Solved

Killbox killed Explorer. Now the Explorer shell will not run.

Posted on 2007-03-23
Last Modified: 2013-12-06
I used Killbox to unregister and delete a simple DLL that was left behind by Google Desktop after an uninstall. I selected the option to "End Explorer Shell While Killing" in Killbox.

Well, it worked like a charm and deleted the DLL, but upon a reboot of the system, the explorer shell will not run. It will launch, and appear for a split second before seemingly terminating itself. So, the registry entry that sets the shell is fine ([HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="Explorer.exe") because it is at least trying to launch. I like that it is trying, and I applaud the poor little shell's efforts.

There is no apparent infection (virus, spyware, malware). Scans with Symantec Antivirus Corporate (9.0) as well as AdAware and Spybot find nothing harmful.

I ran the system file checker (sfc /scannow) to see if any protected files needed to be replaced by their original versions.....to no avail.

I booted into safe mode with the same results: The shell launches, and terminates immediately. I have also run diagnostic startups until the cows came home. When they did get home (the cows), they didn't bring any coffee, and my problem also still existed.

I have done a full repair install of Windows XP Professional, and re-applied all updates and Service Packs...to no avail. Explorer Shell will still not run. This leads me to believe that there is nothing wrong with Explorer.exe, but there is a registry entry somewhere that is set to kill explorer.exe whenever it runs.....or there are other files that the shell relies on that have been either corrupted or deleted (don't know how that would have happened...as one would think that any missing files would have been replaced upon either running the system file checker, or after the repair install).

It is funny to me that Killbox was set to "End Explorer Shell While Killing" , and magically, the shell has apparently been killed for good...makes me think that Killbox writes an entry somewhere in the registry, and that entry has not been deleted as it should have been. Or somehow, whatever Killbox did to kill the shell has gotten stuck in an endless loop of killing explorer.exe whenever it runs. Logic tells me this...although I am aware that it is somewhat unlikely to be the case.

No method of launching Explorer.exe will work. (Double click it in xplorer2; run from the command line; run from the task manager) I have also tried launching the instance of explorer.exe that resides inside the "C:\WINDOWS\ServicePackFiles\i386" folder to no avail. Further, trying to run the "Windows" Explorer file manager (explorer.scf) returns the error "There was a problem sending the command to the program". Quite obviously, iExplore.exe (Internet Explorer -> version 6) will not run as well. I don't really care about that, as I use Firefox, but thought it relevant.

I have copied explorer.exe, renamed it, and set the renamed file as the shell..also to no avail.

As you can see, there is a lot of ".....to no avail" going on. I fear that a total format and reinstall of Windows is required. However, as a last gasp at hope, I turn to the wonderful folks here for any possible advice.

Thanking you in advance for any reply. Below is a log from Hijack This!

Logfile of HijackThis v1.99.1
Scan saved at 12:18:58 PM, on 23/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Belkin Bulldog\upsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = JDC Workstation
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [FolderShare] "c:\program files\foldershare\foldershare.exe" /background
O4 - Startup: Karen's Replicator.lnk = C:\Program Files\Karen's Replicator\PTReplicator.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: FreedomAudio - http://www.freeworldradio.com/freedomhome/install/win/mv/freedominstaller.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} (WebTrain.ctlWebTrain) - http://www.webtrain.com/cabinet/wt0806.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.wroc.nrcan.gc.ca/download/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174566950169
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123766342942
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = <my domain>
O17 - HKLM\Software\..\Telephony: DomainName = <my domain>
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = <my domain>
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GetMail Service - Unknown owner - C:\WINDOWS\SYSTEM32\SRVANY.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UPS - UPSlim Service (UPSlim) - Delta - C:\Program Files\Belkin Bulldog\upsd.exe
Question by:John-D-Chapman
9 Comments
 
LVL 22

Expert Comment

by:orangutang
ID: 18781712
So you can reopen explorer.exe when it's closed in the Task Manager or some other program? If you can, or by some other way, try looking at your event viewer and look in your System and Application logs for anything suspicious for any item relating to explorer.exe.
0
 

Author Comment

by:John-D-Chapman
ID: 18781846
orangutang:
Thanks for the quick reply!

In no way can I open explorer.exe. Any method I try has the same result (tries to open, but terminates immediately i.e., I can see the taskbar flash on the screen for a second, but then the shell terminates causing it to disappear).

I use xplorer2 as an alternative file manager, and through there, I can browse to the administrative tools (*.msc files) to launch them (those that can be viewed without requiring Explorer.exe...i.e. the Control Panel can be viewed right inside xplorer2, and the administrative *.msc files don't require explorer.exe).

My event viewer shows only one system error and no warnings on boot. The error appears to give no clue about what may be causing the problem (the error may be a result of my problem, but does not hint at a cause).

The event is: Event ID: 1 - "The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SAVRT' on the volume 'HarddiskVolume1'.  It has stopped monitoring the volume."

Application log shows no errors or warnings at all on boot.
0
 
LVL 22

Expert Comment

by:orangutang
ID: 18781909
What?! There has to be some event viewer messages relating to your problem! Hmm, this is a weird one. Let me check into this further for you. It's a difficult (at least for me) yet very interesting problem.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 18783494
Hi,

Yeah, very likely that a reg entry is still present and that's what's causing explorer to not launch.
Killbox keeps a backup of every file that has been deleted, did you try restoring it?
And you still have Google Toolbar installed there, right? There are still some Google-related entries there.
O20 - AppInit_DLLs: CLKERN.DLL,C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

Also check if "explorer.exe" is listed under the "Image File Execution Options" key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
"debugger"="location of google dll here"

You can check this registry key, or just fix the above entry in Hijackthis if you don't mind not launching "Crackloc"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
"AppInit_DLLs"=(delete google related entry here)

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18783510
If "debugger" value points to the google dll that you deleted, then you need to delete this "explorer.exe" key -->HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
0
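A read-only PowerShell check of the three registry locations mentioned in this thread (the Winlogon Shell value, the Image File Execution Options key for explorer.exe, and AppInit_DLLs), added here as an example and not posted by any participant. It changes nothing; resolving bare DLL names against System32 is an assumption of the example.

```powershell
# Added example: inspects, but never modifies, the registry values discussed above.
$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the named value does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. The shell Winlogon starts at logon (normally Explorer.exe).
$shell = Get-RegValue "$nt\Winlogon" 'Shell'
"Winlogon Shell : $shell"

# 2. A Debugger value under this key makes Windows start the named program
#    in place of explorer.exe every time explorer.exe is launched.
$debugger = Get-RegValue "$nt\Image File Execution Options\explorer.exe" 'Debugger'
if ($debugger) {
    "IFEO Debugger  : $debugger"
} else {
    "IFEO Debugger  : (not set)"
}

# 3. AppInit_DLLs is a space- or comma-separated list, loaded into every
#    process that loads user32.dll. Report entries whose file is gone.
$appInit = Get-RegValue "$nt\Windows" 'AppInit_DLLs'
$entries = @("$appInit" -split '[,\s]+' | Where-Object { $_ })

if ($entries.Count -eq 0) { "AppInit_DLLs   : (empty)" }

foreach ($dll in $entries) {
    # Assumption of this example: a bare file name is looked up in System32 only.
    if (Split-Path -Path $dll -IsAbsolute) {
        $candidate = $dll
    } else {
        $candidate = Join-Path $env:SystemRoot "System32\$dll"
    }

    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        "AppInit_DLLs   : $dll  [present]"
    } else {
        "AppInit_DLLs   : $dll  [MISSING at $candidate]"
    }
}
```

Run it from an elevated prompt so all three keys are readable; an entry reported as missing is a candidate for the manual registry fix described in the answers above.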
 

Author Comment

by:John-D-Chapman
ID: 18795230
rpggamergirl:

Thanks for the reply, and apologies for the delay in responding.

Yes, the google toolbar is still installed, explaining the entry you saw in my Hijack This! log.

I have checked and verified that there is NO "explorer.exe" key located at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Restoring the deleted DLL from the Killbox backup had no effect, as well as trying the "Tools > Start Explorer Shell:" option from within Killbox.

Certainly is a head scratcher to me. I have a friction burn on my scalp from scratching so much.
0
 

Author Comment

by:John-D-Chapman
ID: 18795342
rpggamergirl:

Sorry, one more thing:

I did check the following key:
 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"

It did in fact have an entry for the deleted DLL. However, upon deleting the entry and rebooting, the problem still persists.
0
 

Author Comment

by:John-D-Chapman
ID: 18851162
Apologies to all. I finally had a chance to delve back into this issue, and found that once I approached it with a fresh mind, a simple re-install, then uninstall of Google Desktop did the trick. So, something must have happened when it was uninstalled the first time.

It is strange that a re-install of Google Desktop worked, and yet restoring the deleted DLL from Killbox did not. But I digress....while I may not know why or how this occurred, the problem has been remedied.

I am giving the points to rpggamergirl, since she was on the right track, alluding to the fact that the missing DLL had something to do with it (she suggested restoring the deleted DLL). The hint to an answer was there. While restoring the DLL alone did not work, re-installing Google Desktop did.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18863014
Glad to know problem is gone.
You did well troubleshooting and fixing the problem!

Thank you for the points, so generous of you, :)
0
