Author Topic: Suspicious File Found: WINSYS2.EXE  (Read 45008 times)


drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #30 on: September 27, 2008, 09:16:33 PM »
I already had Avast do a complete scan (at boot) and also scanned the entire WINDOWS\SYSTEM32 directory, and it found nothing. Again Avast reported the file based on heuristics, namely, the sneaky behavior of the program.

I renamed the file and haven't noticed any ill effects, and the warnings from Avast have not reoccurred.

The file may or may not be a trojan, but why take a chance? Especially if it does not appear to be a necessary process.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 86506
  • No support PMs thanks
Re: Suspicious File Found: WINSYS2.EXE
« Reply #31 on: September 27, 2008, 10:20:39 PM »
Yes, but what we are trying to establish now is whether this detection has been corrected. Right-click on the renamed file and from the context menu select Scan; this is the most thorough of the avast scans, to see if it is still detected.

If not, then it would be relatively safe to change back to the original name and boot to see if avast detects it in this rootkit scan. Otherwise you will never know, and if it is a genuine MSI file, as is suggested by many, you would have lost that functionality by renaming it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #32 on: September 28, 2008, 05:45:07 AM »
Okay, this virus alert has been an ongoing issue, for me, for the past two days. A scan of the individual file (WINSYS2.exe) turns up nothing. A scan of the file on virustotal gets 3 hits, from Panda and two other antiviruses, for an 8.34% hit percentage. Avast does NOT detect any virus when doing a boot-time scan. The only time it detects WINSYS2.EXE is when WINSYS2.EXE decides, on its own, for unknown reasons, to execute, to "come alive." Avast detects based upon heuristics.

So, there is nothing to be gained by renaming backupWinSys2.EXE to WINSYS2.EXE in order to see whether Avast will now detect it. Avast will not detect it. A scan will not detect it. If Winsys2.exe decides, on its own, for unknown reasons, to activate, to behave in a virus-like manner, then based upon heuristics, Avast *might* detect it. However, I've been running 12 hours without issue so I intend to leave WINSYS2.exe renamed and presumably deactivated and neutralized. If the system doesn't really need it, or uses it merely to make the video colors more vivid, as I have concluded from google research, then I can live without it, and I think most people can. It may or may not be a trojan or malware, but I'd rather be safe than sorry.

Avast isn't the only product out there claiming that Winsys2.exe is suspicious - there are three other antiviruses that also have arrived at this conclusion. Granted, the majority don't think so. But in this case, I'm willing to listen to the minority voice, until someone gives a persuasive case as to why Winsys2.exe is *not* malware.

wyrmrider

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #33 on: September 28, 2008, 05:52:42 AM »
Well, try a couple of things:
Jotti has some different scanners - upload to Jotti.
Google up the suspect name and see how bad it is, and if there are any files or registry entries listed which would give it away.

Run the Panda online scan and see if Panda finds any associated hits.

Where was this thing found? (PATH)

Have you run the usual anti-spyware/malware scans? (Just to cross-check.)

I have NOT recently gone through this whole thread, so I apologise if this is redundant.

drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #34 on: September 28, 2008, 10:38:28 AM »
I ran Avast (boot-time scan of complete system) and an Ad-Aware scan, and neither found anything. I also ran Panda's, F-Protect's, and TrendMicro's anti-rootkit programs, and they came up with nothing. So in all likelihood, this is much ado about nothing. Probably the fault of MSI for poor programming practices that raise the hackles of anti-virus programs. On the other hand... you never know. If it's MSI, the question is, why does this alert come up all of a sudden, now, when it's been a year since I installed any MSI drivers? Perhaps because I tweaked the NVIDIA controls to use the Vivid option, suddenly activating WINSYS2.exe to come alive? Anyway, this whole issue has really sent a lot of people all over the world for a loop. Searching on Google, there are people on at least a dozen different forums asking this exact same question.


colebn

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #35 on: September 28, 2008, 10:42:40 AM »
Well, try a couple of things:
Jotti has some different scanners - upload to Jotti.

Google up the suspect name and see how bad it is, and if there are any files or registry entries listed which would give it away.
I've googled it without much success. There appears to be no definitive answer anywhere.

Run the Panda online scan and see if Panda finds any associated hits.
Panda detects it as Trj/Agent.ISR. That is consistent with Jotti's and Virustotal's results.

Where was this thing found? (PATH)
C:/Windows/System32 folder

Have you run the usual anti-spyware/malware scans? (Just to cross-check.)

I have NOT recently gone through this whole thread, so I apologise if this is redundant.
I've run A-squared, several anti-rootkits (including Avast!, Panda (which interestingly detected nothing), Trend Micro and a couple of others), Super Antispyware, Trend Micro's online scanner as well as Panda's (see results above).

Offline DavidR

Re: Suspicious File Found: WINSYS2.EXE
« Reply #36 on: September 28, 2008, 02:02:36 PM »
Okay, this virus alert has been an ongoing issue, for me, for the past two days. A scan of the individual file (WINSYS2.exe) turns up nothing. A scan of the file on virustotal gets 3 hits, from Panda and two other antiviruses, for an 8.34% hit percentage. Avast does NOT detect any virus when doing a boot-time scan. The only time it detects WINSYS2.EXE is when WINSYS2.EXE decides, on its own, for unknown reasons, to execute, to "come alive." Avast detects based upon heuristics.
<snip>

OK, I'm having a hard time getting my head round what is actually happening here; the next time it happens, can you take a screenshot of the alert window?

Since there are numerous posts relating to this being an MSI motherboard/graphics driver, it isn't winsys2.exe deciding to run; it can't do that on its own. There has to be either a run command in the registry or something that you are doing that initiates it to start some feature set, etc.

So when it happens next apart from the screenshot, document what you were doing when it happened.

Other than that I'm at a loss, but I would certainly fire off another copy of this file to avast as a possible false positive.

colebn

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #37 on: September 28, 2008, 05:56:34 PM »
DavidR,

Maybe I can help as I'm having the same problem.

If you go right back to the original post that started this thread you'll see a description of what happens. As drakester has mentioned, it pops up kind of randomly. I've found that it can pop up 1 minute after starting up the machine, but it can take 20 mins before you get the pop-up. I've since selected the "always ignore" option on that pop-up so I don't get it anymore; not sure how to "un"-ignore it, to be honest! Otherwise I would post a screenshot for you.

After you close that pop-up you get another pop-up window asking you if you want to schedule a boot scan at start-up, and you can only choose yes or no. I think, like others, I have selected yes, only to find that avast finds nothing and boots into Windows normally, and then a few minutes later you get that pop-up and you're back to square one....

I've noticed it when I have a browser window open, I use both FF and IE7, both have the latest patches and I have all other updates from Microsoft as well. I know recently there was a new update for .NET from Microsoft and in the last few days FF has updated itself. No updates for IE as I recall.

I know the copy I uploaded to avast (for which I sent them a download link) has not been downloaded. I don't think they have managed to get around to this just yet.


Offline DavidR

Re: Suspicious File Found: WINSYS2.EXE
« Reply #38 on: September 28, 2008, 07:19:57 PM »
Thanks, I think we are in the hands of avast to see if they can come up with why it is detected. As an avast user there is little I can do to try and test this as neither of my two systems has those files.

drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #39 on: September 28, 2008, 08:48:29 PM »
DavidR,

Maybe I can help as I'm having the same problem.

If you go right back to the original post that started this thread you'll see a description of what happens. As drakester has mentioned, it pops up kind of randomly. I've found that it can pop up 1 minute after starting up the machine, but it can take 20 mins before you get the pop-up. I've since selected the "always ignore" option on that pop-up so I don't get it anymore; not sure how to "un"-ignore it, to be honest! Otherwise I would post a screenshot for you.

After you close that pop-up you get another pop-up window asking you if you want to schedule a boot scan at start-up, and you can only choose yes or no. I think, like others, I have selected yes, only to find that avast finds nothing and boots into Windows normally, and then a few minutes later you get that pop-up and you're back to square one....

I've noticed it when I have a browser window open, I use both FF and IE7, both have the latest patches and I have all other updates from Microsoft as well. I know recently there was a new update for .NET from Microsoft and in the last few days FF has updated itself. No updates for IE as I recall.

I know the copy I uploaded to avast (for which I sent them a download link) has not been downloaded. I don't think they have managed to get around to this just yet.

My experience is the same as colebn's. Winsys2.exe activates at startup (or used to, before I renamed it). Other than that, it may activate when I am watching a video. This is fairly consistent with what you might expect in a video card utility. There are all kinds of system processes linked to Nvidia (nwiz, etc.) that control about fifty different things; I don't even know what all they do. As for a screenshot, there isn't much on the screen, only that Avast has detected a hidden rootkit process that is acting like a malicious file. The options are Delete or Ignore. I have always Ignored, but never clicked "Always Ignore," because I'm not THAT confident that it's a false positive. I run a fairly secure system (Windows firewall as well as router firewall), but do a lot of surfing and download and run a lot of different programs. Recently I discovered the Yahoo toolbar was installed on my PC and I have no idea how that happened (and I uninstalled it). Maybe it came in stealthily with Firefox's latest update.

I clicked "Send file to Avast" so I assume they got it somehow. The file info reads "DOT MFC". I did a regedit and the registry also makes reference to DOT, which is Dynamic Overclocking Technology. But who really knows what it is, except possibly MSI... or a virus writer. There's no requirement that the programmer be honest about the program description.

If it's malware or some kind of trojan, it's very well done, eluding detection from full system scans by fully updated antivirus and antispyware programs.

Since renaming WINSYS2.EXE, it has not popped up anymore, and I haven't noticed any ill effects. My PC has been running about 72 hours straight, ripping some DVDs. Avast's pretty blue dots are active and just as happy as they could be, twiddling their thumbs finding nothing.

abba12

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #40 on: September 29, 2008, 10:37:26 AM »
Like the others, I'm not brave enough to say always ignore, and if it hasn't already been done I'll post a screenshot when I boot up tomorrow.

My guess is that in the last avast update the anti-rootkit was tweaked and made aware of new things, and something in this driver matches the new tweaking. It started at the same time for everyone on avast, but after googling, other virus scanners had the same issues with it as early as 2006, suddenly appearing for all users at the same time in at least one other case. I don't think any spyware is smart enough to time-activate depending on the scanner you run, lol! And if it's only just become detectable, then it's been running on all our computers for up to three years, with seemingly no effect except a little more email spam.

Avast may like to add this to an exceptions list somewhere, though. It would help.
« Last Edit: September 29, 2008, 10:39:23 AM by abba12 »

Sunrise

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #41 on: September 29, 2008, 10:21:11 PM »
Hi, folks!

Since last week I have had exactly the same problem with this mysterious alert for winsys2.exe, as is reported here. I found that this file definitely came with my MSI video card (Nvidia GeForce 8400GS), but I couldn't figure out what it is for. Very confusing!

Finally my solution was to uninstall the out-of-date Nvidia display driver and to install a more current one, which I got from the Nvidia website. Attention: if there is a choice between different Nvidia components, select only the display driver for uninstalling. After the new installation the winsys2.exe didn't show up and everything works fine. Problem solved.

Greetings, Sunrise
« Last Edit: September 29, 2008, 10:33:41 PM by Sunrise »

drakester

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #42 on: September 30, 2008, 10:38:58 PM »
Since renaming WINSYS2.EXE to backupWINSYS2.EXE, I haven't had any more alerts, and have done not one but two boot-time Avast scans, finding nothing related to WINSYS2.EXE. It did find two infected files in the System Restore directory, and a corrupted archive. I notice no ill effects from renaming WINSYS2.EXE, so I have to conclude its function is pretty minor in regard to the video card. Although I have not run any graphically intense video games lately... I also found a thread here about this very same issue:

http://forums.whatthetech.com/explorer_exe_keeps_restarting_t93067.html

It's a very interesting read, because WINSYS2.EXE is detected for a user who has the file scanned at Jotti, with the same results that colebn received. The technical support guy responded that WINSYS2.EXE was CLEAN, despite Panda finding Trj/Agent.ISR.

Maybe Panda has a problem with false positives? I've heard that is often the case.

Anyway this is the last I will post on this thread, unless I get bitten in the ass by a virus.

crazydaveorama

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #43 on: March 12, 2009, 10:35:31 AM »
If you have this file, right-click on it and choose Properties. Look under Version, and if it says "DOT MFC Application" then it is part of MSI's Nvidia graphics card software, to do with overclocking. DOT means Dynamic Overclocking Technology. It seems that when the driver is updated it does not remove the original file "WinSys.exe", so it names the new file with a 2 at the end of the file's name. This is to allow rolling back the driver if required.

henryvii

  • Guest
Re: Suspicious File Found: WINSYS2.EXE
« Reply #44 on: March 23, 2009, 10:41:23 PM »
Thanks for everybody's contributions, which helped lead me in the right direction to assure myself with confidence that this is not a problem.

Having read the posts here, I opened both winsys.exe and winsys2.exe in Notepad and looked for any ASCII text that would help put this to bed. Both files contain the text "NVIDIA Corporation\RIVA TNT\NVTweak ", which is good enough for me.
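The last two posts describe a manual triage of the file: checking the version description ("DOT MFC Application") and opening the binary in Notepad to look for the vendor string "NVIDIA Corporation\RIVA TNT\NVTweak". The script below is an added example, not code from this thread or from MSI/NVIDIA, that does the same check in a repeatable way: it extracts printable ASCII runs from a binary the way a `strings` tool would, reports which of the expected vendor markers are present, and computes the SHA-256 hash that would be used to look the file up on VirusTotal or Jotti instead of uploading it. The `SAMPLE_BINARY` blob is a constructed stand-in for winsys2.exe, so the script runs offline; `triage_file()` is a hypothetical helper for running it on a real path.

```python
import hashlib
import re

# Constructed stand-in for a Windows binary: a few non-printable bytes with
# two embedded ASCII strings, similar to what Notepad shows for winsys2.exe.
# This is NOT the real file's content.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01\x02NVIDIA Corporation\\RIVA TNT\\NVTweak \x00\x00"
    b"\x7f\x13DOT MFC Application\x00\x00\x11\x22ab\x00"
)

# Markers the thread associates with the legitimate MSI DOT utility.
EXPECTED_MARKERS = (
    "NVIDIA Corporation\\RIVA TNT\\NVTweak",
    "DOT MFC Application",
)


def extract_ascii_strings(data, min_len=4):
    """Return every run of at least min_len printable ASCII bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_markers(data, markers=EXPECTED_MARKERS):
    """Map each expected marker to True/False depending on whether some
    extracted string contains it (substring match, so trailing spaces or
    path suffixes in the binary do not cause a miss)."""
    strings = extract_ascii_strings(data)
    return {marker: any(marker in s for s in strings) for marker in markers}


def sha256_hex(data):
    """Hash used to query multi-engine scanners by hash rather than by upload."""
    return hashlib.sha256(data).hexdigest()


def triage(data, markers=EXPECTED_MARKERS):
    """Summarise the evidence for one file: hash, marker hits, string count."""
    hits = find_markers(data, markers)
    return {
        "sha256": sha256_hex(data),
        "markers": hits,
        "all_markers_present": all(hits.values()),
        "string_count": len(extract_ascii_strings(data)),
    }


def triage_file(path):
    """Hypothetical helper: run the same triage on a real file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    report = triage(SAMPLE_BINARY)
    print("sha256:", report["sha256"])
    for marker, present in report["markers"].items():
        print(f"{'found  ' if present else 'MISSING'}  {marker}")
    print("strings extracted:", report["string_count"])
```

Two caveats a defender should keep in mind. A matching vendor string is weak evidence on its own, since anything can embed the same text; the stronger checks are the file's hash against a multi-engine lookup and, on a real copy, the Authenticode signature and the file's origin in the driver package. Conversely a missing marker is not proof of malice either, because a packed or updated build may store its strings differently. The script is meant to make the comparison the thread did by hand reproducible, not to replace the scanner submission DavidR recommends.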