Shell.exe and spoolvs.exe are components of a trojan known as TROJ_RENOS.BX, Trojan.Win32.Qhost.abh, Trojan.Dropper, TR/Crypt.XDR.Gen, W32/Blocker-based!Maximus, Mal/TinyDL-T.
Shell.exe and spoolvs.exe trojan symptoms:
- Start -> Settings -> Control Panel is missing
- Taskbar icons inform you of an infection and take you to a legitimate-looking security panel
- System pop ups and IE pop ups
- When you start the PC, you may get the message: “Windows cannot find ‘C:\Windows\shell.exe’ Make sure you typed the file name correctly….”
Use the following instructions to remove shell.exe and spoolvs.exe trojan.
1. Run SDFix.
- Download SDFix.
- Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory), typically to C:\SDFix.
- Boot your PC in Safe Mode.
   1. Restart your computer.
   2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
   3. Instead of Windows loading as normal, a menu should appear.
   4. Select the first option, to run Windows in Safe Mode.
- Open the SDFix folder and double-click RunThis.bat.
- Type Y to begin the cleanup process.
- It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
- Press any key and it will restart the PC.
- When the PC restarts, the Fixtool will run again, complete the removal process and display Finished. Press any key to end the script and load your desktop icons.
- Once the desktop icons load, the SDFix report will open on screen and also be saved in the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard).
2. Run Malwarebytes Anti-malware.
- Download Malwarebytes Anti-malware (MBAM). Close all programs and windows on your computer.
- Double-click mbam-setup.exe to install the application. When the installation begins, keep following the prompts to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The Shell.exe and spoolvs.exe trojan creates the following files and folders.
If you need help with the instructions, then post your questions in our Spyware Removal forum.
Thanks fix problems nicely!!!!!!!!!!!
thanks myantispyware.com, your solution fixed the problem with no harm done. I’ll recommend your site to anyone in need. Cheers
Thanks – your procedure helped and saved me a lot of headaches! However, I might have another 'by-product' of the restoration and don't know if it is somehow related to the spyware removal. I cannot Change/remove software from the 'Add or Remove programs' panel. I am going to post the logs to the help forum now.
Hi, I have had this problem for a while and was very excited when I saw this walkthrough, but I can't seem to find VundoFix anywhere. Does anyone have any ideas on where to go for it? Thanks
Richard, the VundoFix home site is unavailable now; try downloading it later.
Procedure does a great job….just wonder why the need to download HiJack This. It is not used in the procedure.
HijackThis is needed for only one thing: if the procedure doesn't work, then you should post all logs, including a HijackThis log.
Thank you. This site is great. No where else was I able to find the answer to this problem.
There are 2 accounts on my computer: mine and my dad’s. Both of our accounts were infected. I successfully removed shell.exe from my account after following these instructions, though it took much longer than the programs indicated. Then realized that shell.exe was still on my dad’s account. I tried to follow these instructions to clean my dad’s account the same way as I did mine, however, I could not find my dad’s account when I rebooted the computer to safe mode.
Now, the worst part is the spyware is back on my account too! Any help would be appreciated.
Exasperated,
Priscilla
Priscilla, I would recommend you follow these instructions.