KCGame found... NOT!

LuDean

I ran a scan using MSAV build 1.0.509 and 5691 sig file. It identified a
single file, winsys.exe, as a KCGame file. It recommended that I quarantine
the file, which I did. None of the other files usually associated with this
trojan were found. After some investigation on my computer, I believe this
file may actually be one of the files associated with my nVidia video drivers
and/or utilities. I did not notice any change in the ability of my video
to function after quarantining the file. Anyone else have a similar
experience? Dare I delete this file?
 
Bill Sanderson

When was the last complete antivirus scan you've done, with current
definitions?

You might read this article:

http://www.sophos.com/virusinfo/analyses/w32rbotay.html

The description part is what's relevant.

This bug isn't new, and may not relate to your problem, but it is carefully
designed to look like an Nvidia driver.

You might want to consider reverting to a generic SVGA driver, perhaps, and
removing and then reinstalling from a known source--either Windows Update or
an Nvidia site--the current drivers for your card.

You can see whether you can confirm somehow--via installation media, for
example--that this file is one which came from that installation media
source, but I would definitely check carefully.
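One way to do the check Bill describes, as an added example that is not code from this thread: compare the quarantined file's size and SHA-256 hash against the copies of the same file found in the driver packages from known sources (install disk, vendor download). The package names, paths and file bytes below are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large driver binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_to_references(suspect: Path, references: Dict[str, Path]) -> dict:
    """Compare a quarantined file with same-named copies from known-source packages.

    references maps a label (e.g. driver package name) to the path of that package's
    copy of the file. A byte-identical match with a copy from install media or a vendor
    download is evidence the quarantined file is the shipped one, not a dropped look-alike.
    """
    suspect_hash = sha256_of(suspect)
    matches = {label: sha256_of(ref) == suspect_hash for label, ref in references.items()}
    verdict = ("identical to a known-source copy" if any(matches.values())
               else "no known-source copy matches; treat as untrusted")
    return {"size": suspect.stat().st_size, "sha256": suspect_hash,
            "matches": matches, "verdict": verdict}


def demo(tampered: bool = False) -> dict:
    """Build constructed sample files in a temp dir and run the comparison.

    With tampered=True the quarantined copy differs by one byte, modelling a
    malware file that only shares the name with the genuine driver file.
    """
    tmp = Path(tempfile.mkdtemp())
    payload = b"MZ" + b"\x00" * 1000  # placeholder bytes, not a real executable
    refs = {}
    for name in ("install_disk", "driver_v6681", "vendor_download"):  # constructed labels
        p = tmp / name / "winsys.exe"
        p.parent.mkdir()
        p.write_bytes(payload)
        refs[name] = p
    quarantined = tmp / "quarantine" / "winsys.exe"
    quarantined.parent.mkdir()
    quarantined.write_bytes(payload + b"x" if tampered else payload)
    return compare_to_references(quarantined, refs)
```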
 
plun

LuDean said:
I ran a scan using MSAV build 1.0.509 and 5691 sig file. It identified a
single file, winsys.exe, as a KCGame file. It recommended that I quarantine
the file, which I did. None of the other files usually associated with this
trojan were found. After some investigation on my computer, I believe this
file may actually be one of the files associated with my nVidia video drivers
and/or utilities. I did not notice any change in the ability of my video
to function after quarantining the file. Anyone else have a similar
experience? Dare I delete this file?

YES, probably Bagle Worm

http://www.trendmicro.com/search/google/results.asp?q=winsys.exe

Scan your PC with Trend Micro's online scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

Follow this after removal:

http://www.microsoft.com/athome/security/protect/default.mspx
 
LuDean

I have Norton Antivirus and have done a complete system scan with the latest
definitions. Nothing turned up. I checked to be sure that no file by that
name is running in system processes, and nothing appears there. The
winsys.exe I refer to seems to be the same file that is included in the
nVidia drivers. This 132 kb file has a little green stick figure as the
icon. This same file shows up in three previous versions of the drivers,
including the original install disk.
 
plun

LuDean said:
I have Norton Antivirus and have done a complete system scan with the latest
definitions. Nothing turned up. I checked to be sure that no file by that
name is running in system processes, and nothing appears there. The
winsys.exe I refer to seems to be the same file that is included in the
nVidia drivers. This 132 kb file has a little green stick figure as the
icon. This same file shows up in three previous versions of the drivers,
including the original install disk.

I don't have any winsys.exe... nVidia driver for graphics.

Running ver 66.93

http://www.nvidia.com/object/winxp_2k_66.93

In what folder is winsys.exe? Properties? (Right-click on file)

Maybe you also have a motherboard from nVidia ?
 
LuDean

Hmmmm. I didn't know nVidia made motherboards. My video card was made
however by Microstar, who also makes motherboards. Currently, I am running
the generic drivers from nVidia rather than MSI's, but the drivers I have
downloaded from MSI also have winsys.exe. The file on my machine is found
in the following directory:

E:\Program Files\NVIDIA VGA Driver v6681

File Properties indicates it is not a hidden file. I checked to see if the
file is running on my system, and it isn't, which is probably why it made no
difference to the function of my system when I allowed MSAS to quarantine it.
If it's spyware, I don't know how it would be doing its thing if it's not
running.

I recently read about a virus that masquerades on your computer as an nVidia
driver. Since my virus scanner (with current sig files) did not find it, I
am convinced that the file on my computer identified "winsys.exe" is safe.
Nevertheless, before releasing the file from quarantine, I'm going to check
with MSI and see what they say about the file first!
 
plun

LuDean said:
Hmmmm. I didn't know nVidia made motherboards. My video card was made
however by Microstar, who also makes motherboards. Currently, I am running
the generic drivers from nVidia rather than MSI's, but the drivers I have
downloaded from MSI also have winsys.exe. The file on my machine is found
in the following directory:

Yes, nVidia makes mb also, and I have an MSI mb. ;)

MSI has a program with spyware. It's better to run
nVidia generic drivers.

LuDean said:
E:\Program Files\NVIDIA VGA Driver v6681

You can delete this folder; everything with drivers should
be within Windows folders.

LuDean said:
File Properties indicates it is not a hidden file. I checked to see if the
file is running on my system, and it isn't, which is probably why it made no
difference to the function of my system when I allowed MSAS to quarantine it.
If it's spyware, I don't know how it would be doing its thing if it's not
running.
I recently read about a virus that masquerades on your computer as an nVidia
driver. Since my virus scanner (with current sig files) did not find it, I
am convinced that the file on my computer identified "winsys.exe" is safe.
Nevertheless, before releasing the file from quarantine, I'm going to check
with MSI and see what they say about the file first!

Happy hunting