Have to find my MADCHOOK.DLL

I need to know the easiest way to get back MADCHOOK.DLL

I get an error for winsys2.exe when I boot up my computer and it asks for this MADCHOOK.DLL.
I must have deleted it during the false positives yesterday. I know, it was bad. Everything else (eh, one file) did go to the Chest before I found out that all of them were false positives.

It is the only file I have left to fix. Everything else is back (from Virus Chest).

So, what is the best and easiest way to find this MADCHOOK.DLL? And in what folder do I have to put it, if there is one I can download from somewhere, or just get from my Vista CD?

Edit: (Vista 64 bit)

winsys2.exe belongs to the NVIDIA graphics card drivers AFAIK.
So I’d suggest reinstalling the NVIDIA drivers - chances are it will resolve the issue.

Thanks
Vlk

Hi buddy :slight_smile: will this help you?

Windows Vista Repair
http://ezinearticles.com/?Windows-Vista-Repair&id=485947

I don’t think so. Again, it’s a 3rd party software component (NVIDIA in this case).

Nice, I’ll reinstall the Nvidia gfx drivers and report back…
(Hi Pondus hehe)

No, it didn’t work.

I still get that popup when I start.
It says, up on top: “winsys2.exe - Can’t find a component” (or something like that; I have a Swedish version of Vista).
And the main text says something like this: This program couldn’t start because MADCHOOK.DLL wasn’t found. This can be fixed by reinstalling the program.

Well, I don’t know what program it is hehe.

More help? It would be a lot of work if I have to start all over again just due to this one file :slight_smile:

Don’t start over.
Search your hard drive for the file (winsys2.exe) to find out which program it belongs to. Then reinstall the program.

(BTW: there are even some real viruses that use this file name, so it would be interesting to see what this winsys2.exe of yours is about).

Thanks
Vlk

winsys2.exe:

File Description: TODO
Company name: TODO
File version: 1.0.0.1
Created: 2008-08-28 11:45
Size: 212 kB

Last changed: 2006-10-03 13:37
Type: Program

And it is in folder: C:\Windows\SysWOW64

But about MADCHOOK.DLL I don’t have a clue.

MADCHOOK.DLL http://spywaredlls.prevx.com/RRHFIH605677/MADCHOOK.DLL.html

Although it doesn’t help him find the software that installed it, that file was made and is distributed (under licence) by this guy, here :- http://www.madshi.net/madCodeHookDescription.htm.

I downloaded MADCHOOK.DLL and put it into “C:\Windows\System32”.
I had to try. It was a little bit scary but it looks like it worked. I didn’t get any errors when I logged into Vista anyway.

(Thanks Tgell)

Your copy of winsys2.exe actually looks quite fishy to me.
Can you try uploading it to www.virustotal.com and see what it says?

Thanks
Vlk

winsys2.exe was a trojan component; I saw it some time ago… but it could be that it used the name of something innocent again.

Maybe he has a MSI motherboard.

http://forum-en.msi.com/index.php?topic=131028.msg986554

Well, I don’t have the “winsys2.exe” file in “C:\Windows\SysWOW64” anymore.

But I still had that “madCHook.dll” I downloaded. Now when I didn’t find the “winsys2.exe” I renamed it to “AAAAAAAAAAAAAAAmadCHook.dll” and there wasn’t an error message when I booted. I am going to move it completely from where it is now and delete it when I see that everything is ok.

Mainboard is an ASUS but I have MSI GFX cards in SLI (nvidia). I uninstalled a couple of programs for those cards. One of them was MSI StarOSD and I think it might have had something to do with it.
(MSI StarOSD = to adjust the contrast, brightness, overclocking and temperature according to each user’s individual preference).
I also uninstalled some other programs; I don’t even remember what they were hehe. I have never used them anyway.

Edit: I did write the wrong filename. Now it is “winsys2.exe”, as it should be :slight_smile:

Wasn’t it winsys2.exe that we are looking for in your previous posts and not winsys32.exe ?

Sorry for that… Yes, it was all about “winsys2.exe”. I’ll go back and edit that post. Must be my big fingers hehe.

Hello,

I just recently did a scan with Malwarebytes and the results were

Malwarebytes’ Anti-Malware 1.43
Database version: 3490
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/3/2010 11:34:46 PM
mbam-log-2010-01-03 (23-34-43).txt

Scan type: Full Scan (C:|)
Objects scanned: 174069
Time elapsed: 1 hour(s), 14 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\madCHook.dll (Worm.Messenger) → No action taken.

As you can see, I have a madchook file. The Force classic control panel is fine, I checked, but I am not sure about the madchook. I have been to the website www.madshi.net and have read their concerns about this program. I am going to remove it and see what happens.

Also… winsys2.exe can be dangerous. Read here: http://www.what-is-exe.com/filenames/winsys2-exe.html

I did a scan at virustotal.com of the madchook file and this was the result.

