17 replies to this topic

#1 Roadblock

  • Members
  • 148 posts
  • Gender:Male
  • Location:Canada

Posted 07 July 2007 - 08:05 PM

I just did a fresh Windows XP install and already in my system config startup items there's a blank entry, with only a location... Should I remove this or leave it?
Thanks



Mod edit ~ Topics have been merged to maintain continuity. Roadblock, please stick with one topic; starting another will only confuse your fix. ~ rigel

Edited by rigel, 07 July 2007 - 08:27 PM.



#2 Roadblock

  • Topic Starter
  • Members
  • 148 posts
  • Gender:Male
  • Location:Canada

Posted 07 July 2007 - 08:10 PM

I just saw WinSys2.exe in my starting processes, located in the system32 file startup item.. All I see in a Google search is that it's a trojan or a virus.. Yet my antivirus doesn't pick it up? Anybody know if this is clean, a real program? Not a virus, cuz NOD32 is not picking it up as a virus when I scanned....
Can anyone please tell me if this can be removed from startup and if it's really a virus.

When I go to the system32 folder, the logo on it says MFC and in properties the description is TODO.. the internal name is sw25-rev01.exe


*PS* I also have Winsys.exe in my system32 folder as well

Can I remove this from startup programs, if this isn't a virus, and what is it used for please... I thought I read somewhere that it's to do with MSI, which would be my video card, but every single site I google this with, it comes up as a virus..
Main concern is the winsys2.exe since it's the one which is starting up and it is the one in Google that says it is dangerous >.<
Thanks for your help

Edited by Roadblock, 07 July 2007 - 09:01 PM.


#3 buddy215

  • Moderator
  • 13,302 posts
  • Gender:Male
  • Location:West Tennessee

Posted 07 July 2007 - 09:11 PM

Run a HijackThis scan and see if there are any references, as noted in the link below, belonging to New.Net
http://www.pchell.com/support/savenow.shtml

Here is the link to download Hijack This
http://www.bleepingcomputer.com/files/hija...s-installer.php
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#4 Roadblock

  • Topic Starter
  • Members
  • 148 posts
  • Gender:Male
  • Location:Canada

Posted 07 July 2007 - 09:51 PM

Nope, nothing in there for newdotnet... Really just need to know whether winsys2.exe is a known program and should be allowable at startup?


I'm guessing it is not a virus since no online scanner nor NOD32 picks it up.. so can I get some advice from an HJT team member please

Thanks for that suggestion Buddy :thumbsup:

Only problem is... although no scanner finds it.. I still see reports and forum comments of log analysers saying to click off Winsys2.exe in HijackThis..


It would be lovely to get a clear answer please

Thanks in advance

Edited by Roadblock, 07 July 2007 - 10:16 PM.


#5 buddy215

  • Moderator
  • 13,302 posts
  • Gender:Male
  • Location:West Tennessee

Posted 07 July 2007 - 10:25 PM

You can submit the file to Virustotal and they will scan with several programs.
http://www.virustotal.com/en/indexf.html

There are legitimate files with that name. See the discussion here.
http://www.wilderssecurity.com/showthread.php?t=168723

And then there is this:
The MFC Reference covers the classes, global functions, global variables, and macros that make up the Microsoft Foundation Class Library version 8.0.

You can also submit a Hijack This log and let the experts check it out. How to do that is in the link below. Be sure to post it in the Hijack This Forum. NOT HERE
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#6 Roadblock

  • Topic Starter
  • Members
  • 148 posts
  • Gender:Male
  • Location:Canada

Posted 07 July 2007 - 10:33 PM

I saw a previous post by D-Trojanor telling one of the people who posted here to do 'delete on reboot' for that file... So I tried that... but it's still there lol... so I guess that means it's meant to be there? I mean I just don't feel safe with the amount of negative comments about it :thumbsup:

Edited by Roadblock, 07 July 2007 - 10:34 PM.


#7 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 07 July 2007 - 10:50 PM

Hi, Roadblock. Every fix in the HijackThis forums is customized for that specific machine. I would recommend that you do a Kaspersky Online Scan and see what the results are.

Also, you can follow Buddy215's recommendation.

You can submit the file to Virustotal and they will scan with several programs.
http://www.virustotal.com/en/indexf.html


The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#8 Roadblock

  • Topic Starter
  • Members
  • 148 posts
  • Gender:Male
  • Location:Canada

Posted 08 July 2007 - 01:06 AM

I ran every possible online scanner :flowers: didn't find anything besides spyware, which I got rid of :trumpet:...... I will try and submit the files to the sites, but I tried before and they were packed, with a queue time of 4 hours.. Thanks for your suggestions.. I'm pretty sure it is not a virus though. Well, at least I hope not :thumbsup:.

#9 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 08 July 2007 - 01:30 AM

I found a little more about this file. Two items:

FIRST
Product contains: Dynamic Overclocking Technology Application
File name contains: WINDOWS\system32\WinSys2.exe

SECOND
winsys2.exe is a process which is registered as a BACKDOOR TROJAN. This trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
http://www.trendmicro.com/vinfo/virusencyc...2EA&VSect=T
http://www.symantec.com/security_response/...-99&tabid=2

First we need to know which it is. Could you get us the file size and date? Also, check the file name; if you notice, the case is different in the first and second.

Edited by oldf@rt, 08 July 2007 - 01:32 AM.


#10 Roadblock

  • Topic Starter
  • Members
  • 148 posts
  • Gender:Male
  • Location:Canada

Posted 08 July 2007 - 12:02 PM

I submitted Winsys2.exe to VirusTotal and didn't find anything, although I'm still unsure whether to feel safe or not due to the amount of bad responses on various sites....
The information I got from my system for this file is the following:

File Size: 217088 bytes (according to virustotal.com) -- (212 KB according to system)
On the logo is printed the letters: MFC in a 3D cube design

Created yesterday at 7:35 P.M.. I know I reformatted my computer yesterday, just not sure if it was that late
Description says: TODO: <File Description>
Of course it is in my C:\WINDOWS\system32
File version: 1.0.0.1
Internal name is: sw25-rev01.exe

That's the information I got on this file... thanks for any other help you can offer me, Oldf@rt... much appreciated

#11 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 08 July 2007 - 03:33 PM

If you can, check the other files in system32 for the creation date/time. If this WinSys32 matches, it is not a trojan.

Created yesterday at 7:35 P.M



#12 Roadblock

  • Topic Starter
  • Members
  • 148 posts
  • Gender:Male
  • Location:Canada

Posted 08 July 2007 - 11:56 PM

Well, both Winsys.exe and Winsys2.exe were created at the exact same time.. The other files vary :thumbsup:
:flowers:

Edited by Roadblock, 09 July 2007 - 12:02 AM.


#13 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 09 July 2007 - 12:03 AM

If they match the date/time that you installed windows, you should be ok.

#14 Roadblock

  • Topic Starter
  • Members
  • 148 posts
  • Gender:Male
  • Location:Canada

Posted 09 July 2007 - 01:33 AM

I don't remember the exact time it was installed, that's the problem.. all the other files vary from times of installation; maybe you can tell me which specific files in the system32 folder would be representative of the Windows (initial) installation... Thanks again
~Roadblock!~

#15 oldf@rt

  • Members
  • 2,609 posts
  • Gender:Male
  • Location:Avondale, Arizona USA

Posted 09 July 2007 - 10:56 AM

According to the startup list here at BC, the winsys.exe file is a trojan; the WinSys2.exe that you are inquiring about is not, based on both the internal and system name of the file. Submit the winsys.exe to Jotti and let us know.

As far as the date/time stamp, do a folder sort by date. {View}{Arrange Icons By}{Modified}

Edited by oldf@rt, 09 July 2007 - 10:56 AM.

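The checks oldf@rt walks Roadblock through in this thread (read the version-resource strings and size, compare the file's creation time with the rest of system32, then look the hash up at VirusTotal or Jotti) can be scripted. The block below is an added example written for this page; it is not code posted by anyone in the thread and not a BleepingComputer tool. It assumes a current Windows PowerShell (Get-FileHash needs version 4 or later, so it will not run on the 2007-era XP box in the thread), takes the suspect path and baseline folder as parameters with the thread's WinSys2.exe as the default, and only reports facts: the decision still rests on comparing those facts with vendor write-ups.

```powershell
# Added example (not from the thread): collect the facts the thread used to triage a
# suspect startup executable, so a defender can compare them against vendor advisories.
param(
    [string]$SuspectPath = "$env:SystemRoot\System32\WinSys2.exe",  # file name from the thread
    [string]$BaselineDir = "$env:SystemRoot\System32"
)

function Get-FileFacts {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $vi   = $item.VersionInfo   # same strings Explorer shows on the Version tab

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        CreationTime    = $item.CreationTime
        LastWriteTime   = $item.LastWriteTime
        FileDescription = $vi.FileDescription   # the thread saw "TODO: <File Description>"
        InternalName    = $vi.InternalName      # the thread saw "sw25-rev01.exe"
        ProductName     = $vi.ProductName
        CompanyName     = $vi.CompanyName
        FileVersion     = $vi.FileVersion
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# The thread's heuristic: files laid down by Windows Setup share one creation-time cluster.
# Find the most common creation minute in the baseline folder and measure how far the
# suspect file's creation time sits from it, plus which files were created alongside it.
function Get-CreationTimeContext {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Dir
    )

    $files = Get-ChildItem -LiteralPath $Dir -File -ErrorAction SilentlyContinue
    if (-not $files) { throw "No files found in $Dir" }

    # Bucket creation times to the minute; the biggest bucket is taken as the install cluster.
    $cluster = $files |
        Group-Object { $_.CreationTime.ToString('yyyy-MM-dd HH:mm') } |
        Sort-Object Count -Descending |
        Select-Object -First 1

    $suspect  = Get-Item -LiteralPath $Path
    $clusterT = [datetime]::ParseExact($cluster.Name, 'yyyy-MM-dd HH:mm', $null)
    $delta    = $suspect.CreationTime - $clusterT

    # Files created within a minute of the suspect ("created at the exact same time" in the thread)
    $siblings = $files | Where-Object {
        $_.FullName -ne $suspect.FullName -and
        [math]::Abs(($_.CreationTime - $suspect.CreationTime).TotalSeconds) -lt 60
    } | Select-Object -ExpandProperty Name

    [pscustomobject]@{
        InstallClusterStart = $clusterT
        FilesInCluster      = $cluster.Count
        SuspectCreated      = $suspect.CreationTime
        MinutesFromCluster  = [math]::Round($delta.TotalMinutes, 1)
        CreatedAlongside    = $siblings
    }
}

$facts = Get-FileFacts -Path $SuspectPath
$facts | Format-List

$ctx = Get-CreationTimeContext -Path $SuspectPath -Dir $BaselineDir
$ctx | Format-List

# Things worth flagging: a "TODO:" description is the unfilled Visual Studio MFC template and
# says nothing about who built the file; a creation time far from the install cluster is
# exactly the discrepancy the thread was trying to rule out.
if ($facts.FileDescription -like 'TODO*') {
    Write-Warning 'Version resource is an unfilled project template; vendor identity cannot be read from it.'
}
if ([math]::Abs($ctx.MinutesFromCluster) -gt 60) {
    Write-Warning "Created $($ctx.MinutesFromCluster) minutes from the install cluster; compare the hash with vendor advisories."
}
# Current VirusTotal report URL form (assumption: differs from the 2007 URL quoted in the thread).
Write-Host "Look up the SHA-256 at VirusTotal: https://www.virustotal.com/gui/file/$($facts.Sha256)"
```

Run it from an elevated prompt as `.\Get-SuspectFacts.ps1 -SuspectPath C:\Windows\System32\WinSys2.exe`; the cluster logic is only meaningful on a recently installed machine like Roadblock's, because updates and driver installs spread creation times out over time, and the "created alongside" list is what tells you whether a second file with a near-identical name (the thread's Winsys.exe) arrived with the same installer.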

