Solved

Hijackthis log shows entry for systen.32/What is it?

Posted on 2006-11-06
Last Modified: 2013-12-04
There is a user at our company who is having problems with his taskbar in Windows disappearing. He is a remote user with a laptop. I suggested that he run a full virus scan and an Ewido (spyware removal) scan. The virus scan came back clean, but Ewido found over 400 infections that it either cleaned or quarantined. I then had him go through Add/Remove Programs to remove any suspicious items from the list, as well as his startup group and the startup tab within msconfig. Had him download Sysinternals Autoruns. He said that he did not see anything showing within this application that referenced this "systen32.exe" file. He is still having the same problem with his taskbar disappearing. He is able to alt-tab between applications, but he said that his laptop seems to be having performance (speed) problems since this started happening. I had him download HijackThis and asked that he email me the completed log file. I am pasting it below. I could not find anything that looked malicious within the log except for one line, near the bottom, that caught my attention.

O23 - Service: Windows User Mode Driver Fram - Unknown owner - C:\WINDOWS\systen32.exe

What is this systen.32 (notice the "n")? Is it anything to be concerned about? I am even wondering if it is related to the problem that he is having with his taskbar. I have done a Google search trying to find additional information on this file, but have found very little information on what it is and whether it is something that needs to be removed, and how. Not really sure what to do at this point to resolve this. Any suggestions as soon as possible would be greatly appreciated. Thank you.

Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:49 AM, on 11/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
C:\OfficeScan NT\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\softqu~1\remote~1\raclient\raclient.exe
C:\WINDOWS\system32\svchost.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
c:\_integra\bin\ccmagent.exe
C:\WINDOWS\TEMP\MCBE49.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\VERITAS NetBackup Professional\NBPClientush.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Palm\Palm.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cob00857\Desktop\hijackthis\HijackThis.exe


F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NetBackup Professional Client.lnk = ?
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoverLAN Service (GOVsrv) - PJ Technologies, Inc. - C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VERITAS NetBackup Professional Client Service (NBPClientSvc) - VERITAS Software Corporation - C:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RemoteAgent Client (RemoteAgent) - SoftQuest - c:\progra~1\softqu~1\remote~1\raclient\raclient.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VERITAS NetBackup Professional Persistent Change Journal Service (VChangeLogSvc) - VERITAS Software Corporation - C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - On Technology Corporation - c:\_integra\bin\ccmagent.exe
O23 - Service: Windows User Mode Driver Fram - Unknown owner - C:\WINDOWS\systen32.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Question by:pshalm
7 Comments
LVL 27

Expert Comment

by:David-Howard
ID: 17883903
Check Startup for malicious entries.
How to use MSConfig (Directions with screen shots)
http://www.netsquirrel.com/msconfig/
For Windows 2000 operating systems you can download and run
MSCONFIG from this location.
http://www.techadvice.com/win2000/m/msconfig_w2k.htm

To check for malware run one or more of these free utilities in Safe Mode.
(Clear your IE temp files first.)

Anti-Malware suites.
Spybot:
http://www.safer-networking.org/en/download/index.html
AdAware:
http://www.lavasoftusa.com/products/ad-aware_se_personal.php
You might also want to try Ewido:
http://www.ewido.net/en/
Microsoft also has a free suite.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
I normally use two or three suites together for more complete scans.

Go here for a wide variety of free anti-malware and anti-virus suites.
http://www.freebyte.com/antivirus/

The systen32 is listed within an area of Windows NT Services.
I was unable to locate any malicious activity associated with this file.

Author Comment

by:pshalm
ID: 17889195
Thank you for your comments, but as I stated in the original post, we had already gone through msconfig.  Ewido has been run in safe mode as well as spybot and lavasoft adaware.  Using 'Autoruns', he removed the checkbox by systen.32 and rebooted.  After running hijackthis again, there is no longer a reference to it, but he is still having a problem with his taskbar disappearing.  Starting to wonder if this is spyware or virus related at all...  Just to satisfy my own curiosity, does anyone know what this systen32.exe file is and/or what it is related to?  If anyone else has any suggestions about the taskbar disappearing, that would be helpful as well.  I believe that I forgot to mention in the original post that this is a Dell Latitude D810 laptop running WinXp Pro on SP2.
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 17894029
The real "Windows User Mode Driver Framework" O23 entry has a service name --> UMWdf

The one showing in your log not only has a wrong display name --> Windows User Mode Driver Fram
it also has a very distinguishing malware name --> C:\WINDOWS\systen32.exe

SDBot/IRCBot normally has similar signatures, so I'd say that service is a bad service. Even if it is the real UMWdf (which I doubt very much) it is still safe to disable.

Stop and disable the service, rename the file and see if it helps, and then run RBot/SDBot scanners like the MS Malicious Software Removal Tool or other reliable scanners; Microsoft sometimes doesn't detect them.
http://support.microsoft.com/?kbid=890830


C:\WINDOWS\systen32.exe <-- the best would be to have this file submitted to jotti.org for a check.
http://virusscan.jotti.org/
LVL 66

Expert Comment

by:johnb6767
ID: 17894203
Also, does this c:\_integra\bin\shstart.exe look familiar to you? If not, remove it. Could be related to the Taskbar. Also, are you using Roaming profiles or any other types of Folder Redirection?

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe


Also remove
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


Here is a free utility to help with a lot of Taskbar problems...

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
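The two checks the experts apply above (rpggamergirl's point that the service display name is truncated and the binary name is a one-letter lookalike of system32 living in the Windows root with "Unknown owner", and johnb6767's point that anything appended to the Winlogon UserInit value runs at every logon) can be scripted so the same triage is repeatable across a fleet of HijackThis logs. The following Python is an added example, not code from this thread or from HijackThis itself. The sample lines are constructed in the shape of the posted log; the known-service table (only the UMWdf entry the accepted answer states), the list of protected file names, the 0.85 similarity threshold and the "Windows root" heuristic are all assumptions the reader should tune against a clean build of the same corporate image.

```python
"""Triage HijackThis O23 (service) and F2 (UserInit) lines for masquerading.

Added example; not code from the thread or from HijackThis itself.
"""
import re
from difflib import SequenceMatcher

# Constructed sample lines, in the shape of the log posted above.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=c:\\windows\\system32\\userinit.exe,c:\\_integra\\bin\\shstart.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\\WINDOWS\\system32\\brsvc01a.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\\Program Files\\Juniper Networks\\Common Files\\dsNcService.exe
O23 - Service: Windows User Mode Driver Fram - Unknown owner - C:\\WINDOWS\\systen32.exe
"""

# Genuine display name -> service name, as stated in the accepted answer.
# Assumption: extend this table from a known-clean machine of the same build.
KNOWN_DISPLAY_NAMES = {"Windows User Mode Driver Framework": "UMWdf"}
# Assumption: names malware commonly imitates; one edit away counts as a lookalike.
PROTECTED_STEMS = {"system32", "svchost", "lsass", "services", "winlogon", "csrss", "smss"}

# HijackThis prints:  O23 - Service: <display> [(<service name>)] - <owner> - <path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$"
)
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file-name stems, so plain DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_service(display, short, owner, path):
    """Return the reasons one O23 entry deserves a look; [] means nothing odd."""
    reasons = []
    p = path.strip().lower()
    parent, _, fname = p.rpartition("\\")
    stem = fname[:-4] if fname.endswith(".exe") else fname
    if owner.strip().lower() == "unknown owner":
        reasons.append("binary carries no company/version info (Unknown owner)")
    # Assumption: legitimate service binaries live under system32 or Program Files,
    # not directly in the Windows directory.
    if re.fullmatch(r"[a-z]:\\(windows|winnt)", parent):
        reasons.append("binary sits in the Windows root, not system32 or Program Files")
    for prot in sorted(PROTECTED_STEMS):
        if stem != prot and edit_distance(stem, prot) == 1:
            reasons.append(f"file name {fname!r} is one edit away from {prot}.exe")
    for known, svc in KNOWN_DISPLAY_NAMES.items():
        if display == known:
            if short != svc:
                reasons.append(f"display name is genuine but service name is {short!r}, expected {svc!r}")
        elif SequenceMatcher(None, display.lower(), known.lower()).ratio() > 0.85:
            reasons.append(f"display name imitates {known!r} (real service name {svc!r})")
    return reasons


def triage_userinit(value):
    """Everything after userinit.exe in the UserInit value runs at every logon."""
    parts = [x.strip() for x in value.split(",") if x.strip()]
    return [x for x in parts if not x.lower().endswith("\\userinit.exe")]


def triage_log(text):
    """Scan a whole log; map each flagged entry to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        m = O23_RE.match(line)
        if m:
            reasons = triage_service(m["display"], m["short"], m["owner"], m["path"])
            if reasons:
                findings[m["path"]] = reasons
            continue
        m = F2_RE.match(line)
        if m:
            extras = triage_userinit(m["value"])
            if extras:
                findings["UserInit"] = [f"extra logon program: {x}" for x in extras]
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

On the constructed sample the systen32.exe service collects all four service findings (unknown owner, Windows-root location, lookalike file name, near-match display name), the three vendor services collect none, and the UserInit line surfaces shstart.exe for review. A hit on the UserInit check is not proof of malware; as the thread shows, it can be part of the corporate build, so compare it against a reference image before removing anything.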
LVL 66

Expert Comment

by:johnb6767
ID: 17894246
As for the Systen32.exe, rpggamergirl said it best about the similar signatures.
Anything that morphs itself into a misspelled Service is usually bad.

Author Comment

by:pshalm
ID: 17899139
Great information...  Thank you.

I am going to give the above options a try and will post the results as soon as I have them.

Author Comment

by:pshalm
ID: 17903681
Johnb6767, thank you for your help. Fortunately, we did not have to use the taskbar utility that you mentioned, but it is good to know about. The entries that you mentioned are related to our corporate laptop configurations.

Rpggamergirl...you rock!!  After disabling the service that you referenced, this seemed to take care of the problem.  His taskbar has not disappeared since.  Thank You.  :-)