Solved

Explorer.exe The application was unable to start correctly (0xc0000022).

Posted on 2011-10-26
Last Modified: 2013-11-22
I have a client's HP notebook running Windows 7 Home Premium X64 from which I have removed a variety of malware using MalwareBytes, SuperAntiSpyware and ComboFix - all operated from Safe Mode.

Any attempt to log in in standard mode produces the above error message and, while I can C.A.D., running TaskMgr produces the same response.

I have reset file and registry permissions using SECEDIT, SubInACL and CACLS routines as found in various on-line sources.  SFC found and replaced a few problems.  There is no evidence that CA AntiVirus has been installed on here, it did have Bullguard on it, which I uninstalled - apparently successfully - from Safe Mode.

Any further suggestions, other than bin it and reinstall?

TIA

KD
0
Question by:KD Johnson
14 Comments
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
ID: 37030402
Have you tried running Combofix?
Download from www.bleepingcomputers.com
0
 
LVL 30

Expert Comment

by:ded9
ID: 37030467
Do a clean boot and check whether you get the explorer error.


Clean boot process

Start-type - msconfig- click on startup tab- click disable all...then click services tab- put a check on hide all microsoft services ...and then click disable all....click ok and then restart the computer in normal mode.

If everything works fine in clean boot then enable five startup items and services at a time to find the faulty software.


Can also try a new user account.




Ded9
0
 
LVL 23

Expert Comment

by:edbedb
ID: 37030540
Try running this Fixit by Microsoft.
http://support.microsoft.com/kb/950505

If you can't get to it on the infected computer, save it to a flash drive using another computer.
0

 
LVL 66

Expert Comment

by:johnb6767
ID: 37030590
AutoRuns
http://live.sysinternals.com/autoruns.exe

I would like a .ARN export, to see what is still starting with the machine......

Additionally.....

CTRL+SHIFT+ESC should bring up the Task Manager..... If it does, File>New Task>Explorer.exe.... (not sure if your comment "while I can C.A.D. running TaskMgr produces the same response.  " covers this.....)

Does your desktop/background appear?

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Make sure that nothing is jacking with the SHELL value, which should be Explorer.exe

Also, make sure that the UserInit value is "C:\windows\system32\userinit.exe,"

Also check to see if a subkey exists under here called....

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

If so, kill it.....

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\explorer.exe

If the path is anything BUT c:\windows\explorer.exe, back it up and kill it....

Check your logs for an application error, might give more insight to the Explorer failure....

Explorer.exe should be in C:\Windows, and have a file size of about 2553kb (No SP1) or 2805 (SP1).....
0
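The registry and file checks listed in the comment above, gathered into one read-only audit. This is an added example, not part of the original comment; it assumes an elevated 64-bit PowerShell prompt on the affected machine and uses the expected values the comment gives.

```powershell
# Read-only audit of the shell-launch settings named in the comment above.
# Run from 64-bit PowerShell: a 32-bit host sees the Wow6432Node view of HKLM\SOFTWARE.
$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$findings = @()

# 1. Winlogon: Shell should be Explorer.exe, Userinit should be userinit.exe in System32.
$winlogon = Get-ItemProperty -Path "$nt\Winlogon"
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
foreach ($name in $expected.Keys) {
    $actual = [string]$winlogon.$name
    if ($actual.Trim() -ne $expected[$name]) {   # -ne compares case-insensitively
        $findings += "Winlogon\$name is '$actual', expected '$($expected[$name])'"
    }
}

# 2. Image File Execution Options: no subkey for explorer.exe is expected.
#    A Debugger value there makes Windows start that program instead of Explorer.
$ifeo = "$nt\Image File Execution Options\explorer.exe"
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo).Debugger
    $findings += "IFEO subkey for explorer.exe exists (Debugger = '$dbg')"
}

# 3. App Paths: the default value should resolve to C:\Windows\explorer.exe.
$appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\explorer.exe'
if (Test-Path $appPath) {
    $target = [string](Get-ItemProperty -Path $appPath).'(default)'
    $target = [Environment]::ExpandEnvironmentVariables($target).Trim('"')
    if ($target -and $target -ne "$env:SystemRoot\explorer.exe") {
        $findings += "App Paths\explorer.exe points to '$target'"
    }
}

# 4. The binary itself: report its size for comparison with the sizes quoted above.
$exe = Join-Path $env:SystemRoot 'explorer.exe'
if (Test-Path $exe) {
    $kb = [math]::Round((Get-Item $exe).Length / 1KB)
    "explorer.exe: $exe, $kb KB"
} else {
    $findings += "$exe is missing"
}

if ($findings) { $findings } else { 'No deviations found in the checked keys.' }
```

The script changes nothing; export any flagged key with `reg export` before deleting it, as the comment advises for App Paths.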
 
LVL 1

Author Comment

by:KD Johnson
ID: 37030945
No can't bring up Task Manager - it gets the same error code.
I have messed it up even more now by overwriting explorer.exe and shell32.dll with versions from my machine. I now get no shell in safe mode either. I can reverse out of that the same way I went in, using a Linux distribution on a USB key. Does anyone know what the difference is between Explorer.exe and Shell32.dll on Home Premium x64 and Professional x86?

How many copies of Explorer.exe should there be on an x64 machine  - I suppose one in System32 and one in SysWOW64.  Unfortunately I don't have a similar x64 machine to hand.
0
 
LVL 1

Author Comment

by:KD Johnson
ID: 37030980
ComboFix was one of the Malware tools that I ran earlier
0
 
LVL 8

Expert Comment

by:eXpeLLeD_4RM_heLL
ID: 37030995
Could you post the log files of all the malware tools that have been run?
0
 
LVL 30

Expert Comment

by:ded9
ID: 37031514
Sounds like operating system files are corrupted..would recommend repair install.

Boot to desktop...insert the windows 7 disc...launch setup...click upgrade option....this will repair your windows install... complete the repair install.

You will not lose any data or programs during the repair install process.

http://www.door2windows.com/forum/topic/69-how-to-do-a-repair-install-to-fix-windows-7/




Ded9
0
 
LVL 1

Author Comment

by:KD Johnson
ID: 37032403
Here is the ComboFix log:

  http://www.colehill.co.uk/download/malware/ComboFix.txt

I have tried renaming and copying back in Explorer.exe and Shell32.dll but now I can't get a shell in either Safe Mode or Standard Mode. I am going to see if I can borrow a Home Premium x64 disc from another client to run the repair installation - all I have is a Professional (MAPS Subscription).
0
 
LVL 30

Expert Comment

by:ded9
ID: 37032633
If you have windows 7 Professional disc you can repair windows 7 home premium.

Check this article on how to do it...

http://lifehacker.com/5438005/eicfg-removal-utility-lets-you-use-any-product-key-with-your-windows-7-disc

You need to follow the steps to create a new iso and then with the new iso do a repair install....repair only works if you have a genuine copy of windows 7. In your case it is a genuine copy.




Ded9
0
 
LVL 30

Expert Comment

by:ded9
ID: 37032649
You can also check Windows 7 ISO Image Edition Switcher

http://code.kliu.org/misc/winisoutils/




Ded9
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 2000 total points
ID: 37034042
" Does anyone know what the difference is between Explorer.exe and Shell32.dll on Home Premium x64 and Professional x86?"

They are not compatible.....

Kick off an SFC. First, rename the ones you copied over to explorer.OLD and Shell32.OLD

From an elevated CMD prompt.....

sfc /scannow

Should replace the ones you have copied over..... At least get you back to a Safe Mode working environment.....

0
 
LVL 1

Author Closing Comment

by:KD Johnson
ID: 37034800
Thanks.  That must have been the 3rd or 4th time I had run SFC on this machine, the clincher seems to have been deleting (renaming) the explorer.exe and shell32.dll first - which is not something that was even possible earlier without booting into Linux.
I renamed the files as you suggested, ran the SFC from the Safe Mode Command Prompt and after that it booted back into standard mode for the first time since I took this on.  Now running Windows updates and rerunning MalwareBytes etc to make sure that there's nothing left and hopefully to reset some of those c*cked up and variously fudged and reset registry permissions.
Probably about 10 hours work - and can I charge all that to the customer ....?  (No)
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 37035617
Glad it is resolved. Normally you can rename system files while booted, as windows file protection replaces them instantly. If you have sp1 installed, you could uninstall/reinstall it, which should help to make sure that the system files are in good shape.... might not be worth the time though....just an extra assurance really....
0


Question has a verified solution.
