WinSys2.exe -- Virus?

thespeakerbox

Platinum Member
Nov 19, 2004
2,654
0
71
Something called WinSys2.exe hung on after login. Comodo says it changed the .exe on Firefox and Google Talk... I don't know what's going on now.

I did a scan on it with AVS and it shows no threats. It's running under my login and not system....
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Upload a copy into VirusTotal for analysis if possible? Post what it gets detected as, if anything?

Also, any ideas on how a malicious file could've gotten in the door like that? Did you just download & run anything new, visit a new website, notice anything weird, or execute any email attachments that could've brought malware in the door? Is your system all patched up (check at Secunia)?
 

erickj92

Banned
Jan 3, 2007
309
0
0
What I would do (this may not be the best idea): find the location of the file, go into Safe Mode as the administrator, and delete the file...
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Originally posted by: thespeakerbox
Its running under my login and not system....

What do you mean when you say that the file is not running on your "system." It's likely located in the C:\Windows\system32\ folder.

To answer your question, you need to make sure that "hidden files and folders" is enabled before you boot into Safe Mode.

However, when people say delete a file, unfortunately that doesn't always fix things. You may have other malware on your system that downloads it again. Also, just deleting a file can, in many cases, still leave the registry entry behind, which can just morph the file back.

You should post a HijackThis log.
 

imported_nocturne

Senior member
Jun 21, 2005
567
0
0
Everything I find about it says basically nobody knows what it does, but they always recommend deleting it...

Just be sure to back it up if you do delete it... (you can always put it in the AV quarantine dir so it has no access rights)
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Yeah, it's a strange one alright. It can either be the first one or second one below.

FIRST
Product contains: Dynamic Overclocking Technology Application
File name contains: WINDOWS\system32\WinSys2.exe

SECOND
winsys2.exe is a process which is registered as a BACKDOOR TROJAN. This trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

FALSU.A:
http://www.trendmicro.com/vinfo/virusen...lt5.asp?VName=WORM%5FFALSU%2EA&VSect=T
http://www.sarc.com/avcenter/venc/data/w32.falsu.a.html
 

thespeakerbox

Platinum Member
Nov 19, 2004
2,654
0
71
I wonder how I got it.

I run the AOL-Kaspersky antivirus and Comodo 24/7, and I'm religiously cautious when browsing, downloading, etc.

Would any of you consider this worthy of a reformat? Should I have other software running to better prevent these types of things from happening?
 

MrGenie

Member
Jul 30, 2007
50
0
0
I don't know what to say.
I have looked around enough for this file!!!!! It's really frustrating... some say (the majority) it's a Trojan, some say it ain't!!!!
The surprising news is that I found where I got it from!!!!

When I bought my MSI Nvidia NX8500 GT card, the installation CD had those files under the installation folder!!! So can I suspect those are viruses or Trojans???

Thanks all.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: MrGenie
I don't know what to say.
I have looked around enough for this file!!!!! It's really frustrating... some say (the majority) it's a Trojan, some say it ain't!!!!
The surprising news is that I found where I got it from!!!!

When I bought my MSI Nvidia NX8500 GT card, the installation CD had those files under the installation folder!!! So can I suspect those are viruses or Trojans???

Thanks all.

Upload copies of the files directly from the CD to VirusTotal.com and have them analyzed there. Copy & paste the results if there are any detections. MSI's website was repeatedly hacked a while ago, so it isn't completely out of the question for infected files to get onto CDs.

 

btcomm1

Senior member
Sep 7, 2006
943
0
0
So you are saying that the official installation CD that you got with your NX8500 GT has those files? Why would you think it's a Trojan then? Unless it was a CD burned by a second-hand seller.
 

MrGenie

Member
Jul 30, 2007
50
0
0
Originally posted by: mechBgon

Upload copies of the files directly from the CD to VirusTotal.com and have them analyzed there. Copy & paste the results if there are any detections. MSI's website was repeatedly hacked a while ago, so it isn't completely out of the question for infected files to get onto CDs.

Done...
and here is the result:

File winsys2.exe received on 08.02.2007 13:12:15 (CET)
Current status: finished
Result:

Antivirus Version Last Update Result
AhnLab-V3 2007.8.2.0 2007.08.02 -
AntiVir 7.4.0.57 2007.08.02 -
Authentium 4.93.8 2007.08.02 -
Avast 4.7.1029.0 2007.08.02 -
AVG 7.5.0.476 2007.08.01 -
BitDefender 7.2 2007.08.02 -
CAT-QuickHeal 9.00 2007.08.01 -
ClamAV 0.91 2007.08.01 -
DrWeb 4.33 2007.08.02 -
eSafe 7.0.15.0 2007.07.31 -
eTrust-Vet 31.1.5026 2007.08.02 -
Ewido 4.0 2007.08.01 -
FileAdvisor 1 2007.08.02 -
Fortinet 2.91.0.0 2007.08.02 -
F-Prot 4.3.2.48 2007.08.01 -
F-Secure 6.70.13030.0 2007.08.02 -
Ikarus T3.1.1.8 2007.08.02 -
Kaspersky 4.0.2.24 2007.08.02 -
McAfee 5088 2007.08.01 -
Microsoft 1.2704 2007.08.02 -
NOD32v2 2432 2007.08.02 -
Norman 5.80.02 2007.08.02 -
Panda 9.0.0.4 2007.08.02 -
Prevx1 V2 2007.08.02 -
Rising 19.34.30.00 2007.08.02 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.02 -
Symantec 10 2007.08.02 -
TheHacker 6.1.7.160 2007.08.01 -
VBA32 3.12.2.2 2007.08.01 -
VirusBuster 4.3.26:9 2007.08.02 -
Webwasher-Gateway 6.0.1 2007.08.02 -

Additional information
File size: 217088 bytes
MD5: 431a18c5e9f8827193afcb74e3880888
SHA1: c7cf0efdde387f2f9bf0b679efc3457fb2b4f007

ATENTION ATENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
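A defender-side triage script, added here as an example and not from any poster in the thread: it locates the system32 copy of WinSys2.exe, hashes it, compares the result with the MD5/SHA1 that MrGenie's VirusTotal report returned for the CD copy, checks whether the binary carries a valid Authenticode signature, and lists what launches it at logon. It assumes Windows PowerShell 5 or later; the hash constants are the values from the report above.

```powershell
# Added example (not from the thread): triage a local copy of WinSys2.exe on a
# Windows host before deciding whether to delete it. Assumes PowerShell 5+.
# The MD5/SHA1 below are the values MrGenie's VirusTotal report showed for
# the copy from the MSI driver CD; a local copy with different hashes is a
# different file and deserves its own VirusTotal submission.
$KnownMd5  = '431a18c5e9f8827193afcb74e3880888'
$KnownSha1 = 'c7cf0efdde387f2f9bf0b679efc3457fb2b4f007'

$Path = Join-Path $env:SystemRoot 'System32\WinSys2.exe'
if (-not (Test-Path -LiteralPath $Path)) { Write-Output "Not present: $Path"; return }

$file   = Get-Item -LiteralPath $Path -Force   # -Force also returns hidden files
$md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
$sha1   = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
$sig    = Get-AuthenticodeSignature -LiteralPath $Path

[pscustomobject]@{
    Path          = $Path
    SizeBytes     = $file.Length          # report above listed 217088 bytes
    MD5           = $md5
    SHA1          = $sha1
    SHA256        = $sha256               # what you would submit/search today
    MatchesCdCopy = ($md5 -eq $KnownMd5 -and $sha1 -eq $KnownSha1)
    Signature     = $sig.Status           # 'Valid' from the vendor beats any AV verdict
    Signer        = $sig.SignerCertificate.Subject
} | Format-List

# What starts it at logon? The thread says it "hung on after login", so check
# the usual Run keys (HKCU = per-user, HKLM = machine-wide).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | ForEach-Object {
            $_.PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -match 'winsys2' } |
                ForEach-Object { Write-Output "$key\$($_.Name) = $($_.Value)" }
        }
    }
}
# Anything currently running from that name, and which account owns it.
Get-CimInstance Win32_Process -Filter "Name = 'WinSys2.exe'" |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        "PID $($_.ProcessId) path=$($_.ExecutablePath) user=$($owner.Domain)\$($owner.User)"
    }
```

A mismatch against the CD hashes, an unsigned binary, or a Run entry pointing somewhere other than system32 is the cue to quarantine a copy (as nocturne suggested) rather than simply delete it.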
 

sapreaper

Junior Member
Sep 20, 2007
1
0
0
FYI: if you have a mobo with an Nvidia chipset or video card (Nvidia/MSI), you will have winsys2.exe under system32.
Official quote from MSI:
"MSI Tech. 09/19/2007
No, this is an MSI utility info which is required when running MSI-based utilities. If you do not want to install this file, you can download and install/use Nvidia's reference driver, which can also work as well: http://www.nvidia.com/object/winxp_2k_162.18.html"


 