  #23  
December 20th 17, 09:18 PM posted to alt.windows7.general
pyotr filipivich
Why does msinfo32.exe take 49.9% of resources and freeze the computer?

Paul on Wed, 20 Dec 2017 14:23:13 -0500 typed
in alt.windows7.general the following:
pyotr filipivich wrote:
VanguardLH on Tue, 19 Dec 2017 22:12:00 -0600 typed in
alt.windows7.general the following:
pyotr filipivich wrote:
VanguardLH:
pyotr filipivich wrote:
I am not starting msinfo32.exe; something else is, and I have no
idea what it is.
So follow the instructions already provided to you on how to
investigate and find startup items. We're not there. You'll have
to do the work. You'll have to find the startup item that loads
msinfo32.exe and delete or disable it.
Sorry, my problem is that far too often, by the time I can "do"
anything - msinfo has completed its task and closed down.
That won't affect that it is either a startup program (so use the tools
mentioned to find it) or malware (so do a scan using something better
than what Microsoft dumps in Windows). Is there a reason you won't
check the startup programs or do an AV scan?


The AV scans say I'm good (Malwarebytes, Avast, Comodo).

There is nothing in the startup menus which I can determine starts
msinfo32.exe. Part of the problem is, I've yet to find out why
msinfo32.exe is being run _at all_, other than apparently because MS
thinks it a neat idea to run it.


Why do you assume Microsoft is doing this?


I have to start somewhere.

You do realize that a *lot* of Windows malfunctions are
caused by third parties, not Microsoft.


This is true too. But MS has done enough over the years to make
me miss command lines and directory trees.

I've still not seen your analysis of what is
actually running. Is it *really* a copy of msinfo32.exe
from the System folder? Or is it a third party
program with that name, running from your
Downloads folder?


Downloads is empty. I keep it that way mostly. Have other places
where I pre-sort things I download.

Using Process Hacker - msinfo32 is not running now.

From prior experience, msinfo32.exe is/was apparently called by
cmdagent.exe, from "C:\Program Files\COMODO\COMODO Internet
Security".
cmdagent was started (one hour and seven minutes ago, when I
rebooted the computer) by "services.exe" (from windows\system32).
Services is called by wininit.exe, also in system32.

If there is a rootkit present on your machine (3% of
malware uses rootkits), then they can change the *appearance*
of virtually any file. They can be running a copy of
msinfo32 which does not have the same byte content
as the copy on the disk drive. You can upload the
file to virustotal, and it will scan clean, because
it isn't actually the file that is currently running
on the computer. So there will be some cases
where you will be confused by what owns the machine,
and will never get a clear picture of the situation.

If you boot a Linux LiveCD, that allows an offline analysis
of the disk content. If you find a copy of msinfo32.exe then,
the rootkit is not actively modifying it. But at shutdown,
the rootkit can leave things in a state, so there are
"few tracks" left of what it has done.

Some malware stores content outside of data clusters,
up in the last fraction of 8MB of the partition. This
is not officially part of the file system, and a
great place to store things.

One of the reasons I've zeroed entire drives, before
doing an OS restore, is so that the end of the partition
will be clean, and a canary indication of trouble if
it ends up dirty again.


Clever. I shall make a note of that.

Example of a tool for rootkits.

https://support.kaspersky.com/viruses/solutions/5353

The TDSS rootkit modifies the atapi.sys file, and
changes some stuff on the fly. So it modifies some
things in such a way that *your* attempts to scan
it while the OS runs always reveal a clean copy,
while the copy the OS is using is infected.

https://en.wikipedia.org/wiki/Alureon

It's highly unlikely this is running on your machine...
but the howls of grief when Microsoft pushed out
a change to atapi.sys indicate that there are
people out there with active copies of that running
on the computer. The incidence is not zero. And
even if they put some guys in jail, others will
continue using the vector.

Summary: It could be a totally naive instance of
eight copies of an obscure utility deciding
to "run on their own". But this ignores the
other extreme possibilities, of what it might
be. I'm not a malware expert, but I've read enough
discouraging reports to never discount any
possibility when it comes to computer
malfunctions. Keep an open mind while you
work on this. What you're seeing is not normal.


From what I've been able to suss out - msinfo gets run "to gather
information about your computer, to diagnose issues with your
computer, or to access other tools"

When you see processes doing a lot of work on the computer,
watch your hard drive LED. If the processes are doing
a lot of reads and writes, that could be ransomware.
If it is Ransomware, your files will magically
end up with new file extensions...

"When first released, the extension used for encrypted
files was .Locky. Other versions utilized the .zepto,
.odin, .****, .thor, .aesir, and .zzzzz extensions
for encrypted files. The current version, released
in December 2016, utilizes the .osiris extension
for encrypted files."

I first looked up that article, when someone in the other
groups, started seeing ".osiris" extensions on his files.
And by then, it was too late. It took *months* to undo
the damage, reinstall OSes and so on. The individual
did not have complete system backups, just a few copies
of his Downloads folder.


Thanks.

Paul

--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
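As an added example (not code from this thread or from Paul), here is a small offline check for the canary idea Paul describes above: once a drive has been zeroed before an OS restore, the last stretch of the partition that lies outside the file system's data clusters should stay all-zero, so reading it back from a Linux live environment and listing any non-zero runs gives an early warning that something has written there. The 8 MB tail size, the device path, and the sample image are assumptions or constructed data; it also records a SHA-256 of the tail so a clean baseline can be compared on a later boot.

```python
"""Offline end-of-partition canary check (added example, not code from the thread).

Reads the last TAIL_BYTES of a block device or image file and reports every
run of non-zero bytes found there. A freshly zeroed drive should report none.
"""
import hashlib
import io
import re
import sys

TAIL_BYTES = 8 * 1024 * 1024   # inspect the final 8 MB (assumption: the figure Paul quotes)
CHUNK = 1024 * 1024            # read granularity

_NONZERO = re.compile(rb"[^\x00]+")


def find_nonzero_runs(data, base_offset=0):
    """Return [(absolute_offset, length), ...] for each run of non-zero bytes in data."""
    return [(base_offset + m.start(), m.end() - m.start()) for m in _NONZERO.finditer(data)]


def merge_runs(runs):
    """Join runs that abut each other (a single run split by a chunk boundary)."""
    merged = []
    for off, length in runs:
        if merged and merged[-1][0] + merged[-1][1] == off:
            merged[-1] = (merged[-1][0], merged[-1][1] + length)
        else:
            merged.append((off, length))
    return merged


def scan_tail(stream, size, tail_bytes=TAIL_BYTES):
    """Scan the last tail_bytes of a seekable binary stream of known size.

    Returns (runs, sha256_hex): the non-zero runs (absolute byte offsets) and a
    digest of the tail, so a clean baseline can be recorded and compared later.
    """
    start = max(0, size - tail_bytes)
    stream.seek(start)
    runs = []
    digest = hashlib.sha256()
    pos = start
    while pos < size:
        data = stream.read(min(CHUNK, size - pos))
        if not data:
            break
        digest.update(data)
        runs.extend(find_nonzero_runs(data, pos))
        pos += len(data)
    return merge_runs(runs), digest.hexdigest()


def build_sample_image(size=16 * 1024 * 1024):
    """Constructed sample image: fake file-system bytes at the front, a zeroed tail,
    and one 16-byte blob planted so that it straddles a CHUNK boundary in the tail."""
    img = bytearray(size)
    img[0:4096] = (b"FSDATA" * 700)[:4096]
    blob = b"PLANTED-CANARY-X"          # 16 non-zero bytes
    off = size - CHUNK - 8               # starts 8 bytes before the last chunk
    img[off:off + len(blob)] = blob
    return img, off, len(blob)


def main(argv):
    if len(argv) > 1:
        # e.g. python canary_tail.py /dev/sdb  (placeholder path; run as root from the live CD)
        stream = open(argv[1], "rb")
        stream.seek(0, io.SEEK_END)      # SEEK_END works on Linux block devices
        size = stream.tell()
    else:
        img, _, _ = build_sample_image()
        stream, size = io.BytesIO(img), len(img)
    runs, digest = scan_tail(stream, size)
    print(f"tail sha256: {digest}")
    if not runs:
        print("tail is clean (all zero)")
    for off, length in runs:
        print(f"non-zero run at offset {off:#x}, {length} bytes")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see it flag the planted blob in the constructed image; with a device path it scans the real tail. Keep the printed digest from a known-clean boot and compare it next time, since a changed digest with no visible runs can also mean the region was rewritten with zeros, which is itself worth noticing.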