This is a description of a fix for the systemnt.exe infection.
The most recent copy of this document is available here:



This document describes one solution for removing systemnt.exe from Windows-based systems.

"systemnt.exe" is believed to be a backdoor trojan; the delivery
mechanism is unclear, but at this point it looks like it must be a
worm. It's something new: as of June 24, 2004, this is the only
available documentation on the subject.

systemnt.exe has been found running on both Windows XP Pro and
Windows 2000 Server machines, all of which were fully patched before
the infection. The program is not discovered by AdAware, Spybod S&D
or SpySweeper.

The symptoms of systemnt.exe are:

* Pornographic Internet Explorer popups.
* Serious performance problems.
* One or more instances of systemnt.exe running in the Task Manager.

There may be others; I am not an experienced systems analyst, and
have not done a full diagnosis of what other parts of the system
might be affected.


Once you find out that it's running on the system, you must not log
in to that machine as administrator directly. If you do, the program
will use your privileges to install itself as a service, which will
be running as LOCAL_MACHINE after the next reboot. Instead, follow
the following steps:

1. Log the user out and restart the computer.
2. Hit F8 after the BIOS posts, to get into the WinXP boot menu.
3. Choose "Safe Mode With Command Prompt"
4. From the comand prompt, type:

cd c:\windows\system32\
attrib -s -h -r systemnt.exe
delete systemnt.exe

5. Reboot and log in as administrator normally.
6. Run RegEdit, search for "systemnt.exe" and delete all
registry entries you find. Save and reboot.

Until the actual effects of this program are understood, infected
machines should not be trusted.

I have been informed that if you are using McAfee version 7, you can
take the following steps to prevent reinfection.

1. Open up the "On-access Scan Properties" dialog.
2. click "All Processes" on the left, and choose the Advanced tab.
3. Check the "Unwanted programs" and "Joke programs" options.
4. Close. Couldn't hurt to reboot again; such is the cursed life of the WinAdmin.

This part of the fix has not been verified.

If you don't have McAfee v7 but have some other technique that works,
please e-mail me: mhoye at


Good luck, etc.

Mike Hoye