eliazar New Member


Joined: 21 Apr 2004 Posts: 26 Location: NJ

|
Posted: Sat Jul 10, 2004 5:55 pm Post subject: Nice of MSI to keylog your system when you get their drivers |
|
|
Hey guys,
I encountered this issue some time ago, but I just saw some stuff about keyloggers and thought I'd ask.
I got an MSI video card and downloaded the new drivers from MSI. It was smooth sailing ... until I ran Spybot S&D and found a keylogger on my system called WinSys. I struggled with deleting it, it told me access was denied etc, but eventually broke it by ending the process that was running, erasing files it depended on and then rebooting and deleting it. I determined it came from MSI drivers.
I verified that fact by downloading the same driver package (which was a Zip file), unzipping it and found WinSys in the folder I unzipped to. This time, I deleted it before running the "Setup.exe" for the drivers and when I ran setup, it said it encountered an error when trying to install WinSys. It installed drivers ok anyway, but definitely tried to stick me with the keylogger at installation time.
I emailed MSI and got no response ...ever.
Anyone else run across this? What's the deal with that? Get video drivers and it installs a keylogger?!?!?!? It doesn't seem that there would be a legitimate reason for that to be there, does it?
I have since then downloaded drivers straight from NVidia ... no keyloggers there.
_________________ Faithful are the wounds of a friend, But the kisses of an enemy are deceitful.
ZATRiX Frequent Member


Joined: 22 Jul 2003 Posts: 106 Location: Canada

|
Posted: Sat Jul 10, 2004 10:34 pm Post subject: Re: Nice of MSI to keylog your system when you get their dri |
|
|
| eliazar wrote: |
Hey guys,
I encountered this issue some time ago, but I just saw some stuff about keyloggers and thought I'd ask.
I got an MSI video card and downloaded the new drivers from MSI. It was smooth sailing ... until I ran Spybot S&D and found a keylogger on my system called WinSys. I struggled with deleting it, it told me access was denied etc, but eventually broke it by ending the process that was running, erasing files it depended on and then rebooting and deleting it. I determined it came from MSI drivers.
I verified that fact by downloading the same driver package (which was a Zip file), unzipping it and found WinSys in the folder I unzipped to. This time, I deleted it before running the "Setup.exe" for the drivers and when I ran setup, it said it encountered an error when trying to install WinSys. It installed drivers ok anyway, but definitely tried to stick me with the keylogger at installation time.
I emailed MSI and got no response ...ever.
Anyone else run across this? What's the deal with that? Get video drivers and it installs a keylogger?!?!?!? It doesn't seem that there would be a legitimate reason for that to be there, does it?
I have since then downloaded drivers straight from NVidia ... no keyloggers there.  |
mistaken identity? maybe spybot was wrong?
_________________ http://www.zatrixsolutions.com
eliazar New Member


Joined: 21 Apr 2004 Posts: 26 Location: NJ

|
Posted: Mon Jul 12, 2004 7:31 pm Post subject: |
|
|
| Quote: |
| mistaken identity? maybe spybot was wrong? |
That would be a nice thought, but I looked up WinSys on Google and, alas, it is a commercially available keylogger (I should have mentioned that before). So yeah, MSI gives you keyloggers, no bueno.
_________________ Faithful are the wounds of a friend, But the kisses of an enemy are deceitful.
mjuarez Regular Member


Joined: 15 Jun 2004 Posts: 98

|
Posted: Mon Jul 12, 2004 7:38 pm Post subject: |
|
|
| eliazar wrote: |
| Quote: |
| mistaken identity? maybe spybot was wrong? |
That would be a nice thought, but I looked up WinSys on Google and, alas, it is a commercially available keylogger (I should have mentioned that before). So yeah, MSI gives you keyloggers, no bueno. |
Maybe it's really an MSI utility, but it's got the same exact name as the keylogger? This could happen you know. I'm pretty sure Ad-Aware, Spybot, et al., don't have an MD5 database of every piece of spyware out there.
MSI not giving a prompt response is spooky, however.
Marcos
eliazar New Member


Joined: 21 Apr 2004 Posts: 26 Location: NJ

|
Posted: Tue Jul 13, 2004 7:20 pm Post subject: |
|
|
| Quote: |
| Maybe it's really an MSI utility, but it's got the same exact name as the keylogger? |
I never really thought of that, who knows? Like you said, spooky nonetheless.
_________________ Faithful are the wounds of a friend, But the kisses of an enemy are deceitful.
caesardog Just Arrived

Joined: 01 Aug 2004 Posts: 1

|
Posted: Sun Aug 01, 2004 8:30 pm Post subject: Re: Nice of MSI to keylog your system when you get their dri |
|
|
| eliazar wrote: |
Hey guys,
I encountered this issue some time ago, but I just saw some stuff about keyloggers and thought I'd ask.
I got an MSI video card and downloaded the new drivers from MSI. It was smooth sailing ... until I ran Spybot S&D and found a keylogger on my system called WinSys. I struggled with deleting it, it told me access was denied etc, but eventually broke it by ending the process that was running, erasing files it depended on and then rebooting and deleting it. I determined it came from MSI drivers.
I verified that fact by downloading the same driver package (which was a Zip file), unzipping it and found WinSys in the folder I unzipped to. This time, I deleted it before running the "Setup.exe" for the drivers and when I ran setup, it said it encountered an error when trying to install WinSys. It installed drivers ok anyway, but definitely tried to stick me with the keylogger at installation time.
I emailed MSI and got no response ...ever.
Anyone else run across this? What's the deal with that? Get video drivers and it installs a keylogger?!?!?!? It doesn't seem that there would be a legitimate reason for that to be there, does it?
I have since then downloaded drivers straight from NVidia ... no keyloggers there.  |
I installed the newest MSI Nvidia VGA drivers (61.21) this weekend and noticed the same thing -- winsys.exe.
However, upon experimentation, it appears that this file is related to the Dynamic Overclocking Technology utility -- which is part of the MSI driver set.
I know this, because I disabled winsys.exe -- and then noticed the Dynamic Overclocking Utility wasn't working. When I re-enabled it, it worked again.
So I think this is simply a case of an unfortunate naming of a file. I can hardly see why MSI would care about keylogging its users.
Indeed, winsys.exe is also identified as a worm by Symantec (which also appears to be a coincidence).
So I'm pretty confident this is benign, but I emailed MSI nonetheless. If they don't respond I will KEEP on emailing and bothering them so much, that they will have to respond.
There are two things about this file that worry me. If you look at the date of it compared to all of the other driver files, its date is way off all of the other dates. Secondly, this winsys.exe appears in the "run" key in the registry so that it starts at boot-up -- yet it does not show up in "msconfig" when you look at all of the start-up files under the "startup" tab.
So although it is in the "run" registry key for startup files, why does it NOT appear under "startup" tab in "msconfig" (a utility on winxp)? But everything else in the "run" registry key appears in the startup tab.
RogWA3FLE Just Arrived

Joined: 11 Feb 2005 Posts: 1 Location: Bridgeport, PA

|
Posted: Fri Feb 11, 2005 7:00 am Post subject: Check the file's properties--its "original name" i |
|
|
Glad I found somebody who verifies this for me, but I already had a good idea about it. Winsys.exe was flagged by Pest Patrol but after deleting it, I could no longer play MPEG files. Looked at the file's Properties and found the following:
File Version: 1,0,0,1
Description: DOT MFC Application
Copyright: Copyright (C) 2003
Other version information
CompanyName (
Internal Name DOT
Language English (United States)
Legal Trademarks
Original Filename DOT.EXE
Product Name DOT Application
Product Version 1,0,0,1
DOT, I assume, refers to Dynamic Overclocking Technology, as stated above. Only thing is, after deleting it, it didn't seem to change anything, although I don't know how you determine if it's working or not anyway.
BTW, Win98SE, XP-2400+ Mobile@2300MHz, 1GB Corsair VS, MSI FX5700VTD128, v.61.72 MSI drivers.
73, RM
_________________ -----------------------------------------------------------------------
Copyright(c)2005 Richard Moncrief - All Rights Reserved.
email: 2qeoxtn02@sneakemail.com
"90% of success is just showing up"--Woody Allen.
-----------------------------------------------------------------------
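The checks the posters above made by hand (the version resource with its Original Filename, the file date compared with the rest of the driver folder, and the "run" registry key) can be collected in one pass, with a hash and signature status added. This is an added example, not part of any post in the thread; the function name `Get-BinaryTriage` and the sample path are assumptions.

```powershell
# Added example (not from the thread). Get-BinaryTriage is a hypothetical helper name.
function Get-BinaryTriage {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $vi   = $file.VersionInfo                      # same data as the Properties dialog
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256

    # Most common modification date among files in the same folder, to spot
    # a file whose date is out of step with the rest of the package.
    $commonDate = Get-ChildItem -LiteralPath $file.DirectoryName -File |
        Group-Object { $_.LastWriteTime.Date } |
        Sort-Object Count -Descending |
        Select-Object -First 1

    # Run keys that launch programs at logon, per machine and per user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $autoruns = foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($value.IndexOf($file.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                "$keyPath : $name = $value"
            }
        }
    }

    [pscustomobject]@{
        Path             = $file.FullName
        OriginalFilename = $vi.OriginalFilename
        NameMismatch     = [bool]$vi.OriginalFilename -and ($vi.OriginalFilename -ne $file.Name)
        CompanyName      = $vi.CompanyName
        FileDescription  = $vi.FileDescription
        LastWriteTime    = $file.LastWriteTime
        FolderCommonDate = $commonDate.Name
        SignatureStatus  = $sig.Status      # e.g. Valid, NotSigned, HashMismatch
        Signer           = $sig.SignerCertificate.Subject
        SHA256           = $hash.Hash
        RunKeyEntries    = @($autoruns)
    }
}

# Constructed example path; replace with the file your scanner flagged.
Get-BinaryTriage -Path 'C:\Drivers\MSI\winsys.exe' | Format-List
```

A name mismatch or a missing signature is a reason to look closer, not a verdict. The SHA-256 identifies the exact file regardless of its name, so it can be compared with a copy taken from the vendor's package.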
weicui New Member


Joined: 24 Feb 2005 Posts: 26

|
Posted: Fri Feb 25, 2005 4:15 am Post subject: |
|
|
yea, always always download from original vendors of hardware etc.
anyone can easily attach anything to an exe file or an extension of it