AnandTech Forums > Hardware and Technology > Computer Help

Old 04-09-2007, 11:13 PM   #1
thespeakerbox
Platinum Member
 
Join Date: Nov 2004
Posts: 2,656
WinSys2.exe -- Virus?

Something called WinSys2.exe hung on after log in. Comodo says it changed the .exe on Firefox and Google Talk... I don't know what's going on now.

I did a scan on it with AVS and it shows no threats. It's running under my login and not system....
__________________
Ebay: thespeakerbox

HEAT
thespeakerbox is offline   Reply With Quote
Old 04-09-2007, 11:23 PM   #2
mechBgon
Super Moderator
Elite Member
 
Join Date: Oct 1999
Posts: 30,699

Upload a copy into VirusTotal for analysis if possible? Post what it gets detected as, if anything?

Also, any ideas on how a malicious file could've gotten in the door like that? Did you just download & run anything new, visit a new website, notice anything weird, or execute any email attachments that could've brought malware in the door? Is your system all patched up (check at Secunia)?
mechBgon is offline   Reply With Quote
Old 04-10-2007, 10:18 AM   #3
John
Moderator Emeritus
Elite Member
 
Join Date: Oct 1999
Location: West TX
Posts: 33,944

Looks rogue to me. Possible entry in HJT should read:
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe

http://www.liutilities.com/products/...brary/winsys2/
http://pcpitstop.com/spycheck/SWDeta...fn=winsys2.exe

Time to boot to safe mode and start the cleansing process.
John is offline   Reply With Quote
Old 04-10-2007, 04:48 PM   #4
erickj92
Banned
 
Join Date: Jan 2007
Posts: 309

What I would do (this may not be the best idea) is find the location of the file and go into safe mode as the administrator and delete the file...
erickj92 is offline   Reply With Quote
Old 04-10-2007, 11:41 PM   #5
Medea
Golden Member
 
Join Date: Dec 2000
Posts: 1,606

Quote:
Originally posted by: thespeakerbox
It's running under my login and not system....
What do you mean when you say that the file is not running on your "system"? It's likely located in the C:\Windows\system32\ folder.

To answer your question, you need to make sure that "hidden files and folders" is enabled before you boot into Safe Mode.

However, when people say delete a file, unfortunately that doesn't always fix things. You may have other malware on your system that downloads it again. Also, just deleting a file can, in many cases, still leave the registry entry behind, which can in many cases just morph the file back.

You should post a HijackThis log.
Medea is offline   Reply With Quote
Old 04-11-2007, 12:12 AM   #6
imported_nocturne
Senior Member
 
Join Date: Jun 2005
Posts: 566

Everything I find about it says basically nobody knows what it does but they always recommend deleting it...

Just be sure to back it up if you do delete it... (you can always put in AV quarantine dir so it has no access rights)
__________________
______________________
=========
(WARNING: Sometimes I don't revisit a thread. Questions can be PMed)

<{Random Reboot / BSOD Guide}>-------<{Dump Debug Guide}>
imported_nocturne is offline   Reply With Quote
Old 04-11-2007, 01:53 AM   #7
Medea
Golden Member
 
Join Date: Dec 2000
Posts: 1,606

Yeah, it's a strange one alright. It can either be the first one or second one below.

FIRST
Product contains: Dynamic Overclocking Technology Application
File name contains: WINDOWS\system32\WinSys2.exe

SECOND
winsys2.exe is a process which is registered as a BACKDOOR TROJAN. This trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

FALSU.A:
http://www.trendmicro.com/vinfo/virusen...lt5.asp?VName=WORM%5FFALSU%2EA&VSect=T
http://www.sarc.com/avcenter/venc/data/w32.falsu.a.html
Medea is offline   Reply With Quote
Old 04-13-2007, 11:31 AM   #8
thespeakerbox
Platinum Member
 
Join Date: Nov 2004
Posts: 2,656

I wonder how I got it.

I run the AOL-Kaspersky Virus and Comodo 24/7, and I'm religiously cautious when browsing, downloading etc.

Would any of you consider this worthy of a reformat? Should I have other software running to better prevent these types of things from happening?
__________________
Ebay: thespeakerbox

HEAT
thespeakerbox is offline   Reply With Quote
Old 07-30-2007, 06:27 AM   #9
MrGenie
Member
 
Join Date: Jul 2007
Posts: 50

I don't know what to say.
I have looked around enough for this file!!!!! It's really frustrating ... some say (majority) it's a Trojan.. some say it ain't!!!!
The surprising news is that I found where I got it from!!!!

When I bought my MSI Nvidia NX8500 GT card, the installation CD has those files under the installation folder!!! So can I suspect those are viruses or Trojans???

Thanks all.
MrGenie is offline   Reply With Quote
Old 07-30-2007, 09:51 AM   #10
mechBgon
Super Moderator
Elite Member
 
Join Date: Oct 1999
Posts: 30,699

Quote:
Originally posted by: MrGenie
I don't know what to say.
I have looked around enough for this file!!!!! It's really frustrating ... some say (majority) it's a Trojan.. some say it ain't!!!!
The surprising news is that I found where I got it from!!!!

When I bought my MSI Nvidia NX8500 GT card, the installation CD has those files under the installation folder!!! So can I suspect those are viruses or Trojans???

Thanks all.
Upload copies of the files directly from the CD to VirusTotal.com and have them analyzed there. Copy & paste the results if there are any detections. MSI's website was repeatedly hacked a while ago, so it isn't completely out of the question for infected files to get onto CDs.

mechBgon is offline   Reply With Quote
Old 07-31-2007, 09:03 AM   #11
RadiclDreamer
Diamond Member
 
Join Date: Aug 2004
Posts: 7,983

Might also want to try Trend Micro's online scanner to see if it picks it up. http://housecall.antivirus.com
__________________
CCENT, CCNA, A+, Net+
RadiclDreamer is offline   Reply With Quote
Old 08-01-2007, 03:51 AM   #12
btcomm1
Senior Member
 
Join Date: Sep 2006
Posts: 943

So you are saying that the official installation cd that you got with your nx8500 gt has those files? Why would you think it's a trojan then? Unless it was a burned cd by a second hand seller.
btcomm1 is offline   Reply With Quote
Old 08-02-2007, 06:21 AM   #13
MrGenie
Member
 
Join Date: Jul 2007
Posts: 50

Quote:
Originally posted by: mechBgon

Upload copies of the files directly from the CD to VirusTotal.com and have them analyzed there. Copy & paste the results if there are any detections. MSI's website was repeatedly hacked a while ago, so it isn't completely out of the question for infected files to get onto CDs.
done...
and here is the result

File winsys2.exe received on 08.02.2007 13:12:15 (CET)
Current status: finished
Result:
Antivirus Version Last Update Result
AhnLab-V3 2007.8.2.0 2007.08.02 -
AntiVir 7.4.0.57 2007.08.02 -
Authentium 4.93.8 2007.08.02 -
Avast 4.7.1029.0 2007.08.02 -
AVG 7.5.0.476 2007.08.01 -
BitDefender 7.2 2007.08.02 -
CAT-QuickHeal 9.00 2007.08.01 -
ClamAV 0.91 2007.08.01 -
DrWeb 4.33 2007.08.02 -
eSafe 7.0.15.0 2007.07.31 -
eTrust-Vet 31.1.5026 2007.08.02 -
Ewido 4.0 2007.08.01 -
FileAdvisor 1 2007.08.02 -
Fortinet 2.91.0.0 2007.08.02 -
F-Prot 4.3.2.48 2007.08.01 -
F-Secure 6.70.13030.0 2007.08.02 -
Ikarus T3.1.1.8 2007.08.02 -
Kaspersky 4.0.2.24 2007.08.02 -
McAfee 5088 2007.08.01 -
Microsoft 1.2704 2007.08.02 -
NOD32v2 2432 2007.08.02 -
Norman 5.80.02 2007.08.02 -
Panda 9.0.0.4 2007.08.02 -
Prevx1 V2 2007.08.02 -
Rising 19.34.30.00 2007.08.02 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.02 -
Symantec 10 2007.08.02 -
TheHacker 6.1.7.160 2007.08.01 -
VBA32 3.12.2.2 2007.08.01 -
VirusBuster 4.3.26:9 2007.08.02 -
Webwasher-Gateway 6.0.1 2007.08.02 -

Additional information
File size: 217088 bytes
MD5: 431a18c5e9f8827193afcb74e3880888
SHA1: c7cf0efdde387f2f9bf0b679efc3457fb2b4f007

ATENTION ATENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
MrGenie is offline   Reply With Quote
Old 09-20-2007, 11:40 AM   #14
sapreaper
Junior Member
 
Join Date: Sep 2007
Posts: 1

FYI: if you have a mobo with an Nvidia chipset or video card (Nvidia/MSI), you will have winsys2.exe under system32.
Official quote from MSI
"MSI Tech. 09/19/2007
No, this is a MSI utility info which required when running MSI based utility. If you do not want to install this file, you can download and install/use Nvidia's reference driver which can also work as well: http://www.nvidia.com/object/winxp_2k_162.18.html"


sapreaper is offline   Reply With Quote
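
An added example, not part of any post in this thread: a small Python parser for HijackThis O4 autostart lines like the one quoted in post #3, together with a check of a local copy of the file against the size and hashes from the VirusTotal report in post #13. The sample log lines are constructed, and the function names are this example's own.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Size and hashes quoted in the VirusTotal report in post #13 of this thread.
REPORTED = {"size": 217088,
            "md5": "431a18c5e9f8827193afcb74e3880888",
            "sha1": "c7cf0efdde387f2f9bf0b679efc3457fb2b4f007"}

# HijackThis autostart line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
# Executable path: the quoted part if quoted, otherwise text up to the first ".exe".
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)

# Constructed sample log lines (not taken from anyone's machine).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service - Unknown owner - C:\Example\svc.exe
"""

def parse_o4(log_text):
    """Return one dict per registry autostart (O4) line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            img = IMAGE_RE.match(command)
            image = (img.group(1) or img.group(2)) if img else command
            entries.append({"hive": hive, "key": key, "name": name, "image": image})
    return entries

def find_autostarts(log_text, image_name):
    """Autostart entries whose executable file name equals image_name."""
    return [e for e in parse_o4(log_text)
            if PureWindowsPath(e["image"]).name.lower() == image_name.lower()]

def fingerprint(data):
    """Size, MD5 and SHA-1 of a file's bytes, the fields VirusTotal printed."""
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def mismatches(fp, reference=REPORTED):
    """Fields where a local copy differs from the scanned sample ([] = same bytes)."""
    return [k for k in reference if fp.get(k) != reference[k]]

if __name__ == "__main__":
    print(find_autostarts(SAMPLE_LOG, "winsys2.exe"))
```

An empty result from `mismatches(fingerprint(open(path, "rb").read()))` shows only that the local copy is byte-identical to the file that was scanned, not that the file is harmless.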