sysinit32m.exe file is missing


*aloha_jared*
28 Sep 2005, 9:24am
Hello all.

I've had what I've come to understand as a CoolWebSearch problem for months now. I've stumbled around for a solution on this for a long time and finally seem to have things fixed(?) HOWEVER, when I boot up I get an error message saying windows cannot find sysinit32m.exe. I click OK and then the computer finishes booting and all appears normal, except that I can't load any new games for my kids. At least, my IE home page doesn't get hijacked anymore. I have Microsoft AntiSpyware that runs nightly and I've bought Norton Internet Security 2005, but Norton was causing major problems and I uninstalled it. Does anyone have any ideas on what might still be wrong with my system?

Mike1901
28 Sep 2005, 9:14pm
Hmmm.

Can we see a HJT log please (follow the instructions @ http://www.short-media.com/forum/showthread.php?t=14915 - first 2 posts)? It will help us see exactly what's up with your system, and whether there may be any other nasties lurking in the background :)

*aloha_jared*
29 Sep 2005, 7:37am
Absolutely, here goes:


Logfile of HijackThis v1.99.1
Scan saved at 8:39:21 PM, on 9/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\wmconnecta\wmtray.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WMCONN~2\wwm.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://catmx.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://catmx.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe sysinit32m.exe
O1 - Hosts: x
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnecta\wmtray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9ACE53-D719-41E6-A9D5-AF31374E4811}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

Mike1901
29 Sep 2005, 7:41am
You need to click on start => run and type regedit and press ok. Perform a full backup :) Then navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and double-click on the shell value. Leave explorer.exe in there, but remove anything else.

So the contents of the shell value should read:

Explorer.exe

*aloha_jared*
29 Sep 2005, 8:24am
Mike, thanks for the quick response. I went into the registry and there is no directory path that starts with HKLM listed. There are HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG and of course all the sub folders found within each of those... Am I just lost or could I have possibly deleted this particular registry folder altogether? I did delete a few things hastily when I was really fed up with things a month or two ago. (My wife and I have been suffering through this CWS problem since June!)

Mike1901
29 Sep 2005, 10:11am
HKEY_LOCAL_MACHINE is what HKLM is short for :)

*aloha_jared*
30 Sep 2005, 5:42am
Doh! I feel dumb now! I'll give it a shot...

*aloha_jared*
30 Sep 2005, 7:50am
I've followed the directory path down through per your directions (by the way, perform a full backup I took to mean export a copy of the registry file to My Documents) (my important docs and photos are burned to disc) but I don't see anything called Shell.

The subfolders under winlogon include Credentials, GPExtensions, Notify, and Special Accounts.

Wanted to check-in again before I wiped all these out.

*aloha_jared*
30 Sep 2005, 7:53am
I've followed the directory path down through per your directions (by the way, perform a full backup I took to mean export a copy of the registry file to My Documents -- my important docs and photos are burned to disc already) but the problem is I don't see anything called Shell.

The subfolders under winlogon include Credentials, GPExtensions, Notify, and Special Accounts.

Wanted to check-in again before I wiped all these out.

Mike1901
30 Sep 2005, 8:01am
Bad idea, leave them for the time being. I'll take a look when I get back this afternoon. Alternatively, one of the other helpers might come in and sort you out :)

Cheers

Mike1901
30 Sep 2005, 7:32pm
OK, you're looking for a key under winlogon, NOT another subfolder :)

*aloha_jared*
1 Oct 2005, 7:43am
Wow, you're gonna need a medal or something after you finish helping me... I get to winlogon and then what do I do? If I right click then a whole bunch of files populate to the right side of the screen. The files are divided into three columns: name, type and data. There are 30-35 files in there. One has an icon with an AB on it and is named Shell. In the data column of that file it reads: Explorer.exe sysinit32m.exe. I'm thinking this is the file that I need to leave? And I delete all the others? The reason I'm not totally confident on this is because it's not just explorer.exe. It also has that sysinit32m.exe and that's the file that my computer says is missing every time it boots up.

:scratch:

Mike1901
1 Oct 2005, 7:46am
Ah, I see the problem :)

You need to edit the shell key to just say "Explorer.exe"

Then reboot :)
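
An added example, not part of the original thread: a small Python triage check that reads a HijackThis log and reports any program chained onto the Winlogon Shell value after Explorer.exe, which is the leftover entry that triggers the "cannot find sysinit32m.exe" error at logon. The sample lines are copied from the log posted above; the function names and the assumption that entries are separated by spaces or commas are illustrative.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://catmx.com/
F2 - REG:system.ini: Shell=Explorer.exe sysinit32m.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
"""

EXPECTED_SHELL = "explorer.exe"
# A HijackThis entry is a section code (R0, F2, O4, O17, ...) followed by " - ".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SHELL = re.compile(r"^REG:system\.ini: Shell=(?P<value>.*)$", re.IGNORECASE)
# Assumption: programs are separated by spaces or commas; quoted paths may contain spaces.
TOKEN = re.compile(r'"[^"]*"|[^\s,]+')


def parse_entries(log_text):
    """Yield (section_code, body) for every 'Xn - ...' line in the log."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def extra_shell_programs(log_text):
    """Return programs listed in the Shell value besides Explorer.exe."""
    extras = []
    for code, body in parse_entries(log_text):
        m = SHELL.match(body)
        if code != "F2" or not m:
            continue
        for token in TOKEN.findall(m.group("value")):
            name = token.strip('"')
            # Compare on the file name only, ignoring case and directory.
            base = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base != EXPECTED_SHELL:
                extras.append(name)
    return extras


if __name__ == "__main__":
    for prog in extra_shell_programs(SAMPLE_LOG):
        print("Extra Winlogon Shell entry:", prog)
```

An empty result means the Shell value holds only Explorer.exe, which is the state the registry edit in this thread restores.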

*aloha_jared*
7 Oct 2005, 8:44am
Excellent!! That seems to have fixed things! I really appreciate your help with all this. I'm running Norton Internet and Microsoft Antispyware now. Hope my system stays clean...

Mike1901
7 Oct 2005, 4:23pm
OK, think we can consider this resolved :)