
Empty desktop, No explorer, charlie.exe?

Discussion in 'Malware and Virus Removal Archive' started by Marky, 2007/08/30.

  1. 2007/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please see post # 19 for regedit instructions.

    Is Flash MX 2004 a recent addition? I find it very odd that it's coming up in a directory search, and that it doesn't show a filename, unless H is the filename. Can you browse there and right click>Properties on that file? I'd like whatever info you can find.
     
  2. 2007/09/02
    Marky

    Marky Inactive Thread Starter

    Joined:
    2007/04/04
    Messages:
    25
    Likes Received:
    0
    Sorry, I missed your second post.

    Subsystem.txt is as follows:

    -------------------------------------------------------------------
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
    "Debug "=hex(2):00,00
    "Kmode "=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
    00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,\
    69,00,6e,00,33,00,32,00,6b,00,2e,00,73,00,79,00,73,00,00,00
    "Optional "=hex(7):50,00,6f,00,73,00,69,00,78,00,00,00,00,00
    "Posix "=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
    00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,70,00,\
    73,00,78,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,00
    "Required "=hex(7):44,00,65,00,62,00,75,00,67,00,00,00,57,00,69,00,6e,00,64,00,\
    6f,00,77,00,73,00,00,00,00,00
    "Windows "=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
    00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\
    65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\
    00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\
    72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\
    00,32,00,34,00,2c,00,33,00,30,00,37,00,32,00,2c,00,35,00,31,00,32,00,20,00,\
    57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,00,75,\
    00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,3d,00,\
    57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,00,65,\
    00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,76,00,\
    2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,\
    00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,53,00,\
    65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,\
    00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,20,00,\
    53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,00,6e,\
    00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,65,00,\
    72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,00,7a,\
    00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,50,00,72,00,6f,00,66,00,\
    69,00,6c,00,65,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,\
    00,66,00,20,00,4d,00,61,00,78,00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,\
    54,00,68,00,72,00,65,00,61,00,64,00,73,00,3d,00,31,00,36,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\CSRSS]
    "CsrSrvSharedSectionBase "=dword:7f6f0000

    -------------------------------------------------------------------

    Flash has been on for a while as part of the Macromedia studio MX, well over a year without any previous problems. The file H is 3.68 KB in size but doesn't have any information on its type. One thing that appears odd to me is that it has a creation date of 23 October 2006, but a modified date of 29 August 2003.

    I opened the file with notepad, and have posted it below. It appears to be genuine Adobe distributed code.
    -------------------------------------------------------------------
    %!PS-Adobe-3.0 Resource-CMap
    %%DocumentNeededResources: ProcSet (CIDInit)
    %%IncludeResource: ProcSet (CIDInit)
    %%BeginResource: CMap (H)
    %%Title: (H Adobe Japan1 1)
    %%Version: 10.001
    %%Copyright: -----------------------------------------------------------
    %%Copyright: Copyright 1990-1998 Adobe Systems Incorporated.
    %%Copyright: All Rights Reserved.
    %%Copyright:
    %%Copyright: Patents Pending
    %%Copyright:
    %%Copyright: NOTICE: All information contained herein is the property
    %%Copyright: of Adobe Systems Incorporated.
    %%Copyright:
    %%Copyright: Permission is granted for redistribution of this file
    %%Copyright: provided this copyright notice is maintained intact and
    %%Copyright: that the contents of this file are not altered in any
    %%Copyright: way from its original form.
    %%Copyright:
    %%Copyright: PostScript and Display PostScript are trademarks of
    %%Copyright: Adobe Systems Incorporated which may be registered in
    %%Copyright: certain jurisdictions.
    %%Copyright: -----------------------------------------------------------
    %%EndComments

    /CIDInit /ProcSet findresource begin

    12 dict begin

    begincmap

    /CIDSystemInfo 3 dict dup begin
    /Registry (Adobe) def
    /Ordering (Japan1) def
    /Supplement 1 def
    end def

    /CMapName /H def

    /CMapVersion 10.001 def
    /CMapType 1 def

    /UIDOffset 280 def
    /XUID [1 10 25335] def

    /WMode 0 def

    1 begincodespacerange
    <2121> <7E7E>
    endcodespacerange

    100 begincidrange
    <2121> <217e> 633
    <2221> <222e> 727
    <223a> <2241> 741
    <224a> <2250> 749
    <225c> <226a> 756
    <2272> <2279> 771
    <227e> <227e> 779
    <2330> <2339> 780
    <2341> <235a> 790
    <2361> <237a> 816
    <2421> <2473> 842
    <2521> <2576> 925
    <2621> <2638> 1011
    <2641> <2658> 1035
    <2721> <2741> 1059
    <2751> <2771> 1092
    <2821> <2821> 7479
    <2822> <2822> 7481
    <2823> <2823> 7491
    <2824> <2824> 7495
    <2825> <2825> 7503
    <2826> <2826> 7499
    <2827> <2827> 7507
    <2828> <2828> 7523
    <2829> <2829> 7515
    <282a> <282a> 7531
    <282b> <282b> 7539
    <282c> <282c> 7480
    <282d> <282d> 7482
    <282e> <282e> 7494
    <282f> <282f> 7498
    <2830> <2830> 7506
    <2831> <2831> 7502
    <2832> <2832> 7514
    <2833> <2833> 7530
    <2834> <2834> 7522
    <2835> <2835> 7538
    <2836> <2836> 7554
    <2837> <2837> 7511
    <2838> <2838> 7526
    <2839> <2839> 7519
    <283a> <283a> 7534
    <283b> <283b> 7542
    <283c> <283c> 7508
    <283d> <283d> 7527
    <283e> <283e> 7516
    <283f> <283f> 7535
    <2840> <2840> 7545
    <3021> <307e> 1125
    <3121> <317e> 1219
    <3221> <327e> 1313
    <3321> <337e> 1407
    <3421> <347e> 1501
    <3521> <357e> 1595
    <3621> <367e> 1689
    <3721> <377e> 1783
    <3821> <387e> 1877
    <3921> <397e> 1971
    <3a21> <3a7e> 2065
    <3b21> <3b7e> 2159
    <3c21> <3c7e> 2253
    <3d21> <3d7e> 2347
    <3e21> <3e7e> 2441
    <3f21> <3f7e> 2535
    <4021> <407e> 2629
    <4121> <417e> 2723
    <4221> <427e> 2817
    <4321> <437e> 2911
    <4421> <447e> 3005
    <4521> <457e> 3099
    <4621> <467e> 3193
    <4721> <477e> 3287
    <4821> <487e> 3381
    <4921> <497e> 3475
    <4a21> <4a7e> 3569
    <4b21> <4b7e> 3663
    <4c21> <4c7e> 3757
    <4d21> <4d7e> 3851
    <4e21> <4e7e> 3945
    <4f21> <4f53> 4039
    <5021> <507e> 4090
    <5121> <517e> 4184
    <5221> <527e> 4278
    <5321> <537e> 4372
    <5421> <547e> 4466
    <5521> <557e> 4560
    <5621> <567e> 4654
    <5721> <577e> 4748
    <5821> <587e> 4842
    <5921> <597e> 4936
    <5a21> <5a7e> 5030
    <5b21> <5b7e> 5124
    <5c21> <5c7e> 5218
    <5d21> <5d7e> 5312
    <5e21> <5e7e> 5406
    <5f21> <5f7e> 5500
    <6021> <607e> 5594
    <6121> <617e> 5688
    <6221> <627e> 5782
    <6321> <637e> 5876
    endcidrange

    18 begincidrange
    <6421> <647e> 5970
    <6521> <657e> 6064
    <6621> <667e> 6158
    <6721> <677e> 6252
    <6821> <687e> 6346
    <6921> <697e> 6440
    <6a21> <6a7e> 6534
    <6b21> <6b7e> 6628
    <6c21> <6c7e> 6722
    <6d21> <6d7e> 6816
    <6e21> <6e7e> 6910
    <6f21> <6f7e> 7004
    <7021> <707e> 7098
    <7121> <717e> 7192
    <7221> <727e> 7286
    <7321> <737e> 7380
    <7421> <7424> 7474
    <7425> <7426> 8284
    endcidrange
    endcmap
    CMapName currentdict /CMap defineresource pop
    end
    end

    %%EndResource
    %%EOF

    -------------------------------------------------------------------
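    The SubSystems export above is readable only once its hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) payloads are decoded. The following is an added example, not code from the thread or from any tool mentioned in it: it joins regedit's backslash-continued lines, decodes the UTF-16LE bytes, and checks that the "Windows" value still starts csrss.exe from system32 (the value a defender wants to confirm, since the subsystem line decides which server process is launched). The value data in SAMPLE_REG is copied from the post; the value names are normalised without the trailing spaces the forum rendering added.

    ```python
    """Decode hex(2)/hex(7) values from a Windows .reg export (added example)."""
    import re

    # Value data copied from the SubSystems export posted in the thread;
    # names normalised (no trailing space).  This is sample input, not live registry.
    SAMPLE_REG = r'''Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
    "Debug"=hex(2):00,00
    "Optional"=hex(7):50,00,6f,00,73,00,69,00,78,00,00,00,00,00
    "Posix"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
      00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,70,00,\
      73,00,78,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,00
    "Required"=hex(7):44,00,65,00,62,00,75,00,67,00,00,00,57,00,69,00,6e,00,64,00,\
      6f,00,77,00,73,00,00,00,00,00
    "Windows"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
      00,73,00,72,00,73,00,73,00,2e,00,65,00,78,00,65,00,20,00,4f,00,62,00,6a,00,\
      65,00,63,00,74,00,44,00,69,00,72,00,65,00,63,00,74,00,6f,00,72,00,79,00,3d,\
      00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,68,00,61,00,\
      72,00,65,00,64,00,53,00,65,00,63,00,74,00,69,00,6f,00,6e,00,3d,00,31,00,30,\
      00,32,00,34,00,2c,00,33,00,30,00,37,00,32,00,2c,00,35,00,31,00,32,00,20,00,\
      57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,3d,00,4f,00,6e,00,20,00,53,00,75,\
      00,62,00,53,00,79,00,73,00,74,00,65,00,6d,00,54,00,79,00,70,00,65,00,3d,00,\
      57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,53,00,65,00,72,00,76,00,65,\
      00,72,00,44,00,6c,00,6c,00,3d,00,62,00,61,00,73,00,65,00,73,00,72,00,76,00,\
      2c,00,31,00,20,00,53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,\
      00,77,00,69,00,6e,00,73,00,72,00,76,00,3a,00,55,00,73,00,65,00,72,00,53,00,\
      65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,\
      00,61,00,6c,00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,2c,00,33,00,20,00,\
      53,00,65,00,72,00,76,00,65,00,72,00,44,00,6c,00,6c,00,3d,00,77,00,69,00,6e,\
      00,73,00,72,00,76,00,3a,00,43,00,6f,00,6e,00,53,00,65,00,72,00,76,00,65,00,\
      72,00,44,00,6c,00,6c,00,49,00,6e,00,69,00,74,00,69,00,61,00,6c,00,69,00,7a,\
      00,61,00,74,00,69,00,6f,00,6e,00,2c,00,32,00,20,00,50,00,72,00,6f,00,66,00,\
      69,00,6c,00,65,00,43,00,6f,00,6e,00,74,00,72,00,6f,00,6c,00,3d,00,4f,00,66,\
      00,66,00,20,00,4d,00,61,00,78,00,52,00,65,00,71,00,75,00,65,00,73,00,74,00,\
      54,00,68,00,72,00,65,00,61,00,64,00,73,00,3d,00,31,00,36,00,00,00
    '''

    # "name"=hex(2):... or "name"=hex(7):...  (other value kinds are ignored here)
    VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\((?P<kind>[27])\):(?P<data>.*)$')

    # Expected launcher for the Windows subsystem on XP; anything else warrants a look.
    EXPECTED_CSRSS = r"%SystemRoot%\system32\csrss.exe"


    def logical_lines(text):
        """Join the lines regedit splits with a trailing backslash."""
        out, buf = [], None
        for raw in text.splitlines():
            line = raw.strip()
            buf = line if buf is None else buf + line
            if buf.endswith("\\"):          # continuation marker: keep accumulating
                buf = buf[:-1]
                continue
            out.append(buf)
            buf = None
        if buf is not None:
            out.append(buf)
        return out


    def decode_value(kind, data):
        """Turn the comma-separated hex bytes into str (hex(2)) or list[str] (hex(7))."""
        raw = bytes(int(b, 16) for b in data.split(",") if b)
        text = raw.decode("utf-16-le")
        if kind == "2":                     # REG_EXPAND_SZ: one NUL-terminated string
            return text.split("\x00", 1)[0]
        return [s for s in text.split("\x00") if s]   # REG_MULTI_SZ: NUL-separated list


    def parse_subsystems(text):
        """Return {value name: decoded value} for every hex(2)/hex(7) value in the export."""
        values = {}
        for line in logical_lines(text):
            m = VALUE_RE.match(line)
            if m:
                values[m["name"]] = decode_value(m["kind"], m["data"])
        return values


    def csrss_launch_ok(values):
        """True when the Windows subsystem value starts csrss.exe from system32."""
        launcher = values.get("Windows", "").split(" ", 1)[0]
        return launcher.lower() == EXPECTED_CSRSS.lower()


    if __name__ == "__main__":
        decoded = parse_subsystems(SAMPLE_REG)
        for name, value in decoded.items():
            print(f"{name:10} {value!r}")
        print("csrss launcher OK:", csrss_launch_ok(decoded))
    ```

    Paste a real export into SAMPLE_REG (or read it from the file with `open(path, encoding="utf-16")`, since regedit writes .reg files in UTF-16) to check a machine's own SubSystems key; the "Required" list should name Debug and Windows, and the "Windows" launcher should decode to the csrss.exe path above.
    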
     


  4. 2007/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Registry export seems to be in order. As you said, the H file appears to be legit, though I'm still a bit puzzled as to why it's coming up in directory searches for specific files.

    I'm out of ideas at the moment. :confused: You may be looking at doing a repair installation.

    I'll keep thinking on it, and searching for other things to check, and will post back if I come up with something.
     
  5. 2007/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm thinking that the underlying problem is that csrss is not running, therefore I'm searching for possible reasons as to why.

    Below is the part of the startup process where csrss comes into play.

    Your log shows us that smss.exe and winlogon.exe are both running, which tells us that the session manager registry key is being processed. The session manager\subsystem registry export and the csrss file search both indicate things are in order there. Taking a logical approach, I would guess that either smss.exe, csrss.exe or win32k.sys is corrupt, or something else is amiss within the session manager registry key.

    Let's try the system file checker utility. Open a command prompt and type or paste the following command.

    sfc /scannow

    Have your XP cd handy. There's a good chance you will be prompted to insert it.

    Reboot when complete and see if there's any change.

    By chance, have you tried booting using the Last Known Good Configuration?
     
  6. 2007/09/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please check the Task Manager running processes and verify whether or not csrss.exe is running. The log you posted from Deckard's System Scanner did not show it, and should have if it was. If it is not running, I'm quite surprised that the machine is not blue screening.

     
  7. 2007/09/05
    Marky

    Marky Inactive Thread Starter

    Joined:
    2007/04/04
    Messages:
    25
    Likes Received:
    0
    Hi Dave,

    Sorry I've not posted for a couple of days, had a hectic time with work and the kids!

    Anyway, crss.exe is appearing on the task manager as a running process, although I have noticed that no programs apart from cmd appear in the applications tab of the task manager.

    As far as a repair installation is concerned, I am prepared for that but would rather get my machine to a fit state to at least do some backups before that.

    I have done some exploration of trying to start from the last good configuration but I'm currently dual booting with linux and have been unable to do this via the bootloader.

    After some searching I have managed to find my installation cd and am currently running the system file checker, I will post again once that has finished.

    Mark
     
  8. 2007/09/05
    Marky

    Marky Inactive Thread Starter

    Joined:
    2007/04/04
    Messages:
    25
    Likes Received:
    0
    Ran the system file checker but no luck. Let it complete, rebooted, but still got the same problem.

    Mark
     
  9. 2007/09/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Mark,

    Open regedit and export the following key, to a text file, then post the contents of that text.

    HKEY_LOCAL_MACHINE\SYSTEM\Select

    I was just reading over your previous posts again and saw you mentioned Real Player and Google Desktop being installed together just prior to the problem. Did you uninstall Real Player too?
     
  10. 2007/09/06
    Marky

    Marky Inactive Thread Starter

    Joined:
    2007/04/04
    Messages:
    25
    Likes Received:
    0
    No I didn't uninstall real player. Real player has actually been installed for a while, but when it was run from a different user profile it went through the registration process where it sneaks up on you and installs toolbars as well. I will uninstall it when I get in and see if it helps and also copy the key for you.

    Mark
     
  11. 2007/09/06
    Marky

    Marky Inactive Thread Starter

    Joined:
    2007/04/04
    Messages:
    25
    Likes Received:
    0
    HKEY_LOCAL_MACHINE\SYSTEM\Select

    _________________________________________________
    Key Name: HKEY_LOCAL_MACHINE\SYSTEM\Select
    Class Name: <NO CLASS>
    Last Write Time: 4/4/2007 - 7:40 PM
    Value 0
    Name: Current
    Type: REG_DWORD
    Data: 0x2

    Value 1
    Name: Default
    Type: REG_DWORD
    Data: 0x2

    Value 2
    Name: Failed
    Type: REG_DWORD
    Data: 0x1

    Value 3
    Name: LastKnownGood
    Type: REG_DWORD
    Data: 0x4
     
  12. 2007/09/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Just a brief explanation, in case you do not know, before a recommendation (which you can take or leave ;) ).

    The export above tells us that if you expand HKEY_LOCAL_MACHINE\SYSTEM you will see at the least:

    ControlSet001
    ControlSet002
    ControlSet004

    A control set contains system configuration information, such as device drivers and services. CurrentControlSet is the control set that is currently loaded, and the export shows us that it loads from ControlSet002; that ControlSet002 is the Default control set to load. It also tells us that ControlSet001 failed to boot the system at some point, and should be considered corrupted and unusable. Finally, it shows us that ControlSet004 has been saved as the LastKnownGood control set, the control set that would be loaded if you were able to use the LKG option at the Advanced Start menu. The LKG control set is the last control set that successfully booted Windows, prior to the current Default control set. Using the LKG option loads ONLY the System control set differently, and will have no effect on the Software or User hives that are loaded.

    On the chance that your problem might be related to something contained in the ControlSet002 configuration, you can edit the Data for the Values under the Select key so that the LKG control set, ControlSet004, loads on reboot.

    • Open the registry editor to HKEY_LOCAL_MACHINE\SYSTEM\Select and click the Select key to select it
    • Double click the Default value and enter 4 then click OK
    • Double click the LastKnownGood value and enter 2 then click OK
    • Close the registry editor and reboot
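    The reading of the Select key given in this post (Current, Default, Failed, LastKnownGood each naming a ControlSetNNN) and the Default/LastKnownGood swap can be modelled offline before anyone touches regedit. The following is an added example, not code from the thread: it parses the text-format export posted above, maps each value to its control set name, and computes the swapped values while refusing to make the set recorded as Failed the new Default. Nothing here writes to the registry; the sample dump is the one posted in the thread, and the interpretation of 0 as "no control set recorded" is a Windows convention, not something the post states.

    ```python
    """Interpret HKLM\\SYSTEM\\Select from a regedit text export (added example)."""
    import re

    # Sample input: the Select key dump posted in the thread, in regedit's
    # "Export as text" layout.  Constructed spacing; values are the posted ones.
    SAMPLE_SELECT = """\
    Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\Select
    Class Name:        <NO CLASS>
    Last Write Time:   4/4/2007 - 7:40 PM
    Value 0
      Name:            Current
      Type:            REG_DWORD
      Data:            0x2

    Value 1
      Name:            Default
      Type:            REG_DWORD
      Data:            0x2

    Value 2
      Name:            Failed
      Type:            REG_DWORD
      Data:            0x1

    Value 3
      Name:            LastKnownGood
      Type:            REG_DWORD
      Data:            0x4
    """

    FIELD_RE = re.compile(r"\s*(Name|Type|Data):\s*(.*?)\s*$")


    def parse_select_dump(text):
        """Return {value name: int} for the REG_DWORD values in a text-format dump."""
        values = {}
        name = kind = None
        for line in text.splitlines():
            m = FIELD_RE.match(line)      # "Key Name:" / "Class Name:" do not match
            if not m:
                continue
            field, val = m.groups()
            if field == "Name":
                name = val
            elif field == "Type":
                kind = val
            elif field == "Data" and name is not None:
                if kind == "REG_DWORD":
                    values[name] = int(val, 16)     # regedit prints "0x2"
                name = kind = None
        return values


    def control_set_name(n):
        """Select stores a control set number; 0 means none is recorded (assumption)."""
        return None if n == 0 else f"ControlSet{n:03d}"


    def describe_select(values):
        """Map the Select values to the ControlSetNNN keys they point at."""
        return {
            "CurrentControlSet": control_set_name(values["Current"]),
            "Default": control_set_name(values["Default"]),
            "Failed": control_set_name(values.get("Failed", 0)),
            "LastKnownGood": control_set_name(values["LastKnownGood"]),
        }


    def boot_from_lkg(values):
        """Model the Default/LastKnownGood swap from the post; returns new values, writes nothing."""
        lkg, default = values["LastKnownGood"], values["Default"]
        if lkg == 0:
            raise ValueError("no LastKnownGood control set is recorded")
        if lkg == values.get("Failed", 0):
            raise ValueError("LastKnownGood is the set recorded as Failed; do not boot from it")
        new = dict(values)
        new["Default"], new["LastKnownGood"] = lkg, default
        return new                        # Current stays as-is until the next boot


    if __name__ == "__main__":
        sel = parse_select_dump(SAMPLE_SELECT)
        for k, v in describe_select(sel).items():
            print(f"{k:18} {v}")
        print("after swap:", boot_from_lkg(sel))
    ```

    Run against the posted dump it reports CurrentControlSet = ControlSet002, Failed = ControlSet001 and LastKnownGood = ControlSet004, and the swap yields Default = 4, LastKnownGood = 2, which are exactly the two values the steps above enter by hand.
    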
     
  13. 2007/09/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Mark,

    I've just received a message from someone that had a problem very similar to yours. Their solution was to uninstall not only Google Desktop but the Google Toolbar as well. Once both were gone, problem solved. It sure won't hurt to try at this point, so I'd say go for it!
     
  14. 2007/09/07
    Gard

    Gard Inactive

    Joined:
    2007/09/07
    Messages:
    1
    Likes Received:
    0
    I, too, had no taskbar/desktop/explorer. So, after reading the above, I uninstalled Google Toolbar (problem persisted) and Google Desktop -- voila, taskbar etc. are back! My network connection is not working, I am not sure about Norton Antivirus...anyway it is nice to see my taskbars again. Thanks.
     
  15. 2007/09/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Gard :)

    Thanks for your input! I'm happy to hear that worked for you.

    If you'd like or need some assistance with your network connection or NAV, feel free to start a new topic in whatever forum you feel appropriate, e.g. if you think an infection is involved, create a new topic in this forum with some details of the problem and a fresh HijackThis log. If you think it's just a networking problem, create a new topic in the Networking forum including details. For NAV, a new topic in the Security forum.
     
  16. 2007/09/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    For anyone else that is having this problem, and have both the GoogleDesktopManager and the Google toolbar installed, please try disabling Active Desktop before uninstalling those apps (if you'd like to keep them) to see if it helps. You can enable/disable Active Desktop with a vbs script from kellys-korner, line 16, left column. A reboot may be necessary for the change to take effect. Please post here with your results. :)
     
  17. 2007/09/09
    Marky

    Marky Inactive Thread Starter

    Joined:
    2007/04/04
    Messages:
    25
    Likes Received:
    0
    Hi Dave,

    Still no luck, checked out that the google stuff was gone and it is definitely not appearing on the add/remove lists for any user. I took off real player as well just to check. I have also tried editing the control sets as you suggested, but the problem remains with no sign of change.

    Have you any other thoughts or should I go ahead and reinstall the system?

    Mark.
     
  18. 2007/09/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you try the Active Desktop fix I suggested in my last post?
     
  19. 2007/09/09
    Marky

    Marky Inactive Thread Starter

    Joined:
    2007/04/04
    Messages:
    25
    Likes Received:
    0
    I did try the active desktop script, but I'd already uninstalled all the google stuff before I ran that. I did turn off the active desktop before I checked all the other users to ensure that the google stuff was not present on there, but as it didn't appear on any of the lists I don't think that would have made a difference. I also tried a reboot with the active desktop disabled.

    Mark.
     
  20. 2007/09/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    :(

    What about FLEXnet? Did you install that shortly after the Google stuff?
     
  21. 2007/09/09
    Marky

    Marky Inactive Thread Starter

    Joined:
    2007/04/04
    Messages:
    25
    Likes Received:
    0
    Flex was put on before the google stuff and has run for a couple of weeks without any problems, as it is a fairly new addition however it may be the root of things. This may also explain why flash is appearing in the reg search.

    Would you recommend removing the program through add/remove or should I approach it another way?

    Mark
     
