Full Version: Systemil.exe Virus
Kaspersky Lab Forum > English User Forum > Virus-related issues
dgmms
I have been running Kaspersky build 6.0.3.837 for a while and the performance has been really good. However, we observed on a few PCs that Kaspersky was getting off-loaded at startup and the PC performance had become slow. Efforts to manually load Kaspersky from Start>Programs>Kaspersky did not yield any results. Searching the PCs revealed that a few folders, namely Picture, Documents and Photo, were created on the drive(s). Further, SystemIL2 was added as a link in the Start Menu. Nothing worked to remove these links/folders and Kaspersky would just NOT RUN.

I searched the blogs for SYSTEMIL2 and it emerged that these anomalies are due to a virus - SYSTEMIL.EXE (AVG and Kaspersky fail to detect this virus). Enter this description on the Kaspersky site and the results are ZERO. According to the blogs this virus was first found on 04 Apr 2008 in India and the common file size is about 300-400 KB. Further, the virus files have no vendor, product or version information specified in the file header. The virus has exhibited the following behaviour:

- Added a Registry auto-start to load the program on boot-up
- Created as a process on disk
- Added as a link in the Start Menu
- Terminated as a process
- Executed as a process
- Disables access to Task Manager

The virus uses the names SYSTEMIL.EXE, SYSTEMIL2.EXE, DOCUMENTS.EXE, PHOTOS.EXE, PICTURES.EXE

I have even tried booting the Windows machine using Linux and deleting the infected files (whatever I felt were suspicious) and also disabling System Restore, but once the machine is booted up in Windows the situation is the same and Kaspersky gets off-loaded every time.

Need urgent help as there is danger of the infection spreading to other machines.
Lucian Bara
hello
send those files to the lab: http://support.kaspersky.ru/virlab/helpdesk.html?LANG=en
and post an avz log: http://forum.kaspersky.com/index.php?showtopic=69276
dgmms
QUOTE(Lucian Bara @ 30.10.2009 19:30) *

Thanks. I have uploaded the file systemil.gz on the helpdesk link. Having trouble generating the AVZ log and will upload it once I am successful. Regards
dgmms
QUOTE(dgmms @ 31.10.2009 12:35) *
Thanks. I have uploaded the file systemil.gz on the helpdesk link. Having trouble generating the AVZ log and will upload it once I am successful. Regards

Haven't heard anything from the kaspersky site regarding resolution of systemil.exe virus. How does one know that something will be done or an update has been released...
dgmms
QUOTE(dgmms @ 1.11.2009 20:52) *
Haven't heard anything from the kaspersky site regarding resolution of systemil.exe virus. How does one know that something will be done or an update has been released...

Consequent to my last post, I uploaded the sample virus (systemil.gz) on www.virustotal.com. It emerged that Kaspersky build 7.0.0.125 detects the virus as Virus.Win32.Agent.dk. However, my current version (build 6.0.3.837) does not detect it. Any reasons?

The details generated from the website are enclosed in the Word file.

dgmms
QUOTE(dgmms @ 2.11.2009 11:23) *
Consequent to my last post, I uploaded the sample virus (systemil.gz) on www.virustotal.com. It emerged that Kaspersky build 7.0.0.125 detects the virus as Virus.Win32.Agent.dk. However, my current version (build 6.0.3.837) does not detect it. Any reasons?

The details generated from the website are enclosed in the Word file.

Latest scan from Virus Total gives the following on SystemIL.exe

sigcheck:
publisher....: n/a
copyright....: n/a
product......: SYSTEMIL
description..: n/a
original name: SYSTEMIL.exe
internal name: SYSTEMIL
file version.: 1.00
comments.....: This Is For You _IL_ Bandung Indonesia
signers......: -
signing date.: -
verified.....: Unsigned

Currently 33/41 detect the virus, an improvement since the last post where 28/41 were detecting it.

Kaspersky online scanner doesn't detect it; however, the VirusTotal version detects it. MINE DOESN'T
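The behaviour list in the first post (registry auto-start, a SystemIL2 Start Menu link, Task Manager disabled, the five file names) and the sigcheck output above (product and internal name SYSTEMIL, version 1.00, the Bandung comment, unsigned) together describe a set of host indicators an administrator can check for without relying on the AV engine. The following triage script is an added example, not code from the forum thread, from Kaspersky or from any of the tools mentioned; it assumes PowerShell 3 or later and only reports what it finds. The file and link names come from the posts; the Run keys, the Policies\System key and the DisableTaskMgr value are standard Windows locations, and the "_IL_" comment match is an assumption based on the sigcheck output shown.

```powershell
# Added triage script: report the SystemIL indicators described in this thread.
# It reads only; it does not delete or modify anything.
$suspectNames = @('SYSTEMIL.EXE', 'SYSTEMIL2.EXE', 'DOCUMENTS.EXE', 'PHOTOS.EXE', 'PICTURES.EXE')
$findings = @()

# 1. Registry auto-start entries (Run / RunOnce, machine and user) referencing a suspect name
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own PSPath/PSParentPath etc.
        foreach ($n in $suspectNames) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                $findings += "Autorun: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. Start Menu shortcuts named like the link the poster found (SystemIL2), all-users and per-user
$startMenus = @([Environment]::GetFolderPath('CommonStartMenu'), [Environment]::GetFolderPath('StartMenu'))
foreach ($dir in $startMenus) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -like 'SystemIL*' } |
        ForEach-Object { $findings += "Start Menu link: $($_.FullName)" }
}

# 3. Task Manager disabled through the DisableTaskMgr policy value (thread: "Disables access to Task Manager")
foreach ($polKey in @('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
                      'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')) {
    if (-not (Test-Path $polKey)) { continue }
    $v = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($v -eq 1) { $findings += "Policy: $polKey\DisableTaskMgr = 1" }
}

# 4. Running processes with one of the suspect image names (-contains is case-insensitive)
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $suspectNames -contains ($_.ProcessName + '.EXE') } |
    ForEach-Object { $findings += "Process: $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }

# 5. Files on fixed drives with a suspect name; report the version-info fields sigcheck showed
#    (product/internal name, version, comments) and the Authenticode status (sample was unsigned)
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Recurse -File -Include $suspectNames -ErrorAction SilentlyContinue
} | ForEach-Object {
    $vi  = $_.VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    # Assumption: the "_IL_" comment seen in the sigcheck output is a usable marker for this sample
    $tag = if ("$($vi.Comments)" -match '_IL_') { ' [comment matches sample]' } else { '' }
    $findings += ("File: {0} size={1} product='{2}' internal='{3}' version='{4}' signature={5}{6}" -f
        $_.FullName, $_.Length, $vi.ProductName, $vi.InternalName, $vi.FileVersion, $sig.Status, $tag)
}

if ($findings.Count -eq 0) { 'No SystemIL indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so HKLM and all user profiles are readable; a hit in step 1 or 3 on a machine where Kaspersky no longer starts is the strongest of these signals, since an unsigned, version-1.00 file called DOCUMENTS.EXE can in principle be legitimate while a Run entry pointing at it and a DisableTaskMgr policy are not.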
Lucian Bara
this is odd since the two versions should be using the same databases. did you upload the gz version here: http://www.kaspersky.com/scanforvirus
or the unarchived variant?
dgmms
QUOTE(Lucian Bara @ 2.11.2009 19:40) *
this is odd since the two versions should be using the same databases. did you upload the gz version here: http://www.kaspersky.com/scanforvirus
or the unarchived variant?

I find it very odd too. I uploaded the gz variant (containing the file systemil.exe). I did as had been suggested by you, i.e. uploaded the file on the Kaspersky support link, but haven't received any reply to date. I tried to use AVZ to generate the log from the infected PC; however, the program would not run at all, as if something was blocking it.

As a recheck, I uploaded the gz version of the file in parallel on the scanforvirus link and VirusTotal. The former showed the file to be clean, whereas the latter detected the virus under different names. The screenshots of results from Kaspersky scanforvirus and VirusTotal are enclosed for your reference please.

Just for info, I managed to clean up the infected files using the Norton Recovery tool (run from a CD) with virus definitions of 22 Dec 2008.
dgmms
Kaspersky has been able to find new malicious software in the file - systemil.exe [Packed.Win32.Salpack.c]. Its detection has been included in the update and so far is working.
