System 32 registry issue

Discussion in 'Malware Help (A Specialist Will Reply)' started by pparring, Mar 24, 2006.

  1. pparring

    pparring Private E-2

    Hi all,
    I have my laptop split into two desktops, one for me and one for my wife.
    Mine loads fine but when she loads hers, she gets a message: "Could not load or run C:\windows\system32\services\msxmidi.exe specified in registry. Make sure the file exists on your computer or remove the reference to it in the registry."
    Any suggestions on how to correct this?
    Thanks in advance
    Pat
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Sounds like you may have malware. That file is a CoolWebSearch parasite variant, identified by Kaspersky antivirus as trojanDropper.Win32.Small.cw.

    If you have this problem, you could have others. Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  3. pparring

    pparring Private E-2

    I ran all the scans as directed. Each of them found something.
    I am still having the same message appear so I am posting the three log attachments as requested. I appreciate the help.

    I also have a couple additional questions. Is any of this responsible for my poor download performance?
    Also, I have Webroot Spysweeper, an old version of Norton Internet Security and eTrust EZ antivirus. Do I need any of these since none of them appeared to catch all of the junk that the scans you had me run found?
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must attach HijackThis logs from normal boot mode and you must not use msconfig to control startups! Read step 7 and its link again. Please run msconfig and select Normal Startup and then reboot and attach a new HJT log. You have a few issues. One is a WareOut infection!

    You must ONLY RUN ONE antivirus program (see step 3 of the READ ME). So if you have more than one installed, uninstall ALL BUT ONE.

    You said Norton is old! Is it still supported? Do you still get updates for it? If not, it is almost useless!
     
  5. pparring

    pparring Private E-2

    OK, sorry about that. I didn't get it about the normal mode the first time.
    Here is the new HijackThis log.
    I only have the one antivirus and the Norton is not supported but it does still appear to catch stuff as I get an intrusion detection pop-up every now and then. Should I get rid of it? Also, should I not renew the Spysweeper since the downloads I got from this site seem to do the same thing?
    Thanks for the help!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You have eTrust and Symantec/Norton. Decide which one (if any of these) you want to keep and uninstall the other. If you do not want to keep either, uninstall them both. Then reboot and try using one of the free ones mentioned in this link in step 2:

    How to Protect yourself from malware!

    Yes, using it instead of nothing would be okay. But an outdated antivirus (or antispyware) program is not too good since many more malware problems or variations of old malware problems arrive daily. If you do not stay current, you are just asking for trouble.

    If you do not mind buying, Spy Sweeper is highly recommended. It is the best out there! It is far better than the free items. But if you do not want to buy anything, you can get along reasonably well on other tools we recommend.

    Okay, let's work on your malware problems!

    Look in Add/Remove programs for UnSpyPC and uninstall if found (this is commonly found with WareOut. If you don't see it, don't worry about it. Just continue!)

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    • Save it to your desktop and then run it by double clicking on it. It creates a folder named c:\fixwareout.
    • Click Next, then Install.
    • Then make sure Run fixit is checked (this runs C:\fixwareout\fixit.bat). And then click Finish.
    • The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so.
    • Your system may take longer than usual to load; this is normal.
    • When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items if they still exist:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?bzbjr (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F3 - REG:win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O15 - Trusted Zone: *.horse-active.net (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{183D0DD8-5E64-42BE-A5A0-7C843D13B7C1}: NameServer = 85.255.115.54,85.255.112.9
    O17 - HKLM\System\CCS\Services\Tcpip\..\{21127B8A-0DA5-40B7-9345-E85CB51F856D}: NameServer = 85.255.115.54,85.255.112.9
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E3C80D9D-B190-4DEB-8BD3-0740DFFE7AEB}: NameServer = 85.255.115.54,85.255.112.9
    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini (file missing)

    After clicking Fix Checked, close HijackThis, and click OK to proceed.

    At the end of the fix, reboot into safe mode and use Windows Explorer to double check for the below files and delete if found:
    C:\Program Files\PartyPoker <--- delete the whole folder if found
    C:\Program Files\UnSpyPC <--- delete the whole folder if found
    C:\WINDOWS\System32\services\msxmidi.exe

    Now reboot into normal mode and please attach the contents of the logfile C:\fixwareout\report.txt

    There could be additional cleanup to do from Wareout and the log will let us know.

    Also attach a new HijackThis log.
     
  7. pparring

    pparring Private E-2

    I never found UnSpyPC.
    I downloaded the Fixwareout and ran it. However, after the reboot there were no prompts and it did not automatically run HijackThis. I ran HJT myself and checked and fixed the items on your list.
    I rebooted in safe mode and did not find any of the three files listed.
    I rebooted in normal mode and reran HJT again and am attaching this final report along with the Wareout report.

    Please note that after this last reboot, the error message regarding system 32 still pops up; however, I do not have a services folder in windows/system32.

    Thanks for hanging in there with me!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not respond about the two antivirus applications.

    Also you did not attach any logs!
     
  9. pparring

    pparring Private E-2

    Sorry about that, I uninstalled the Norton.
    Here are the logs
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Shut down Windows Defender before doing the below steps!

    NOTE: You more than likely do not use Windows Messenger so I included it in the fixes below so it does not waste any system resources. It can also be a source of popups. If you do use it (99% of all people do not) and don't confuse it with MSN Messenger, just skip those three lines.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but IMPORTANT!!!! DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?bzbjr (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F3 - REG:win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.horse-active.net (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\services\msxmidi.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.
    Tell me whether you locate and find this msxmidi.exe file or not, and whether it deleted.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK.
    Now reboot in normal mode and post a new HJT log.
    NOTE: If you get a message from Windows Defender about changes to Start,Home, or Search pages, make sure you approve the change since we are the ones making the change.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
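The two HijackThis lists chaslang posted above (in this reply and the earlier FixWareout reply) share a recognisable pattern: a win.ini `run=` autostart pointing into System32\services, an orphaned URLSearchHook, obfuscated IE search pages, a Trusted Zone entry, a changed protocol default and O17 NameServer entries pointing at outside DNS servers. The script below is an added example, not something from the thread, from HijackThis or from MajorGeeks: it triages a pasted HJT log and flags those entry types automatically, so a helper can spot the same pattern in a new log without reading every line. The sample log is constructed from the entries quoted in the thread, and the `TRUSTED_SEARCH_HOSTS` and `EXPECTED_NAMESERVERS` allowlists are assumptions that would be adjusted for the machine being looked at. O4 autostart entries (such as the Windows Messenger line) are listed for review rather than flagged, since the thread treats that one as a resource issue rather than malware.

```python
"""Triage a HijackThis (HJT) log for the indicator types discussed in this thread.

Added example; not the thread's or HijackThis's own code. Sample log lines are
constructed from entries quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log: the thread's malware entries plus one benign O4 line.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\System32\services\msxmidi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{183D0DD8-5E64-42BE-A5A0-7C843D13B7C1}: NameServer = 85.255.115.54,85.255.112.9
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini (file missing)
"""

# Assumed allowlists (constructed for this example; adjust per machine).
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.google.com"}
EXPECTED_NAMESERVERS = {"192.168.1.1"}  # e.g. the home router / ISP resolver


@dataclass
class Finding:
    section: str  # HJT section tag such as "O17"
    reason: str
    line: str


_SECTION_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
_URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
_WININI_RE = re.compile(r"win\.ini:\s*(run|load)=(.+)$", re.IGNORECASE)
_NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")


def _unexpected_resolver(ip: str) -> bool:
    """True for a resolver that is public and not on the expected list."""
    if ip in EXPECTED_NAMESERVERS:
        return False
    try:
        return not ipaddress.ip_address(ip).is_private
    except ValueError:
        return True  # malformed address is itself worth a look


def triage_hjt_log(text: str) -> List[Finding]:
    """Return the log entries that match the indicator types from the thread."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if not m:
            continue
        sec, body = m.groups()
        if sec in ("R0", "R1"):
            host = _URL_HOST_RE.search(body)
            if "(obfuscated)" in body:
                findings.append(Finding(sec, "IE start/search page points at an obfuscated URL", line))
            elif host and host.group(1).lower() not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding(sec, f"IE start/search page set to unrecognised host {host.group(1)}", line))
        elif sec == "R3" and "(no file)" in body:
            findings.append(Finding(sec, "orphaned URLSearchHook (CLSID registered, no file on disk)", line))
        elif sec == "F3":
            w = _WININI_RE.search(body)
            if w and w.group(2).strip():  # legacy win.ini autostart should normally be empty
                findings.append(Finding(sec, f"legacy win.ini {w.group(1)}= autostart: {w.group(2).strip()}", line))
        elif sec == "O15":
            if body.startswith("Trusted Zone:"):
                findings.append(Finding(sec, "site added to IE Trusted Zone", line))
            elif "should be" in body:
                findings.append(Finding(sec, "IE protocol default zone changed", line))
        elif sec == "O17":
            n = _NAMESERVER_RE.search(body)
            if n:
                ips = [ip.strip() for ip in n.group(1).split(",") if ip.strip()]
                bad = [ip for ip in ips if _unexpected_resolver(ip)]
                if bad:
                    findings.append(Finding(sec, f"DNS resolvers changed to unexpected servers {', '.join(bad)}", line))
        elif sec == "O19" and "(file missing)" in body:
            findings.append(Finding(sec, "user stylesheet entry points at a missing file", line))
    return findings


def autostarts(text: str) -> List[str]:
    """O4 startup entries, listed for human review rather than flagged."""
    return [l.strip() for l in text.splitlines() if l.strip().startswith("O4 - ")]


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("Autostarts to review:", *autostarts(SAMPLE_HJT_LOG), sep="\n    ")
```

Paste a saved HJT log in place of the sample and every entry that matches one of the thread's indicator types is reported with the reason; entries the script does not understand are simply skipped, so it supplements rather than replaces reading the log.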
  11. pparring

    pparring Private E-2

    Well, I think it worked. Here is the last HJT log and the items you posted are gone. I also did not get the error message upon the final reboot in normal mode.
    The only thing I did not find was the windows/system32/services folder. There was no services folder even after I enabled hidden files.
    Everything else worked like a charm.
    I guess I only need to disable System Restore but I will wait to hear back from you.
    If I am good to go then I just have the following questions.
    I have the antivirus, Windows Defender and Spysweeper. Can they all run at the same time? Should they all run all the time?
    Any other products you recommend?
    Should I run other scans with the products you had me install periodically? (AdAware, Spybot) Or delete these?
    I use CCleaner about once a week already.
    Thanks,
    Pat
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your Spy Sweeper version is the paid subscription version (not the free version) then keep it and uninstall MS Windows Defender. Otherwise uninstall Spy Sweeper. You only want one full blocking/scanning/removal antispyware tool like this installed and active.

    Covered in my final instructions.

    Yes, a weekly run would not hurt. These additional tools are acceptable to keep at the same time as Spy Sweeper (or Windows Defender) because they are only scanners and are not always active. Spybot does provide some other protection due to the Immunize feature but this requires no resources and does not conflict with the other tools.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
