
fsystem.exe syswow64


9 replies to this topic

#1 Original20

Original20

  • Members
  • 6 posts

Posted 12 June 2011 - 06:21 AM

Hi, since April 2011 I have been getting a popup at each startup of my system; it is the user account management and says fsystem.exe wants to make changes on my computer. fsystem.exe is located in the syswow64 folder (Description: SDU Application, Copyright 2009, created March 2011, language Korean) and after deleting the process in Task Manager I was able to delete the file in the syswow64 folder. But seconds later the process and the file were again alive and present.

When I allow the changes made by fsystem.exe I get a small Windows popup in Korean described as "message from website" and I can only click the OK button. Since then I don't allow it anymore, but it is annoying to see the blinking icon in the system tray waiting for my decision.

No malware or virus was found by several scans with different scanners, e.g. Malwarebytes Anti-Malware, Antivir, Windows Defender, Spybot Search & Destroy...

Please, do you know anything about that issue?



#2 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • Gender:Male
  • Location:is everything

Posted 12 June 2011 - 07:46 AM

Smells like malware. Upload the file to VirusTotal & see if you get any hits: http://www.virustotal.com/

I would post in AII? Forum, FWIW. http://www.bleepingcomputer.com/forums/forum103.html

#3 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,716 posts
  • Gender:Female

Posted 12 June 2011 - 11:20 AM

Is she using, or has she used, an infected USB drive? http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Agent-TM/detailed-analysis.aspx

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#4 Original20

Original20
  • Topic Starter

  • Members
  • 6 posts

Posted 13 June 2011 - 03:13 AM

Hi,

VirusTotal said:

http://www.virustotal.com/file-scan/report.html?id=f4f0543848436f7646b3bebb85108cd16d4c2e95905fe1dd68415bb667143da3-1307506368

It seems to be a trojan which can only be detected by a few programs, if I understood it correctly - am I right? Do I have to get and install one of the scanners that can deal with it?

Edited by Original20, 13 June 2011 - 03:23 AM.


#5 Original20

Original20
  • Topic Starter

  • Members
  • 6 posts

Posted 13 June 2011 - 04:27 AM

There's a file called nskusvc.exe sitting in C:\users\username\AppData\Roaming\Microsoft\Windows\Templates\28109_29680

It is also malware according to VirusTotal.

Should I check which scanner detected both in VirusTotal's table and get the software?

#6 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • Gender:Male
  • Location:is everything

Posted 13 June 2011 - 04:37 AM

I'm a bit confused. Your original post said you were getting a UAC prompt for "fsystem.exe"
The VirusTotal report you linked to is for the file "systemprot.exe"

...also the date of the VT submission is June 8th, 2011.

[attachment=99685:systemprot.PNG]

EDIT TO ADD: I would STRONGLY suggest you post a new topic in the Am I infected? What do I do? forum. Read the instructions in "Before You Post About A Problem" then start a new topic.

Edited by Union_Thug, 13 June 2011 - 04:48 AM.


#7 Original20

Original20
  • Topic Starter

  • Members
  • 6 posts

Posted 13 June 2011 - 06:54 AM

Problem solved!

I meant I have two processes running, both of Korean origin, one called "fsystem.exe" (which was sent to VirusTotal, which said that the file is already known, and the link to the old report was the one I posted in my reply - that report, though, was about the file called "systemprot.exe"), and I found out there was another file/process called nskuvsc.exe that also seemed very suspicious.

Well, using the suggested VirusTotal scan I found out both executables related to a trojan that a scanner software called AVG Free Antivirus could find, so I installed it and it found the trojan and deleted it completely (two processes, two files, one registry entry)! Since then I haven't had any trouble with fsystem.exe, user account management, blinking icons, and so on.

So thank you for bringing me to virustotal,

regards, Original20
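
The mismatch raised in reply #6 (a report titled "systemprot.exe", dated June 8th) is what a hash-keyed lookup produces: the report belongs to whoever first uploaded the same bytes, under whatever name they used. The sketch below is an added example, not part of the original thread; it splits the posted report id into its SHA-256 and analysis time and checks a local file against it. It assumes the legacy id layout `<sha256>-<unix timestamp>`, and the function names are hypothetical.

```python
import hashlib
import re
import sys
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Report URL exactly as posted in reply #4 of this thread.
REPORT_URL = ("http://www.virustotal.com/file-scan/report.html"
              "?id=f4f0543848436f7646b3bebb85108cd16d4c2e95905fe1dd68415bb667143da3-1307506368")

# Assumed layout of the id parameter: 64 hex digits, a dash, a Unix timestamp.
_ID_RE = re.compile(r"^([0-9a-f]{64})-(\d{1,10})$")


def parse_report_id(url):
    """Return (sha256_hex, analysis_time_utc) from a report URL, or raise ValueError."""
    ids = parse_qs(urlparse(url).query).get("id", [])
    match = _ID_RE.match(ids[0].lower()) if len(ids) == 1 else None
    if match is None:
        raise ValueError("id parameter is not <sha256>-<timestamp>")
    when = datetime.fromtimestamp(int(match.group(2)), tz=timezone.utc)
    return match.group(1), when


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def report_matches_file(url, path):
    """True only when the report was produced for exactly the bytes in `path`."""
    report_hash, _ = parse_report_id(url)
    return report_hash == sha256_of_file(path)


if __name__ == "__main__":
    sha256, when = parse_report_id(REPORT_URL)
    print("report is for SHA-256:", sha256)
    print("analysed (UTC):", when.isoformat())
    if len(sys.argv) > 1:  # optional: path to the suspicious file
        print("matches local file:", report_matches_file(REPORT_URL, sys.argv[1]))
```

A match means the detections in the report apply to the local file regardless of the name shown in the report; a mismatch means the file should be submitted again before drawing conclusions.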

#8 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • Gender:Male
  • Location:is everything

Posted 13 June 2011 - 07:23 AM

>>>I found out both executables related to a trojan that a scanner software called AVG Free Antivirus could find, so I installed it and it found the trojan and deleted it completely<<< (emph added)

I'm pleased you found a solution; however, I would still err on the side of caution and post in Am I Infected--let a malware removal EXPERT have a deeper look. :)

Also, you wrote that you installed AVG--in your OP you wrote you scanned with Antivir (I assume that's Avira Antivir?). Did you uninstall the Antivir? It's not advisable to be running more than one resident Anti-Virus application.

Just my .02 :)
Good luck.
Regards "Thug"

EDIT TO ADD: At the very least, run another scan with Malwarebytes--Update first then run a scan. :busy:

Edited by Union_Thug, 13 June 2011 - 07:32 AM.


#9 Original20

Original20
  • Topic Starter

  • Members
  • 6 posts

Posted 13 June 2011 - 07:48 AM

Problem solved -->

http://www.bleepingcomputer.com/forums/topic403488.html

^^ I have posted the whole story so far in "Am I Infected" ^^

But you are right, I've got to check it out several times with more programs.

Yes, I changed from Avira Antivir to AVG Free Antivirus 2011 and I think at least in this case that was a good decision, since AVG has a very good reputation in protection, near the same level as Norton.

AVG instantly found the trojan, both processes, registry keys and files and deleted them immediately. That was a pleasure to watch. Since I don't know if I am done with that, I will for sure test the machine with other programs such as Malwarebyte's stuff.

Thanks again and have a good time.

Mariano

PS: I posted my results and solution for everybody who faces the same buggy popup and doesn't know what to do.

Edited by Original20, 13 June 2011 - 07:52 AM.


#10 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • Gender:Male
  • Location:is everything

Posted 13 June 2011 - 08:16 AM

You're welcome. :)



