[Metallica]

There are two that deserve some additional attention.

Do you know where these belong to ?
"{BE865BFA-BFBA-435F-A128-D69976739CF9}"="Registered WCE ActiveX Controls"
"{09B3180C-8982-40FA-AE97-2DD247B5036D}"="Registered ActiveX Controls"

If you do and they belong to a trusted program, copy the part in the CODE box below into notepad and save it as allowext.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{BE865BFA-BFBA-435F-A128-D69976739CF9} {000214E8-0000-0000-C000-000000000046} 0x401"=dword:00000001
"{09B3180C-8982-40FA-AE97-2DD247B5036D} {000214E8-0000-0000-C000-000000000046} 0x401"=dword:00000001

Doubleclick the file and at the prompt confirm you want to merge it with the registry.

Are NOD32 and TrojanHunter still installed on that computer?

[Advertisements]

Both are in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\AutorunsDisabled. No idea what they are so they're not trusted & I didn't do the allowext.reg thing.
If WCE is Windows CE, a previous user did some development for it, but I don't. I also don't do web development or use IE (unless forced) so I'm not precious about ActiveX controls; I've got a decent net link and assume I'll be prompted to download one again if I ever need it.
TrojanHunter is still installed, NOD32 isn't but I still have the installer...
Cheers

[cso]

Both are in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\AutorunsDisabled. No idea what they are so they're not trusted & I didn't do the allowext.reg thing.
If WCE is Windows CE, a previous user did some development for it, but I don't. I also don't do web development or use IE (unless forced) so I'm not precious about ActiveX controls; I've got a decent net link and assume I'll be prompted to download one again if I ever need it.
TrojanHunter is still installed, NOD32 isn't but I still have the installer...
Cheers

[Metallica]

OK. Then there are a few things that can go.

Copy the part in the CODE box below into notepad and save it as removeleftovers.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\AutorunsDisabled]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}"=-
"{BE865BFA-BFBA-435F-A128-D69976739CF9}"=-
"{09B3180C-8982-40FA-AE97-2DD247B5036D}"=-

Doubleclick the file and at the prompt confirm you want to merge it with the registry.
Try to run explorer.exe (the original) and let me know what happens.

Regards,

[cso]

Hello again,
Tried that (& confirmed keys removed) & ran explorer; same message. Restarted, logged in; same message.
Cheers.

[Metallica]

I want to try something. It might help to close down the diagnostic fase.

1. Please download Brute Force Uninstaller to your desktop.

• Right click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C:) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

• Start the Brute Force Uninstaller by doubleclicking BFU.exe
• Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
• Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
• Wait for the complete script execution box to pop up and press OK.
• Press exit to terminate the BFU program.

I'm not so worried that you have this infection, but what this script does on a normal functioning computer is unload the shell, then do some cleaning while the shell restarts (it does this automatically on Windows NT machines) and in the end it opens a explorer window.

Can you let me know what happens when you run it on your computer?

[cso]

Hi,
Just before I see the "complete script execution" box, I get the same "explorer failed..." box.
Cheers

[cso]

Hi Metallica,
Snippet of info I just noticed by accident:
If I "copy c:\windows\explorer.exe c:\usr\bin"
The original still fails completely but c:\usr\bin\explorer.exe will run as a basic browser application window (no shell start taskbar stuff).
Just wondered if that was relevant.
Cheers

[Metallica]

We can try if it's willing to work as a shell.


Please run Notepad and paste all the text in the code box below into a new file:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="c:\usr\bin\explorer.exe"

Save the file to the desktop as changeshell2.reg and make sure the "Save as Type" field says "All Files".
Then please go to the desktop and double-click on changeshell.reg, and click Yes to merge within the registry.
Reboot to test if it will hold. If it does work can you give me the version numbers of both the explorer.exe files?
(Rightclick file > Properties > version tab is where you ca find it)

Regards,

[cso]

Well I'm gobsmacked; my desktop, start menu etc. are back!
Things are a bit disorganized but then I've been doing a fair bit of poking around in the dark with cmd, task manager etc.
Both executables are version 6.0.2900.2180
Do we have any idea what caused / fixed (tho not had time to test out all my usual tasks) this?
Any suggestions for where I go from here?
Thanks for your patient help.
Cheers

[Metallica]

Great!!!!


So that I get this straight. The files are identical, but the one in your c:\usr\bin\ folder works as a shell and the one in the Windows directory doesn't?

