups and IE pop-ups
  • When you start the PC, you may get the message: “Windows cannot find ‘C:\Windows\shell.exe’ Make sure you typed the file name correctly….”

Use the following instructions to remove shell.exe and spoolvs.exe trojan.

1. Run SDFix.

  • Download SDFix.
  • Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory), typically C:\SDFix.
  • Boot your PC in Safe Mode.

    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode

  • Open the SDFix folder and double-click RunThis.bat.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished. Press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also be saved in the SDFix folder as Report.txt (Report.txt will also be copied to the clipboard).

2. Run Malwarebytes Anti-malware.

  • Download Malwarebytes Anti-Malware (MBAM). Close all programs and windows on your computer.
  • Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The shell.exe, spoolvs.exe trojan creates the following files and folders.


If you need help with the instructions, then post your questions in our Spyware Removal forum.


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

10 Comments

  1. Tiff
    ― December 27, 2007 - 8:05 pm

    Thanks fix problems nicely!!!!!!!!!!!

  2. Luke
    ― December 31, 2007 - 10:24 pm

    thanks myantispyware.com, your solution fixed the problem with no harm done. I’ll recommend your site to anyone in need. Cheers

  3. alibaba
    ― January 9, 2008 - 8:48 pm

    Thanks – your procedure helped and saved me a lot of headaches! However, I might have another ’by-product’ of the restoration and don’t know if it is somehow related to the spyware removal. I cannot Change/remove software from the ’Add or Remove programs’ panel. I am going to post the logs to the help forum now.

  4. Richard
    ― January 23, 2008 - 9:50 am

    Hi, I have had this problem for a while and was very excited when I saw this walkthrough, but I can't seem to find vundofix anywhere. Does anyone have any ideas on where to go for it? Thanks

  5. Patrik
    ― January 23, 2008 - 9:57 am

    Richard, the vundofix home site is unavailable now, try downloading later.

  6. Ray
    ― February 7, 2008 - 8:13 am

    Procedure does a great job….just wonder why the need to download HiJack This. It is not used in the procedure.

  7. Patrik
    ― February 7, 2008 - 8:48 am

    HijackThis is needed for only one thing: if the procedure doesn't work, then you should post all logs, including a HijackThis log.

  8. Tim
    ― May 9, 2008 - 4:52 pm

    Thank you. This site is great. Nowhere else was I able to find the answer to this problem.

  9. Priscilla
    ― September 16, 2008 - 12:18 am

    There are 2 accounts on my computer: mine and my dad’s. Both of our accounts were infected. I successfully removed shell.exe from my account after following these instructions, though it took much longer than the programs indicated. Then realized that shell.exe was still on my dad’s account. I tried to follow these instructions to clean my dad’s account the same way as I did mine, however, I could not find my dad’s account when I rebooted the computer to safe mode.

    Now, the worst part is the spyware is back on my account too! Any help would be appreciated.

    Exasperated,
    Priscilla

  10. Patrik
    ― September 16, 2008 - 5:15 am

    Priscilla, I would recommend you follow these instructions.
