whehost.exe

Hello… I’m new here.

Wanna to ask one question. I have a problem regarding to windows automatic updates. The taskbar showing that I haven’t turn on the automatic updates, but actually it’s already turn on when I set it in manual. One of unknown file show up in my window task manager.

  • whehost.exe *

I could not trace it using avast. Sometime it reset the explorer when I try to close the whehost.exe file. Also I have found this file is in system32 folder.

Anyone have similar problem with me?

This is my hijackthis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:27 AM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
H:\Backup\Software\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [SoundMAX] “C:\Program Files\Analog Devices\SoundMAX\Smax4.exe” /tray
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Acrobat Assistant 7.0] “C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe”
O4 - HKLM..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [Hyper Res] whehost.exe
O4 - HKLM..\RunServices: [Hyper Res] whehost.exe
O4 - HKCU..\Run: [PC Suite Tray] “C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe” -onlytray
O4 - HKCU..\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe” -autorun
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


End of file - 7439 bytes

I need you to upload whehost.exe to VirusTotal and post results.

In your HJT log, you don’t have a third-party firewall. I suggest ZoneAlarm or PC Tools Firewall Plus.

A google search for whehost.exe returns only two hits both in the avast forums, so this is highly suspect for a file in the system32 folder. Also check system32\winsys2.exe at VT and send to avast see #### below. http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=winsys2.exe

First HiJackThis should be in its own folder not in a general or temp folder as any changes made can’t be reversed if that location is cleared. I have had a quick look at your log and these ones are obvious.

Fix:
O4 - HKLM..\Run: [Hyper Res] whehost.exe
O4 - HKLM..\RunServices: [Hyper Res] whehost.exe

Suspect:
O4 - HKLM..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
Also check winsys2.exe at VT and send to avast see below. See http://www.google.com/search?q=winsys2.exe and http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=winsys2.exe

Acrobat is way out of date and vulnerable to exploit, so you should get the latest version.

You don’t appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections. - What is your firewall ?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

If detected by multiple scanners send the sample to avast.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

I have uploaded the file through virustotal and the result is :

File whehost.exe received on 2009.07.15 03:30:08 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.22 2009.07.15 Backdoor.Win32.SdBot!IK
AhnLab-V3 5.0.0.2 2009.07.14 -
AntiVir 7.9.0.215 2009.07.14 -
Antiy-AVL 2.0.3.7 2009.07.15 -
Authentium 5.1.2.4 2009.07.14 -
Avast 4.8.1335.0 2009.07.14 -
AVG 8.5.0.387 2009.07.14 SHeur2.AMCF
BitDefender 7.2 2009.07.15 -
CAT-QuickHeal 10.00 2009.07.14 -
ClamAV 0.94.1 2009.07.15 -
Comodo 1654 2009.07.15 -
DrWeb 5.0.0.12182 2009.07.14 -
eSafe 7.0.17.0 2009.07.14 -
eTrust-Vet 31.6.6615 2009.07.14 -
F-Prot 4.4.4.56 2009.07.14 -
F-Secure 8.0.14470.0 2009.07.15 -
Fortinet 3.120.0.0 2009.07.15 -
GData 19 2009.07.15 -
Ikarus T3.1.1.64.0 2009.07.15 Backdoor.Win32.SdBot
Jiangmin 11.0.706 2009.07.14 -
K7AntiVirus 7.10.792 2009.07.14 -
Kaspersky 7.0.0.125 2009.07.15 -
McAfee 5676 2009.07.14 -
McAfee+Artemis 5676 2009.07.14 -
McAfee-GW-Edition 6.8.5 2009.07.14 Heuristic.LooksLike.Win32.SuspiciousPE.H
Microsoft 1.4803 2009.07.14 -
NOD32 4244 2009.07.15 -
Norman 6.01.09 2009.07.14 -
nProtect 2009.1.8.0 2009.07.15 Backdoor/W32.SdBot.1163264
PCTools 4.4.2.0 2009.07.14 -
Prevx 3.0 2009.07.15 -
Rising 21.38.14.00 2009.07.14 -
Sophos 4.43.0 2009.07.15 -
Sunbelt 3.2.1858.2 2009.07.15 -
Symantec 1.4.4.12 2009.07.15 -
TheHacker 6.3.4.3.367 2009.07.14 Backdoor/SdBot.mvu
TrendMicro 8.950.0.1094 2009.07.14 -
VBA32 3.12.10.8 2009.07.15 -
ViRobot 2009.7.14.1835 2009.07.15 -
VirusBuster 4.6.5.0 2009.07.14 Worm.SdBot.AIUH
Additional information
File size: 1163264 bytes
MD5…: dfcdcc4467055a07e100ab8de626dd4d
SHA1…: 8469cdb40cf473827a5f1528ad0f1bd7fe209638
SHA256: 788d094dec78642f6d0303dc14aa3ef133e3b53a8ff9d77806167c0a5f4b8b50
ssdeep: 24576:N+8YwcDswejOSCvGw+KTrim55e+1FDFRgOxoAFDLHJ+sx:QtS5BKTLPFDF
3oAFDMsx