Can you post a fresh HijackThis log?
And have a good look at the properties of both files and the folders they are in. Let me know if you spot any differences

[cso]

Yes, the two are identical but one works, the other doesn't.
HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 15:55:09, on 2006-09-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\usr\bin\explorer.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\Usr\CsO\Install\AMal\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: Shell=c:\usr\bin\explorer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O15 - Trusted Zone: http://*.update.microsoft.com 
O15 - Trusted Zone: http://www.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1156951267656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155803984156
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Many thanks!

[Metallica]

I am asking around at the moment to find out if there are any reasons to do additional work or if we can leave it like this.

Let me know if you experience any problems.
And, should you post the log in the future or in another thread, most people will tell you to fix:
F2 - REG:system.ini: Shell=c:\usr\bin\explorer.exe

Don't fix it and point them here to explain that we made that entry on purpose.

I will leave this thread open so we can both alert each other here if necessary.

Regards,

[Metallica]

Two things I'd like you to do (just for investigating purposes)

Copy the code below into notepad and save it as lookup.bat
Set Filetype to "All files"

dir %Systemdrive%\explorer.* /a h /s > files.txt
start notepad files.txt

Start the file by doubleclicking lookup.bat
That will open a file called files.txt. Post the content of that file.

• Download the Registry Search Tool.
• Unzip the contents of RegSrch.zip to a convenient location.
• Double-click on RegSrch.vbs.
• If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
• In the "Enter search string (case insensitive) and click OK..." box paste this string:
  • explorer.exe
• Click "OK" to search the registry for that string.
• Wait for a few minutes while it completes the search.
• Click "OK" to open the results in WordPad.
• Copy and paste the entire results into your next post.

Regards,

[cso]

Hello again, sorry about the delay I've been away from the machine for a few days...

Here is the file list (btw the dir command gave a 'file not found'):

 Volume in drive C is XPPro
 Volume Serial Number is 08FB-1CFB

 Directory of C:\Documents and Settings\Colin\Local Settings\Temp\WER4a7d.dir00

2006-09-06  09:16				 0 explorer.exe.mdmp
			   1 File(s)			  0 bytes

 Directory of C:\pebuilder3110a\BartPE\I386

2004-08-04  13:00		 1,032,192 EXPLORER.EXE
			   1 File(s)	  1,032,192 bytes

 Directory of C:\Program Files\Microsoft Platform SDK\Samples\Com\Administration\Explore.Vb

2005-04-04  18:45			43,781 Explorer.Frm
2005-04-04  18:45			13,498 Explorer.Frx
			   2 File(s)		 57,279 bytes

 Directory of C:\Program Files\Microsoft Visual Studio\Common\Graphics\Bitmaps\Outline\NoMask

1998-04-24  00:00			   246 EXPLORER.BMP
			   1 File(s)			246 bytes

 Directory of C:\Program Files\Microsoft Visual Studio\Common\Graphics\Bitmaps\Outline\RedMask

1998-04-24  00:00			   246 EXPLORER.BMP
			   1 File(s)			246 bytes

 Directory of C:\Program Files\Microsoft Visual Studio\Common\Graphics\Icons\Win95

1998-04-24  00:00			 1,078 EXPLORER.ICO
			   1 File(s)		  1,078 bytes

 Directory of C:\Program Files\Microsoft Visual Studio\MSDN\2001OCT\1033\SAMPLES\VB98\WcDemo

1999-07-26  00:00			20,278 EXPLORER.BMP
			   1 File(s)		 20,278 bytes

 Directory of C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Graphics\bitmaps\Outline\NoMask

2000-11-21  02:18			   246 EXPLORER.BMP
			   1 File(s)			246 bytes

 Directory of C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Graphics\bitmaps\Outline\RedMask

2000-11-21  02:18			   246 EXPLORER.BMP
			   1 File(s)			246 bytes

 Directory of C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Graphics\icons\Win95

2000-11-21  02:39			 1,078 EXPLORER.ICO
			   1 File(s)		  1,078 bytes

 Directory of C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Samples\Technologies\Interop\Basic\InternetExplorer

2001-08-27  21:39			 8,982 Explorer.cs
			   1 File(s)		  8,982 bytes

 Directory of C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Tool Developers Guide\Samples\adepends\gui

2001-06-26  19:14			 7,336 explorer.cs
			   1 File(s)		  7,336 bytes

 Directory of C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\ItemTemplatesCache\VisualBasic\1033

