*RESOLVED*--msmsgs.exe--Is this a virus or what? What do I do?

bovinda

Resolved--the only solution was to delete (or rename, probably) the Messenger folder in C:\Program Files. Thank you to everyone for the help.:beer:




Original Post: Twice now after I've left my computer on for awhile without using it I've found the CPU at 100% and the computer acting really sluggish. When taskmaster finally came on it showed that msmsgs.exe was using 97-100% of the CPU. I don't think it's Windows messenger because I uninstalled that when I first built this computer. So I ended the process in task manager. The computer was okay for about a minute, then the CPU went back up to 100%, this time it was explorer.exe! So I ended that one, and it happened again, this time it was something like rundll32 or something, I just killed it too. Now there's nothing on the screen except the wallpaper.

Norton AV (set according to MechBgon's guide), AdAware, and SpyBot didn't detect anything when I ran it. A Google search suggests there's a worm by the name of msmsgs.exe, but I can't find instructions how to get rid of it.

I'm stuck--what do I do to get rid of this thing?

Thanks folks,
Jeff
 

PCHPlayer

Sounds like you've done your malware homework. You may want to install ZoneAlarm or something similar to trap outgoing network connections. I had a similar problem a while back and it was a pain to get rid of. Lots of booting into safe mode, registry editing and unloading of dll's so I could delete the offending files. Have you looked at the spyware thread in the Software forum?
 

bovinda

No, I haven't seen the spyware thread yet--thanks, I'll go take a look at it and be back.
 

ScrapSilicon

Originally posted by: bovinda
No, I haven't seen the spyware thread yet--thanks, I'll go take a look at it and be back.

you got a bug,,,run some of the online scanners like Panda/Trendmicro...cute bug I found recently on a friend's Dell was hiding under navprotect.exe ..lol
 

mechBgon

What precise version of Norton is it? 2003, 2004, 2005? Have you run both LiveUpdate plus the daily updater from here yet?

Also yeah, get second opinions from some online scanners like ScrapSilicon said, and post a Hijack This 1.99 logfile if you have time.
 

bovinda

Hi guys, I used Norton AV as part of Norton's Internet Security 2005. I haven't used that updater MechBgon--it sounds like it's for larger corporate clients, or am I mistaken? Edit--Oops, I read it wrong, I'll download it right now.

Also, Panda's and Trend Microsystems' scans didn't show anything.

Here's the log file from Hijack This 1.99.00:

Logfile of HijackThis v1.99.0
Scan saved at 11:27:36 AM, on 1/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Documents and Settings\Administrator\Desktop\Installation files\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1104235761031
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I'm not sure I ran it right though, it's the first time I've ever used it, and it's all Greek to me. Can you guys make any sense of it?

Jeff
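
Added example, not part of the original post: a short Python triage of a HijackThis log like the one above. It lists running processes that no O4 (Run keys and startup folders) or O23 (service) entry accounts for, together with any other entry groups that mention them. The log text is an excerpt of the posted log; the `KNOWN_SYSTEM` baseline and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above, shortened for the example.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")           # "O4 - ..." style entries
EXE_RE = re.compile(r'([^\\/"\[\]=]+\.exe)\b', re.IGNORECASE)  # bare file name
AUTOSTART_GROUPS = {"O4", "O23"}                    # Run keys/startup folders, services
# Assumption: a tiny baseline of core OS processes that HijackThis never
# explains with an O-entry; a real baseline would be built per OS image.
KNOWN_SYSTEM = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "explorer.exe", "spoolsv.exe"}

def parse_log(text):
    """Return (running process paths, {exe name: set of O-groups naming it})."""
    running, refs, in_procs = [], defaultdict(set), False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            if line:
                running.append(line)
            else:
                in_procs = False        # blank line ends the process list
        else:
            m = ENTRY_RE.match(line)
            if m:
                for exe in EXE_RE.findall(m.group(2)):
                    refs[exe.strip().lower()].add(m.group(1))
    return running, refs

def unexplained_processes(text):
    """Map each running process with no O4/O23 entry to the groups that do name it."""
    running, refs = parse_log(text)
    result = {}
    for path in running:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_SYSTEM:
            continue
        groups = refs.get(name, set())
        if not groups & AUTOSTART_GROUPS:
            result[path] = sorted(groups)
    return result

if __name__ == "__main__":
    for path, groups in unexplained_processes(SAMPLE_LOG).items():
        print(path, "referenced only by:", groups or "nothing in the log")
```

On the excerpt this returns only `C:\Program Files\Messenger\msmsgs.exe`, which is named by an O9 entry and by no O4 or O23 entry.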
 

bovinda

Oh yeah, I saw that web page ScrapSilicon, but I wasn't sure if it was real or not. (It seems like there are so many scam spyware sites out there, I've just gotten so wary.) Is that site authentic?
 

ScrapSilicon

Originally posted by: bovinda
Oh yeah, I saw that web page ScrapSilicon, but I wasn't sure if it was real or not. (It seems like there are so many scam spyware sites out there, I've just gotten so wary.) Is that site authentic?

don't listen to me take it straight from symantec..p.s. notice the page date on symantec..there are even more variants of Agobot/Gaobot ..now
 

bovinda

I ran NAV again with the updater MechBgon listed, but it still didn't find anything...hmm.
 

mechBgon

1) maybe Windows and MSN Messenger are just being 'tards :confused:

2) run your scan in Safe Mode

3) try Ad-Aware with the VX2 add-on module (http://www.lavasoft.de)

4) what is that eHome item all about, something you recognized? How about that AOL stuff?

5) I would uninstall SiSoft Sandra if it were me.


Will try to check back later :)
 

bovinda

Wow, how can you tell all that from that? I don't know what the eHome thing is (or where you see it, at the moment), but I'll try and figure it out. I have no idea what all the AOL crapola is either; I just installed AOL and it seems like it puts in a ton of other sh-tuff. I'll try your other suggestions, too. Why would you uninstall SiSoft Sandra?

Edit--btw, your photo guide was immensely helpful when I was building my computer MechBgon. Many thanks for the work you put into it.
 

bovinda

So I restarted in Safe mode, but Norton won't open. I tried clicking on the short-cut, and I tried opening it through the start --> programs menu, but each time the computer thinks for about 20 seconds and then a small box pops up that says "Symantec Integrator has encountered a problem and needs to close. We are sorry for this inconvenience." It also gives me the choice to send an error report to Microsoft.

Also in safe mode and in regular mode, I searched for the file "msmsgs.exe" to see where it is. It shows up in c:\WINDOWS\Prefetch as a 22KB or 26 KB .pf file. The full name of the file is MSMSGS.EXE-2B6052DE.pf.

Is that it? In any event, it's not running in safe mode according to Windows Task Manager, and as seems usual, when I restart, it has no activity. I'm out of ideas for now, and it's not interfering with anything at the moment. I'll try letting the computer sit for awhile and see if it starts up again this evening like it did yesterday and this morning.
 

bushman

I usually disable msmsgs so that it doesn't load at startup. everyone seems to think this is a bug. is it? no one mentioned trying to disable at startup. if you want to try, go to "run" and type in "msconfig" and go to startup. uncheck msmsgs , apply and restart. sorry if i'm suggesting something everyone knows. hope it might help. i've never been able to uninstall msmsgs so though you might've uninstalled, it could still be around. i feel like a dumbass.
 

bovinda

Hey bushman, believe me, I appreciate all suggestions in trying to figure this thing out. I hadn't tried the startup stuff, so I went into msconfig and startup, but msmsgs.exe doesn't show up anywhere as an option to be checked or unchecked. Is that weird?

Also, there's a startup item that has no startup item name or command (both fields are completely blank), but does have a checked box. Is that normal?
 

montag451

download trojanhunter, uninstall nortons, install any other antivirus - maybe avgfree, run all in safe mode
 

bovinda

Uninstall Norton? Really? Does Norton normally have a problem running in safe mode? I'll download those other programs, and give them a try later this evening if that's the best course of action. Is it necessary to uninstall Norton before using another virus scanner?
 

montag451

no - norton doesn't have a prob running in safe - but it does sound as if there is a problem with it running at all.

the only way i would use 2 antivirus is if one was an online scan.
Otherwise - you definitely do not want 2 running at the same time.
You wouldn't really have to uninstall if you didn't want to - as long as you configure nav to not start any of its modules at boot - that option would be in nav, and also, just go into msconfig to make sure
 

bovinda

Some more details: The computer is acting up right now, after having left it on for a couple hours. msmsgs.exe is hogging 99-100% of the resources, and the computer is lagging.

When I searched for msmsgs to try and find out where it is, only four results show up, and none are .exe files, as far as I can tell:

msmsgs in C:\WINDOWS\inf (says the type is "Setup Information");
msmsgs.PNF in C:\WINDOWS\inf ("Precompiled Setup Information");
MSMSGS.EXE-2B6052DE.pf in C:\WINDOWS\Prefetch;
and MSMSGS in C:\WINDOWS\System32\CatRoot\{F750E6C3-38EE-11d1-85E5-ooCo4FC295EE} (says it's a "Security Catalog").

Task Manager also says there is no network utilization.

When I end the process msmsgs.exe, CPU usage drops back to zero, and everything appears fine. So I tried opening up internet explorer, and it doesn't open, but Task Manager shows that IEXPLORE.EXE is now hogging 99-100% of the CPU. Network utilization is still 0%.

When I end IEXPLORE.EXE everything gets unstable and lags. Task manager doesn't want to respond to anything anymore, even though it shows CPU as 0%. Nothing is working, so I'm going to restart it. Wait, now it shows CPU as 100%...I'm resetting it now 'cuz everything is lagging so much.



I'll try uninstalling NAV and running another antivirus in safe mode tomorrow, but does this sound like a virus, or does it just sound like something buggy in Windows, like MechBgon suggested? How can I figure out where msmsgs.exe is located if it doesn't show up in the search menu? Is there some way to manually delete it?
 

PlasticJesus

Originally posted by: bushman
I usually disable msmsgs so that it doesn't load at startup. everyone seems to think this is a bug. is it? no one mentioned trying to disable at startup. if you want to try, go to "run" and type in "msconfig" and go to startup. uncheck msmsgs , apply and restart. sorry if i'm suggesting something everyone knows. hope it might help. i've never been able to uninstall msmsgs so though you might've uninstalled, it could still be around. i feel like a dumbass.


I don't know the solution to the OP's problem. As for your being unable to uninstall msmsgs, I can tell you how I do it. Step by step, not knowing who anybody is and who knows what. This assumes WINDOWS is on (C).

My Computer\Tools\Folder Options...\View\Show hidden files and folders\OK
(C)\WINDOWS\inf\sysoc

at this time, go down to the line that starts with msmsgs and delete the word hide, leaving the two commas together; close the file, saving the changes

Start\Settings\Control Panel\Add or Remove Programs\Add/Remove Windows Components

in the Windows Components box you will now see two Windows Messenger selections; uncheck them both; if that second one won't uncheck, don't sweat it; once you've clicked on that check mark and hit Next>, everything will do what it's supposed to do.

Why MS felt the need to hide this is beyond me.

In any case, if all this does nothing for you maybe someone else will find it at least interesting.

edited to remove inadvertently created emoticons
 

bovinda

PlasticJesus, I thought I'd give that a shot too. Will uninstalling msmsgs.exe remove the program completely, including from when the computer starts up? Maybe that will solve my problem too? We'll see...
 

bovinda

Well...ending the process right when I restart the computer seems to prevent anything from ever getting too crazy. I tried what PlasticJesus suggested, but msmsgs.exe still shows up in task manager when I restart the computer.

So...I don't know what it is. But--I have two questions: is there some way to find and manually delete msmsgs.exe wherever it is, because task manager doesn't give any info on it? Or--is there some way to permanently deactivate it so it doesn't start up, other than the msconfig program (because it doesn't show up on there)?

Or does anyone else have any other advice/ideas?

Thank you to everyone who helped me investigate this...I really appreciate all your guys' time and energy.
 

imported_Phil

Originally posted by: bovinda
Well...ending the process right when I restart the computer seems to prevent anything from ever getting too crazy. I tried what PlasticJesus suggested, but msmsgs.exe still shows up in task manager when I restart the computer.

So...I don't know what it is. But--I have two questions: is there some way to find and manually delete msmsgs.exe wherever it is, because task manager doesn't give any info on it? Or--is there some way to permanently deactivate it so it doesn't start up, other than the msconfig program (because it doesn't show up on there)?

Or does anyone else have any other advice/ideas?

Thank you to everyone who helped me investigate this...I really appreciate all your guys' time and energy.

Yes. Rename the c:\program files\messenger directory to something like "messengerdisabled", and reboot. Voila, Messenger now cannot start. :)
Don't forget to end msmsgs.exe before doing this or you'll encounter an error.
 

bovinda

D'oh! msmsgs.exe started acting up again, so I just deleted the Messenger folder altogether, and that finally did it. I can see renaming it would have worked as well--thanks for the suggestion Dopefiend. Any reason to keep it around if I'm not using it or ever planning to?