Avast has begun giving me a warning that it has found a suspicious file:
File Name: C:\WINDOWS\System32\WINSYS2.EXE
Type: Rootkit: hidden process
It says this was detected using a heuristic method.
It gives me the option of either deleting or ignoring it, and its recommended action is Ignore.
I chose Ignore, and Avast immediately gave me a message saying:
avast has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast! scan all your data in the boot phase, before the virus can be activated. Do you want to schedule the boot-time scan and restart the computer?
I chose Yes, and the boot time scan found no viruses on my hard drive.
But after booting I got the same message about the suspicious file.
My suspicious file turned up all negatives on Virustotal. (At least, that’s what I think it means when every one of Virustotal’s tests has a dash (-) in the result column.) So I’ll be submitting a False Positive report to avast!
The file name and location looked suspicious to me even before I did a Google search for it.
It is possible that the file might be protected in some way and 0 bytes actually gets uploaded. Try uploading it again and this time post the URL to the results (copy and paste it from the address bar).
Also see anti-rootkit detection, removal & protection: http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools.
winsys2.exe is not a false positive, it has been analysed already… there could be dependencies to other modules (look at the google results), we’re trying to get the other possibly related files…
I’ve just had exactly the same problem as the OP, same messages, same results.
I downloaded the Trend Micro Rootkit buster from the link kindly provided by DavidR. I ran the file, it asked me to restart the PC which I did and since then nothing (I can’t see any new program installed or anything). The Avast! message as outlined in the OP still pops up.
Should I try the other rootkit thingies?
And how do you submit a file to Avast!? Is it automatic?
Same problem here as of yesterday. I did the full virus scan as suggested by Avast, as well as a rootkit check, and no problems were reported.
For your awareness (and to the best of my knowledge): both winsys.exe and winsys2.exe are installed as part of the MSI NVIDIA GeForce video card driver install process, and are reported as part of the driver pack. I suspect that in my case the Avast message is in error.
I have an MSI motherboard and graphics card in my PC as well. I’ve noticed I have 2 files in the C:/Windows/System32 folder: winsys and winsys2. Both say they are a “DOT MFC Application”, whatever that means.
I’ve since run the Panda rootkit check and that showed up nothing.
Whilst I have a Sparkle Nvidia GeForce PCI 8600GT, I don’t have any of those files, though my graphics card isn’t by MSI. My motherboard is by MSI, a P35 Neo.
I suggest you upload them to virustotal and check them out.
You could also check the MD5 number reported at the bottom of the VirusTotal link in colebn’s post and compare it against the MD5 of your file.
Hi, I too am getting the same message on 2 MSI computers with Windows XP.
I also have a 3rd computer, but running Windows Vista 32-bit.
The message has not occurred on the Vista machine yet.
All 3 computers have the same motherboard and graphics card.
The graphics card is an NVIDIA GeForce 8800 sold by MSI.
The motherboard is NVIDIA nForce 570 SLI chipset based - K9N SLI Platinum, also sold by MSI.
It says it scanned 208896 bytes so the upload appears to have been successful. And all the tests were negative.
I, too, have an MSI NVIDIA card, in my case an 8800GT. I am looking at the CD right now and both winsys2.exe and winsys.exe are on the CD, in the folder R:\nVIDIA\Win2K-XP\V169.02.
These two files have the same dates and sizes as the two files of the same name in my Windows/System32 folder. So I am confident that they came from the CD when I installed the MSI NVIDIA driver from it.
So the question is, did MSI ship a driver with a rootkit in it, or is avast! misidentifying a legitimate driver file as a rootkit?
Has anyone at avast! had a chance to look at the file I emailed to you yesterday to see if it’s the same as a known rootkit, or different?
Should someone at avast! contact MSI to let them know they are shipping a file with a name that’s the same as a known rootkit?
it’s quite similar, don’t you think? regarding the google hits, i believe there’s something strange… and it seems, that the (anti)rootkit detection is valid, but i can ask someone else from our team to validate it again…
btw: some files which arrived at our viruslab have an overlay full of zeros and maybe other modifications against the valid ones…
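An added example, not from any poster in this thread: a Python script that does the comparison suggested earlier (size and MD5/SHA-256 of the flagged file against the copy on the driver CD or the MD5 VirusTotal reports) and also measures the PE overlay, flagging the zero-filled overlay the avast lab mentions and the "0 bytes uploaded" case. `build_pe` is a constructed minimal PE fixture so the script runs offline; on a real machine you would read both files with `open(path, "rb").read()` instead.

```python
import hashlib
import struct

def file_hashes(data: bytes) -> dict:
    """Size plus MD5/SHA-256, the values a VirusTotal report shows for an upload."""
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def pe_overlay(data: bytes) -> bytes:
    """Bytes appended after the last section's raw data (the PE 'overlay')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    table = pe + 24 + opt_size                             # first section header
    end = table + nsec * 40                                # at least the headers
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]

def compare(suspect: bytes, reference: bytes) -> dict:
    """Compare a flagged file with a known-good copy and inspect its overlay."""
    s, r = file_hashes(suspect), file_hashes(reference)
    try:
        ov, is_pe = pe_overlay(suspect), True
    except ValueError:
        ov, is_pe = b"", False
    return {"empty_upload": s["size"] == 0,   # a 'protected' file read back as 0 bytes
            "is_pe": is_pe,
            "identical": s["sha256"] == r["sha256"],
            "size_matches": s["size"] == r["size"],
            "overlay_bytes": len(ov),
            "overlay_all_zero": len(ov) > 0 and not any(ov)}

def build_pe(section: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with one section: a parsing fixture, not a runnable binary."""
    pe_off, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    raw_ptr = (pe_off + 24 + opt_size + 40 + 0x1FF) & ~0x1FF   # 512-byte file alignment
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000,
                                       len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = dos + coff + b"\0" * opt_size + sec
    return img + b"\0" * (raw_ptr - len(img)) + section + overlay
```

`compare(build_pe(b"\xC3" * 16, b"\0" * 64), build_pe(b"\xC3" * 16))` reports a 64-byte all-zero overlay on an otherwise matching image, which is exactly the kind of difference a hash-only comparison would miss explaining.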
Ok, I just completed a scan of Windows/System32 using F-Secure’s online scanner. It found five tracking cookies but no other malware.
I am re-running F-Secure now on the entire system. But I must admit that it looks to me like the WINSYS2.EXE from the MSI driver CD is not a rootkit. If it were, surely F-Secure or one of the virus scanners on Virustotal would have picked it up.
avast - over to you. You’ve got the copy of the file I sent you yesterday. I can send it again if necessary. Can you please compare it to a copy of the known rootkit and see if it’s the same?
I did a search on Google as well, just after I started this thread. That search led me to a thread on AnandTech in which a number of other people with MSI NVIDIA cards found the same files on their driver CDs.
At the bottom of the thread is a quote, supposedly from MSI:
Official quote from MSI
“MSI Tech. 09/19/2007
No, this is a MSI utility info which required when running MSI based utility. If you do not want to install this file, you can download and install/use Nvidia’s reference driver which can also work as well: http://www.nvidia.com/object/winxp_2k_162.18.html”
Ok, so I could uninstall the MSI driver and install a different driver, but doesn’t it seem like an awfully big coincidence that a lot of people in this thread and a lot of those on the Anand thread that have this file also have MSI NVIDIA drivers installed?
Maxx, the thread you posted the link to says that a file can somehow masquerade as another file, or something to that effect. If that’s indeed what’s happening here, how do I fix it?
Also, thanks for having someone take another look at the file I sent. I’m looking forward to hearing what you find out.