Solved

Hijackthis log shows entry for systen.32/What is it?

Posted on 2006-11-06
7
1,195 Views
Last Modified: 2013-12-04
There is a user at our company that is having problems with his taskbar in windows disappearing.  He is a remote user with a laptop.  I suggested that he run a full virus scan, Ewido (spyware removal) scan.  Virus scan came back clean, but Ewido found over 400 infections that it either cleaned or quarenteened..  I then had him go though add/remove programs to remove any suspicious items from the list as well as his startup group and startup tab within msconfig.  Had him download sysinternals autoruns.  He said that he did not see anything showing within this application that referenced this "systen32.exe" file.  He is is still having the same problem with his taskbar disappearing.  He is able to alt-tab between applications, but he said that his laptop seems to be having performance (speed) problems since this started happening.  I had him download hijackthis and asked that he email me the completed log file.  I am pasting it below.  I could not find anything that looked malicious within the log except for one line, near the bottom, that caught my attention.

O23 - Service: Windows User Mode Driver Fram - Unknown owner - C:\WINDOWS\systen32.exe

What is this systen.32 (notice the "n") ??  Is it anything to be concerned about?  I am even wondering if it is related to the problem that he is having with his taskbar.  I have done a google search trying to find additional information on this file, but have found very little information on what it is and if it is something that needs to be removed and how.  Not really sure what to do at this point to resolve this.  Any suggestions as soon as possible would be greatly appreciated  Thank You.

Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:49 AM, on 11/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
C:\OfficeScan NT\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\softqu~1\remote~1\raclient\raclient.exe
C:\WINDOWS\system32\svchost.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
c:\_integra\bin\ccmagent.exe
C:\WINDOWS\TEMP\MCBE49.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\VERITAS NetBackup Professional\NBPClientush.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Palm\Palm.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cob00857\Desktop\hijackthis\HijackThis.exe


F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NetBackup Professional Client.lnk = ?
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoverLAN Service (GOVsrv) - PJ Technologies, Inc. - C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VERITAS NetBackup Professional Client Service (NBPClientSvc) - VERITAS Software Corporation - C:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RemoteAgent Client (RemoteAgent) - SoftQuest - c:\progra~1\softqu~1\remote~1\raclient\raclient.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VERITAS NetBackup Professional Persistent Change Journal Service (VChangeLogSvc) - VERITAS Software Corporation - C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - On Technology Corporation - c:\_integra\bin\ccmagent.exe
O23 - Service: Windows User Mode Driver Fram - Unknown owner - C:\WINDOWS\systen32.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


0
Comment
Question by:pshalm
7 Comments
 
LVL 27

Expert Comment

by:David-Howard
ID: 17883903
Check Startup for malicious entries.
How to use MSConfig (Directions with screen shots)
http://www.netsquirrel.com/msconfig/
For Windows 2000 operating systems you can download and run
MSCONFIG from this location.
http://www.techadvice.com/win2000/m/msconfig_w2k.htm

To check for malware run one or more of these free utilities in Safe Mode.
(Clear your IE temp files first.)

Anti-Malware suites.
Spybot:
http://www.safer-networking.org/en/download/index.html
AdAware:
http://www.lavasoftusa.com/products/ad-aware_se_personal.php
You might also want to try Ewido:
http://www.ewido.net/en/
Microsoft also has a free suite.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
I normally use two or three suites together for more complete scans.

Go here for a wide varitey of free anti-malware and anti-virus suites.
http://www.freebyte.com/antivirus/

The systen32 is listed within an area of Windows NT Services.
I was unable to locate any malicious activity associated with this file.
0
 

Author Comment

by:pshalm
ID: 17889195
Thank you for your comments, but as I stated in the original post, we had already gone through msconfig.  Ewido has been run in safe mode as well as spybot and lavasoft adaware.  Using 'Autoruns', he removed the checkbox by systen.32 and rebooted.  After running hijackthis again, there is no longer a reference to it, but he is still having a problem with his taskbar disappearing.  Starting to wonder if this is spyware or virus related at all...  Just to satisfy my own curiosity, does anyone know what this systen32.exe file is and/or what it is related to?  If anyone else has any suggestions about the taskbar disappearing, that would be helpful as well.  I believe that I forgot to mention in the original post that this is a Dell Latitude D810 laptop running WinXp Pro on SP2.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 17894029
The real "Windows User Mode Driver Framework" 023 entry has a service name --> UMWdf

the one showing in your log not only has a wrong display name -->Windows User Mode Driver Fram
it also has a very distinguishing malware name --> C:\WINDOWS\systen32.exe

SDBot/IRCBot normally has this similar signatures, so I'd say that service is a bad service. Even if it is the real UMWdf(which I doubt very much) it is still safe to disable.

Stop and disable the service and rename the file and see if it helps and then run RBot/SDBot scanners like MS Malicious Removal tool or other reliable scanners, microsoft sometimes doesn't detect them.
http://support.microsoft.com/?kbid=890830


C:\WINDOWS\systen32.exe <-- the best would be to have this file submitted to jotti.org for a check.
http://virusscan.jotti.org/
0
Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

 
LVL 66

Expert Comment

by:johnb6767
ID: 17894203
Also, does this c:\_integra\bin\shstart.exe look familiar to you? If not remove it.Could be related to teh Taskbar. Also, are you using Roaming profiles or any other types of Folder Redirection?

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe


Also remove
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


Also, are you using Roaming profiles or any other types of Folder Redirection?

Here is a free utility to help with alot of Toolbar problems...

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 17894246
As for the Systen32.exe, rpggamergirl said it best about the similar signatures.
Anything that morphs itself into a misspelled Service is usually bad.
0
 

Author Comment

by:pshalm
ID: 17899139
Great information...  Thank you.

I am going to give the above options a try and will post the results as soon as I have them.
0
 

Author Comment

by:pshalm
ID: 17903681
Johnb6767.  Thank you for your help.  Fortunately, we did not have to use the taskbar utility that you mentioned, but good to know about.  The entries that you mentioned are related to our corporate laptop configurations.

Rpggamergirl...you rock!!  After disabling the service that you referenced, this seemed to take care of the problem.  His taskbar has not disappeared since.  Thank You.  :-)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now