Sys.exe

Ok, as it was getting confusing for you guys, I’ve made a new topic here.
I’ll be posting my HJT log right after this post. Guys, just check and tell me what is really going wrong.

Moreover, today while I was searching for Sys.exe on my laptop, I found I have a copy of this file on every drive.
All these files are identical in size.

C:\Program files\Internet Explorer\Stm.exe is another suspicious file.

P3@C3

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:33:13, on 5/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BILSYNCCHAT\bin\tgsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\admin\Desktop\SmitfraudFix\Policies.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - D:\New Folder\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {80454064-54FC-49E4-AEAC-40E1E5B529C3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM..\Run: [ISTray] “C:\Program Files\Spyware Doctor\pctsTray.exe”
O4 - HKLM..\Run: [egui] “C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe” /hide /waitservice
O4 - HKLM..\RunOnce: [avp6_post_install] msiexec.exe /i"C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2009\english\kav.en.msi"
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [SystemManger] C:\Program Files\Internet Explorer\iexplorer.exe
O4 - Startup: taksman.exe
O4 - Startup: taskmgr.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - D:\New Folder\KeyScrambler\KeyScramblerIE.dll
O9 - Extra ‘Tools’ menuitem: &KeyScrambler… - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - D:\New Folder\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://nxpchat.airtelbroadband.in/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\SASWINLO.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - C:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (nxpclient) (sprtsvc_nxpclient) - SupportSoft, Inc. - C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (bilsyncchat) (tgsrvc_bilsyncchat) - SupportSoft, Inc. - C:\Program Files\BILSYNCCHAT\bin\tgsrvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


End of file - 7680 bytes

Do a scan via a bootable antivirus disc to remove active and/or hidden viruses:
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available. You can download it from here. You can learn how to use it from here.
Also, if you want to burn that disc yourself with your own burning tool (such as Nero or…), you can download the image file (.iso) from here.
After burning it to disc, use it to boot your computer, do a full scan and remove anything that it finds.

And then download, install and update these programs:

Malwarebytes Antimalware: http://www.malwarebytes.org/mbam.php
SUPERAntiSpyware: http://www.superantispyware.com/
SpyBot S&D: http://www.spybot.info/

Scan your computer using them; also try to immunize your Windows using SpyBot S&D. During installation of SpyBot S&D, disable all residents.

Update your Windows to Service Pack 3 and also keep your computer fully patched/up-to-date: http://update.microsoft.com/microsoftupate

Upgrade your Internet Explorer to version 8 even if it’s not your main browser.

And since there are so many missing files on your computer:
After a long time of using your computer, or when you install and uninstall many programs, or even sometimes after removing some malware from your computer, these things can slow down your computer a bit. There are some usual steps that can help you:

Defragment Hard Drive: you can use “Auslogics Disk Defrag”; it’s freeware and you can get it from here.

Clean-up Hard Drive: emptying temp folders periodically can be useful; there is a program called CCleaner that can do it for you easily and it’s freeware. You can get it from here.

Clean-up Registry: “Auslogics Registry Cleaner” would remove invalid keys and those that are not needed, safely and without any risk. It would fix many problems and of course make your Windows a bit faster. Get it from here.

Defragment Registry: keeping the registry as compact as possible means better computer performance. As a result, the registry becomes compact and small, greatly improving your computer performance. “Auslogics Registry Defrag” can do it for you; you can use it as a long-time free trial without any problem. Get it from here.


An analysis of your HJT log shows the following problems :

Platform: Windows XP SP2 (WinNT 5.01.2600)
A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft’s windowsupdate site to download the newest version of the service pack.

It seems that you don’t use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

C:\Program Files\BILSYNCCHAT\bin\tgsrvc.exe
Entry rated questionable by HJT. It is a Repair Service belonging to SupportSoft Repair Service.
http://www.file.net/process/tgsrvc.exe.html
It does not need to be running at startup.
http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=18374

C:\Program Files\Internet Explorer\iexplorer.exe
BAD entry that must be fixed!
http://www.file.net/process/iexplorer.exe.html

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unnecessary (deactivated) entry that can be fixed - Yahoo Companion.

O2 - BHO: (no name) - {80454064-54FC-49E4-AEAC-40E1E5B529C3} - (no file)
Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - (no file)
Unnecessary (deactivated) entry that can be fixed. FindeXer.dll - FindeXer, hxxp://tomseffect.com Explorer Bar

O4 - HKCU..\Run: [SystemManger] C:\Program Files\Internet Explorer\iexplorer.exe
BAD entry that must be fixed!
http://www.file.net/process/iexplorer.exe.html

O4 - Startup: taksman.exe
BAD entry that must be fixed. Associated Malware Groups - Worm, System Back Door, Cloaked Malware
http://www.prevx.com/filenames/X43346932334173324-1559271512/TAKSMAN.EXE.html
http://www.threatexpert.com/files/taksman.exe.html

O4 - Startup: taskmgr.exe
Questionable entry. Why is Task Manager running at startup?

O23 - Service: SupportSoft Repair Service (bilsyncchat) (tgsrvc_bilsyncchat) - SupportSoft, Inc. - C:\Program Files\BILSYNCCHAT\bin\tgsrvc.exe
Entry rated questionable by HJT. It is a Repair Service belonging to SupportSoft Repair Service.
http://www.file.net/process/tgsrvc.exe.html
It does not need to be running at startup.
http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=18374

Overview of running tasks:

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

btwdins.exe
System task
Microsoft Bluetooth Service

wltrysvc.exe
Application
Broadcom Corporation Wireless Network Tray Applet

bcmwltry.exe
Driver
bcmwltry

spoolsv.exe
System task
Microsoft Printer Spooler Service

agrsmsvc.exe
Driver
Modem Service

cisvc.exe
System task
Microsoft Index Service Helper

ekrn.exe
Virusscan
ESET_Smart_Security

PnkBstrA.exe
Suspicious task
pnkbstra.exe

sprtsvc.exe
Backgroundtask
SupportSoft Agent Service

svchost.exe
System task
Microsoft Service Host Process

tgsrvc.exe
Backgroundtask
Repair Service

wscntfy.exe
System task
Microsoft Windows Security Center

Explorer.EXE
System task
Microsoft Windows Explorer

egui.exe
Virusscan
NeExtender GUI client

ctfmon.exe
System task
Alternative User Input Services

GoogleToolbarNotifier.exe
Backgroundtask
GoogleToolbarNotifier

TeaTimer.exe
Application
Spybot S&D Realtime Scanner

svchost.exe
System task
Microsoft Service Host Process

Policies.exe
Unknown task
Unknown task

firefox.exe
Application
Mozilla Firefox

cidaemon.exe
System task
Microsoft Indexing Service

iexplorer.exe
Adware
AdClicker parasite

NOTEPAD.EXE
Application
Windows Notepad

NOTEPAD.EXE
Application
Windows Notepad

HijackThis.exe
Application
Merijn Hijackthis

2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Unknown task
Unknown task

AcroIEHelper.dll
Backgroundtask
Adobe Acrobat Reader Helper

KeyScramblerIE.dll
Unknown task
Unknown task

SDHelper.dll
Unknown task
Unknown task

GRA8E1~1.DLL
Unknown task
Unknown task

ssv.dll
Driver
Java Module

2 - BHO: (no name) - {80454064-54FC-49E4-AEAC-40E1E5B529C3} - (no file)
Unknown task
Unknown task

GoogleToolbar.dll
Unknown task
Unknown task

swg.dll
Backgroundtask
Browser Helper Object

fastsearch_219B3E1547538286.dll
Unknown task
Unknown task

2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - (no file)
Unknown task
Unknown task

GoogleToolbar.dll
Unknown task
Unknown task

ctfmon.exe
System task
Alternative User Input Services

GoogleToolbarNotifier.exe
Backgroundtask
GoogleToolbarNotifier

TeaTimer.exe
Application
Spybot S&D Realtime Scanner

iexplorer.exe
Adware
AdClicker parasite

4 - Startup: taksman.exe
Unknown task
Unknown task

4 - Startup: taskmgr.exe
Unknown task
Unknown task

GPhotos.scr/200
Unknown task
Unknown task

EXCEL.EXE/3000
Suspicious task
EXCEL.EXE/3000

btsendto_ie_ctx.htm
Unknown task
Unknown task

ssv.dll
Driver
Java Module

ssv.dll
Driver
Java Module

ONBttnIE.dll
Unknown task
Unknown task

ONBttnIE.dll
Unknown task
Unknown task

KeyScramblerIE.dll
Unknown task
Unknown task

KeyScramblerIE.dll
Unknown task
Unknown task

REFIEBAR.DLL
Application
Microsoft Office Research Assistant Module

btsendto_ie.htm
Unknown task
Unknown task

btsendto_ie.htm
Unknown task
Unknown task

SDHelper.dll
Unknown task
Unknown task

SDHelper.dll
Unknown task
Unknown task

msmsgs.exe
Application
MSN Messenger

msmsgs.exe
Application
MSN Messenger

nwprovau.dll
Backgroundtask
nwprovau.dll

16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://nxpchat.airtelbroadband.in/sdccommon/download/tgctlcm.cab
Unknown task
Unknown task

Yinsthelper.dll
Unknown task
Unknown task

GR99D3~1.DLL
Unknown task
Unknown task

SASWINLO.DLL
Unknown task
Unknown task

agrsmsvc.exe
Driver
Modem Service

btwdins.exe
System task
Microsoft Bluetooth Service

EHttpSrv.exe
Unknown task
Unknown task

ekrn.exe
Virusscan
ESET_Smart_Security

GoogleUpdaterService.exe
Backgroundtask
Service Component

PnkBstrA.exe
Suspicious task
pnkbstra.exe

pctsAuxs.exe (file missing)
Unknown task
Unknown task

pctsSvc.exe (file missing)
Unknown task
Unknown task

sprtsvc.exe
Backgroundtask
SupportSoft Agent Service

ssrc.exe
Unknown task
Unknown task

tgsrvc.exe
Backgroundtask
Repair Service

wltrysvc.exe
Application
Broadcom Corporation Wireless Network Tray Applet

Your computer seems to have remains of more than one AV scanner.


Also, in my opinion it’s better you:

Replace your ESET with avast! antivirus for better protection:
uninstall ESET and install avast! Home Edition.

The SpyBot S&D resident (TeaTimer.exe) has so much impact on your computer performance; go to SpyBot S&D advanced mode and disable it.
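As an added example (not code from anyone in this thread): a small Python script that encodes the checks the log analysis above made by hand, namely lookalike names of Windows binaries (iexplorer.exe for iexplore.exe), Startup-folder entries, and orphaned "(no file)" / "(file missing)" entries, and runs them over lines copied from the posted log. The KNOWN list of Windows binary names is an illustrative assumption, not an exhaustive list.

```python
import re

# Well-known Windows binary names (illustrative assumption, not exhaustive).
KNOWN = ("iexplore.exe", "taskmgr.exe", "explorer.exe", "svchost.exe", "lsass.exe")
# First file name with an executable-style extension on an HJT line.
NAME_RE = re.compile(r"([\w~-]+\.(?:exe|dll|scr))", re.I)

def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_line(line):
    """Return the list of findings (possibly empty) for one HJT log line."""
    findings = []
    if "(no file)" in line or "(file missing)" in line:
        findings.append("orphaned entry: target file does not exist")
    m = NAME_RE.search(line)
    if not m:
        return findings
    name = m.group(1).lower()
    in_startup = line.startswith("O4 - Startup:")
    if name in KNOWN:
        # A real system tool is rarely launched from the Startup folder.
        if in_startup:
            findings.append(f"system tool {name} launched from Startup folder")
        return findings
    closest = min(KNOWN, key=lambda k: edit_distance(name, k))
    if edit_distance(name, closest) <= 2:
        findings.append(f"{name} is a lookalike of {closest}")
    if in_startup:
        findings.append(f"unrecognised Startup-folder entry {name}")
    return findings

def triage_log(text):
    """Map every flagged line of an HJT log to its findings."""
    lines = (raw.strip() for raw in text.splitlines())
    return {line: hits for line in lines if (hits := triage_line(line))}

# Sample lines copied from the log posted in this thread.
SAMPLE = r"""C:\WINDOWS\system32\lsass.exe
C:\Program Files\Internet Explorer\iexplorer.exe
O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - (no file)
O4 - HKCU..\Run: [SystemManger] C:\Program Files\Internet Explorer\iexplorer.exe
O4 - Startup: taksman.exe
O4 - Startup: taskmgr.exe
"""
```

Note that taksman.exe is not within edit distance 2 of taskmgr.exe, so it is reported only as an unrecognised Startup-folder entry; the name check catches typo-squats, not every disguise.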

Help from you guys is highly appreciated.

I’ll make sure I follow all the steps, as you have stated, and will submit my new HJT log.

Thank you everyone.

You’re welcome :)

Hi Coder.

I think ‘we’ may have solved my problem. I deleted the file on the C:\ drive and performed a system restore. So far everything is working, even my mouse pointer! And I can open the hard drive. But all my bookmarks are gone…??? Does anyone on here know how I could get them back??

Hope this helps…