Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: alisonnic on September 23, 2008, 11:50:14 PM

Title: Suspicious File Found: WINSYS2.EXE
Post by: alisonnic on September 23, 2008, 11:50:14 PM
Avast has begun giving me a warning that it has found a suspicious file:

  File Name: C:\WINDOWS\System32\WINSYS2.EXE
  Type: Rootkit: hidden process

It says this was detected using a heuristic method.

It gives me the option of either deleting or ignoring it, and its recommended action is Ignore.

I chose Ignore, and Avast immediately gave me a message saying:

avast has detected a virus in the operating memory.  Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast! scan all your data in the boot phase, before the virus can be activated.  Do you want to schedule the boot-time scan and restart the computer?

I chose Yes, and the boot time scan found no viruses on my hard drive.

But after booting I got the same message about the suspicious file.

What do I do now?
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Marc57 on September 24, 2008, 12:29:26 AM
Follow Tech's suggestions in the second post and see if that helps.

http://forum.avast.com/index.php?topic=36473.0
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: alisonnic on September 24, 2008, 01:00:33 AM
Follow Tech's suggestions in the second post and see if that helps.

http://forum.avast.com/index.php?topic=36473.0

Thanks!  Good information.

My suspicious file turned up all negatives on Virustotal.  (At least, that's what I think it means when every one of Virustotal's tests has a dash (-) in the result column.)  So I'll be submitting a False Positive report to avast!
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: DavidR on September 24, 2008, 01:16:37 AM
Well this google search doesn't back up that result, http://www.google.co.uk/search?q=WINSYS2.EXE

The file name and location look suspicious to me even before I did a google search for it.

It is possible that the file might be protected in some way and 0 bytes actually gets uploaded. Try uploading it again and this time post the URL to the results (copy and paste it from the address bar).

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Jtaylor83 on September 24, 2008, 04:07:02 AM
This is definitely a rootkit.

http://www.prevx.com/filenames/X1470474490683438331-0/WINSYS2.EXE.html

I suggest you follow DavidR's instructions.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Maxx_original on September 24, 2008, 09:56:31 AM
winsys2.exe is not a false positive, it has been analysed already.. there could be dependencies to other modules (look at the google results), we're trying to get the other possibly related files...
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: colebn on September 24, 2008, 02:49:04 PM
I've just had exactly the same problem as the OP, same messages, same results.

I downloaded the Trend Micro Rootkit buster from the link kindly provided by DavidR. I ran the file, it asked me to restart the PC which I did and since then nothing (I can't see any new program installed or anything). The Avast! message as outlined in the OP still pops up.

Should I try the other rootkit thingies?

And how do you submit a file to Avast!? Is it automatic?

Edit: Not sure if this is useful or not but... http://www.virustotal.com/analisis/a4498afa5ecb4c44b1f530356d3eabf0 I submitted it there.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Brammert on September 24, 2008, 03:17:06 PM
Same problem here as of yesterday. I did the full virusscan as suggested by Avast, as well as a rootkit check, and no problems were reported.

For your awareness (and to the best of my knowledge): both winsys.exe and winsys2.exe are installed as part of the MSI NVIDIA Geforce videocard driver install process, and are reported as part of the driver pack. I suspect that in my case the Avast message is in error.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: colebn on September 24, 2008, 03:32:08 PM
I have a MSI motherboard and graphics card in my PC as well. I've noticed I have 2 files in the C:/Windows/System32 folder; winsys and winsys2. Both say they are a "DOT MFC Application", whatever that means.

I've since run the Panda rootkit check and that showed up nothing.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: DavidR on September 24, 2008, 03:40:01 PM
Whilst I have a Sparkle, Nvidia GeForce PCI 8600GT I don't have any of those files, though my graphics card isn't by MSI. My motherboard is by MSI, a P35 Neo.

I suggest you upload them to virustotal and check them out.

You could also check the MD5 number reported at the bottom of the VirusTotal link in colebn's post and compare it against the MD5 of your file.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: nickb01 on September 24, 2008, 03:56:44 PM
Hi I too am getting same message on 2 msi computers with windows xp.
I also have a 3rd computer but running windows vista 32bit.
The message has not occurred on the vista machine yet.
All 3 computers have the same mother board and graphics card.
The graphics card is nvidia geforce 8800 sold by msi.
The motherboard is nvidia nforce 570 sli chipset based - k9n sli platinum also sold by msi.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: aSDafDa on September 24, 2008, 06:03:48 PM
I am also getting this message. 

MD5 on Virustotal matches that posted earlier.

I have the MSI GeForce 8500 GT.  Date winsys.exe and winsys2.exe was created is 5-30-2008, which is the date I built this computer.

System scan on boot shows no viruses, various rootkit detection programs do not pick up anything.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Xunau on September 24, 2008, 08:57:37 PM
My friend has the same problem also.
He has an MSI GeForce 8500 GT video card and the winsys2.exe is on his installation CD.

Avast sees it as a rootkit only since yesterday.

http://www.virustotal.com/analisis/1244f460b0869f4ab321a320b0b099e2
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: DavidR on September 24, 2008, 10:49:31 PM
This is a different MD5 number to that in colebn's VirusTotal link, so it is different to the file he submitted.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: alisonnic on September 24, 2008, 10:56:26 PM
Ok, I submitted the file to Virustotal again and here is the result:

http://www.virustotal.com/reanalisis.html?de47e4757ce157707d9e825e62a6c174

It says it scanned 208896 bytes so the upload appears to have been successful.  And all the tests were negative.

I, too, have an MSI NVIDIA card, in my case an 8800GT.  I am looking at the CD right now and both winsys2.exe and winsys.exe are on the CD, in the folder R:\nVIDIA\Win2K-XP\V169.02.

These two files have the same dates and sizes as the two files of the same name in my Windows/System32 folder.  So I am confident that they came from the CD when I installed the MSI NVIDIA driver from it.

So the question is, did MSI ship a driver with a rootkit in it, or is avast! mis-identifying a legitimate driver file as a rootkit?

Has anyone at avast! had a chance to look at the file I emailed to you yesterday to see if it's the same as a known rootkit, or different?

Should someone at avast! contact MSI to let them know they are shipping a file with a name that's the same as a known rootkit?
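As an added example (not code from the forum, from avast or from MSI) of the check DavidR suggested earlier, comparing the MD5 of your own copy against the one in a VirusTotal link, and of the CD-versus-System32 comparison described in the post above: the script below hashes two files, decides whether they are byte-for-byte identical (matching dates and sizes alone do not prove that), looks the MD5 up against the values that appear in the VirusTotal links posted in this thread, and counts trailing zero bytes, since a tail of zeros is the "overlay full of zeros" symptom the avast lab mentioned. The labels on the hashes and the sample files in demo() are constructed for illustration; the file paths are assumptions.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional

# MD5 values taken from the VirusTotal report links posted in this thread
# (VirusTotal's 2008 report URLs were keyed by the submitted file's MD5).
# The labels only record who posted the link; they say nothing about
# which copy is legitimate.
THREAD_MD5S: Dict[str, str] = {
    "a4498afa5ecb4c44b1f530356d3eabf0": "colebn, copy from C:\\Windows\\System32",
    "bd46e1e0e8e21616f2c167581b67e94b": "colebn, copy read from the MSI driver CD",
    "1244f460b0869f4ab321a320b0b099e2": "Xunau, friend's installation CD",
    "de47e4757ce157707d9e825e62a6c174": "alisonnic, resubmitted System32 copy",
    "58cbe86b8023ed329c52c2d57b80b51d": "drakester, System32 copy",
}


def hash_file(path: str) -> Dict[str, object]:
    """Return size, MD5 and SHA-256 of a file, reading it in 64 KiB chunks."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def trailing_zero_bytes(path: str) -> int:
    """Count the 0x00 bytes at the very end of the file (a zero-filled tail)."""
    with open(path, "rb") as fh:
        data = fh.read()
    count = 0
    for byte in reversed(data):
        if byte != 0:
            break
        count += 1
    return count


def match_thread_report(md5hex: str) -> Optional[str]:
    """Return the thread label for an MD5 if a VirusTotal link for it was posted."""
    return THREAD_MD5S.get(md5hex.strip().lower())


def compare_copies(installed: str, reference: str) -> Dict[str, object]:
    """Compare an installed copy (e.g. System32) with a reference copy (e.g. the CD)."""
    a, b = hash_file(installed), hash_file(reference)
    return {
        "same_size": a["size"] == b["size"],
        "identical": a["sha256"] == b["sha256"],  # size/date alone are not proof
        "installed": a,
        "reference": b,
        "installed_seen_in_thread": match_thread_report(a["md5"]),
        "reference_seen_in_thread": match_thread_report(b["md5"]),
        "installed_trailing_zeros": trailing_zero_bytes(installed),
    }


def demo() -> Dict[str, object]:
    """Run the comparison on constructed sample files (not real driver files)."""
    body = b"MZ" + b"constructed stand-in for a utility binary body"
    with tempfile.TemporaryDirectory() as tmp:
        cd_copy = os.path.join(tmp, "cd_WINSYS2.EXE")
        installed = os.path.join(tmp, "sys32_WINSYS2.EXE")
        padded = os.path.join(tmp, "padded_WINSYS2.EXE")
        abc = os.path.join(tmp, "abc.bin")
        for path, data in ((cd_copy, body), (installed, body),
                           (padded, body + b"\x00" * 4096), (abc, b"abc")):
            with open(path, "wb") as fh:
                fh.write(data)
        clean = compare_copies(installed, cd_copy)
        modified = compare_copies(padded, cd_copy)
        return {
            "clean_identical": clean["identical"],
            "padded_identical": modified["identical"],
            "padded_same_size": modified["same_size"],
            "padded_zero_tail": modified["installed_trailing_zeros"],
            "abc_md5": hash_file(abc)["md5"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the real paths (for example the System32 copy and the copy on the driver CD) with compare_copies(); an "identical" result means the installed file is exactly what shipped on the CD, and a non-zero trailing-zero count on a sample is a hint that the copy you are about to submit has been padded or otherwise altered.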
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Maxx_original on September 24, 2008, 11:14:00 PM
can you remember this thread? http://forum.avast.com/index.php?topic=35761.msg302364#msg302364

it's quite similar, don't you think? regarding the google hits, i believe there's something strange.. and it seems, that the (anti)rootkit detection is valid, but i can ask someone else from our team to validate it again...

btw: some files which arrived at our viruslab have an overlay full of zeros and maybe other modifications against the valid ones...
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: alisonnic on September 24, 2008, 11:24:59 PM
Ok, I just completed a scan of Windows/System32 using F-Secure's online scanner.  It found five tracking cookies but no other malware.

I am re-running F-Secure now on the entire system.  But I must admit that it looks to me like the WINSYS2.EXE from the MSI driver CD is not a rootkit.  If it were, surely F-Secure or one of the virus scanners on Virustotal would have picked it up.

avast - over to you.  You've got the copy of the file I sent you yesterday.  I can send it again if necessary.  Can you please compare it to a copy of the known rootkit and see if it's the same?
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: DavidR on September 24, 2008, 11:32:34 PM
I would suggest sending it again, as Maxx_original said some of the samples were full of zeros or other modifications.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: alisonnic on September 24, 2008, 11:40:31 PM
can you remember this thread? http://forum.avast.com/index.php?topic=35761.msg302364#msg302364

it's quite similar, don't you think? regarding the google hits, i believe there's something strange.. and it seems, that the (anti)rootkit detection is valid, but i can ask someone else from our team to validate it again...

btw: some files which arrived at our viruslab have an overlay full of zeros and maybe other modifications against the valid ones...

I did a search on Google as well, just after I started this thread.  That search led me to a thread on AnandTech in which a number of other people with MSI NVIDIA cards found the same files on their driver CD's.

Here's a link to the thread:

http://forums.anandtech.com/messageview.aspx?catid=32&threadid=2032070&enterthread=y

At the bottom of the thread is a quote, supposedly from MSI:

Official quote from MSI
"MSI Tech. 09/19/2007
No, this is a MSI utility info which required when running MSI based utility. If you do not want to install this file, you can download and install/use Nvidia's reference driver which can also work as well: http://www.nvidia.com/object/winxp_2k_162.18.html"

Ok, so I could uninstall the MSI driver and install a different driver, but doesn't it seem like an awfully big coincidence that a lot of people in this thread and a lot of those on the Anand thread that have this file also have MSI NVIDIA drivers installed?

Maxx, the thread you posted the link to says that a file can somehow masquerade as another file, or something to that effect.  If that's indeed what's happening here, how do I fix it?

Also, thanks for having someone take another look at the file I sent.  I'm looking forward to hearing what you find out.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: colebn on September 24, 2008, 11:47:32 PM
Ok, I just found my original MSI Driver disk that came with my MSI 8600GT graphics card.

I did a search of the CD and sure enough I found the Winsys2 (and Winsys) applications. I then went to virustotal.com and uploaded it from the CD (not my machine):- http://www.virustotal.com/analisis/bd46e1e0e8e21616f2c167581b67e94b

Those results are identical to the one I posted earlier. So either MSI have shipped CD's with a virus on them or Avast! is wrong, which is it? ???

Edit:- I have emailed you a download location for that file to virus@avast.com

If it is a trojan, why has avast! started picking up on it just recently?

Trend Micro's online scanner did not pick up on it either, neither did A-squared's free download.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: alisonnic on September 25, 2008, 12:15:43 AM
Ok, I just re-zipped and re-sent my WINSYS2.EXE to the avast support team.  This time I zipped it using Windows' Compressed Folder utility rather than 7-Zip, which is what I used before.

Hopefully this will help them determine what's going on.  ???
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 25, 2008, 04:27:14 PM
I have an MSI video card and MSI mobo and AVAST reports WINSYS2.EXE's suspicious behavior. I think this is a false positive due to all the people reporting it having MSI hardware. This message just started popping up yesterday. No other problems on my machine--no flaky behavior etc.

So far, I have ignored these warnings because I think they are bogus.

Either Avast is right and ALL the other antivirus programs in the world are wrong. Or Avast is giving a false positive.

Maybe someone tightened the heuristics scanning a little too much on the development team. I would like to know either way.

The file date on WINSYS2.EXE is 04-29-2006.

The File information says DOT MFC. It is used by MSI software.

Googling WINSYS2.EXE shows similar discussions as this being held in at least two other forums.


Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 26, 2008, 12:48:19 AM
I think winsys2.exe is Dynamic Overclock Technology (DOT) MFC from MSI. It is used with the MSI video card.
I did an online Kaspersky virus scan just now and it did not find any virus in the Critical Areas or in windows/system32 (I ran both scans).

If this is really a virus then it should have been identified by this date, rather than an anonymous heuristic scan. The Last Modified date on winsys2.exe is 04-29-2006.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: colebn on September 26, 2008, 08:36:37 AM
Is there any chance we can get an update on this? Has this been determined as a trojan or not?

I notice that the download link I sent has not been used, but I believe others have sent their files as well.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: abba12 on September 26, 2008, 11:32:26 AM
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t99121.html

This is a relatively short thread that has a lot of information about the same question, and comes to the conclusion that it comes from the driver CD. The driver CD does, in fact, have a file by the same name on it. The thread is from the middle of last year so obviously it's meaningful.

I have an NVIDIA MSI card as well, and at the moment I have found no other issues rather than a seemingly unrelated trojan I need to look into. It's the fact it's started picking it up so suddenly that worries me.

I'm going to leave it at the moment, but would LOVE a confirmation from avast about this.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 27, 2008, 04:38:56 PM
I don't know if we're going to get any additional info from Avast. It's hard to say whether a program is or is not a virus/trojan. They would have to disassemble it and look at the assembly code. Not fun. And the chances are they might miss something.

Bottom line for me is that NO ONE reporting this file has said, "I do not run MSI hardware." That for me would be a red flag. But everyone is saying they have an MSI video card. I remember going to the MSI web site and downloading their video driver, and yeah, I tinkered with it and tried to maximize the performance.

Also, the fact that Kaspersky Online Scan showed nothing, after scanning C:\WINDOWS\SYSTEM32.

Avast does not have a problem with WINSYS2.EXE as a file, only that it "acts" like a virus sometimes, based on heuristic methods. I happen to know that MSI programming methodology is not all that. They are sloppy programmers to begin with so I can readily believe their program would trigger Avast. That is a sign of a sloppy programmer. Heck maybe it is some kind of spyware, who knows what MSI has up its sleeves, but probably not as dangerous as a criminal virus from the wild.

I have no idea how to uninstall or even if uninstalling would be safe and not mess up my video. I can imagine uninstalling WINSYS2.EXE and then not being able to see anything.

For the time being I am just having Avast ignore the problem when it comes up, but continue alerting me about it. Hopefully we will read more info in this forum from other knowledgeable people. The more people who come on here, and say they have MSI video cards, the better.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 27, 2008, 04:55:26 PM
Okay, I did a scan at virustotal, and three antivirus products decided it was a trojan:

http://www.virustotal.com/analisis/58cbe86b8023ed329c52c2d57b80b51d

File WinSys2.exe received on 09.27.2008 16:46:40 (CET)
Result: 3/36 (8.34%)

Antivirus    Version    Last Update    Result
AhnLab-V3   2008.9.25.0   2008.09.26   -
AntiVir   7.8.1.34   2008.09.26   -
Authentium   5.1.0.4   2008.09.27   -
Avast   4.8.1195.0   2008.09.26   -
AVG   8.0.0.161   2008.09.26   -
BitDefender   7.2   2008.09.27   -
CAT-QuickHeal   9.50   2008.09.27   -
ClamAV   0.93.1   2008.09.27   -
DrWeb   4.44.0.09170   2008.09.27   -
eSafe   7.0.17.0   2008.09.25   -
eTrust-Vet   31.6.6110   2008.09.26   -
Ewido   4.0   2008.09.27   -
F-Prot   4.4.4.56   2008.09.27   -
F-Secure   8.0.14332.0   2008.09.27   -
Fortinet   3.113.0.0   2008.09.27   -
GData   19   2008.09.27   -
Ikarus   T3.1.1.34.0   2008.09.27   -
K7AntiVirus   7.10.476   2008.09.27   Trojan.Win32.Malware.1
Kaspersky   7.0.0.125   2008.09.27   -
McAfee   5393   2008.09.27   -
Microsoft   1.3903   2008.09.27   -
NOD32   3476   2008.09.27   -
Norman   5.80.02   2008.09.26   -
Panda   9.0.0.4   2008.09.27   Trj/Agent.ISR
PCTools   4.4.2.0   2008.09.26   -
Prevx1   V2   2008.09.27   Worm
Rising   20.63.52.00   2008.09.27   -
SecureWeb-Gateway   6.7.6   2008.09.26   -
Sophos   4.34.0   2008.09.27   -
Sunbelt   3.1.1675.1   2008.09.27   -
Symantec   10   2008.09.27   -
TheHacker   6.3.0.9.094   2008.09.25   -
TrendMicro   8.700.0.1004   2008.09.26   -
VBA32   3.12.8.6   2008.09.27   -
ViRobot   2008.9.26.1394   2008.09.26   -
VirusBuster   4.5.11.0   2008.09.26   -

That's enough for me. I am uninstalling this piece of crap before it does anymore damage. I'm using Panda's anti-rootkit.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Lisandro on September 27, 2008, 05:09:14 PM
drakester, it seems a false positive of those programs...
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 27, 2008, 05:10:25 PM
Well, I ran Panda, F-Secure and Trend Micro anti-Rootkit utilities. And none of them picked up anything.

The only other option I have is to actually delete WINSYS2.EXE.

Instead of doing that, I'm just going to rename the file to backupWinSYS2.EXE and see if the warning messages from Avast go away. (And if any impact to the video display.)
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: DavidR on September 27, 2008, 05:23:49 PM
That is a safer bet than deletion, as whatever would run this wouldn't be able to find the original file name, so it shouldn't be running when avast's rootkit scan takes place and hopefully wouldn't detect the renamed file.

However, since avast doesn't detect this in the virustotal results and that was using a recent VPS version 080926-0, right click on the file and select scan, I believe avast will no longer detect it (as the VPS may have been corrected) ?

If that is the case there is no need to rename it, you could revert to the normal name and see if avast detects it on the next reboot.

Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 27, 2008, 09:16:33 PM
I already had Avast do a complete scan (at boot) and also scanned the entire WINDOWS\SYSTEM32 directory, and it found nothing. Again Avast reported the file based on heuristics, namely, the sneaky behavior of the program.

I renamed the file and haven't noticed any ill effects, and the warnings from Avast have not reoccurred.

The file may or may not be a trojan, but why take a chance? Especially if it does not appear to be a necessary process.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: DavidR on September 27, 2008, 10:20:39 PM
Yes, but what we are trying to establish now is, has this detection been corrected. Right clicking on the renamed file and from the context menu select scan, this is the most thorough of the avast scans to see if it is still detected.

If not then it would be relatively safe to change back to the original name and boot to see if avast detects in this rootkit scan. Otherwise you will never know and if it is a genuine MSI file as is suggested by many you would have lost that functionality by renaming it.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 28, 2008, 05:45:07 AM
okay, this virus alert has been an ongoing issue, for me, for the past two days. A scan of the individual file (WINSYS2.exe) turns up nothing. A scan of the file on virustotal gets 3 hits, from Panda and two other antiviruses, for an 8.34% hit percentage. Avast does NOT detect any virus, when doing a boot-time scan. The only time it detects WINSYS2.EXE is when WINSYS2.EXE decides, on its own, for unknown reasons, to execute, to "come alive." Avast detects based upon heuristics.

So, there is nothing to be gained by renaming backupWinSys2.EXE to WINSYS2.EXE in order to see whether Avast will now detect it. Avast will not detect it. A scan will not detect it. If Winsys2.exe decides, on its own, for unknown reasons, to activate, to behave in a virus-like manner, then based upon heuristics, Avast *might* detect it. However, I've been running 12 hours without issue so I intend to leave WINSYS2.exe renamed and presumably deactivated and neutralized. If the system doesn't really need it, or uses it merely to make the video colors more vivid, as I have concluded from google research, then I can live without it, and I think most people can. It may or may not be a trojan or malware, but I'd rather be safe than sorry.

Avast isn't the only product out there claiming that Winsys2.exe is suspicious - there are three other antiviruses that also have arrived at this conclusion. Granted, the majority don't think so. But in this case, I'm willing to listen to the minority voice, until someone gives a persuasive case as to why Winsys2.exe is *not* malware.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: wyrmrider on September 28, 2008, 05:52:42 AM
well try a couple of things
Jotti has some different scanners- upload to jotti
google up the suspect name and see how bad it is and if there are any files or registry entries listed which would give it away

run the panda on line scan and see if panda finds any associated hits

where was this thing found  PATH

have you run the usual anti spyware/ malware scans? (just to cross check?)

I have NOT recently gone through this whole thread so I apologise if this is redundant
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 28, 2008, 10:38:28 AM
I ran Avast (boot-time scan of complete system) and Ad-Aware scan, and neither found anything. I also ran Panda's, F-Protect, and TrendMicro's anti-rootkit programs, and they came up with nothing. So in all likelihood, this is much ado about nothing. Probably the fault of MSI for poor programming practices that raise the hackles of anti-virus programs. On the other hand... you never know. If it's MSI, the question is, why does this alert come up all of a sudden, now, when it's been a year since I installed any MSI drivers. Perhaps because I tweaked the NVIDIA controls to use the Vivid option, suddenly activating WINSYS2.exe to come alive? Anyway this whole issue has really sent a lot of people all over the world for a loop. Searching on google, there are people on at least a dozen different forums asking this exact same question.

Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: colebn on September 28, 2008, 10:42:40 AM
well try a couple of things
Jotti has some different scanners- upload to jotti
(Screenshot of the Jotti scan result: http://img529.imageshack.us/my.php?image=jottiwinsyssm4.png)


google up the suspect name and see how bad it is and if there are any files or registry entries listed which would give it away
I've googled it without much success. There appears to be no definitive answer anywhere.

run the panda on line scan and see if panda finds any associated hits
Panda detects it as Trj/Agent.ISR. That is consistent with Jotti and Virustotal's results.

where was this thing found  PATH
C:/Windows/System32 folder

have you run the usual anti spyware/ malware scans? (just to cross check?)

I have NOT recently gone through this whole thread so I apologise if this is redundant
I've run A-squared, several rootkits (including; Avast!, Panda (which interestingly detected nothing), Trend Micro and a couple of others), Super Antispyware, Trend Micro's online scanner as well as Panda's (see results above).
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: DavidR on September 28, 2008, 02:02:36 PM
okay, this virus alert has been an ongoing issue, for me, for the past two days. A scan of the individual file (WINSYS2.exe) turns up nothing. A scan of the file on virustotal gets 3 hits, from Panda and two other antiviruses, for an 8.34% hit percentage. Avast does NOT detect any virus, when doing a boot-time scan. The only time it detects WINSYS2.EXE is when WINSYS2.EXE decides, on its own, for unknown reasons, to execute, to "come alive." Avast detects based upon heuristics.
<snip>

OK, I'm having a hard time getting my head round what is actually happening here, the next time it happens, can you take a screenshot of the alert window.

Since there are numerous posts relating to this being an MSI motherboard/graphics driver then it isn't winsys2.exe deciding to run, it can't do that on its own, there has to be either a run command in registry or something that you are doing that would initiate it to start some feature set, etc.

So when it happens next apart from the screenshot, document what you were doing when it happened.

Other than that I'm at a loss, but I would certainly fire off another copy of this file to avast as a possible false positive.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: colebn on September 28, 2008, 05:56:34 PM
DavidR,

Maybe I can help as I'm having the same problem.

If you go right back to the original post that started this thread you'll see a description of what happens. As drakester has mentioned it pops up kind of randomly. I've found that it can pop up 1 minute after starting up the machine but it can take 20 mins before you get the pop up. I've since selected the "always ignore" option on that pop up so I don't get it anymore, not sure how to "un"-ignore it to be honest! Otherwise I would post a screenshot for you.

After you close that pop up you get another pop up window asking you if you want to schedule a boot scan at start up and you can only choose yes or no. I think like others I have selected yes, only to find that avast finds nothing and boots into windows normally and then a few minutes later you get that pop up and you're back to square one....

I've noticed it when I have a browser window open, I use both FF and IE7, both have the latest patches and I have all other updates from Microsoft as well. I know recently there was a new update for .NET from Microsoft and in the last few days FF has updated itself. No updates for IE as I recall.

I know the copy I uploaded (to which I sent them a download link for) to avast has not been downloaded. I don't think they have managed to get around to this just yet.

Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: DavidR on September 28, 2008, 07:19:57 PM
Thanks, I think we are in the hands of avast to see if they can come up with why it is detected. As an avast user there is little I can do to try and test this as neither of my two systems has those files.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 28, 2008, 08:48:29 PM
DavidR,

Maybe I can help as I'm having the same problem.

If you go right back to the original post that started this thread you'll see a description of what happens. As drakester has mentioned it pops up kind of randomly. I've found that it can pop up 1 minute after starting up the machine but it can take 20 mins before you get the pop up. I've since selected the "always ignore" option on that pop up so I don't get it anymore, not sure how to "un"-ignore it to be honest! Otherwise I would post a screenshot for you.

After you close that pop up you get another pop up window asking you if you want to schedule a boot scan at start up and you can only choose yes or no. I think like others I have selected yes, only to find that avast finds nothing and boots into windows normally and then a few minutes later you get that pop up and you're back to square one....

I've noticed it when I have a browser window open, I use both FF and IE7, both have the latest patches and I have all other updates from Microsoft as well. I know recently there was a new update for .NET from Microsoft and in the last few days FF has updated itself. No updates for IE as I recall.

I know the copy I uploaded (to which I sent them a download link for) to avast has not been downloaded. I don't think they have managed to get around to this just yet.

My experience is the same as colebn's. Winsys2.exe activates at startup (or used to, before I renamed it). Other than that, it may activate when I am watching a video. This is fairly consistent with what you might expect in a video card utility. There are all kinds of system processes linked to Nvidia; nwiz, etc. that control about fifty different things, I don't even know what all they do. As for a screenshot, there isn't much on the screen, only that Avast has detected a hidden rootkit process, that is acting like a malicious file. The options are Delete or Ignore. I have always Ignored, but never clicked "Always Ignore," because I'm not THAT confident that it's a false positive. I run a fairly secure system (Windows firewall as well as router firewall), but do a lot of surfing and download and run a lot of different programs. Recently I discovered Yahoo toolbar was installed on my PC and I have no idea how that happened (and I uninstalled it). Maybe it came in stealthily with Firefox's latest update.

I clicked "Send file to Avast" so I assume they got it somehow. The file info reads "DOT MFC". I did a regedit and the registry also makes reference to DOT, which is Dynamic Overclocking Technology. But who really knows what it is, except possibly MSI... or a virus writer. There's no requirement that the programmer be honest about the program description.

If it's malware or some kind of trojan, it's very well done, eluding detection from full system scans by fully updated antivirus and antispyware programs.

Since renaming WINSYS2.EXE, it has not popped up anymore, and I haven't noticed any ill effects. My PC has been running about 72 hours straight, ripping some dvd's. Avast's pretty blue dots are active and just as happy as they could be, twiddling their thumbs finding nothing.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: abba12 on September 29, 2008, 10:37:26 AM
Like the others I'm not brave enough to say always ignore, and if it hasn't already been done I'll post a screenshot when I boot up tomorrow.

My guess is in the last avast update the anti-rootkit was tweaked and made aware of new things, and something in this driver matches the new tweaking. It started at the same time for everyone on avast, but after googling, other virus scanners had the same issues with it as early as 2006, suddenly appearing for all users at the same time in at least one other case. I don't think any spyware is smart enough to time its activation depending on the scanner you run, lol! And if it's only just become detectable, then it's been running on all our computers for up to three years, with seemingly no effect except a little more email spam.

avast may like to add this to an exceptions list somewhere though. It would help.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Sunrise on September 29, 2008, 10:21:11 PM
Hi, folks!

Since last week I have had exactly the same problem with this mysterious alert for winsys2.exe, as is reported here. I found that this file definitely came with my MSI video card (Nvidia GeForce 8400GS), but I couldn't figure out what it is for. Very confusing!

Finally my solution was to uninstall the out-of-date Nvidia display driver and to install a more current one, which I got from the Nvidia website. Attention: if there is a choice between different Nvidia components, select only the display driver for uninstalling. After the new installation the winsys2.exe didn't show up and everything works fine. Problem solved.

Greetings, Sunrise
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: drakester on September 30, 2008, 10:38:58 PM
Since renaming WINSYS2.EXE to backupWINSYS2.EXE, I haven't had any more alerts, and have done not one but two boot-time Avast scans, finding nothing related to WINSYS2.EXE. It did find two infected files in the System Restore directory, and a corrupted archive. I notice no ill effects from renaming WINSYS2.EXE, so I have to conclude its function is pretty minor in regard to the video card. Although I have not run any graphically intense video games lately... I also found a thread here about this very same issue:

http://forums.whatthetech.com/explorer_exe_keeps_restarting_t93067.html

It's a very interesting read, because WINSYS2.EXE is detected by a user who has the file scanned at Jotti, with the same results that colebn received. The technical support guy responded that WINSYS2.EXE was CLEAN, despite Panda finding Trj/Agent.ISR.

Maybe Panda has a problem with false positives? I've heard that is often the case.

Anyway this is the last I will post on this thread, unless I get bitten in the ass by a virus.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: crazydaveorama on March 12, 2009, 10:35:31 AM
If you have this file, right click on it and choose Properties. Look under Version and if it says "DOT MFC Application" then it is part of MSI's Nvidia graphics card software to do with overclocking. DOT means Dynamic Overclocking Technology. It seems that when the driver is updated it does not remove the original file "WinSys.exe", so it renames the new file with a 2 at the end of the file's name. This is to allow rolling back the driver if required.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: henryvii on March 23, 2009, 10:41:23 PM
Thanks for everybody's contributions, which helped lead me in the right direction to assure myself with confidence that this is not a problem.

Having read the posts here I opened both winsys.exe and winsys2.exe in Notepad and looked for any ASCII text that would help put this to bed. Both files contain the text "NVIDIA Corporation\RIVA TNT\NVTweak", which is good enough for me.
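The two checks from the posts above (the Version entry under Properties, and the ASCII text visible in Notepad) can be done in one pass, together with a hash to attach to a VirusTotal or false-positive submission. This is an added example, not code from this thread or from Avast, MSI or Nvidia; SAMPLE_BLOB is constructed bytes standing in for a real file, and EXPECTED_MARKERS is an assumption drawn from the strings the posts quote.

```python
import hashlib
import re

# Constructed stand-in for a binary under investigation (NOT the real winsys2.exe):
# a fake DOS header, the ASCII vendor path quoted in the thread, some junk bytes,
# and a UTF-16LE fragment shaped like a PE version resource (VersionInfo is UTF-16,
# which is why it is not readable in Notepad while the ASCII path is).
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"NVIDIA Corporation\\RIVA TNT\\NVTweak\x00"
    + b"\x01\x02\x03"
    + "FileDescription\x00DOT MFC Application\x00".encode("utf-16-le")
    + b"\xff\xfe\x00"
)

# Markers a reader would expect in the legitimate MSI/Nvidia utility, per the thread
# (assumption: taken from the strings quoted in the posts, not a vendor-published list).
EXPECTED_MARKERS = ("NVIDIA Corporation\\RIVA TNT\\NVTweak", "DOT MFC Application")


def sha256_hex(data: bytes) -> str:
    """Hash of the file as submitted to VirusTotal or a false-positive report."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def check_markers(data: bytes, markers=EXPECTED_MARKERS) -> dict[str, bool]:
    """Report which expected vendor markers appear in the extracted strings."""
    strings = extract_strings(data)
    return {m: any(m in s for s in strings) for m in markers}


if __name__ == "__main__":
    print("sha256:", sha256_hex(SAMPLE_BLOB))
    for s in extract_strings(SAMPLE_BLOB):
        print("string:", s)
    for marker, present in check_markers(SAMPLE_BLOB).items():
        print(f"{'found' if present else 'MISSING'}: {marker}")
```

On a real file, pass the contents read with open(path, "rb") in place of SAMPLE_BLOB; a marker match is only supporting evidence, since anything can embed vendor strings, so the hash and a scanner verdict still decide the false-positive question.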
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Lisandro on March 23, 2009, 10:48:15 PM
Please submit it to VirusTotal (http://www.virustotal.com/xhtml/index_en.html) and let us know the result.
Title: Re: Suspicious File Found: WINSYS2.EXE
Post by: Mancha on March 06, 2011, 12:19:08 AM
For what it's worth: I installed an older version of McAfee VirusScan which found the madchook.dll and placed it in quarantine. I then received an error message when winsys2.exe tried to run during Windows XP startup. I also noticed that the NVidia Desktop Manager icon in my Control Panel showed a broken link, presumably due to winsys2 not running any more.

Went to the NVidia website and downloaded the latest driver software. The NVidia Desktop Manager is now working (a new icon appeared in the system tray also), but the winsys2.exe file is still set to run on startup. I used the MSCONFIG command to turn off winsys2.exe under the Startup tab. Although I am not sure how to uninstall the drivers that created winsys2.exe in the first place, everything seems to be working as it should... and no more startup error.

Perhaps McAfee wants to be cautious and stop files (madchook.dll) that could be viruses even if some are legitimate. NVidia does seem to have stopped its use of madchook.dll and winsys2.exe in the new driver software as well.