Foo Forum

scumware / spyware
Beware of files that have shs file extensions

10+ Year Member

Msg#: 4044 posted 11:36 pm on Jan 11, 2003 (gmt 0)

I just read Marcia's post about a scumware toolbar that replaced her Google toolbar. It reminded me of a little-known Windows-based vulnerability. It is possible to hide scumware / spyware (and other malicious executables) with .shs file extensions.

Shs files can contain any type of file, similar to zipped or rarred files. Potentially, a user can open up an executable file without knowing about it. The specific danger of .shs file extensions is that they do not show in Windows Explorer even if advanced options are set to display all file extensions. The file can appear to be safe because file.txt.shs is displayed as file.txt even though it is a .shs file that may contain an executable file.

The default for the Windows setting is buried in the Registry under the HKEY_CLASSES_ROOT key. Delete the value in the .shs folder that says NeverShowExt.
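
An added example, not part of the original post: a read-only PowerShell audit that lists every extension under HKEY_CLASSES_ROOT whose own key, or the file class named by that key's default value, carries a NeverShowExt value. It generalizes from .shs to all registered extensions; the function name Test-NeverShowExt is hypothetical.

```powershell
# Added example (not from the thread). Read-only: nothing in the registry is changed.
$hkcr = [Microsoft.Win32.Registry]::ClassesRoot

function Test-NeverShowExt([string]$SubKey) {
    # Hypothetical helper: true when HKEY_CLASSES_ROOT\<SubKey> has a value
    # named NeverShowExt (the value's data is irrelevant, only its presence).
    if ([string]::IsNullOrEmpty($SubKey)) { return $false }
    try { $key = $hkcr.OpenSubKey($SubKey) } catch { return $false }
    if ($null -eq $key) { return $false }
    try { return ($key.GetValueNames() -contains 'NeverShowExt') }
    finally { $key.Close() }
}

# Extension keys are the subkeys whose name starts with a dot (.shs, .lnk, ...).
$extensions = $hkcr.GetSubKeyNames() | Where-Object { $_ -like '.*' }

$findings = foreach ($ext in $extensions) {
    $class = ''
    try {
        $key = $hkcr.OpenSubKey($ext)
        if ($null -ne $key) {
            # The default value of an extension key names its file class.
            $class = [string]$key.GetValue('')
            $key.Close()
        }
    } catch { continue }   # unreadable key: skip it

    $onExt   = Test-NeverShowExt $ext
    $onClass = Test-NeverShowExt $class
    if ($onExt -or $onClass) {
        [pscustomobject]@{
            Extension      = $ext
            Class          = $class
            OnExtensionKey = $onExt
            OnClassKey     = $onClass
        }
    }
}

if ($findings) {
    $findings | Sort-Object Extension | Format-Table -AutoSize
} else {
    'No registered extension is hidden by NeverShowExt.'
}
```

The OnExtensionKey and OnClassKey columns show which of the two keys holds the value for each extension.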




jdmorgan (us), WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member

Msg#: 4044 posted 1:31 am on Jan 12, 2003 (gmt 0)

Interestingly, I find no such "NeverShowExt" keyname related to .shs files in my registry. Several keys exist for the shell scrap file type, but all are empty. I do find the NeverShowExt keyname in several context handlers and classes, however.

This (my current) machine is WinME. What version(s) of Windoze does this apply to?



10+ Year Member

Msg#: 4044 posted 1:53 am on Jan 12, 2003 (gmt 0)

Hi Jim,

I run Win2000 and it was present on my machine. I guess this is a change they finally made in the last 2 years with WinME and WinXP. Of note though, is that their service packs never addressed this vulnerability.



jdmorgan (us), WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member

Msg#: 4044 posted 2:04 am on Jan 12, 2003 (gmt 0)


Thanks - Poking around in the classid's, it looked to me as if WinME has a specific dll to be used to handle shell scraps - maybe they put hooks in that dll to prevent further problems. I hope so, because I was fervently hunting for that keyname under the various .shs keys, and was not happy when I couldn't find it!

I seem to remember (vaguely) some discussion of this shell scrap vulnerability, but can't for my life remember where. I'll post if that synapse reactivates sometime soon.

Moral - Don't let Windoze "hide" anything!



ann (us), WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member

Msg#: 4044 posted 8:05 am on Jan 13, 2003 (gmt 0)


Just went through some heavy-duty spyware takeover on my brother's machine which I had to clean....after spending fourteen hours and two days working on it manually I went home and surfed for some help!

Found net intergration,com where you can get a continually updated Spybot Search and Destroy, free.

Then came across spywareinfo,com support forum and there you will find some of the most helpful people on the planet! As well as more software....like HijackThis

I used to rec. lavasoft adaware but not anymore....if you surf around these sites you will see why.

I tried spybot s&d on my computer..I had just done a reformat and restored everything then ran adaware which said I was spyware free...HA!

S&D found about 6 lurking...

Just trying to help out...all this stuff is for free and like I said, they are really helpful folks.


All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved