Full Version: System32.exe Error - majorlx's thread
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
majorlx
I have the exact same problem as Kim.rasmussen. Can someone please assist me as well? Here is my HijackThis log file.


Logfile of HijackThis v1.97.7
Scan saved at 9:17:24 PM, on 3/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\SPOOLSVC.exe
C:\WINDOWS\System32\PELMICED.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\AOL Instant Messanger\aim.exe
C:\WINDOWS\System32\SPOOLSVC.exe
D:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
D:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
D:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
D:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Osman\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "D:\PROGRA~1\AOLINS~1\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SPOOL Configuration] SPOOLSVC.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] D:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\RunServices: [SPOOL Configuration] SPOOLSVC.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] D:\Program Files\AOL Instant Messanger\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SPOOL Configuration] SPOOLSVC.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8066.6930208333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
CalamityJane
You have a trojan (or two).

Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

First please go to this site and scan these two files (if found)
Single file check (KAV)
http://www.kaspersky.com/remoteviruschk.html

C:\WINDOWS\System32\System32.exe

C:\WINDOWS\System32\SPOOLSVC.exe  <--- slight difference in spelling from the legitimate "spoolsv" (no c on the end)

Please copy the report at the end of the scan for each and post the results back here. This is so we can help you identify what trojan you have running and can take appropriate measures.

Then,
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

In Task Manager (Ctrl-Alt-Delete), if you see System32.exe and/or spoolsvc.exe (note the extra c on the end of that one) running, right-click on each one and choose End Process. Close Task Manager.

With only HijackThis open, and ALL other browsers and windows closed, put a check beside the following items and click Fix checked:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

O4 - HKLM\..\Run: [SPOOL Configuration] SPOOLSVC.exe

O4 - HKLM\..\RunServices: [SPOOL Configuration] SPOOLSVC.exe

O4 - HKCU\..\Run: [SPOOL Configuration] SPOOLSVC.exe

Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Delete the following files and/or folder named in bold

C:\WINDOWS\System32\System32.exe

C:\WINDOWS\System32\SPOOLSVC.exe

Reboot back into normal mode, and I would suggest an online AV scan (preferably two) to be sure they are all gone:

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx

If any infected files are found let them clean or delete them.

Scan once more with HijackThis and post a new log back here please.
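The two tells in this log, a Shell= line that launches something besides Explorer.exe and a Run-key entry named one letter away from the real spoolsv.exe, can be checked mechanically. The script below is an added example for readers of this thread, not part of HijackThis or of the posts above: it parses F0/F2 Shell= lines and O4 Run/RunServices lines in the format posted here and flags a Shell= value that is not exactly Explorer.exe, an executable whose name differs from a genuine Windows system binary by a single edit (SPOOLSVC.exe versus spoolsv.exe), and an executable named after a Windows folder (System32.exe). The list of genuine binaries, the folder-name list and the sample lines (copied from the log above) are my own constructions; extend the lists for your own environment.

```python
import re

# Constructed sample: the F0/F2 lines and a subset of the O4 lines from the
# HijackThis log posted earlier in this thread, verbatim.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SPOOL Configuration] SPOOLSVC.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [SPOOL Configuration] SPOOLSVC.exe
O4 - HKCU\..\Run: [SPOOL Configuration] SPOOLSVC.exe
"""

# Genuine Windows system binaries that malware imitates with one-letter changes.
# Assumption: a short starter list; add the names that matter on your systems.
LEGIT_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
}

# Folder names that are suspicious when used as an executable's own file name.
FOLDER_LIKE_NAMES = {"system32", "windows", "system"}

SHELL_RE = re.compile(r"^(F0|F2) - (?:REG:)?system\.ini: Shell=(.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(command: str) -> str:
    """Lowercase file name of the program a Run/Shell command line launches."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        program = command.split()[0]             # bare name or unquoted path
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_of(name: str):
    """Return the genuine binary `name` is one edit away from, or None."""
    if name in LEGIT_SYSTEM_BINARIES:
        return None                              # the real thing, not a lookalike
    stem = name.rsplit(".", 1)[0]
    for legit in sorted(LEGIT_SYSTEM_BINARIES):
        if edit_distance(stem, legit.rsplit(".", 1)[0]) == 1:
            return legit
    return None


def analyze(log_text: str):
    """Return (section, entry, reason) findings for the patterns described above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SHELL_RE.match(line)
        if m:
            section, value = m.groups()
            programs = value.split()
            # Shell= should be exactly Explorer.exe; anything else on the line is
            # started on every logon alongside (or instead of) the real shell.
            if len(programs) != 1 or programs[0].lower() != "explorer.exe":
                findings.append((section, value, "Shell= is not exactly Explorer.exe"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, label, command = m.groups()
            exe = executable_of(command)
            entry = f"{hive}\\..\\{key}: [{label}]"
            twin = lookalike_of(exe)
            if twin:
                findings.append(("O4", entry, f"{exe} is a one-character lookalike of {twin}"))
            if exe.rsplit(".", 1)[0] in FOLDER_LIKE_NAMES:
                findings.append(("O4", entry, f"{exe} is named after a Windows folder"))
    return findings


if __name__ == "__main__":
    for section, entry, reason in analyze(SAMPLE_LOG):
        print(f"[{section}] {entry}: {reason}")
```

On the sample above this reports the two Shell= lines and the three SPOOLSVC.exe Run entries, and nothing for the Symantec, NVIDIA or SoundMan lines. The lookalike check deliberately compares file names only: a legitimate spoolsv.exe is also identified by living in System32 and being started by the Service Control Manager, not by a Run key, so a match here is a reason to scan the file (as the reply suggests), not proof by itself.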