Link to home
Start Free TrialLog in
Avatar of pshalm
pshalm

asked on

Hijackthis log shows entry for systen.32/What is it?

There is a user at our company that is having problems with his taskbar in windows disappearing.  He is a remote user with a laptop.  I suggested that he run a full virus scan, Ewido (spyware removal) scan.  Virus scan came back clean, but Ewido found over 400 infections that it either cleaned or quarenteened..  I then had him go though add/remove programs to remove any suspicious items from the list as well as his startup group and startup tab within msconfig.  Had him download sysinternals autoruns.  He said that he did not see anything showing within this application that referenced this "systen32.exe" file.  He is is still having the same problem with his taskbar disappearing.  He is able to alt-tab between applications, but he said that his laptop seems to be having performance (speed) problems since this started happening.  I had him download hijackthis and asked that he email me the completed log file.  I am pasting it below.  I could not find anything that looked malicious within the log except for one line, near the bottom, that caught my attention.

O23 - Service: Windows User Mode Driver Fram - Unknown owner - C:\WINDOWS\systen32.exe

What is this systen.32 (notice the "n") ??  Is it anything to be concerned about?  I am even wondering if it is related to the problem that he is having with his taskbar.  I have done a google search trying to find additional information on this file, but have found very little information on what it is and if it is something that needs to be removed and how.  Not really sure what to do at this point to resolve this.  Any suggestions as soon as possible would be greatly appreciated  Thank You.

Hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:49 AM, on 11/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
C:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
C:\OfficeScan NT\ntrtscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\softqu~1\remote~1\raclient\raclient.exe
C:\WINDOWS\system32\svchost.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
c:\_integra\bin\ccmagent.exe
C:\WINDOWS\TEMP\MCBE49.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\VERITAS NetBackup Professional\NBPClientush.exe
C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Palm\Palm.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cob00857\Desktop\hijackthis\HijackThis.exe


F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NetBackup Professional Client.lnk = ?
O4 - Global Startup: OKI LPR Utility.lnk = C:\Program Files\Okidata\OKI LPR Utility\okilpr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CentennialClientAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\CAgent32.exe
O23 - Service: CentennialIPTransferAgent - Centennial UK Ltd.  - C:\Centenn.ial\Audit\xferwan.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoverLAN Service (GOVsrv) - PJ Technologies, Inc. - C:\Program Files\PJ Technologies\GOVsrv\GOVsrv.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VERITAS NetBackup Professional Client Service (NBPClientSvc) - VERITAS Software Corporation - C:\Program Files\VERITAS NetBackup Professional\System\NBPClientSvcush.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RemoteAgent Client (RemoteAgent) - SoftQuest - c:\progra~1\softqu~1\remote~1\raclient\raclient.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe
O23 - Service: VERITAS NetBackup Professional Persistent Change Journal Service (VChangeLogSvc) - VERITAS Software Corporation - C:\Program Files\Common Files\VERITAS Shared\ChangeLog\VChangeLogSvcu.exe
O23 - Service: Symantec LiveState Agent for Windows (WControl) - On Technology Corporation - c:\_integra\bin\ccmagent.exe
O23 - Service: Windows User Mode Driver Fram - Unknown owner - C:\WINDOWS\systen32.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Avatar of David-Howard
David-Howard

Check Startup for malicious entries.
How to use MSConfig (Directions with screen shots)
http://www.netsquirrel.com/msconfig/
For Windows 2000 operating systems you can download and run
MSCONFIG from this location.
http://www.techadvice.com/win2000/m/msconfig_w2k.htm

To check for malware run one or more of these free utilities in Safe Mode.
(Clear your IE temp files first.)

Anti-Malware suites.
Spybot:
http://www.safer-networking.org/en/download/index.html
AdAware:
http://www.lavasoftusa.com/products/ad-aware_se_personal.php
You might also want to try Ewido:
http://www.ewido.net/en/
Microsoft also has a free suite.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
I normally use two or three suites together for more complete scans.

Go here for a wide varitey of free anti-malware and anti-virus suites.
http://www.freebyte.com/antivirus/

The systen32 is listed within an area of Windows NT Services.
I was unable to locate any malicious activity associated with this file.
Avatar of pshalm

ASKER

Thank you for your comments, but as I stated in the original post, we had already gone through msconfig.  Ewido has been run in safe mode as well as spybot and lavasoft adaware.  Using 'Autoruns', he removed the checkbox by systen.32 and rebooted.  After running hijackthis again, there is no longer a reference to it, but he is still having a problem with his taskbar disappearing.  Starting to wonder if this is spyware or virus related at all...  Just to satisfy my own curiosity, does anyone know what this systen32.exe file is and/or what it is related to?  If anyone else has any suggestions about the taskbar disappearing, that would be helpful as well.  I believe that I forgot to mention in the original post that this is a Dell Latitude D810 laptop running WinXp Pro on SP2.
ASKER CERTIFIED SOLUTION
Avatar of rpggamergirl
rpggamergirl
Flag of Australia image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Also, does this c:\_integra\bin\shstart.exe look familiar to you? If not remove it.Could be related to teh Taskbar. Also, are you using Roaming profiles or any other types of Folder Redirection?

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe


Also remove
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


Also, are you using Roaming profiles or any other types of Folder Redirection?

Here is a free utility to help with alot of Toolbar problems...

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
As for the Systen32.exe, rpggamergirl said it best about the similar signatures.
Anything that morphs itself into a misspelled Service is usually bad.
Avatar of pshalm

ASKER

Great information...  Thank you.

I am going to give the above options a try and will post the results as soon as I have them.
Avatar of pshalm

ASKER

Johnb6767.  Thank you for your help.  Fortunately, we did not have to use the taskbar utility that you mentioned, but good to know about.  The entries that you mentioned are related to our corporate laptop configurations.

Rpggamergirl...you rock!!  After disabling the service that you referenced, this seemed to take care of the problem.  His taskbar has not disappeared since.  Thank You.  :-)