2005-03-22  10:35	<DIR>		  Explorer.zip
			   0 File(s)			  0 bytes

 Directory of C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\ItemTemplatesCache\VisualBasic\1033\Explorer.zip

2004-04-21  15:04			33,165 explorer.designer.vb
2004-04-01  11:49			41,569 explorer.resx
2004-04-01  11:49			13,964 explorer.vb
2004-04-01  11:49			 2,224 explorer.vstemplate
			   4 File(s)		 90,922 bytes

 Directory of C:\Usr\Bin

2004-08-04  13:00		 1,032,192 explorer.exe
			   1 File(s)	  1,032,192 bytes

 Directory of C:\WINDOWS

2004-08-04  13:00		 1,032,192 explorer.exe
2004-08-04  13:00		 1,032,192 explorer.exe.orig
2004-08-04  13:00				80 explorer.scf
			   3 File(s)	  2,064,464 bytes

 Directory of C:\WINDOWS\Prefetch

2006-08-25  09:23			 8,556 EXPLORER.EXE-082F38A9.pf
2006-09-01  11:33			39,994 EXPLORER.EXE-0C648EA3.pf
2006-09-06  09:53			86,604 EXPLORER.EXE-2722A18E.pf
			   3 File(s)		135,154 bytes

 Directory of C:\WINDOWS\Symbols\exe

2004-08-03  23:17		   994,304 explorer.pdb
			   1 File(s)		994,304 bytes

 Directory of C:\WINDOWS\system32\dllcache

2004-08-04  13:00		 1,032,192 explorer.exe
			   1 File(s)	  1,032,192 bytes

and here is the registry search:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "explorer.exe" 2006-09-06 10:03:26

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\explorer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\TaskbarExceptionsIcons\explorer.exe,16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Briefcase\shell\open\command]
@="explorer.exe %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7020"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7021"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7001"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7022"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7023"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7003"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7024"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7004"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"LocalizedString"="@explorer.exe,-7025"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}]
"InfoTip"="@explorer.exe,-7005"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}\DefaultIcon]
@="C:\\WINDOWS\\explorer.exe,-103"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\AllDevices\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\AllDevices\shell\open\command]
@="Explorer.Exe /idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\Camera\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\Camera\shell\open\command]
@="Explorer.Exe /idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\CameraContainerItems\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\CameraContainerItems\shell\open\command]
@="Explorer.Exe /idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\Scanner\shell\explore\command]
@="Explorer.exe /e,/idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E211B736-43FD-11D1-9EFB-0000F8757FCD}\Scanner\shell\open\command]
@="Explorer.Exe /idlist,%I,/L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Publishing Folder\shell\explore\command]
@="explorer.exe /e,/idlist,%I,%L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Publishing Folder\shell\open\command]
@="explorer.exe /idlist,%I,%L"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SHCmdFile\shell\open\command]
@="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\International]
"explorer.exe"="6.0.2600.0-6.0.9999.9999"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION]
"explorer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"KillList"="%1;explorer.exe;dvdplay.exe;mplay32.exe;msohtmed.exe;quikview.exe;rundll.exe;rundll32.exe;taskman.exe;bck32api.dll;"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\MyComp]
"Bitmap"="%SystemRoot%\\explorer.exe,100"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="c:\\usr\\bin\\explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\explorer.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Nls\MUILanguages\RCV2\explorer.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\explorer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Dependency Walker\Recent File List]
"File1"="C:\\WINDOWS\\explorer.exe"

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"q"="c:\\windows\\explorer.exe\\1"

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7023"="&Run..."

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7020"="&Search"

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7021"="&Help and Support"

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@explorer.exe,-7003"="Opens a program, folder, document, or Web site."

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"c:\\usr\\bin\\explorer.exe"="Windows Explorer"

[HKEY_USERS\S-1-5-21-1454471165-1580436667-839522115-1016\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\explorer.exe"="Windows Explorer"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Icon"="explorer.exe#0100"

[Metallica]

Thanks. I don't see any problems in there.
It has been suggested that it might be a permissions issue

Can you download SWXCACLS
Please save it directly to the root directory(, so it will end up as C:\swxcacls.exe)

Then copy the content of the CODE block into notepad

cd\
swxcacls "C:\WINDOWS\explorer.exe" /VERBOSE >> perms.txt

and save it as permexplo.bat (prreferably) to the same location.
Doubleclick the file and it should produce the export file perms.txt (in the same location as swxcacls.exe)
Post the content of that file please.

I'm not sure what you meant by this:

(btw the dir command gave a 'file not found')

Regards,