sysinit32m.exe file is missing

Hello all.

I've had what I've come to understand as a CoolWebSearch problem for months now. I've stumbled around for a solution on this for a long time and finally seem to have things fixed(?) HOWEVER, when I boot up I get an error message saying windows cannot find sysinit32m.exe. I click OK and then the computer finishes booting and all appears normal, except that I can't load any new games for my kids. At least, my IE home page doesn't get hijacked anymore. I have Microsoft AntiSpyware that runs nightly and I've bought Norton Internet Security 2005, but Norton was causing major problems and I uninstalled it. Does anyone have any ideas on what might still be wrong with my system?

Comments

  • edited September 2005
    Hmmm.

    Can we see a HJT log please (follow the instructions @ http://www.short-media.com/forum/showthread.php?t=14915 - first 2 posts)? It will help us see exactly what's up with your system, and whether there may be any other nasties lurking in the background :)
  • edited September 2005
    Absolutely, here goes:


    Logfile of HijackThis v1.99.1
    Scan saved at 8:39:21 PM, on 9/28/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\QUICKENW\QAGENT.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\wmconnecta\wmtray.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\WMCONN~2\wwm.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://catmx.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://catmx.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
    F2 - REG:system.ini: Shell=Explorer.exe sysinit32m.exe
    O1 - Hosts: x
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Wal-Mart Connect Tray Icon.lnk = C:\Program Files\wmconnecta\wmtray.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9ACE53-D719-41E6-A9D5-AF31374E4811}: NameServer = 205.188.146.145
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
  • edited September 2005
    You need to click on start => run and type regedit and press ok. Perform a full backup :) Then navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and double-click on the shell value. Leave explorer.exe in there, but remove anything else.

    So the contents of the shell value should read:

    Explorer.exe
  • edited September 2005
    Mike1901 wrote:
    You need to click on start => run and type regedit and press ok. Perform a full backup :) Then navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and double-click on the shell value. Leave explorer.exe in there, but remove anything else.

    So the contents of the shell value should read:

    Explorer.exe

    Mike, thanks for the quick response. I went into the registry and there is no directory path that starts with HKLM listed. There are HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG and of course all the sub folders found within each of those... Am I just lost or could I have possibly deleted this particular registry folder altogether? I did delete a few things hastily when I was really fed up with things a month or two ago. (My wife and I have been suffering through this CWS problem since June!)
  • edited September 2005
    HKEY_LOCAL_MACHINE is what HKLM is short for :)
  • edited September 2005
    Doh! I feel dumb now! I'll give it a shot...
  • edited September 2005
    I've followed the directory path down through per your directions (by the way, perform a full backup I took to mean export a copy of the registry file to My Documents) (my important docs and photos are burned to disc) but I don't see anything called Shell.

    The subfolders under winlogon include Credentials, GPExtensions, Notify, and Special Accounts.

    Wanted to check-in again before I wiped all these out.
  • edited September 2005
    I've followed the directory path down through per your directions (by the way, perform a full backup I took to mean export a copy of the registry file to My Documents -- my important docs and photos are burned to disc already) but the problem is I don't see anything called Shell.

    The subfolders under winlogon include Credentials, GPExtensions, Notify, and Special Accounts.

    Wanted to check-in again before I wiped all these out.
  • edited September 2005
    Bad idea, leave them for the time being. I'll take a look when I get back this afternoon. Alternatively, one of the other helpers might come in and sort you out :)

    Cheers
  • edited September 2005
    OK, you're looking for a key under winlogon, NOT another subfolder :)
  • edited October 2005
    Wow, you're gonna need a medal or something after you finish helping me... I get to winlogon and then what do I do? If I right click then a whole bunch of files populate to the right side of the screen. The files are divided into three columns: name, type and data. There are 30-35 files in there. One has an icon with an AB on it and is named Shell. In the data column of that file it reads: Explorer.exe sysinit32m.exe. I'm thinking this is the file that I need to leave? And I delete all the others? The reason I'm not totally confident on this is because it's not just explorer.exe. It also has that sysinit32m.exe and that's the file that my computer says is missing every time it boots up.

    :scratch:
  • edited October 2005
    Wow, you're gonna need a medal or something after you finish helping me... I get to winlogon and then what do I do? If I right click then a whole bunch of files populate to the right side of the screen. The files are divided into three columns: name, type and data. There are 30-35 files in there. One has an icon with an AB on it and is named Shell. In the data column of that file it reads: Explorer.exe sysinit32m.exe. I'm thinking this is the file that I need to leave? And I delete all the others? The reason I'm not totally confident on this is because it's not just explorer.exe. It also has that sysinit32m.exe and that's the file that my computer says is missing every time it boots up.

    :scratch:

    Ah, I see the problem :)

    You need to edit the shell key to just say "Explorer.exe"

    Then reboot :)
  • edited October 2005
    Mike1901 wrote:
    Ah, I see the problem :)

    You need to edit the shell key to just say "Explorer.exe"

    Then reboot :)
    Excellent!! That seems to have fixed things! I really appreciate your help with all this. I'm running Norton Internet and Microsoft Antispyware now. Hope my system stays clean...
  • edited October 2005
    OK, think we can consider this resolved :)
This discussion has been closed.
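
Added example, not part of the original thread: a Python check that scans a HijackThis log for the F2 line reporting the Winlogon Shell value and lists every entry other than Explorer.exe, which is the condition the fix above corrects. The function names are this example's own, the sample lines are copied from the log posted in the thread, and the tokenizer assumes entries are separated by spaces or commas with paths containing spaces quoted.

```python
import re

# Matches the HijackThis F2 line that reports the Winlogon "Shell" value.
F2_SHELL = re.compile(r"^\s*F2 - REG:system\.ini:\s*Shell=(.*)$", re.IGNORECASE)
# One shell entry: a quoted path, or a run of characters without spaces/commas.
TOKEN = re.compile(r'"([^"]+)"|([^\s,]+)')


def shell_entries(value):
    """Split a Shell value into its individual program entries."""
    return [quoted or bare for quoted, bare in TOKEN.findall(value)]


def audit_hjt_log(log_text):
    """Return one finding per F2 Shell line found in a HijackThis log."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = F2_SHELL.match(line)
        if not match:
            continue
        value = match.group(1).strip()
        entries = shell_entries(value)
        # The value the thread restores is the bare name "Explorer.exe".
        # Anything else, including an explorer.exe given with a path,
        # is reported so a person can review it.
        unexpected = [e for e in entries if e.lower() != "explorer.exe"]
        findings.append({
            "line": lineno,
            "value": value,
            "unexpected": unexpected,
            "explorer_present": len(unexpected) < len(entries),
        })
    return findings


# Three lines taken from the log posted in the thread.
SAMPLE_LOG = "\n".join([
    r"O1 - Hosts: x",
    r"F2 - REG:system.ini: Shell=Explorer.exe sysinit32m.exe",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
])

if __name__ == "__main__":
    for finding in audit_hjt_log(SAMPLE_LOG):
        print("log line %d: Shell=%s" % (finding["line"], finding["value"]))
        for entry in finding["unexpected"]:
            print("  review: %s" % entry)
```

An entry reported here is a lead for review rather than proof of infection; in this thread the extra entry pointed at a file that no longer existed, which is why Windows showed the "cannot find" message at every boot.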