Author Topic: Suspicious File Found: WINSYS2.EXE  (Read 46958 times)


alisonnic

  • Guest
Suspicious File Found: WINSYS2.EXE
« on: September 23, 2008, 11:50:14 PM »
Avast has begun giving me a warning that it has found a suspicious file:

  File Name: C:\WINDOWS\System32\WINSYS2.EXE
  Type: Rootkit: hidden process

It says this was detected using a heuristic method.

It gives me the option of either deleting or ignoring it, and its recommended action is Ignore.

I chose Ignore, and Avast immediately gave me a message saying:

avast has detected a virus in the operating memory.  Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast! scan all your data in the boot phase, before the virus can be activated.  Do you want to schedule the boot-time scan and restart the computer?

I chose Yes, and the boot time scan found no viruses on my hard drive.

But after booting I got the same message about the suspicious file.

What do I do now?
« Last Edit: September 23, 2008, 11:54:23 PM by alisonnic »

Offline Marc57

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1944
  • KISS Rules The World!!!
    • KISS Army
Re: Suspicious File Found: WINSYS2.EXE
« Reply #1 on: September 24, 2008, 12:29:26 AM »
Follow Tech's suggestions in the second post and see if that helps.

http://forum.avast.com/index.php?topic=36473.0
You Wanted the Best You Got the Best the Hottest Band in the World KISS!!!

alisonnic

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #2 on: September 24, 2008, 01:00:33 AM »
Follow Tech's suggestions in the second post and see if that helps.

http://forum.avast.com/index.php?topic=36473.0

Thanks!  Good information.

My suspicious file turned up all negatives on Virustotal.  (At least, that's what I think it means when every one of Virustotal's tests has a dash (-) in the result column.)  So I'll be submitting a False Positive report to avast!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Suspicious File Found: WINSYS2.EXE
« Reply #3 on: September 24, 2008, 01:16:37 AM »
Well this google search doesn't back up that result, http://www.google.co.uk/search?q=WINSYS2.EXE.

The file name and location look suspicious to me even before I did a google search for it.

It is possible that the file might be protected in some way and 0 bytes actually gets uploaded. Try uploading it again and this time post the URL to the results (copy and paste it from the address bar).

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Jtaylor83

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #4 on: September 24, 2008, 04:07:02 AM »
This is definitely a rootkit.

http://www.prevx.com/filenames/X1470474490683438331-0/WINSYS2.EXE.html

I suggest you follow DavidR's instructions.

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: Suspicious File Found: WINSYS2.EXE
« Reply #5 on: September 24, 2008, 09:56:31 AM »
winsys2.exe is not a false positive; it has been analysed already. There could be dependencies to other modules (look at the google results); we're trying to get the other possibly related files...

colebn

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #6 on: September 24, 2008, 02:49:04 PM »
I've just had exactly the same problem as the OP, same messages, same results.

I downloaded the Trend Micro Rootkit buster from the link kindly provided by DavidR. I ran the file, it asked me to restart the PC which I did and since then nothing (I can't see any new program installed or anything). The Avast! message as outlined in the OP still pops up.

Should I try the other rootkit thingies?

And how do you submit a file to Avast!? Is it automatic?

Edit: Not sure if this is useful or not but... http://www.virustotal.com/analisis/a4498afa5ecb4c44b1f530356d3eabf0 I submitted it there.
« Last Edit: September 24, 2008, 03:04:18 PM by colebn »

Brammert

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #7 on: September 24, 2008, 03:17:06 PM »
Same problem here as of yesterday. I did the full virus scan as suggested by Avast, as well as a rootkit check, and no problems were reported.

For your awareness (and to the best of my knowledge): both winsys.exe and winsys2.exe are installed as part of the MSI NVIDIA Geforce videocard driver install process, and are reported as part of the driver pack. I suspect that in my case the Avast message is in error.

colebn

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #8 on: September 24, 2008, 03:32:08 PM »
I have a MSI motherboard and graphics card in my PC as well. I've noticed I have 2 files in the C:/Windows/System32 folder; winsys and winsys2. Both say they are a "DOT MFC Application", whatever that means.

I've since run the Panda rootkit check and that showed up nothing.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Suspicious File Found: WINSYS2.EXE
« Reply #9 on: September 24, 2008, 03:40:01 PM »
Whilst I have a Sparkle, Nvidia GeForce PCI 8600GT I don't have any of those files, though my graphics card isn't by MSI. My motherboard is by MSI, a P35 Neo.

I suggest you upload them to virustotal and check them out.

You could also check the MD5 number reported at the bottom of the VirusTotal link in colebn's post and compare it against the MD5 of your file.

nickb01

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #10 on: September 24, 2008, 03:56:44 PM »
Hi I too am getting same message on 2 msi computers with windows xp.
I also have a 3rd computer but running windows vista 32bit.
The message has not occurred on the vista machine yet.
All 3 computers have the same mother board and graphics card.
The graphics card is nvidia geforce 8800 sold by msi.
The motherboard is nvidia nforce 570 sli chipset based - k9n sli platinum also sold by msi.

aSDafDa

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #11 on: September 24, 2008, 06:03:48 PM »
I am also getting this message. 

MD5 on Virustotal matches that posted earlier.

I have the MSI GeForce 8500 GT.  The date winsys.exe and winsys2.exe were created is 5-30-2008, which is the date I built this computer.

System scan on boot shows no viruses, various rootkit detection programs do not pick up anything.

Xunau

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #12 on: September 24, 2008, 08:57:37 PM »
My friend has the same problem too.
He has an MSI GeForce 8500 GT video card and the winsys2.exe is on his installation CD.

Avast has only seen it as a rootkit since yesterday.

http://www.virustotal.com/analisis/1244f460b0869f4ab321a320b0b099e2

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Suspicious File Found: WINSYS2.EXE
« Reply #13 on: September 24, 2008, 10:49:31 PM »
This is a different MD5 number to that in colebn's VirusTotal link, so it is different to the file he submitted.

alisonnic

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #14 on: September 24, 2008, 10:56:26 PM »
Ok, I submitted the file to Virustotal again and here is the result:

http://www.virustotal.com/reanalisis.html?de47e4757ce157707d9e825e62a6c174

It says it scanned 208896 bytes so the upload appears to have been successful.  And all the tests were negative.

I, too have an MSI NVIDIA card, in my case an 8800GT.  I am looking at the CD right now and both winsys2.exe and winsys.exe are on the CD, in the folder R:\nVIDIA\Win2K-XP\V169.02.

These two files have the same dates and sizes as the two files of the same name in my Windows/System32 folder.  So I am confident that they came from the CD when I installed the MSI NVIDIA driver from it.

So the question is, did MSI ship a driver with a rootkit in it, or is avast! mis-identifying a legitimate driver file as a rootkit?

Has anyone at avast! had a chance to look at the file I emailed to you yesterday to see if it's the same as a known rootkit, or different?

Should someone at avast! contact MSI to let them know they are shipping a file with a name that's the same as a known rootkit?
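Two checks come up repeatedly in the thread: DavidR's advice to compare the MD5 at the bottom of the VirusTotal report against the MD5 of your own copy (and his caveat that a protected file can upload as 0 bytes), and alisonnic's comparison of the CD copy with the System32 copy by date and size alone. The script below is an added example and is not code from the thread, from avast! or from MSI. It hashes files in chunks, refuses a 0-byte read, compares two copies by content rather than by size or timestamp, and looks a file up in a table of known hashes. The "known" MD5, the file names and the file contents are all constructed in a temporary directory so the script runs offline; none of them are the real winsys2.exe hashes from the VirusTotal links above. It also goes one step beyond the thread by showing why size and date are not enough: a copy with a single byte flipped keeps both.

```python
"""Hash-compare local copies of a flagged binary against each other and against a known hash.

Added example, not part of the forum thread. All file contents and the
"known" MD5 below are constructed stand-ins, not the real winsys2.exe.
"""
import hashlib
import os
import tempfile


def file_digests(path, chunk=1 << 20):
    """Return size, MD5 and SHA-256 of a file, reading it in chunks.

    A 0-byte read is treated as an error rather than hashed: the same way a
    protected file can upload to VirusTotal as 0 bytes, a local open() that
    returns nothing means the binary was never actually hashed.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            md5.update(block)
            sha256.update(block)
    if size == 0:
        raise ValueError(f"{path}: read 0 bytes; file is empty or unreadable")
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def same_content(path_a, path_b):
    """True only if both files hash identically (SHA-256).

    Matching size and creation date are not sufficient: a one-byte patch
    keeps both unchanged.
    """
    return file_digests(path_a)["sha256"] == file_digests(path_b)["sha256"]


def match_known(path, known_md5):
    """Return the label recorded for the file's MD5, or None if it is not in the table."""
    return known_md5.get(file_digests(path)["md5"])


def demo():
    """Build constructed files in a temp dir and run the three checks; returns the results."""
    # Constructed stand-in for the driver binary (hypothetical, not real winsys2.exe bytes).
    driver_bytes = b"MZ" + b"\x00" * 62 + b"constructed stand-in for winsys2.exe" * 8
    tampered = bytearray(driver_bytes)
    tampered[-1] ^= 0x01  # same size as the original, one byte different

    with tempfile.TemporaryDirectory() as tmp:
        cd_copy = os.path.join(tmp, "cd_winsys2.exe")          # copy from the install CD
        sys_copy = os.path.join(tmp, "system32_winsys2.exe")   # copy from System32
        bad_copy = os.path.join(tmp, "tampered_winsys2.exe")   # patched copy, same size
        empty = os.path.join(tmp, "empty.exe")                 # the 0-byte case
        for p, data in ((cd_copy, driver_bytes), (sys_copy, driver_bytes),
                        (bad_copy, bytes(tampered)), (empty, b"")):
            with open(p, "wb") as fh:
                fh.write(data)

        # Hypothetical "known" hash table: in practice the key is the MD5 printed
        # at the bottom of the VirusTotal report; here it is the CD copy's own MD5.
        known = {file_digests(cd_copy)["md5"]: "hash from VirusTotal report (placeholder)"}

        try:
            file_digests(empty)
            empty_rejected = False
        except ValueError:
            empty_rejected = True

        return {
            "cd_matches_system32": same_content(cd_copy, sys_copy),
            "tampered_same_size": os.path.getsize(bad_copy) == os.path.getsize(sys_copy),
            "tampered_matches_system32": same_content(bad_copy, sys_copy),
            "system32_known": match_known(sys_copy, known),
            "tampered_known": match_known(bad_copy, known),
            "empty_file_rejected": empty_rejected,
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To use it on a real machine, replace the constructed files with the paths of the CD copy and C:\WINDOWS\System32\WINSYS2.EXE, and put the MD5 from the VirusTotal report you submitted into the `known` table; two copies that agree on SHA-256 are the same file, whatever the heuristic says about it.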