File madCHook.dll received on 2009.11.16 18:54:57 (UTC)
Current status: finished
Result: 4/41 (9.76%)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.16 -
AhnLab-V3 5.0.0.2 2009.11.16 -
AntiVir 7.9.1.65 2009.11.16 -
Antiy-AVL 2.0.3.7 2009.11.16 -
Authentium 5.2.0.5 2009.11.16 -
Avast 4.8.1351.0 2009.11.16 -
AVG 8.5.0.425 2009.11.16 -
BitDefender 7.2 2009.11.16 -
CAT-QuickHeal 10.00 2009.11.16 -
ClamAV 0.94.1 2009.11.16 -
Comodo 2958 2009.11.16 Heur.Packed.Unknown
DrWeb 5.0.0.12182 2009.11.16 -
eSafe 7.0.17.0 2009.11.16 Suspicious File
eTrust-Vet 35.1.7122 2009.11.16 -
F-Prot 4.5.1.85 2009.11.16 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.16 -
GData 19 2009.11.16 -
Ikarus T3.1.1.74.0 2009.11.16 -
Jiangmin 11.0.800 2009.11.16 -
K7AntiVirus 7.10.897 2009.11.16 -
Kaspersky 7.0.0.125 2009.11.16 -
McAfee 5804 2009.11.16 -
McAfee+Artemis 5804 2009.11.16 -
McAfee-GW-Edition 6.8.5 2009.11.16 Heuristic.BehavesLike.Win32.Obfuscated.A
Microsoft 1.5202 2009.11.16 -
NOD32 4613 2009.11.16 -
Norman 6.03.02 2009.11.16 -
nProtect 2009.1.8.0 2009.11.16 -
Panda 10.0.2.2 2009.11.15 -
PCTools 7.0.3.5 2009.11.16 -
Prevx 3.0 2009.11.16 -
Rising 22.22.00.08 2009.11.16 -
Sophos 4.47.0 2009.11.16 MadCodeHook
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.16 -
TheHacker 6.5.0.2.071 2009.11.16 -
TrendMicro 9.0.0.1003 2009.11.16 -
VBA32 3.12.10.11 2009.11.15 -
ViRobot 2009.11.16.2039 2009.11.16 -
VirusBuster 4.6.5.0 2009.11.16 -
Additional information
File size: 61440 bytes
MD5 : c55877060560d165c7c9acf565e3ebaa
SHA1 : 292f335f10e7f8611ff15857fe8b77d92029360c
SHA256: 8a0003b444c577caae683c81255ef91cad66e81a822728b547d871d493fdef0d
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x26E90
timedatestamp…: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype…: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
0x1000 0x18000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
0x19000 0xF000 0xE200 7.88 9e8d5d9fb0ab6dda0a66b9868fc22bf8
.rsrc 0x28000 0x1000 0xA00 4.72 cf509194598236c6c02b9ad780d5ee3d

( 4 imports )

advapi32.dll: FreeSid
kernel32.dll: LoadLibraryA, GetProcAddress
oleaut32.dll: SysFreeString
user32.dll: MessageBoxA

( 1 exports )

AddAccessForEveryone, AllocMemEx, AmSystemProcess, AmUsingInputDesktop, AnsiToWide, AutoUnhook, CollectHooks, CopyFunction, CreateGlobalEvent, CreateGlobalFileMapping, CreateGlobalMutex, CreateIpcQueue, CreateIpcQueueEx, CreateProcessExA, CreateProcessExW, CreateRemoteThreadEx, DestroyIpcQueue, FlushHooks, FreeMemEx, GetCallingModule, GetCurrentSessionId, GetInputSessionId, HookAPI, HookCode, InjectLibraryA, InjectLibrarySessionA, InjectLibrarySessionW, InjectLibraryW, InstallMadCHook, IsHookInUse, OpenGlobalEvent, OpenGlobalFileMapping, OpenGlobalMutex, ProcessHandleToId, ProcessIdToFileName, RemoteExecute, RenewHook, SendIpcMessage, StaticLibHelper_Final, StaticLibHelper_Init, UnhookAPI, UnhookCode, UninjectLibraryA, UninjectLibrarySessionA, UninjectLibrarySessionW, UninjectLibraryW, UninstallMadCHook, WideToAnsi,
TrID : File type identification
Win32 EXE Yoda’s Crypter (67.9%)
Win32 Executable Generic (21.8%)
Generic Win/DOS Executable (5.1%)
DOS Executable Generic (5.1%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 1536:4AhCvbneCLf4U9kWqCGOrIsF4pYvfY3UES2pUut:bhWbnL9kWqCbIsFM2w39h
PEiD : -
packers (Kaspersky): UPX
packers (F-Prot): UPX
RDS : NSRL Reference Data Set

Ah…it was winsys32.

http://www.file.net/process/winsys32.exe.html

I am going to check the Malwarebytes forum as well, but I came across this in a random search to figure out what to do.

Any advice would be great…Thanks

A_zad

Before removing, send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put “possible undetected malware” in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.