
Forum Moderators: incrediBILL & lawman


scumware / spyware

Beware of files that have shs file extensions

     
11:36 pm on Jan 11, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 26, 2002
posts:520
votes: 0


I just read Marcia's post about a scumware toolbar that replaced her Google toolbar. It reminded me of a little-known Windows-based vulnerability. It is possible to hide scumware / spyware (and other malicious executables) with .shs file extensions.

Shs files can contain any type of file similar to zipped or rarred files. Potentially, a user can open up an executable file without knowing about it. The specific danger of .shs file extensions is that they do not show in Windows Explorer even if advanced options are set to display all file extensions. The file can appear to be safe because file.txt.shs is displayed as file.txt even though it is a .shs file that may contain an executable file.

The default for the Windows setting is buried in the Registry under the HKEY_CLASSES_ROOT key. Delete the value in the .shs folder that says NeverShowExt.

Ted

1:31 am on Jan 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Interestingly, I find no such "NeverShowExt" keyname related to .shs files in my registry. Several keys exist for the shell scrap file type, but all are empty. I do find the NeverShowExt keyname in several context handlers and classes, however.

This (my current) machine is WinME. What version(s) of Windoze does this apply to?

Thanks,
Jim

1:53 am on Jan 12, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 26, 2002
posts:520
votes: 0


Hi Jim,

I run Win2000 and it was present on my machine. I guess this is a change they finally made in the last 2 years with WinME and WinXP. Of note though, is that their service packs never addressed this vulnerability.

Ted

2:04 am on Jan 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


nny'er,

Thanks - Poking around in the classid's, it looked to me as if WinME has a specific dll to be used to handle shell scraps - maybe they put hooks in that dll to prevent further problems. I hope so, because I was fervently hunting for that keyname under the various .shs keys, and was not happy when I couldn't find it!

I seem to remember (vaguely) some discussion of this shell scrap vulnerability, but can't for my life remember where. I'll post if that synapse reactivates sometime soon.

Moral - Don't let Windoze "hide" anything!

Jim
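An added example, not code from any poster in this thread: a Python check that reads a text export of HKEY_CLASSES_ROOT from Registry Editor and lists the extensions whose suffix Explorer hides because of NeverShowExt. It looks at the extension key itself and also at the class key named by the extension's default value, since the posts above report the value in different places. The sample export is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in Registry Editor export format; not from a real machine.
SAMPLE_REG = r'''REGEDIT4
[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
'''

KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\]$', re.I)
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_classes(text):
    """Return {top-level HKCR key: {value name: raw data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
        elif line.startswith('['):
            current = None  # subkey or another hive: not a class-level value
        elif current is not None and (v := VAL_RE.match(line)):
            current[v.group(1).strip('"').lower()] = v.group(2).strip('"')
    return keys

def hidden_extensions(text):
    """Map each extension that Explorer hides to the key holding NeverShowExt."""
    keys, found = parse_classes(text), {}
    for name, values in keys.items():
        if not name.startswith('.'):
            continue
        progid = values.get('@', '').lower()  # class the extension points to
        if 'nevershowext' in values:
            found[name] = name
        elif 'nevershowext' in keys.get(progid, {}):
            found[name] = progid
    return found

if __name__ == '__main__':
    for ext, where in sorted(hidden_extensions(SAMPLE_REG).items()):
        print(f'{ext}: NeverShowExt set on HKEY_CLASSES_ROOT\\{where}')
```

Key names are lowercased in the result, so compare them case-insensitively against what Registry Editor shows.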

ann

8:05 am on Jan 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 25, 2002
posts:2605
votes: 0


Hi,

Just went through some heavy-duty spyware takeover on my brother's machine which I had to clean....after spending fourteen hours and two days working on it manually I went home and surfed for some help!

Found net intergration,com where you can get a continually updated spybot search and destroy, free.

Then came across spywareinfo,com support forum and there you will find some of the most helpful people on the planet! As well as more software....like HijackThis

I used to rec. lavasoft adaware but not anymore....if you surf around these sites you will see why.

I tried spybot s&d on my computer..I had just done a reformat and restored everything then ran adaware which said I was spyware free...HA!

S&D found about 6 lurking...

Just trying to help out...all this stuff is for free and like I said, they are really helpful folks.

Ann
