WinSys2.exe -- Virus?

Discussion in 'Computer Help' started by thespeakerbox, Apr 10, 2007.

  1. thespeakerbox

    thespeakerbox Platinum Member

    Joined:
    Nov 19, 2004
    Messages:
    2,656
    Likes Received:
    0
Something called WinSys2.exe hung on after login. Comodo says it changed the .exe on Firefox and Google Talk... I don't know what's going on now.

    I did a scan on it with AVS and it shows no threats. It's running under my login and not SYSTEM...
     
  3. mechBgon

mechBgon Super Moderator, Elite Member

    Joined:
    Oct 31, 1999
    Messages:
    30,699
    Likes Received:
    0
    Upload a copy into VirusTotal for analysis if possible? Post what it gets detected as, if anything?

    Also, any ideas on how a malicious file could've gotten in the door like that? Did you just download & run anything new, visit a new website, notice anything weird, or execute any email attachments that could've brought malware in the door? Is your system all patched up (check at Secunia)?
     
  4. John

John Moderator Emeritus, Elite Member

    Joined:
    Oct 9, 1999
    Messages:
    33,944
    Likes Received:
    0
  5. erickj92

    erickj92 Banned

    Joined:
    Jan 3, 2007
    Messages:
    309
    Likes Received:
    0
What I would do (this may not be the best idea): find the location of the file, go into Safe Mode as the administrator and delete the file...
     
  6. Medea

    Medea Golden Member

    Joined:
    Dec 5, 2000
    Messages:
    1,606
    Likes Received:
    0
What do you mean when you say that the file is not running on your "system"? It's likely located in the C:\Windows\system32\ folder.

    To answer your question, you need to make sure that "hidden files and folders" is enabled before you boot into Safe Mode.

However, when people say delete a file, unfortunately that doesn't always fix things. You may have other malware on your system that downloads it again. Also, just deleting a file can, in many cases, still leave the registry entry behind, which can in many cases just morph the file back.

    You should post a HijackThis log.
     
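An added example (not from Medea or anyone else in this thread) of the check behind the "post a HijackThis log" advice: a small Python script that parses the O4 autostart lines of a HijackThis log and lists the entries that launch a given executable, so you can see which Run key or Startup-folder entry would bring a deleted file straight back. The lines in SAMPLE_LOG are constructed for the example, not a real log; the two O4 line shapes handled (`[name] command` and `shortcut.lnk = command`) are the common ones HijackThis emits.

```python
import re

# Constructed sample in HijackThis format; not a log posted in this thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [WinSys2] C:\\WINDOWS\\system32\\WinSys2.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\\Program Files\\Comodo\\Firewall\\cmdagent.exe
"""

# "O4 - <hive>: [<name>] <command>"  or  "O4 - Global Startup: <shortcut> = <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+): "
    r"(?:\[(?P<name>[^\]]*)\] (?P<cmd>.+)|(?P<lnk>[^=]+?) = (?P<lnkcmd>.+))$"
)
# First executable image named on the command line (quoted or bare path).
EXE_RE = re.compile(r'"?([^"\s]+?\.exe)\b', re.IGNORECASE)


def parse_o4(line):
    """Return (hive, name, command) for an O4 autostart line, None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    if m.group("cmd") is not None:
        return m.group("hive"), m.group("name"), m.group("cmd")
    return m.group("hive"), m.group("lnk"), m.group("lnkcmd")


def exe_basename(command):
    """Lower-cased file name of the executable a command line launches, or None."""
    m = EXE_RE.search(command)
    return re.split(r"[\\/]", m.group(1))[-1].lower() if m else None


def find_autostarts(log_text, target_exe):
    """Every autostart entry whose launched image is target_exe (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed and exe_basename(parsed[2]) == target_exe.lower():
            hits.append({"hive": parsed[0], "name": parsed[1], "command": parsed[2]})
    return hits


if __name__ == "__main__":
    # Which entries would relaunch WinSys2.exe at the next logon?
    for hit in find_autostarts(SAMPLE_LOG, "WinSys2.exe"):
        print(f"{hit['hive']} [{hit['name']}] -> {hit['command']}")
```

Run it against a saved HijackThis log by reading the file into `find_autostarts` instead of `SAMPLE_LOG`; an entry under HKLM\..\Run is what Medea means by the registry entry that "morphs the file back", and it has to go (or be confirmed as the legitimate MSI utility) along with the file itself.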
  7. imported_nocturne

    imported_nocturne Senior member

    Joined:
    Jun 21, 2005
    Messages:
    567
    Likes Received:
    0
Everything I find about it says basically nobody knows what it does, but they always recommend deleting it...

Just be sure to back it up if you do delete it... (you can always put it in the AV quarantine dir so it has no access rights)
     
  8. Medea

    Medea Golden Member

    Joined:
    Dec 5, 2000
    Messages:
    1,606
    Likes Received:
    0
    Yeah, it's a strange one alright. It can either be the first one or second one below.

    FIRST
    Product contains: Dynamic Overclocking Technology Application
    File name contains: WINDOWS\system32\WinSys2.exe

    SECOND
    winsys2.exe is a process which is registered as a BACKDOOR TROJAN. This trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

    FALSU.A:
    http://www.trendmicro.com/vinfo/virusen...lt5.asp?VName=WORM%5FFALSU%2EA&VSect=T
    http://www.sarc.com/avcenter/venc/data/w32.falsu.a.html
     
  9. thespeakerbox

    thespeakerbox Platinum Member

    Joined:
    Nov 19, 2004
    Messages:
    2,656
    Likes Received:
    0
    I wonder how I got it.

I run the AOL-Kaspersky Virus and Comodo 24/7, and I'm religiously cautious when browsing, downloading etc.

Would any of you consider this worthy of a reformat? Should I have other software running to better prevent these types of things from happening?
     
  10. MrGenie

    MrGenie Member

    Joined:
    Jul 30, 2007
    Messages:
    50
    Likes Received:
    0
I don't know what to say.
    I have looked around enough for this file! It's really frustrating... some say (the majority) it's a Trojan, some say it ain't!
    The surprising news is that I found where I got it from!

When I bought my MSI Nvidia NX8500 GT card, the installation CD has those files under the installation folder! So can I suspect those are viruses or Trojans?

    Thanks all.
     
  11. mechBgon

mechBgon Super Moderator, Elite Member

    Joined:
    Oct 31, 1999
    Messages:
    30,699
    Likes Received:
    0
    Upload copies of the files directly from the CD to VirusTotal.com and have them analyzed there. Copy & paste the results if there are any detections. MSI's website was repeatedly hacked a while ago, so it isn't completely out of the question for infected files to get onto CDs.

     
  12. RadiclDreamer

    RadiclDreamer Diamond Member

    Joined:
    Aug 8, 2004
    Messages:
    8,500
    Likes Received:
    2
  13. btcomm1

    btcomm1 Senior member

    Joined:
    Sep 7, 2006
    Messages:
    943
    Likes Received:
    0
So you are saying that the official installation CD that you got with your NX8500 GT has those files? Why would you think it's a trojan then? Unless it was a burned CD by a second-hand seller.
     
  14. MrGenie

    MrGenie Member

    Joined:
    Jul 30, 2007
    Messages:
    50
    Likes Received:
    0
Done...
    and here is the result:

    File winsys2.exe received on 08.02.2007 13:12:15 (CET)
    Current status: finished
    Result:

    Antivirus Version Last Update Result
    AhnLab-V3 2007.8.2.0 2007.08.02 -
    AntiVir 7.4.0.57 2007.08.02 -
    Authentium 4.93.8 2007.08.02 -
    Avast 4.7.1029.0 2007.08.02 -
    AVG 7.5.0.476 2007.08.01 -
    BitDefender 7.2 2007.08.02 -
    CAT-QuickHeal 9.00 2007.08.01 -
    ClamAV 0.91 2007.08.01 -
    DrWeb 4.33 2007.08.02 -
    eSafe 7.0.15.0 2007.07.31 -
    eTrust-Vet 31.1.5026 2007.08.02 -
    Ewido 4.0 2007.08.01 -
    FileAdvisor 1 2007.08.02 -
    Fortinet 2.91.0.0 2007.08.02 -
    F-Prot 4.3.2.48 2007.08.01 -
    F-Secure 6.70.13030.0 2007.08.02 -
    Ikarus T3.1.1.8 2007.08.02 -
    Kaspersky 4.0.2.24 2007.08.02 -
    McAfee 5088 2007.08.01 -
    Microsoft 1.2704 2007.08.02 -
    NOD32v2 2432 2007.08.02 -
    Norman 5.80.02 2007.08.02 -
    Panda 9.0.0.4 2007.08.02 -
    Prevx1 V2 2007.08.02 -
    Rising 19.34.30.00 2007.08.02 -
    Sophos 4.19.0 2007.08.01 -
    Sunbelt 2.2.907.0 2007.08.02 -
    Symantec 10 2007.08.02 -
    TheHacker 6.1.7.160 2007.08.01 -
    VBA32 3.12.2.2 2007.08.01 -
    VirusBuster 4.3.26:9 2007.08.02 -
    Webwasher-Gateway 6.0.1 2007.08.02 -

    Additional information
    File size: 217088 bytes
    MD5: 431a18c5e9f8827193afcb74e3880888
    SHA1: c7cf0efdde387f2f9bf0b679efc3457fb2b4f007

    ATENTION ATENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
     
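As an added example (not from the thread's posters or from VirusTotal), here is a Python script that fingerprints a file the way the report above does (size, MD5, SHA1, plus SHA256) and checks it against the values MrGenie's VirusTotal result lists, so you can tell whether the copy in your own system32 is byte-identical to the CD copy that got zero detections, and compare the system32 copy against the CD copy directly as mechBgon suggested. The KNOWN_SAMPLES table holds only the hashes quoted in this thread; a match means identity with that one sample, not harmlessness, which is exactly the point of VirusTotal's own note.

```python
import hashlib
import sys

# Hashes and size exactly as reported in MrGenie's VirusTotal result in this thread
# (the copy of winsys2.exe taken from the MSI driver CD, no detections on 2007-08-02).
KNOWN_SAMPLES = {
    "431a18c5e9f8827193afcb74e3880888": {
        "sha1": "c7cf0efdde387f2f9bf0b679efc3457fb2b4f007",
        "size": 217088,
        "note": "winsys2.exe from the MSI NX8500 GT CD, 0 VirusTotal detections on 2007-08-02",
    },
}


def fingerprint_bytes(data):
    """Size plus MD5/SHA1/SHA256 of an in-memory byte string."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def fingerprint_file(path, chunk=1 << 16):
    """Same fingerprint for a file on disk, hashed in chunks so large files are fine."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            size += len(block)
            for h in (md5, sha1, sha256):
                h.update(block)
    return {"size": size, "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_known(fp, known=KNOWN_SAMPLES):
    """('match', note) when size, MD5 and SHA1 all agree with a known sample;
    ('mismatch', note) when only the MD5 agrees (treat it as a different file);
    ('unknown', None) when nothing agrees, i.e. submit it for analysis."""
    entry = known.get(fp["md5"])
    if entry is None:
        return "unknown", None
    if entry["sha1"] != fp["sha1"] or entry["size"] != fp["size"]:
        return "mismatch", entry["note"]
    return "match", entry["note"]


def same_file(path_a, path_b):
    """True when two files (e.g. the system32 copy and the CD copy) are byte-identical."""
    return fingerprint_file(path_a) == fingerprint_file(path_b)


if __name__ == "__main__":
    # Usage: python fingerprint.py C:\WINDOWS\system32\WinSys2.exe D:\Utility\WinSys2.exe
    for path in sys.argv[1:]:
        fp = fingerprint_file(path)
        status, note = match_known(fp)
        print(f"{path}: {fp['size']} bytes md5={fp['md5']} sha1={fp['sha1']} -> {status}"
              + (f" ({note})" if note else ""))
```

Checking SHA1 and size as well as MD5 is deliberate: the report lists all three, and agreeing on all of them is a much stronger identity claim than an MD5 alone.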
  15. sapreaper

    sapreaper Junior Member

    Joined:
    Sep 20, 2007
    Messages:
    1
    Likes Received:
    0
FYI: if you have a mobo with an Nvidia chipset or video card (Nvidia/MSI), you will have winsys2.exe under system32.
    Official quote from MSI:
    "MSI Tech. 09/19/2007
    No, this is a MSI utility info which required when running MSI based utility. If you do not want to install this file, you can download and install/use Nvidia's reference driver which can also work as well: http://www.nvidia.com/object/winxp_2k_162.18.html"