What I did (and will never do again...). Downloaded a "game pack" which was supposed to contain some "old favorites" from the retro 16-32 bit era. Decided to look into the pack to see. The loader puts out a selection panel. It loads partially but SpyBot S&D 1.6 barfs and reports a process trying to install a BHO. It's stopped while I choose "Deny". Interestingly, and FWIW I thought the term BHO stood for "Browser Hijack Object" at that moment, only to find out BHO stands for Browser Helper Object. The deny yields another SpyBot warning with a slightly different registry value cited, I deny that. A third pops up, I deny; and a fourth, I deny and so forth. Well I got really tired of continuous clicking so I asked SpyBot to remember my answer. And now a whole stream/plethora of SpyBot warnings ensue. I let it run but after a half hour of this, I'm convinced I'm stuck in a loop. So Ctl-Alt-Del and kill SpyBot. System is hung. Ctl-Alt-Del again and request a reboot. Reboot occurs but SpyBot is still warning and we're still in the loop. Reboot a third time. This time I say "Allow" and remember the change so I can move on but SpyBot is stuck on "Deny" for some reason. Ctl-Alt-Del to look for the process that's causing this. Can't find anything out of the ordinary. Reboot. Note: This was a "game pack" offered off of a user group BBS I frequent. I know you're all thinking what a dumbo but 3 other independent users there have confirmed (after I posted to warn about this issue) that the game pack is not viral nor does it contain spyware. So I attribute this mess strictly to "pilot error".
I was also able to just barely scan the pack with my version of NOD32 ESS. Came up nil. In Safe Mode (see below) I was just able to get SpyBot to scan the system for baddies. It found three and cleared them, rescanned, found none: System is clean. Able to get chkdsk to run all 5 modules. Nothing found. System has not BSOD'd.
What's happening now is this: Let Windows boot regularly. I get the desktop, wallpaper and task bar. Disk is running, looks normal. After a moment or two disk fires up, the desktop icons and task bar both disappear. A moment later they'll re-appear for about 10-15 seconds then disappear. A moment later they'll re-appear for about 10-15 secs then disappear. After seven or eight cycles of this behavior activity stops with just the wallpaper showing. Ctl-Alt-Del works. I found in that applet that I can Run a New Task called "desktop" (to call the DT to the fore) and the icons/task bar reappear. Once again, after a moment or two the desktop icons and task bar both disappear. A moment later they'll re-appear for about 10-15 seconds then disappear. A moment later they'll re-appear for about 10-15 secs then disappear... I won't go on but you get the pattern here. Some unknown process is calling for some file to be loaded. When I call the desktop to the fore, Windows reports that it cannot locate '/idlist,:0:1124,C:\Documents' (looks like a corrupted reference). This box dismisses after a moment, followed by you-guessed-it...
I have almost the same exact behavior in Safe Mode. Except that Windows puts up its Safe Mode warning box. I can either click Yes or wait 10 secs and the box self-clears and we resume the cycle of no_desktop & no_icons and the Safe Mode warning box returns. Wait or click Yes and it loops back again. I have it up now in regular Windows "Diagnostic Mode" with the same behavior. Again, I can pull up the desktop if it escapes I can use Task Mgr to call it back.
The big problem: I only get about 10 seconds to launch an app or hit something in either Reg or Safe Mode before that is interrupted by this no_desktop/no_icon behavior. Once something is launched, it will run for a while but usually I wind up with a hung app. I can see in Task Mgr that the process "explorer.exe" is running when the desktop/taskbar appear normal but when they disappear, explorer.exe vanishes from Task Mgr. When the desktop/icons reappear, explorer.exe returns to Task Mgr. This is a significant clue, I believe. Because explorer dies, I'm unable to work with my folders/files though I can see them until explorer dies. I managed to put up Add/Remove Progs only to find nothing out of the ordinary installed. I can successfully work in a DOS-box uninterrupted. I am logged on although probably only partially - as the system's drives are fully reachable via my router-based network. Again, the big problem here is that I can't get a detailed look at my processes that are running. Task Mgr doesn't give me deep enough detail and everything that it shows looks legit in my experience. Because I only have 10 seconds or less to do something, I'm unable to use a prog like Winternals or Mike Lin's StartUp utility to look any deeper at the processes running to evaluate what's going on. Why not? Because unless I can quickly (and I mean quickly) launch something and get it running, the cycle breaks the launch and we're back to no icons/no task bar, yada-yada.
Restore it? Uh-uh because all my restore points are gone! Quite unbeknownst to me something cleared them out (maybe it was CCleaner which I use regularly) and I only have one from 8/27 at 8:15 AM around the time I was mussing with my game pack. (Restoring restore points and trying to figure out what caused them to clear is number one on my list to check out when I get this back...)
Are you thinking repair install at this moment? I'd like to try to fix this without repair install if I can. So can I get some additional suggestions for things I can try?
Update at 3:15 PM. I left this on the desktop for the afternoon and came back from errands after about 3 hours. Look (I said), it's almost working! I don't see explorer disappear from the task mgr. I can launch Windows Explorer (Win-E) and it sticks! Here's another hint - when I hit Win-E, rundll.exe appears in Task Mgr. When I kill it, the Explorer window completes loading showing the directory tree on the left and so forth. This reminds me that "Run rundll.exe as an application" was part of the warning stream put out by SpyBot. If I could just get to that rogue application that is calling to run rundll as an app, I'll bet that would solve this. Agree? What do I use to thoroughly review what's being launched at startup?
Edited by whftherb, 28 August 2008 - 02:22 PM.
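
For the question that closes the post (what is being launched at startup), an added example that is not part of the original post: a batch file for the command prompt, which the poster reports still runs uninterrupted, that writes the usual autostart registry keys, the Winlogon settings, the Folder open command, the registered BHOs with the DLL each one loads, and the Startup folders to one text file. The report file name is an assumption, and the folder paths assume the Windows XP default profile layout.

```batch
@echo off
rem Added example: collect common autostart locations into one report file
rem that can be read at leisure in Notepad or copied off over the network.
setlocal
rem Hypothetical report name; change as needed.
set "OUT=%TEMP%\autostart_report.txt"
> "%OUT%" echo Autostart report %DATE% %TIME%

rem Programs started at logon for the machine and for the current user.
call :dump "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
call :dump "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
call :dump "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
call :dump "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

rem Winlogon: Shell normally names explorer.exe and Userinit names userinit.exe.
call :dump "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
call :dump "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

rem AppInit_DLLs (loaded into most GUI processes) is a value under this key.
call :dump "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

rem Command Explorer uses to open a folder; on XP it carries an /idlist argument.
call :dump "HKCR\Folder\shell\open\command"

rem Browser Helper Objects: list the CLSIDs, then resolve each to its DLL.
set "BHO=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
call :dump "%BHO%"
for /f "delims=" %%K in ('reg query "%BHO%" 2^>nul ^| findstr /c:"{"') do (
    rem %%~nxK keeps only the last path component, i.e. the {CLSID}.
    call :dump "HKCR\CLSID\%%~nxK\InprocServer32"
)

rem Startup folders (Windows XP default locations).
>> "%OUT%" echo.
>> "%OUT%" echo === Startup folders
dir /a "%USERPROFILE%\Start Menu\Programs\Startup" >> "%OUT%" 2>&1
dir /a "%ALLUSERSPROFILE%\Start Menu\Programs\Startup" >> "%OUT%" 2>&1

echo Report written to %OUT%
endlocal
goto :eof

:dump
rem Append one registry key, with its subkeys, to the report.
>> "%OUT%" echo.
>> "%OUT%" echo === %~1
reg query "%~1" /s >> "%OUT%" 2>&1
goto :eof
```

Entries worth a second look are a Winlogon `Shell` value naming anything other than `explorer.exe`, `rundll` command lines in the Run keys, and BHO CLSIDs whose `InprocServer32` points at a DLL that is missing or unfamiliar.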