A rather strange case of spyware

Gabriele Hauschild
2006-07-19, 02:27
Hello,

We discovered the following path on our system:
C:\Windows\MsApps\MSINFO\msinfo.exe

"msinfo.exe" is spyware according to entries on the Internet, for example:
http://www.spyany.com/program/article_ad_rm_Global_Finder.html

An examination of our seven original floppy disks of "Microsoft Word 6.0C" shows that floppy disk number six contains a single file called: "Word6.cab" 1,676 KB 09/09/1994, 00:09 and one of its 67 files is:
"msinfo.exe" the Properties for which include: "8 September 1994 09:09:08; File version 1.00A; Comments: Microsoft System Information Browser."

"msinfo.exe" plus its entries in "win.ini" have been manually removed, but we hope you can comment on the following two questions please:

1) Assuming the "msinfo.exe" installed by Word 6 is the spyware pointed up on the Internet, how could spyware apparently be installed from "Word 6" disks by Microsoft?

2) Why was "msinfo.exe" never detected by either "Spybot Search & Destroy" or "Ad-Aware" on our system during scans, although on the Internet "msinfo.exe" is clearly pointed up as spyware?

Look forward to hearing from you.

Regards,

tashi
2006-07-19, 06:41
Hello

To put things into perspective for our helpers please follow the instructions in this sticky topic:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)
Copy paste the logs into this topic and a helper will advise you as soon as available.

Cheers.

Gabriele Hauschild
2006-07-19, 15:24
Hello Tashi,

Thanks for your message. I have read the "sticky" to which you refer and believe my message is consistent with it. If, however, you mean the message I posted is lacking in some way regarding your rules, do let me know in what way and what I should do to obtain a full reply.

The version of SS&D which I have is 1.4.
My message explained that the malware in question has been removed.
The issues I raised in my message I believe to be reasonably significant and deserving of consideration and which may assist others.

I look forward to obtaining a substantive response to the two queries I raised.

Best regards,

LonnyRJones
2006-07-20, 12:33
Did you see this >


Copy paste the logs into this topic and a helper will advise you as soon as available.

LonnyRJones
2006-07-20, 12:37
1) Assuming the "msinfo.exe" installed by Word 6 is the spyware pointed up on the Internet, how could spyware apparently be installed from "Word 6" disks by Microsoft?

The information from that link you posted (spyany) is frankly hogwash

However, we still ask that you post the logs mentioned in that sticky, as was pointed out.

Gabriele Hauschild
2006-07-20, 15:02
Thanks LonnyRJones for your two responses.

In your first response you ask if I read the "Sticky" - However, my previous message said that I had read it.

In your second response you ask that I post the logs requested in the "Sticky" - This I will do - to follow.
(The PC in question is occupied at the moment).

You also said:
"The information from that link you posted (spyany) is frankly hogwash". However, please could you take a look at the following additional four separate links I just found quickly on Google:

http://www.processlibrary.com/directory/files/msinfo/

http://www.justtext.com/processes-tasks/msinfo-exe.html

http://www.fbmsoftware.com/spyware-net/process/msinfo_exe/773/

http://www.maxpc.co.uk/tips/default.asp?pagetypeid=2&articleid=30091&subsectionid=719


In addition, please consider the following copy newsgroup message, from the old Microsoft Public: "win98.gen_discussion" newsgroup:

- - copy of copy newsgroup message starts - -:

"Subject: Re: msinfo.exe win.ini not found
From: "Richard G. Harper [MVP Win9x]" <rgharper@email.com>
Sent: 9/22/2003 6:06:04 PM

MSINFO.EXE is not a virus, it's an adware/spyware program. What protection
are you using against such? Probably none?
Download a copy of AdAware, install it, update it. If the system is too
unstable to get it running in normal mode, start up in Safe Mode. Run the
program and clean all the pests off your system, then restart the system and
run AdAware again. Repeat as necessary until your system is clean.
Richard G. Harper (MVP Win9x) rgharper@email.com
* PLEASE post all messages and replies to the newsgroup so all may
* benefit from the discussion. Private mail is usually not replied to.
Help US help YOU ... http://www.dts-l.org/goodpost.htm

"Josh mitoska" <Mitoska@hotmail.com> wrote in message
news:0a7201c38169$db296c20$a301280a@phx.gbl...
> When I load up I get the msg that msinfo.exe and win.ini
> are not found, I've had some virus problems, but no longer
> detect any? Any help is appreciated-thanks"

- - copy newsgroup message ends - -


LonnyRJones, I intend to post the logs requested as soon as possible and would appreciate meanwhile your response to this message.

Best regards,

LonnyRJones
2006-07-20, 16:21
My Mistake
msinfo32 is what I assume you were referring to and it is of course legit

Gabriele Hauschild
2006-07-21, 00:53
Hello,

LonnyRJones wrote at 20.7.2006, 11.37:
"However we still ask that you post the logs mention in that sticky as was pointed out".

The following three logs are pasted in this message further down:

BitDefender Online scan log:
"bdoscan 20_7_2006.log".

Spybot Search & Destroy 1.4 scan (carried out in Safe mode) log:
"Checks.060720-2303.txt".

HijackThis log:
"hijackthis_20_7_2006.log".


- - Start of BitDefender Online scan log "bdoscan 20_7_2006.log" - -

[General]
App = "BitDefender Online Scanner v8"
Date = 20:07:2006
Time = 21:47:09
Scan Path = A:\;C:\;E:\;Q:\;

[Engines Info]
Virus Definitions = 416036
Engine build = "AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)"
Scan plugins = 13
Archive plugins = 38
Unpack plugins = 5
E-mail plugins = 6
System plugins = 1

[Scan Statistics]
Folders = 4878
Files = 435769
Archives = 3511
Packed files = 64369
Identified viruses = 0
Infected files = 0
Warnings = 0
Suspect files = 0
Disinfected files = 0
Deleted files = 0
Copied files = 0
Moved files = 0
Renamed files = 0
I/O Errors = 2

[Scan Settings]
FirstAction = Report
Heuristics = 1
Enable Warnings = 1
Exclude Ext =
Extensions = *;
Scan Emails = 1
Scan Archives = 1
Scan Packed = 1
Scan Files = 1
Scan Boot = 1
Verify Memory = 0

[Scan Results]
Line00000000 = "No problems found."

- - End of BitDefender Online scan log "bdoscan 20_7_2006.log" - -


- - Start of Spybot Search & Destroy 1.4 scan (carried out in Safe mode) log "Checks.060720-2303.txt" - -

--- Report generated: 2006-07-20 23:03 ---

Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-08-15 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-11-30 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-07-14 Includes\Cookies.sbi (*)
2006-07-14 Includes\Dialer.sbi (*)
2006-07-14 Includes\Hijackers.sbi (*)
2006-07-14 Includes\Keyloggers.sbi (*)
2006-07-14 Includes\Malware.sbi (*)
2006-07-14 Includes\Revision.sbi (*)
2006-07-14 Includes\Security.sbi (*)
2006-07-14 Includes\Spybots.sbi (*)
2006-07-14 Includes\Trojans.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-07-14 Includes\PUPS.sbi (*)

- - End of Spybot Search & Destroy 1.4 scan (carried out in Safe mode) log "Checks.060720-2303.txt" - -


- - Start of HijackThis log "hijackthis_20_7_2006.log" - -

Logfile of HijackThis v1.99.1
Scan saved at 23:24:34, on 20/07/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\BT BROADBAND HELP\SMARTBRIDGE\BTHELPNOTIFIER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\INTEL\INTEL PSNCU\CPUNUMBER.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.de/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gi2tpcvt.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\gi2tpcvt.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [MXO Auto Loader] A:\DRIVERS\USB\MXOALDR.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [iamapp] c:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [RNBOStart] c:\WINDOWS\SYSTEM\sentstrt.exe
O4 - HKLM\..\RunServices: [nisserv] c:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunOnce: [ Privacy Eraser Pro] C:\PROGRAM FILES\PRIVACYERASER COMPUTING\PRIVACY ERASER PRO\PRIVACYERASER.EXE /ErIEIndex
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [IntelProcNumUtility] "C:\Intel\Intel PSNCU\CpuNumber.exe" /nosplash
O4 - HKCU\..\Run: [Privacy Eraser Pro] C:\PROGRAM FILES\PRIVACYERASER COMPUTING\PRIVACY ERASER PRO\PRIVACYERASER.EXE /Startup
O4 - HKCU\..\RunOnce: [ Privacy Eraser Pro] C:\PROGRAM FILES\PRIVACYERASER COMPUTING\PRIVACY ERASER PRO\PRIVACYERASER.EXE /ErIEIndex
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: Automachron.lnk = C:\Program Files\One Guy Coding\Automachron\achron.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: PsiWin 2.3 Connection Server .lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - Startup: System Monitor.lnk = C:\Windows\SYSMON.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - User Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - User Startup: Automachron.lnk = C:\Program Files\One Guy Coding\Automachron\achron.exe
O4 - User Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - User Startup: PsiWin 2.3 Connection Server .lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - User Startup: System Monitor.lnk = C:\Windows\SYSMON.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/7.20.0003/OCI/setup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

- - End of HijackThis log "hijackthis_20_7_2006.log" - -


I look forward to receiving your comments upon my first message in this thread of 19.7.2006, 01:27.

Regards,

LonnyRJones
2006-07-21, 01:14
Thanks, logs look OK

Prior to taking action did you have any symptoms of a hijack, search redirects, home page changes, uncommon repeated popups, PC problems etc etc ?

Next time please submit suspect files at either of these services and to your
antivirus vendor
Submit a file--VirusTotal: http://www.virustotal.com/flash/index_en.html
Jotti Online malware scan: http://virusscan.jotti.org/

Gabriele Hauschild
2006-07-21, 01:26
Hello,

Further to my first message in this thread of 19.7.2006, 01:27, please see the following "System File Checker" log of 6th December 2004.
This "System File Checker" scan was carried out straight after "Microsoft Word 6" was installed and as you will note from the log the file "msinfo.exe" was installed as part of the installation of Word 6.

In any event, no doubt anyone still owning "Word 6.0C" floppies can see "msinfo.exe" within the "Word6.cab" of floppy number six.

(The reason why Word 6 was installed was to satisfy Setup of the "Update" version of "Microsoft Office 2000 Professional" which was installed after Word 6.)


- - Start of System File Checker log: - -

Microsoft System File Checker

Log file generated on 12/6/04 at 6:11 PM

Started verify scan using verification data file:
"C:\WINDOWS\Default.sfc"

Previous Previous New New CRC
File Change Version Date Version Date Match
---------------- ----------- ----------- --------- ----------- --------- ------
[C:\WINDOWS\SYSTEM]
riched20.dll Added 5.30.11.241 6/23/99
ctl3dv2.dll Updated 2.31.000 4/23/99 2.05 9/8/94 No
ODBCINST.DLL Added 1.05.0923 9/8/94
OLE2PROX.DLL Added 2.01 9/8/94
SDM.DLL Added 3.0.2201 9/8/94
SHARERES.DLL Added 1.20.0050 9/8/94
TTEMBED.DLL Added 0.916 9/8/94
COMMTB.DLL Added 01.01.00.00 9/8/94
MSTOOLBR.DLL Added 9/8/94
PUBOLE.DLL Added 1.01 9/8/94
MSISYS.VXD Updated 4.03 12/6/04 4.03 12/6/04 Yes
[C:\WINDOWS\MsApps\Grphflt]
IFFTIFF.DLL Added 3.15 9/8/94
[C:\DRIVERS\CDROM]
OAKCDROM.SYS Added 6/4/98
[C:\WINDOWS\MsApps\PROOF]
MSSPEL2.DLL Added 1.60.0001 9/8/94
MSTHES.DLL Added 6.0 9/8/94
[C:\WINDOWS\MsApps\MSINFO]
MSINFO.EXE Added 1.00A 9/8/94
[C:\WINDOWS\MsApps\WORDART]
WORDART2.EXE Added 2.0a 9/8/94
[C:\Program Files\WINWORD]
WINWORD.EXE Added 6.0 9/8/94
WWINTL.DLL Added 6.0 9/8/94
GRAM.DLL Added 3.0 9/8/94
WORDCBT.DLL Added 1.06 9/8/94
WORDHELP.DLL Added 1.12.002 9/8/94
WORDRES.DLL Added 1.10.009 9/8/94
HYPH.DLL Added 1.30.0002 9/8/94
[C:\Program Files\WINWORD\SETUP]
SETUP.EXE Added 1.1 9/8/94
_MSSETUP.EXE Added 9/8/94
MSCPYDIS.DLL Added 2.6 9/8/94
MSSETUP.DLL Added 2.6 9/8/94
WORD_BB.DLL Added 1.0 9/8/94
[C:\Program Files\WINWORD\WORDCBT]
CBTLIB4.DLL Added 1.22 9/8/94
FX.DLL Added 1.01 9/8/94

468 folders examined.
2028 files examined.
29 files added to verification data file.
0 files removed from verification data file.
2 files updated in verification data file.
0 files restored.
0 file changes ignored.

********************
- - End of System File Checker log - -

Gabriele Hauschild
2006-07-21, 02:02
Thanks LonnyRJones for your message of 21.7.2006, 00.14.

You wrote:
"Prior to taking action did you have any symptoms of a hijack, search redirects, home page changes, uncommon repeated popups, PC problems etc etc ?"

No. However, if a file exists on a system which is widely identified on the Internet as malware, then it is surprising that the file does not become identified in malware scans - hence my query about "msinfo.exe".

You also wrote:
"Next time please submit suspect files at either of these services and to your
antivirus vendor
Submit a file--VirusTotal: http://www.virustotal.com/flash/index_en.html
Jotti Online malware scan: http://virusscan.jotti.org/"

That is no problem LonnyRJones, I have just extracted "msinfo.exe" from its Word 6 floppy and submitted it to "http://virusscan.jotti.org/".
However, please note that although described as a "malware scan", the file was subjected to virus checking only. As you know, a "malware" file is
not considered to be a "virus" and is generally still not detected by virus engines.

The following was the result of the online scan:

- - Start of report of online scan of "msinfo.exe" at http://virusscan.jotti.org/ - - :

Carried out 21.7.2006:

http://virusscan.jotti.org/

Jotti's malware scan 2.99-TRANSITION TO _3.00-R1

File: Msinfo.exe
Status: OK
MD5: 6d983604d0c8a951cba7749e3d8c9601

Packers detected: -
AntiVir Nothing found
ArcaVir Nothing found
Avast Nothing found
AVG Antivirus Nothing found
BitDefender Nothing found
ClamAV Nothing found
Dr.Web Nothing found
F-Prot Antivirus Nothing found
Fortinet Nothing found
Kaspersky Anti-Virus Nothing found
NOS32 Nothing found
Norman Virus Control Nothing found
UNA Nothing found
VirusBuster Nothing found
VBA32 Nothing found

- - End of report of online scan of "msinfo.exe" at http://virusscan.jotti.org/ - -

LonnyRJones
2006-07-21, 18:30
Have we addressed all your concerns

Gabriele Hauschild
2006-07-22, 23:57
Hello LonnyRJones.

Thanks for your message of 21.7.2006, 18.30.

Please could you consider the following and let us have your answers (or another expert's answers) to the two queries which appear towards the end of this message:

We discovered the following path on our system:
C:\Windows\MsApps\MSINFO\msinfo.exe

"msinfo.exe" is spyware according to entries on the Internet, for example:
http://www.spyany.com/program/article_ad_rm_Global_Finder.html
Four more URLs for similar such entries are listed earlier in this thread (20.7.2006, 14.02).

An examination of our seven original floppy disks of "Microsoft Word 6.0C" shows that floppy disk number six contains a single file called: "Word6.cab" 1,676 KB 09/09/1994, 00:09 and one of its 67 files is:
"msinfo.exe" the Properties for which include: "8 September 1994 09:09:08; File version 1.00A; Comments: Microsoft System Information Browser."

A System File Checker ("SFC") scan was run immediately before Word 6 was installed and then a new SFC scan was run immediately after Word 6 was installed. The second SFC scan shows that "msinfo.exe" was installed as part of the installation of Word 6.
A copy of the latter SFC scan appears earlier in this thread (21.7.2006, 00.26).

(The "Jotti Online malware scan" <http://virusscan.jotti.org/> which you mentioned in one of your earlier messages in this thread seems, strangely, to test submitted files only with "virus" and not malware scanners.)

As explained earlier in this thread, "msinfo.exe" plus its entries in "win.ini" have been manually removed, but we hope you can comment on the following two questions please:

1) Assuming the "msinfo.exe" installed by Word 6 is the spyware pointed up on the Internet, how could spyware apparently be installed from "Word 6" disks by Microsoft?

2) Why was "msinfo.exe" never detected by either "Spybot Search & Destroy" or "Ad-Aware" on our system during scans, although on the Internet "msinfo.exe" is clearly pointed up as spyware?

Look forward to hearing from you.

Regards,

LonnyRJones
2006-07-23, 00:19
Hi

If nothing was found at Jotti's or VirusTotal then there is nothing to worry about; that's true 98% of the time for files submitted. Yes, they would also report malware/trojans/spybots/adware.

I believe that covers both questions.

Gabriele Hauschild
2006-07-23, 03:29
Thanks LonnyRJones for your reply.

Okay, but please can you explain why "msinfo.exe" is widely reported on the Internet as malware or as evidence of trojan or virus activity, while at the same time "msinfo.exe" is not detected as such when subjected to anti-malware and anti-virus scanners. If it is not malware then why is it widely reported on the Internet to be so?

Regards,

Gabriele Hauschild
2006-07-23, 03:36
LonnyRJones,

When you reply to my previous message, please could I invite you to also consider the following copy newsgroup message, from the old Microsoft Public: "win98.gen_discussion" newsgroup:

- - copy of newsgroup message starts - -:

"Subject: Re: msinfo.exe win.ini not found
From: "Richard G. Harper [MVP Win9x]" <rgharper@email.com>
Sent: 9/22/2003 6:06:04 PM

MSINFO.EXE is not a virus, it's an adware/spyware program. What protection
are you using against such? Probably none?
Download a copy of AdAware, install it, update it. If the system is too
unstable to get it running in normal mode, start up in Safe Mode. Run the
program and clean all the pests off your system, then restart the system and
run AdAware again. Repeat as necessary until your system is clean.
Richard G. Harper (MVP Win9x) rgharper@email.com
* PLEASE post all messages and replies to the newsgroup so all may
* benefit from the discussion. Private mail is usually not replied to.
Help US help YOU ... http://www.dts-l.org/goodpost.htm

"Josh mitoska" <Mitoska@hotmail.com> wrote in message
news:0a7201c38169$db296c20$a301280a@phx.gbl...
> When I load up I get the msg that msinfo.exe and win.ini
> are not found, I've had some virus problems, but no longer
> detect any? Any help is appreciated-thanks"

- - copy newsgroup message ends - -

LonnyRJones
2006-07-23, 14:32
The information at spyany seems to be describing an old CWS infection
http://spywareinfo.com/~merijn/cwschronicles.html#msinfo
"The MSINFO.EXE is installed in a Windows folder where also the legitimate MSINFO32.EXE file resides"
it would have looked like this in a hjt log
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
F1 - win.ini: run=msinfo.exe
and a file bootconf.exe is involved along with hijack symptoms.
also note the date "Approx date first sighted: August 22, 2003"

Were there any other files or hijack symptoms ?
Always consider symptoms and the date of the information found when searching.
If not, I think we are finished here
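One way to do the check LonnyRJones describes above (find the win.ini load point HijackThis reports as an F1 line, then judge the file by its location and hash rather than by its name), as an added example that is not the forum's, Spybot's or HijackThis's code. The win.ini text is constructed, the known-good path and MD5 for the Word 6 msinfo.exe are the ones quoted earlier in the thread, and the hash lookup is injected so the script runs offline.

```python
"""Triage of win.ini load points (the "F1 - win.ini: run=" lines HijackThis reports).

Added example for this thread, not Spybot's or HijackThis's code. The win.ini text
below is constructed; the legitimate path and MD5 for the Word 6 msinfo.exe come
from the SFC log and the Jotti report quoted in the thread.
"""
import hashlib
import re

# Known-good identity of the Word 6 "Microsoft System Information Browser".
KNOWN_GOOD = {
    "msinfo.exe": {
        "path": r"C:\WINDOWS\MsApps\MSINFO\msinfo.exe",
        "md5": "6d983604d0c8a951cba7749e3d8c9601",
    },
}

# Constructed sample win.ini. The run= line copies the shape LonnyRJones quoted for
# the CWS variant: a full path through "\..\" plus a bare name resolved via PATH.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\..\\PROGRA~1\\COMMON~1\\MICROS~1\\MSINFO\\msinfo.exe,msinfo.exe\n"
    "NullPort=None\n"
    "\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)


def parse_load_points(text):
    """Return (key, path) pairs from the load= and run= lines of the [windows] section."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "windows":
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("load", "run"):
            # both keys take a comma-separated list of programs
            entries += [(key, v.strip().strip('"')) for v in value.split(",") if v.strip()]
    return entries


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def md5_of_file(path):
    """Real-disk hash lookup; returns None when the file cannot be read."""
    try:
        with open(path, "rb") as fh:
            return hashlib.md5(fh.read()).hexdigest()
    except OSError:
        return None


def triage(entries, known_good=KNOWN_GOOD, hash_lookup=md5_of_file):
    """Classify each load point. A file name alone proves nothing, so compare the
    location (textually; 8.3 aliases are not expanded) and, when the file can be
    read, the hash against the known-good record for that name."""
    verdicts = []
    for key, path in entries:
        ref = known_good.get(basename(path))
        if ref is None:
            verdict = "unknown name"
        elif "\\" not in path:
            # bare name: Windows searches PATH, so any copy of that name can be picked up
            verdict = "bare name, identity unresolved"
        elif path.lower() != ref["path"].lower():
            verdict = "name collision: loaded from a different location"
        else:
            digest = hash_lookup(path)
            if digest is None:
                verdict = "expected location, file unreadable"
            elif digest == ref["md5"]:
                verdict = "matches known-good hash"
            else:
                verdict = "expected location but hash differs"
        verdicts.append({"key": key, "path": path, "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    for v in triage(parse_load_points(SAMPLE_WIN_INI), hash_lookup=lambda p: None):
        print(f"{v['key']}= {v['path']}: {v['verdict']}")
```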

Gabriele Hauschild
2006-07-26, 07:52
Thanks LonnyRJones for your reply.

You don't seem to have considered the many other results which can be obtained from Google about "msinfo.exe" including the examples given in my message in this thread of 20.7.2006, 14.02, one of which is from:

http://www.processlibrary.com/directory/files/msinfo/

and which states:
"msinfo.exe is an advertising program by Gator. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately. ..."

The other three examples I gave in this thread of 20.7.2006, 14.02 were:

http://www.justtext.com/processes-tasks/msinfo-exe.html

http://www.fbmsoftware.com/spyware-net/process/msinfo_exe/773/

http://www.maxpc.co.uk/tips/default.asp?pagetypeid=2&articleid=30091&subsectionid=719

You also did not consider in your reply, the copy newsgroup message from "Richard G. Harper [MVP Win9x]" which I pasted into my message in this thread of 20.7.2006, 14.02 and again in my message of 23.7.2006, 02.36.

I look forward to hearing from you regarding the above and hope you will be able to let me know why "msinfo.exe" is widely reported on the Internet as malware or as evidence of trojan or virus activity, while at the same time "msinfo.exe" is not detected as such when subjected to anti-malware and anti-virus scanners. If it is not malware then why is it widely reported on the Internet to be so?

Regards,

Gabriele Hauschild
2006-07-26, 08:06
LonnyRJones, wish to add the following to the message which I just posted, as it is not possible for me to go back and edit my posted message:

In your message of 23.7.2006, 13.32 you also wrote:

"also note the date "Approx date first sighted: August 22, 2003"
... Always consider symtoms and date of the information found when searching."

You make a fair point. Please therefore could you let me know if you consider there are two files both called "msinfo.exe", one of which is the file that comes with Word 6 and different one but of the same name that is malware?

I look forward to hearing from you.

Regards,

LonnyRJones
2006-07-26, 08:22
I'm sure there are several msinfo.exe's and msinfo32.exe's

Since there are no malware issues and we are on post 19 and page two of a topic, I'm closing the thread.

Good luck and stay safe.

Gabriele Hauschild
2006-07-26, 18:20
LonnyRJones,

Reference the thread in this forum:
"A strange case of malware", at:
http://forums.spybot.info/showthread.php?t=5913

You have closed that thread, thus removing the "Reply" option, without allowing me any opportunity to thank you there.

Sincere thanks for all your patient responses.

Best regards,

LonnyRJones
2006-07-27, 17:34
You're welcome

Sorry I cannot answer more precisely on those questions.

Surf Safe