Systm.exe owns my computer :)



#1
Chas

I have run Ad-Aware, Search & Destroy, ZoneAlarm's virus checker and Windows Update. Very interested in learning more about HijackThis - finally a simple program that tells me what my computer is doing - although I'll follow your instructions and post a log rather than guessing. Looking forward to your suggestions, and how do I learn more (i.e. to maintain it myself in future)?



Logfile of HijackThis v1.98.2
Scan saved at 9:17:13 PM, on 12/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZoneLabs\isafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\systm.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\systm.exe
C:\WINNT\mdm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\WINNT\system32\crss.exe
C:\Documents and Settings\OEM\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://access3.interiorhealth.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINNT\system32\srchbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
O4 - HKLM\..\Run: [winlog] newweb.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SysTM Security] systm.exe
O4 - HKLM\..\Run: [Win USB] crss.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\RunServices: [winlog] newweb.exe
O4 - HKLM\..\RunServices: [SysTM Security] systm.exe
O4 - HKLM\..\RunServices: [Win USB] crss.exe
O4 - HKLM\..\RunOnce: [Win USB] crss.exe
O4 - HKCU\..\Run: [Configuration Loader] msgfix.exe
O4 - HKCU\..\Run: [Win USB] crss.exe
O4 - HKCU\..\Run: [SysTM Security] systm.exe
O4 - HKCU\..\Run: [System Configurator] systemconfig.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] explore.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKCU\..\Run: [Clock] C:\WINNT\w32tm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://access3.inter...th.ca/msrdp.cab
#2
admin

Welcome to GTG, Chas. First, temporarily disable TeaTimer (click here for instructions).

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes next to only the following items, then click Fix checked.
R3 - Default URLSearchHook is missing
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINNT\system32\srchbar.dll
O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
O4 - HKLM\..\Run: [winlog] newweb.exe
O4 - HKLM\..\Run: [SysTM Security] systm.exe
O4 - HKLM\..\Run: [Win USB] crss.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [satmat] C:\WINNT\satmat.exe
O4 - HKLM\..\RunServices: [winlog] newweb.exe
O4 - HKLM\..\RunServices: [SysTM Security] systm.exe
O4 - HKLM\..\RunServices: [Win USB] crss.exe
O4 - HKLM\..\RunOnce: [Win USB] crss.exe
O4 - HKCU\..\Run: [Configuration Loader] msgfix.exe
O4 - HKCU\..\Run: [Win USB] crss.exe
O4 - HKCU\..\Run: [SysTM Security] systm.exe
O4 - HKCU\..\Run: [System Configurator] systemconfig.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] explore.exe
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKCU\..\Run: [Clock] C:\WINNT\w32tm.exe

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINNT\system32\srchbar.dll
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\newweb.exe
C:\WINNT\system32\systm.exe
C:\WINNT\system32\crss.exe
C:\Program Files\WebSpecials <- this folder
C:\WINNT\satmat.exe
C:\WINNT\system32\newweb.exe
C:\WINNT\system32\systm.exe
C:\WINNT\system32\crss.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\systemconfig.exe
C:\WINNT\system32\explore.exe
C:\WINNT\w32tm.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<

If you would like to learn more about Hijack This, and helping others, see this topic

#3
Chas

Completed above steps, here is revised log:

Logfile of HijackThis v1.98.2
Scan saved at 10:12:40 PM, on 12/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZoneLabs\isafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\Documents and Settings\OEM\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://access3.interiorhealth.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://access3.inter...th.ca/msrdp.cab

Computer seems to start up and shut down much faster. Also used to have computer hang during startup about every three times (reboot would fix) - no longer occurs. Thank you. Couple of comments:
- In c:\winnt\system32 folder, there was also the file "srchbar.dll.manifest" - I deleted this also.
- Your list of files to delete after rebooting in safe mode had four repeats (e.g. 3rd item is same as 8th, 4th same as 9th).
- Did not find "explorer.exe" in system 32 folder, but I did find it in the following folder (which I did not delete): c:\winnt\servicepackfiles\i386
- Found and deleted w32tm.exe in c:\winnt folder, but also found copies in the following three folders (but I did not delete these other copies):
c:\winnt\$ntuninstallkb835732$
c:\winnt\servicepackfiles\i386
c:\winnt\system32

Not sure whether above is of concern. Thanks again for your help.
  • 0
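
An added example, not part of the original posts and not HijackThis's own logic: a small triage of the O4 (autorun) lines that shows why several of the entries removed above stand out, and confirms that none of them remain in the second log. The `SYSTEM` reference table and the three-key threshold are assumptions made for this sketch; the log lines are excerpts from the two logs in this thread.

```python
import re
from collections import defaultdict
# Assumed Windows 2000 reference list (not from the thread): name -> home folder.
SYSTEM = {"csrss.exe": r"c:\winnt\system32", "explorer.exe": r"c:\winnt",
          "w32tm.exe": r"c:\winnt\system32", "svchost.exe": r"c:\winnt\system32"}
O4 = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$", re.M)

# Excerpts of O4 lines from the first and second logs in this thread.
BEFORE = r'''O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SysTM Security] systm.exe
O4 - HKLM\..\Run: [Win USB] crss.exe
O4 - HKLM\..\RunServices: [SysTM Security] systm.exe
O4 - HKLM\..\RunServices: [Win USB] crss.exe
O4 - HKCU\..\Run: [SysTM Security] systm.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] explore.exe
O4 - HKCU\..\Run: [Clock] C:\WINNT\w32tm.exe'''
AFTER = r'''O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"'''

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_path(command):
    """Executable part of an autorun command, lower-cased, quotes removed."""
    m = re.match(r'"?(.*?\.exe)', command, re.I)
    return (m.group(1) if m else command.split()[0]).strip('"').lower()

def triage(log):
    """Map each suspicious O4 value name to the set of reasons it was flagged."""
    keys, flags = defaultdict(set), defaultdict(set)
    for key, name, command in O4.findall(log):
        folder, _, exe = image_path(command).rpartition("\\")
        keys[name].add(key)
        if exe in SYSTEM and folder and folder != SYSTEM[exe]:
            flags[name].add("system name, wrong folder")
        elif exe not in SYSTEM and any(edit_distance(exe, s) == 1 for s in SYSTEM):
            flags[name].add("lookalike name")
        if len(keys[name]) >= 3:
            flags[name].add("same value in 3+ Run keys")
    return dict(flags)

if __name__ == "__main__":
    print(triage(BEFORE), triage(AFTER))
```

An entry given without a path and with a name that resembles no system binary, such as systm.exe, is caught here only by the key-count rule, so a clean result from this triage does not replace reviewing the full log.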

#4
admin


Your list of files to delete after rebooting in safe mode had four repeats (eg. 3rd item is same as 8th, 4th same as 9th).

It's late. <_<

Congratulations! Your system is CLEAN :D

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program, like a missing file, see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :D