Windows 2000 and Ie6 XP DLLs

I have a curious problem.
At the company I work in, we recently had about 80% of computers stop working with explorer.exe crashing the second anyone types in their username and password to log onto the AD domain.

After a huge amount of researching over the last couple of weeks I've discovered the problem is related to shlwapi.dll

All of our computers are installed from an image on a RIS server and therefore all have Windows 2000 Service Pack 4 with Internet Explorer 5.5

The two DLL files causing the problem have the version numbers:

6.0.2900.2573
6.0.2900.2627

From researching the Microsoft Support site and Google, I've come to the conclusion that the second DLL above is an upgrade to the first and both DLLs are actually for Windows XP systems running Internet Explorer 6!

I've checked the C:\WINNT directory for log files relating to Hotfixes and the hotfixes which contain these DLLs (KB890923 & KB867282) are not installed by our SUS server (at least there are no KB890923.log and KB867282.log files whereas all our other KB files have logfiles). Looking at the SUS Server Admin page, these KBs have not been Authorised to download from Windows Update in the first place, so cannot have been installed by SUS on our computers.

The first Hotfix applied to our desktop systems (KB890175) tries to overwrite the shlwapi.dll with a 5.50 version:

This is also evidenced in setupapi.log:

I have no idea as yet where these spurious DLL files are coming from. According to the Microsoft website there are only four ways for this DLL (being protected by Windows File Protection) can be overwritten and thats:
1. Windows Service Pack installation using Update.exe
2. Hotfixes installed using Hotfix.exe or Update.exe
3. Operating system upgrades using Winnt32.exe
4. Windows Update

Our Windows Update SUS server only runs Tuesday nights, so it's unlikely to be the culprit. In any case, rebuilding systems many times over the course of that day resulted in the same computer dying as soon as a user logged in.
We are not upgrading to other versions of Windows..
We are not installing any new Service Packs.

The only thing left are Hotfixes, but as I said we have not seen any logs of these KB's with the DLL files in them.

As soon as anyone logs into the computers, we get "Explorer.exe has generated errors and will be closed by Windows ". The computer is then unusable. We are able to fiddle around and get a command prompt. Using the command prompt we have fixed the computers temporarily by:
1. inserting a Win2kSP4 cd and running 'sfc /scannow' which seems to overwrite the bad dll files
2. upgrade to Internet Explorer 6.0SP1 which also overwrites the bad dll files.

The other strange thing is 80% of the computers died around the same time of day on April 22nd. After running either of the above fixes, we've had about 3-4 computers with this problem happening most (but not all) days and not on the same scale as that day.

Any ideas?

TIA

 

The other strange thing is 80% of the computers died around the same time of day on April 22nd. After running either of the above fixes, we've had about 3-4 computers with this problem happening most (but not all) days and not on the same scale as that day.

Once you do a 'fix', does it hold so the machine stays in good working order?

If yes to that, is there any reason you don't want the latest IE version loaded? Lots of security enhancements.

Speaking of security, this whole thing really sound like the sort of thing a virus would do to you. I know that several of the Bagle worm versions played around with that particular .dll file.

 

I don't think installing ie6 guarantees they won't get the DLL file again. It seems this version of the DLL is for XP and not 2K.
We have to wait until 'the power that be' authorise a company branch-wide upgrade to IE6, at any rate, so as to not possibly affect other applications.
I just wonder how an IE6 XP dll can get installed on a IE5.5 2K machine by accident.

 

Sorry - I hadn't looked closely at the version numbers. I don't think those will run on any OS version prior to XP and if I'm not mistaken, 6.0.2900 is XP SP2. So that version is pretty much guaranteed to hose a 2K box.

If This isn't you (check the May 11 entry) then here is another guy with pretty much the same problem.

 

Good searching yeah. That is me

 

WauloK- are you still fighting this?

MS05-020 (KB890923) is probably the source of the files.