PEiD…: -
TrID…: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xce000
timedatestamp…: 0x4a31b50d (Fri Jun 12 01:53:17 2009)
machinetype…: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
.bmhyw 0x1000 0x21236 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rmovke 0x23000 0xbb58 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.miptc 0x2f000 0x2ec84 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.zmehal 0x5e000 0x70000 0x63000 7.98 6b394d44f3366fc479f2c5522837081b
.coexap 0xce000 0x10000 0xd000 7.01 29695e1a65f3744ee96f7a8f24dfdae1
.ehjg 0xde000 0x30000 0x15000 4.63 3aea429c6382c9646756bfa6c41132cb
.bcpy 0x10e000 0xa0000 0x95000 8.00 d08cd24486ca2c24ae44a6fc63d1da9a
.weyc 0x1ae000 0x1000 0x1000 0.35 07af49a2df3f1f49c5f34d43d3808b05

( 3 imports )
> KERNEL32.dll: CreateThread, GlobalUnlock, GlobalLock, GlobalAlloc, GetTickCount, WideCharToMultiByte, IsBadReadPtr, GlobalAddAtomA, GlobalAddAtomW, GetModuleHandleA, GlobalFree, GlobalGetAtomNameA, GlobalDeleteAtom, GlobalGetAtomNameW, FreeConsole, GetEnvironmentVariableA, VirtualProtect, VirtualAlloc, GetProcAddress, GetLastError, LoadLibraryA, SetLastError, SetThreadPriority, GetCurrentThread, SetEnvironmentVariableA, ReleaseMutex, WaitForSingleObject, CreateMutexA, OpenMutexA, SetErrorMode, GetCurrentThreadId, FindClose, FindFirstFileW, VirtualQueryEx, GetExitCodeProcess, ReadProcessMemory, VirtualProtectEx, ContinueDebugEvent, ResumeThread, OutputDebugStringA, OutputDebugStringW, SetThreadContext, GetThreadContext, WaitForDebugEvent, WriteProcessMemory, UnmapViewOfFile, SuspendThread, DebugActiveProcess, MapViewOfFile, DuplicateHandle, GetCurrentProcess, CreateFileMappingA, SetEvent, CreateEventA, MultiByteToWideChar, CloseHandle, CreateProcessA, GetStartupInfoA, GetCommandLineA, GetSystemTimeAsFileTime, ExitProcess, LocalFree, FlushFileBuffers, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, FormatMessageA, GetConsoleMode, GetConsoleCP, SetFilePointer, GetLocaleInfoW, GetStringTypeW, GetStringTypeA, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, Sleep, EnterCriticalSection, LeaveCriticalSection, GetVersionExA, InitializeCriticalSection, GetCurrentProcessId, GetModuleFileNameW, GetShortPathNameW, GetModuleFileNameA, CreateFileA, GetShortPathNameA, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, DeleteCriticalSection, RtlUnwind, RaiseException, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapFree, HeapAlloc, GetProcessHeap, GetCPInfo, LCMapStringA, LCMapStringW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, WriteFile, GetStdHandle, HeapSize, GetACP, GetOEMCP, IsValidCodePage, HeapDestroy, HeapCreate, VirtualFree, HeapReAlloc
> USER32.dll: LoadStringW, IsWindow, PostMessageA, GetDesktopWindow, MoveWindow, SetPropA, EnumThreadWindows, GetPropA, GetMessageA, BeginPaint, KillTimer, GetAsyncKeyState, GetSystemMetrics, SetTimer, SetWindowTextA, GetDlgItem, CreateDialogIndirectParamA, ShowWindow, UpdateWindow, LoadStringA, EndPaint, FindWindowA, WaitForInputIdle, DestroyWindow, MessageBoxA, InSendMessage, UnpackDDElParam, FreeDDElParam, DefWindowProcW, DefWindowProcA, LoadCursorA, RegisterClassW, CreateWindowExW, RegisterClassA, CreateWindowExA, GetWindowThreadProcessId, SendMessageW, SendMessageA, PeekMessageA, TranslateMessage, DispatchMessageA, EnumWindows, IsWindowUnicode, PackDDElParam, PostMessageW
> GDI32.dll: SelectObject, BitBlt, DeleteObject, CreatePalette, CreateDCA, SelectPalette, RealizePalette, CreateDIBitmap, DeleteDC, CreateCompatibleDC

