KD Johnson
asked on
Explorer.exe The application was unable to start correctly (0xc0000022).
I have a client's HP notebook running Windows 7 Home Premium X64 from which I have removed a variety of malware using MalwareBytes, SuperAntiSpyware and ComboFix - all operated from Safe Mode.
Any attempt to log in in standard mode produces the above error message and, while I can C.A.D., running TaskMgr produces the same response.
I have reset file and registry permissions using SECEDIT, SubInACL and CACLS routines as found in various on-line sources. SFC found and replaced a few problems. There is no evidence that CA AntiVirus has been installed on here, it did have Bullguard on it, which I uninstalled - apparently successfully - from Safe Mode.
Any further suggestions, other than bin it and reinstall?
TIA
KD
Do a clean boot and check whether you get the explorer error.
Clean boot process
Start - type msconfig - click on the Startup tab - click Disable all... then click the Services tab - put a check on Hide all Microsoft services... and then click Disable all... click OK and then restart the computer in normal mode.
If everything works fine in clean boot then enable five startup items and services at a time to find the faulty software.
Can also try a new user account.
Ded9
Try running this Fixit by Microsoft.
http://support.microsoft.com/kb/950505
If you can't get to it on the infected computer, save it to a flash drive using another computer.
AutoRuns
http://live.sysinternals.com/autoruns.exe
I would like a .ARN export, to see what is still starting with the machine......
Additionally.....
CTRL+SHIFT+ESC should bring up the Task Manager..... If it does, File>New Task>Explorer.exe.... (not sure if your comment "while I can C.A.D. running TaskMgr produces the same response. " covers this.....)
Does your desktop/background appear?
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Make sure that nothing is jacking with the SHELL value, which should be Explorer.exe
Also, make sure that the UserInit value is "C:\windows\system32\userinit.exe,"
Also check to see if a subkey exists under here called....
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
If so, kill it.....
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\explorer.exe
If the path is anything BUT c:\windows\explorer.exe, back it up and kill it....
Check your logs for an application error, might give more insight to the Explorer failure....
Explorer.exe should be in C:\Windows, and have a file size of about 2553kb (No SP1) or 2805 (SP1).....
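The registry and file checks listed in the post above can be gathered in one read-only pass. This PowerShell sketch is an added example, not part of the original post; the helper name `New-Finding` is hypothetical, and the script only reports values, it changes nothing.

```powershell
# Added example: read-only audit of the locations named in the post above.
# Run from an elevated 64-bit PowerShell so HKLM:\SOFTWARE is not redirected
# to the Wow6432Node view. Written to work on PowerShell 2.0 (Windows 7).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
$appPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\explorer.exe'
$explorer = Join-Path $env:SystemRoot 'explorer.exe'

# Hypothetical helper: one result row per check. OK = $null means "compare by eye".
function New-Finding($Check, $Value, $Ok) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; OK = $Ok }
}

$findings = @()

# Winlogon: Shell should be Explorer.exe, Userinit should be ...\userinit.exe,
$wl = Get-ItemProperty -Path $winlogon
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
$findings += New-Finding 'Winlogon Shell' $wl.Shell ($wl.Shell -ieq 'explorer.exe')
$findings += New-Finding 'Winlogon Userinit' $wl.Userinit ($wl.Userinit -ieq $expectedUserinit)

# Image File Execution Options: the post says this subkey should not exist.
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo).Debugger
    $findings += New-Finding 'IFEO explorer.exe subkey' "present; Debugger=$dbg" $false
} else {
    $findings += New-Finding 'IFEO explorer.exe subkey' 'absent' $true
}

# App Paths: if the key exists, its default value should point at the real file.
if (Test-Path $appPath) {
    $target = (Get-ItemProperty -Path $appPath).'(default)'
    $findings += New-Finding 'App Paths explorer.exe' $target ($target -ieq $explorer)
} else {
    $findings += New-Finding 'App Paths explorer.exe' 'absent' $true
}

# File presence and size, to compare with the sizes quoted in the post.
if (Test-Path $explorer) {
    $kb = [math]::Round((Get-Item $explorer).Length / 1KB)
    $findings += New-Finding 'explorer.exe size (KB)' $kb $null
} else {
    $findings += New-Finding 'explorer.exe present' $explorer $false
}

$findings | Select-Object Check, Value, OK | Format-Table -AutoSize
```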
ASKER
No can't bring up Task Manager - it gets the same error code.
I have messed it up even more now by overwriting explorer.exe and shell32.dll with versions from my machine. I now get no shell in safe mode either. I can reverse out of that the same way I went in using a Linux distribution on a USB key. Does anyone know what the difference is between Explorer.exe and Shell32.dll on Home Premium x64 and Professional x86?
How many copies of Explorer.exe should there be on an x64 machine - I suppose one in System32 and one in SysWOW64. Unfortunately I don't have a similar x64 machine to hand.
ASKER
ComboFix was one of the Malware tools that I ran earlier
Could you post the log files of the all the Malware tools that have been run.
Sounds like operating system files are corrupted..would recommend repair install.
Boot to desktop...insert the windows 7 disc...launch setup...click upgrade option....this will repair your windows install... complete the repair install.
You will not lose any data or programs during the repair install process
http://www.door2windows.com/forum/topic/69-how-to-do-a-repair-install-to-fix-windows-7/
Ded9
ASKER
Here is the ComboFix log:
http://www.colehill.co.uk/download/malware/ComboFix.txt
I have tried renaming and copying back in Explorer.exe and Shell32.Dll but now I can't get a shell in either Safe Mode or Standard Mode. I am going to see if I can borrow a Home Premium x64 disc from another client to run the repair installation - all I have is a Professional (MAPS Subscription).
If you have windows 7 Professional disc you can repair windows 7 home premium.
Check this article on how to do it...
http://lifehacker.com/5438005/eicfg-removal-utility-lets-you-use-any-product-key-with-your-windows-7-disc
You need to follow the steps to create a new iso and then with the new iso do a repair install....repair only works if you have a genuine copy of windows 7. In your case it is a genuine copy.
Ded9
ASKER CERTIFIED SOLUTION
ASKER
Thanks. That must have been the 3rd or 4th time I had run SFC on this machine, the clincher seems to have been deleting (renaming) the explorer.exe and shell32.dll first - which is not something that was even possible earlier without booting into Linux.
I renamed the files as you suggested, ran the SFC from the Safe Mode Command Prompt and after that it booted back into standard mode for the first time since I took this on. Now running Windows updates and rerunning MalwareBytes etc to make sure that there's nothing left and hopefully to reset some of those c*cked up and variously fudged and reset registry permissions.
Probably about 10 hours work - and can I charge all that to the customer ....? (No)
Glad it is resolved. Normally you can rename system files while booted, as windows file protection replaces them instantly. If you have sp1 installed, you could uninstall/reinstall it, which should help to make sure that the system files are in good shape.... might not be worth the time though....just an extra assurance really....
Download from www.bleepingcomputers.com