Post by pyotr filipivich
I am not starting msinfo32.exe; something else is, and I have no
idea what it is.

Post by VanguardLH
So follow the instructions already provided to you on how to
investigate and find startup items. We're not there. You'll have
to do the work. You'll have to find the startup item that loads
msinfo32.exe and delete or disable it.

Post by pyotr filipivich
Sorry, my problem is that far too often, by the time I can "do"
anything, msinfo has completed its task and closed down.

Post by VanguardLH
That won't affect that it is either a startup program (so use the tools
mentioned to find it) or malware (so do a scan using something better
than what Microsoft dumps in Windows). Is there a reason you won't
check the startup programs or do an AV scan?

Post by pyotr filipivich
The AV scans say I'm good (Malwarebytes, Avast, Comodo).
There is nothing in the startup menus which I can determine starts
msinfo32.exe. Part of the problem is, I've yet to find out why
msinfo32.exe is being run _at all_, other than apparently because MS
thinks it a neat idea to run it.
Why do you assume Microsoft is doing this?
You do realize that a *lot* of Windows malfunctions are
caused by third parties, not Microsoft.
I've still not seen your analysis of what is
actually running. Is it *really* a copy of msinfo32.exe
from the System folder? Or is it a third party
program with that name, running from your
Downloads folder?
If there is a rootkit present on your machine (3% of
malware uses rootkits), then it can change the *appearance*
of virtually any file. It can be running a copy of
msinfo32 which does not have the same byte content
as the copy on the disk drive. You can upload the
file to virustotal, and it will scan clean, because
it isn't actually the file that is currently running
on the computer. So there will be some cases
where you will be confused by what owns the machine,
and will never get a clear picture of the situation.
If you boot a Linux LiveCD, that allows an offline analysis
of the disk content. If you find a copy of msinfo32.exe then,
the rootkit is not actively modifying it. But at shutdown,
the rootkit can leave things in a state where there are
"few tracks" left of what it has done.
Some malware stores content outside of data clusters,
up in the last fraction of 8MB of the partition. This
is not officially part of the file system, and a
great place to store things.
One of the reasons I've zeroed entire drives, before
doing an OS restore, is so that the end of the partition
will be clean, and a canary indication of trouble if
it ends up dirty again.
Example of a tool for rootkits.
https://support.kaspersky.com/viruses/solutions/5353
The TDSS rootkit modifies the atapi.sys file, and
changes some stuff on the fly. So it modifies some
things in such a way, that *your* attempts to scan
it while the OS runs, always reveal a clean copy,
while the copy the OS is using, is infected.
https://en.wikipedia.org/wiki/Alureon
It's highly unlikely this is running on your machine...
but the howls of grief when Microsoft pushed out
a change to atapi.sys, indicates that there are
people out there with active copies of that running
on the computer. The incidence is not zero. And
even if they put some guys in jail, others will
continue using the vector.
Summary: It could be a totally naive instance of
eight copies of an obscure utility deciding
to "run on their own". But this ignores the
other extreme possibilities of what it might
be. I'm not a malware expert, but I've read enough
discouraging reports to never discount any
possibility when it comes to computer
malfunctions. Keep an open mind while you
work on this. What you're seeing is not normal.
When you see processes doing a lot of work on the computer,
watch your hard drive LED. If the processes are doing
a lot of reads and writes, that could be ransomware.
If it is Ransomware, your files will magically
end up with new file extensions...
"When first released, the extension used for encrypted
files was .Locky. Other versions utilized the .zepto,
.odin, .shit, .thor, .aesir, and .zzzzz extensions
for encrypted files. The current version, released
in December 2016, utilizes the .osiris extension
for encrypted files."
I first looked up that article when someone in the other
groups started seeing ".osiris" extensions on his files.
And by then, it was too late. It took *months* to undo
the damage, reinstall OSes and so on. The individual
did not have complete system backups, just a few copies
of his Downloads folder.
Paul
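The two questions the thread keeps coming back to are "which file is actually running, and from where?" and "what startup item launches it?", complicated by the process exiting before Task Manager can be opened. The following PowerShell script is an added example written for this page; it is not code from any poster in the thread. It does two things: it searches scheduled tasks, the Run/RunOnce keys and the Startup folders for anything that references msinfo32, and it registers a WMI event subscription on Win32_ProcessStartTrace so that every msinfo32.exe launch, however short-lived, is logged with its image path, command line, parent process and whether the image's SHA-256 matches the copy in System32. The log file location and the event SourceIdentifier are arbitrary choices; the script must run in an elevated PowerShell session because Win32_ProcessStartTrace requires administrator rights.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell window.
# Assumed choices: the log file path and the SourceIdentifier 'MsInfo32Watch'.

$Target  = 'msinfo32.exe'
$LogFile = Join-Path $env:TEMP 'msinfo32-launches.log'       # assumed log location
$SysCopy = Join-Path $env:SystemRoot 'System32\msinfo32.exe'
$SysHash = (Get-FileHash -Path $SysCopy -Algorithm SHA256).Hash

# --- 1. Static hunt: which startup locations reference msinfo32? ---
function Find-StartupReferences {
    param([string]$Pattern = 'msinfo32')

    # Scheduled tasks whose action executes, or passes as an argument, the pattern
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match $Pattern) {
                [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"
                                   Value  = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }

    # Run / RunOnce keys for the machine and the current user
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
                if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $Pattern) {
                    [pscustomobject]@{ Source = "$k\$($p.Name)"; Value = $p.Value }
                }
            }
        }
    }

    # Startup folders: shortcuts whose target or arguments mention the pattern
    $shell   = New-Object -ComObject WScript.Shell
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ("$($lnk.TargetPath) $($lnk.Arguments)" -match $Pattern) {
                [pscustomobject]@{ Source = $_.FullName; Value = "$($lnk.TargetPath) $($lnk.Arguments)" }
            }
        }
    }
}

# --- 2. Live capture: log every msinfo32.exe start, even one that exits in a second ---
$action = {
    $e = $Event.SourceEventArgs.NewEvent        # Win32_ProcessStartTrace instance
    $d = $Event.MessageData
    # Query child and parent immediately. The child may already be gone; the parent
    # (Task Scheduler's svchost, explorer, or a third-party program) usually is not.
    $child  = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)"       -ErrorAction SilentlyContinue
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)" -ErrorAction SilentlyContinue
    $path = if ($child.ExecutablePath) { $child.ExecutablePath } else { '<exited before query>' }
    # Compare the on-disk image that was launched with the System32 copy. A copy in
    # Downloads with the same name will show up as a mismatch; note this reads the
    # file from disk, so it cannot see through a rootkit that lies about file content.
    $same = if ($child.ExecutablePath -and (Test-Path $child.ExecutablePath)) {
        (Get-FileHash -Path $child.ExecutablePath -Algorithm SHA256).Hash -eq $d.SysHash
    } else { 'unknown' }
    $line = '{0} pid={1} path="{2}" cmd="{3}" parent={4} ({5}) parentPath="{6}" hashMatchesSystem32={7}' -f `
        (Get-Date -Format s), $e.ProcessID, $path, $child.CommandLine,
        $e.ParentProcessID, $parent.Name, $parent.ExecutablePath, $same
    Add-Content -Path $d.LogFile -Value $line
}

Register-CimIndicationEvent -Query "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '$Target'" `
    -SourceIdentifier 'MsInfo32Watch' -Action $action `
    -MessageData @{ LogFile = $LogFile; SysHash = $SysHash } | Out-Null

"Static references to ${Target}:"
Find-StartupReferences | Format-Table -AutoSize
"Watching for ${Target} launches; entries are appended to $LogFile."
"Run  Unregister-Event -SourceIdentifier MsInfo32Watch  to stop."
```

Leave the session open (the subscription dies with it) and check the log after the next unexplained launch; the parent process name and path are the lead, and a path outside System32 or a hash mismatch is the point at which the VirusTotal upload in the post above becomes meaningful. The static search only covers the common locations; services, WMI subscriptions and other autostart points are better enumerated with Sysinternals Autoruns.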