( 0 exports )

PDFiD.: -
RDS…: NSRL Reference Data Set

packers (F-Prot): Armadillo

That is enough to confirm my suspicions and the file should be sent to avast as laid out above to help improve detections. Fix the entries in HJT if you haven’t already done so.

If you haven’t yet uploaded winsys2.exe to VT you should do so and just post the link to the Results (copy the URL from the address bar in the results page), that saves you having to copy and paste the content of the results.

This for winsys2.exe

File WinSys2.exe received on 2009.07.16 03:13:33 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.16 -
AhnLab-V3 5.0.0.2 2009.07.16 -
AntiVir 7.9.0.215 2009.07.16 -
Antiy-AVL 2.0.3.7 2009.07.16 -
Authentium 5.1.2.4 2009.07.16 -
Avast 4.8.1335.0 2009.07.16 -
AVG 8.5.0.387 2009.07.15 -
BitDefender 7.2 2009.07.16 -
CAT-QuickHeal 10.00 2009.07.15 -
ClamAV 0.94.1 2009.07.15 -
Comodo 1665 2009.07.16 -
DrWeb 5.0.0.12182 2009.07.16 -
eSafe 7.0.17.0 2009.07.15 -
eTrust-Vet 31.6.6617 2009.07.15 -
F-Prot 4.4.4.56 2009.07.16 -
F-Secure 8.0.14470.0 2009.07.16 -
Fortinet 3.120.0.0 2009.07.16 -
GData 19 2009.07.16 -
Ikarus T3.1.1.64.0 2009.07.16 -
Jiangmin 11.0.706 2009.07.15 -
K7AntiVirus 7.10.793 2009.07.15 -
Kaspersky 7.0.0.125 2009.07.16 -
McAfee 5677 2009.07.15 -
McAfee+Artemis 5677 2009.07.15 -
McAfee-GW-Edition 6.8.5 2009.07.16 -
Microsoft 1.4803 2009.07.16 -
NOD32 4247 2009.07.15 -
Norman 6.01.09 2009.07.15 -
nProtect 2009.1.8.0 2009.07.16 -
Panda 10.0.0.14 2009.07.15 -
PCTools 4.4.2.0 2009.07.15 -
Prevx 3.0 2009.07.16 -
Rising 21.38.24.00 2009.07.15 -
Sophos 4.43.0 2009.07.16 -
Sunbelt 3.2.1858.2 2009.07.15 -
Symantec 1.4.4.12 2009.07.16 -
TheHacker 6.3.4.3.368 2009.07.15 -
TrendMicro 8.950.0.1094 2009.07.15 -
VBA32 3.12.10.8 2009.07.15 -
ViRobot 2009.7.15.1837 2009.07.15 -
VirusBuster 4.6.5.0 2009.07.15 -
Additional information
File size: 208896 bytes
MD5…: 27949ccd505a6be082d15547b1dff90d
SHA1…: 569f27f34d53ec7f3eb0151108f3d4f0b4e54140
SHA256: 7c47e876766ecd62aad68812a40f30bad56a32d994cc16a116b8d3c4ea30ee82
ssdeep: 3072:AQNGGM2V/Oa49QFb+s6+6WKYy2YJfGnFGY2IKmistUtcQrvkpTQ7:APGlk5
9QFbj6+6oyjJfrY2IKHbrMm

