tudorr
asked on
How to fix this error "The shell stopped unexpectedly and Explorer.exe was restarted"?
Immediately any user logs onto my PC (even new users) explorer starts to restart every 5 seconds with the error below:
Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1002
Date: 26/04/2006
Time: 08:24:34
User: N/A
Computer: CLABERT2
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------
I have checked the event logs and there were some errors relating to the IMAPI.exe service but with that disabled the error still occurs. It seemed to occur on the odd occasion before yesterday but then in the afternoon (not following any particular install) it started failing continually. The only minor change I can think of was removing internet explorer from the quick start area on the task bar.
I have searched for solutions on this site and across the web and I have tried the following:
1) Replace explorer.exe with a new copy from install CD (I replaced the dllcache copy as well to prevent the original coming back)
2) Replace explorer.exe with a working copy from another PC
3) Uninstall any recently installed software
4) Virus scan entire machine
5) Spyware scan entire machine (used Steganos anti-spyware 2006 and AdAware)
If anyone has any suggestions that result in a fix I would be grateful as I really don't want to rebuild from scratch.
Thanks!
Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1002
Date: 26/04/2006
Time: 08:24:34
User: N/A
Computer: CLABERT2
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
------
I have checked the event logs and there were some errors relating to the IMAPI.exe service but with that disabled the error still occurs. It seemed to occur on the odd occasion before yesterday but then in the afternoon (not following any particular install) it started failing continually. The only minor change I can think of was removing internet explorer from the quick start area on the task bar.
I have searched for solutions on this site and across the web and I have tried the following:
1) Replace explorer.exe with a new copy from install CD (I replaced the dllcache copy as well to prevent the original coming back)
2) Replace explorer.exe with a working copy from another PC
3) Uninstall any recently installed software
4) Virus scan entire machine
5) Spyware scan entire machine (used Steganos anti-spyware 2006 and AdAware)
If anyone has any suggestions that result in a fix I would be grateful as I really don't want to rebuild from scratch.
Thanks!
> The shell stopped unexpectedly and Explorer.exe was restarted <
If you take a look at this forum and study the last commenty by FKlassen 2005-06-28, 9:14 pm, you'll see reference to "most likely a new Bagle variant"!
http://www.mcse.ms/archive71-2005-6-1700676.html
If it's "Trojan.Tooso.J"as suggested, see this link for help:
http://www.symantec.com/avcenter/venc/data/trojan.tooso.j.html
If you take a look at this forum and study the last commenty by FKlassen 2005-06-28, 9:14 pm, you'll see reference to "most likely a new Bagle variant"!
http://www.mcse.ms/archive71-2005-6-1700676.html
If it's "Trojan.Tooso.J"as suggested, see this link for help:
http://www.symantec.com/avcenter/venc/data/trojan.tooso.j.html
Have put some 'highlights' in the previous url to assist you:
http://66.249.93.104/search?q=cache:b9nL9H6xC3AJ:www.mcse.ms/archive71-2005-6-1700676.html+The+shell+stopped+unexpectedly+and+Explorer.exe+was+restarted+windows+xp&hl=en&gl=uk&ct=clnk&cd=5
You may initially like to try this online Trojan scanner "a-squared Free", which is specialized in Trojans & Dialers removal:
http://www.emsisoft.com/en/software/free/
http://66.249.93.104/search?q=cache:b9nL9H6xC3AJ:www.mcse.ms/archive71-2005-6-1700676.html+The+shell+stopped+unexpectedly+and+Explorer.exe+was+restarted+windows+xp&hl=en&gl=uk&ct=clnk&cd=5
You may initially like to try this online Trojan scanner "a-squared Free", which is specialized in Trojans & Dialers removal:
http://www.emsisoft.com/en/software/free/
ASKER
Thanks for the comments - it appears that the problem was related to ISS BlackIce PC protection (my firewall and intrusion detection software). I used MSCONFIG to stop various things loading and was able to remove / reproduce the error by adding / removing the services. The strange thing is that I simply emptied the firewall logs and restarted and now all is fine - bizare!
Thanks for the update, it could help others.
As you appear to have answered the question yourself you may wish to retrieve your points. Check this link under the heading "Closing Questions":
https://www.experts-exchange.com/help.jsp#hi70
Then ask for a refund with reference to thread Q_21827735 posting a 0 points question here >
https://www.experts-exchange.com/Community_Support/ Thanks.
As you appear to have answered the question yourself you may wish to retrieve your points. Check this link under the heading "Closing Questions":
https://www.experts-exchange.com/help.jsp#hi70
Then ask for a refund with reference to thread Q_21827735 posting a 0 points question here >
https://www.experts-exchange.com/Community_Support/ Thanks.
GranMod,
No objections, PAQ-ing the question and refunding 500 points is fine.
No objections, PAQ-ing the question and refunding 500 points is fine.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks.
I should add that further investigation revealed that the Application Protection component of the software had decided that explorer.exe was a problem as below:
04/27/2006 09:41:24.296 [ 1792]: Notification: explorer.exe (C:\WINDOWS\explorer.exe) has been terminated because it is a privacy violation
It was simply closing down what it thought was a problem application. That information was contained in RAPPAPP.LOG but as there are so many log files I didn't manage to check it earlier!
Hopefully if someone else experiences this they can check the log first.....
In order to fix, I had to re-baseline the system as follows:
Right click the shield in the System Tray and select Stop BlackICE Application Protection. A red slash may appear over the shield. Now, find the Actlcl (may or may not exist) and Checksum .txt files in the BlackICE folder which are within the ISS folder. Delete them and then baseline.
Cheers.
I should add that further investigation revealed that the Application Protection component of the software had decided that explorer.exe was a problem as below:
04/27/2006 09:41:24.296 [ 1792]: Notification: explorer.exe (C:\WINDOWS\explorer.exe) has been terminated because it is a privacy violation
It was simply closing down what it thought was a problem application. That information was contained in RAPPAPP.LOG but as there are so many log files I didn't manage to check it earlier!
Hopefully if someone else experiences this they can check the log first.....
In order to fix, I had to re-baseline the system as follows:
Right click the shield in the System Tray and select Stop BlackICE Application Protection. A red slash may appear over the shield. Now, find the Actlcl (may or may not exist) and Checksum .txt files in the BlackICE folder which are within the ISS folder. Delete them and then baseline.
Cheers.
probably in your burning program you have installed or the burner drivers.