PEiD…: -
TrID…: File type identification
Win64 Executable Generic (54.6%)
Win32 Executable MS Visual C++ (generic) (24.0%)
Windows Screen Saver (8.3%)
Win32 Executable Generic (5.4%)
Win32 Dynamic Link Library (generic) (4.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10214
timedatestamp…: 0x478ff7fe (Fri Jan 18 00:51:10 2008)
machinetype…: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x20996 0x21000 6.65 2bd762b046ea4317483b547ed7ae2d7f
.rdata 0x22000 0x7cfe 0x8000 4.90 1f93dbb50db9c21acda7c7c1888d93e8
.data 0x2a000 0x8fd4 0x3000 3.31 2bc8669cfae0847f14f5e0b842c89897
CONST 0x33000 0x1f 0x1000 0.09 e1c91d3ead8e57dca21253f563c750c1
.rsrc 0x34000 0x48a8 0x5000 4.41 46abb0b06f7f2c3453dea7320e86064f

( 8 imports )
> MADCHOOK.DLL: InjectLibraryA, UninjectLibraryA
> KERNEL32.dll: SetErrorMode, HeapAlloc, HeapFree, HeapReAlloc, VirtualAlloc, RtlUnwind, GetCommandLineA, GetProcessHeap, GetStartupInfoA, RaiseException, ExitProcess, HeapSize, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, TerminateProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetACP, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetOEMCP, GetCPInfo, CreateFileA, GetCurrentProcess, GetThreadLocale, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GlobalFlags, WritePrivateProfileStringA, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, FreeResource, GetCurrentProcessId, GlobalAddAtomA, CloseHandle, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, GetModuleFileNameA, EnumResourceLanguagesA, GetLocaleInfoA, lstrcmpA, GlobalDeleteAtom, FreeLibrary, InterlockedDecrement, GetModuleFileNameW, GetModuleHandleA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, FindResourceA, LoadResource, LockResource, SizeofResource, MulDiv, SetLastError, GetProcAddress, LoadLibraryA, lstrlenA, CompareStringA, GetVersionExA, GetVersion, GetLastError, WideCharToMultiByte, MultiByteToWideChar, InterlockedExchange, UnhandledExceptionFilter
> USER32.dll: UnregisterClassA, LoadCursorA, GetSysColorBrush, EndPaint, BeginPaint, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, ShowWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextA, GetForegroundWindow, GetTopWindow, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, GetSysColor, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, GetWindow, GetDesktopWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, IsWindow, GetDlgItem, GetNextDlgTabItem, EndDialog, DrawIcon, SendMessageA, GetWindowThreadProcessId, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, MessageBoxA, SetCursor, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, DestroyMenu, GetMessageTime, IsIconic, GetClientRect, SetTimer, KillTimer, LoadIconA, EnableWindow, GetSystemMetrics, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, UnhookWindowsHookEx, PostQuitMessage, PostMessageA, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, GetFocus, GetParent, ModifyMenuA, EnableMenuItem, CheckMenuItem
> GDI32.dll: SetWindowExtEx, ScaleWindowExtEx, DeleteDC, GetStockObject, PtVisible, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, GetDeviceCaps, DeleteObject, SetMapMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, RectVisible
> WINSPOOL.DRV: ClosePrinter, DocumentPropertiesA, OpenPrinterA
> ADVAPI32.dll: RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegOpenKeyA, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegCloseKey
> SHLWAPI.dll: PathFindFileNameA, PathFindExtensionA
> OLEAUT32.dll: -, -, -

( 0 exports )

PDFiD.: -
RDS…: NSRL Reference Data Set

ThreatExpert info: <a href=‘http://www.threatexpert.com/report.aspx?md5=27949ccd505a6be082d15547b1dff90d’ target=‘_blank’>http://www.threatexpert.com/report.aspx?md5=27949ccd505a6be082d15547b1dff90d&lt;/a&gt;

Pasting the complete results just makes the topic very large which is why I suggested to simply paste the link to the results, the bit at the top of the page in the address bar, so anyone needing to look at it can just check the link.

Since no hits on VT I would say we need to check further:
The winsys2.exe is also reported as associated to nvidia graphics, have you got an nvidia graphics card ?

Try uploading the file to this file analysis site, http://anubis.iseclab.org/?action=home and post the URL to the results.