Messenger Service mysteriously restarting

Craif Cleveland, Ohio ("round on the ends, high in the middle")
edited May 2004 in Spyware & Virus Removal
:eek2: Every day, it seems that msmsgs.exe starts on its own, or probably by some other program, of which, I am not aware that is doing this. I am 99% sure that my computer is clean of spyware since I continually run spybot, xcleaner, cwshredder, bazooka, hijackthis, and NAV to keep the crap out. I have gone thru all of the procedures that describe how to turn off msmsgs.exe and double checked it. Even Xcleaner reports that it is turned off. However, it continually restarts. In fact, in the short time it took to write this note, I have "end processed" it, and it has come back, twice. Any clues?

Comments

  • edited May 2004
    I have also run into the same problem with Windows Messenger, not to be confused with the standalone MSN Messenger Service myself. This is an unneeded app for most people and shouldn't even run unless specifically needed, as it's now being used as an exploit by adware/malware.

    This is what I do to get rid of the bugger. :cool: First, I go into Administrative Options and disable Messenger Service, then I go to Add/Remove programs and Add/Remove Windows Components and uninstall from there. That isn't enough however, as the damn files are still on your hard drive and can be reactivated. Finally, I go into C:\Program Files and delete the whole Messenger folder. The next time you boot, you will see a message about some dll file being missing (if I remember right) and then Windows will go on about its merry way. :) You won't be bothered again about it either. :D
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    Craif wrote:
    :eek2: Every day, it seems that msmsgs.exe starts on its own, or probably by some other program, of which, I am not aware that is doing this. I am 99% sure that my computer is clean of spyware since I continually run spybot, xcleaner, cwshredder, bazooka, hijackthis, and NAV to keep the crap out. I have gone thru all of the procedures that describe how to turn off msmsgs.exe and double checked it. Even Xcleaner reports that it is turned off. However, it continually restarts. In fact, in the short time it took to write this note, I have "end processed" it, and it has come back, twice. Any clues?

    You are using Task Manager, right (CTRL-ALT-DEL brings up Task Manager)??? But the service is running by default in auto mode, so you kill what IS running but Windows restarts it in auto mode. Do the admin tools thing, kill the service in the services pane. Right-click, tell it stop, right-click, tell it properties, then choose DISABLE. Now use Ok, use apply if there is one first for each dialog box with both apply and Ok buttons. Also, do this as administrator, if you do as user and login as another user, it will be there, and this you want off for the whole box if this box is not in a LAN.

    Having done that, exit any running programs, then restart Windows so the change is properly committed to parts of registry that store permanent settings.
  • Craif Cleveland, Ohio ("round on the ends, high in the middle")
    edited May 2004
    Yes, this is stuff I have tried. That's why I characterized it as a mystery. In "services" it is listed as "stopped" and "disabled" but it is reappearing. I login the same all of the time. I am an administrator.
  • Guyute Gamehenge
    edited May 2004
    Wow, so I am not the only one...I installed Zone-alarm Friday and ever since then I get messages for the same thing every 30 seconds or so, even after I end-task'd it. I'll have to do a little more work to stop this bugger, because it makes me nervous trying to hook up.
  • edited May 2004
    If you follow the directions I posted, you will have no more problems with that on your machine. If you want to use Microsoft's IM, then d/l the MSN Messenger standalone app.
  • Leonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian
    edited May 2004
    Wouldn't just turning it off, and selecting disable in Services be the easiest solution?
  • DanG I AM CANADIAN Icrontian
    edited May 2004
    There's a string of text that you can enter in the run box and it will remove the dll's for windows messenger. It does not affect msn messenger. I have done this on my system and occasionally in the error log it gives me something about not being able to start the messenger service, but no errors on boot.
    Open the run box and copy and paste this in and hit enter.
    RunDll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove
  • edited May 2004
    Leonardo wrote:
    Wouldn't just turning it off, and selecting disable in Services be the easiest solution?

    It would, but I've still had problems with the damn service still appearing in the systray and running as a process even though I've had it disabled in services. :confused: So I just delete the damn thing and no more problems. :cool:
  • Leonardo Wake up and smell the glaciers Eagle River, Alaska Icrontian
    edited May 2004
    Mud, what the heck is running that is invoking it to start? There's something wrong here.
  • edited May 2004
    Leonardo wrote:
    Mud, what the heck is running that is invoking it to start? There's something wrong here.

    That I never could figure out, Leo. But, since Windows Messenger was originally just put in the OS for a Sys Admin on a LAN to send out systemwide messages to all the client computers, it doesn't pertain to either me or the greatest majority of the folks using Windows OS's out there, so I just get rid of the troublemaker. ;D

    I do know that I don't have any more problems with it once I zap the sucker off my hard drive though.
  • profdlp The Holy City Of Westlake, Ohio
    edited May 2004
    I agree with Leo. I've had this problem on every WinXP computer that wasn't behind a firewall. It never came back on any of them after I disabled the Windows Messenger service.

    Methinks there is something rotten going on to re-enable it behind your back.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    Craif wrote:
    Yes, this is stuff I have tried. That's why I characterized it as a mystery. In "services" it is listed as "stopped" and "disabled" but it is reappearing. I login the same all of the time. I am an administrator.

    Craif, not to insult you, but go on a local-to-box-or-LAN trojan hunt, ok???? Mine went off, stayed off, on XP Pro, just as I described-- but with it turning itself on, is possible that something nasty is using that service and reactivating it. It is just BARELY possible to push a trojan through that pipe or have one activate Windows Messenger. Also, I have Messenger Service disabled and have msmsgs running on computer and it is sending ZERO outbound messages AND receiving ZIP from outside (I know this, my router would tell me by port used, which I do know), it used to be that also gave you normal system messages and that Windows Messenger Service and msmsgs.exe were not exactly same. Messenger Service did USE msmsgs but it was not that exactly or alone.

    If a trojan or hybrid gets INSTALLED while the admin ID is active, it can have admin privileges-- default install is to privs of user running at install time. That is not good, but it has happened.
  • edited May 2004
    profdlp wrote:
    I agree with Leo. I've had this problem on every WinXP computer that wasn't behind a firewall. It never came back on any of them after I disabled the Windows Messenger service.

    Methinks there is something rotten going on to re-enable it behind your back.

    Nothing rotten that I could find. As a matter of fact, I believe this laptop here was one of my rigs I had the problem with, so I deleted Messenger off of it. Here's a HJT log of what's running on this box and nothing I see there could be causing this to happen.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:06:10 PM, on 5/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Navnt\POPROXY.EXE
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\Trayit\trayit!.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\folding\FAH4Console.exe
    C:\folding\FahCore_78.exe
    C:\EM3\EMIII.exe
    C:\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.overclockers.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:83
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: TrayIt!.lnk = C:\Trayit\trayit!.exe
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021017/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38090.2229166667
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    You will notice that I have MSN Messenger installed, which I did after removing Windows Messenger as I do use that IM client. I took it off for a couple of reasons. I don't like processes running for no reason and I don't want to have a potential hole for crap to come into my computers.
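
The thread keeps returning to the difference between Windows Messenger (msmsgs.exe) and the standalone MSN Messenger (MsnMsgr.Exe), and to the question of what starts the former. The following is an added example, not part of any post in this thread: it reads a HijackThis log and reports every running process and O4 autostart entry that points at either program. The sample log is constructed, and its [MSMSGS] Run entry is an assumed illustration.

```python
import re
from ntpath import basename  # Windows path rules on any host OS
# Constructed sample in HijackThis layout (not the log posted in the thread).
# The [MSMSGS] Run entry is an assumed illustration of such an autostart.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: TrayIt!.lnk = C:\Trayit\trayit!.exe
"""
O4_RUN = re.compile(r"^O4 - (?P<where>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
WATCH = {"msmsgs.exe": "Windows Messenger", "msnmsgr.exe": "MSN Messenger"}

def exe_name(cmd):
    """Lower-cased image name from a quoted or unquoted command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:  # unquoted paths may contain spaces, so cut at the first extension
        m = re.match(r".*?\.(?:exe|dll|com|bat)\b", cmd, re.I)
        path = m.group(0) if m else cmd.split()[0]
    return basename(path).lower()

def parse_hjt(text):
    """Return (running process paths, [(where, name, cmd)] for O4 entries)."""
    processes, autostarts, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if line == "Running processes:" or not line:
            in_procs = bool(line)     # header opens the list, blank line ends it
        elif in_procs:
            processes.append(line)
        elif m:
            autostarts.append(m.group("where", "name", "cmd"))
    return processes, autostarts

def messenger_findings(text):
    """List (product, source, detail) for each Messenger image in the log."""
    processes, autostarts = parse_hjt(text)
    found = [(WATCH[exe_name(p)], "running", p)
             for p in processes if exe_name(p) in WATCH]
    found += [(WATCH[exe_name(c)], "autostart " + w, c)
              for w, _, c in autostarts if exe_name(c) in WATCH]
    return found
```

An msmsgs.exe process with no matching autostart entry means the launcher is something the O4 section does not cover, such as another program starting it on demand.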
  • MediaMan Powered by loose parts.
    edited May 2004
    Craif,


    Here is the 100% simple way to deactivate MESSENGER so it never bothers you again.

    Step 1: Right click on the Messenger ICON in the taskbar. Exit it.

    Step 2: Open up C:\program files and look for the MESSENGER folder. Rename it to MESSENGEROLD

    Step 3: Choose START>RUN and type MSCONFIG.

    Step 4: Choose the startup tab and untick the msmsgs entry.

    On your next reboot and every reboot thereafter MSN Messenger will never bother you again. Reactivating it is as simple as renaming the MESSENGEROLD folder back to Messenger in step two and rebooting.

    It's worked for me on every install of WinXP for over a year. Believe me that I've reinstalled windows enough times. :) Hope this helps.
  • Mancabus Charlottesville, VA
    edited May 2004
    Outlook Express loves to run msmsgs.exe when it starts.
    So far that is the only program I think runs it by default when started.

    I stop it by deleting or renaming the Program Files\Messenger folder. Then doing what it says on this page http://www.tweakxp.com/display.aspx?id=108 to fix the slow opening of OE.
  • Guyute Gamehenge
    edited May 2004
    Wanna see something interesting? I did a search on my C drive for any program entitled "ms*.exe". So far (it is still running as I type) it has found 3 different copies of "msmsgs.exe"- 2 are the same size file, but different locations,

    C:\WINDOWS\ServicePackFiles\i386 and
    C:\Program Files\Messenger

    The third is a different size, and is contained in a CAB file (don't know what a CAB file is, but I remember I had the omegasearch garbage in one) in the folder

    C:\1386\mssetup.cab.

    If I right-click on it I don't get the same options as the other two files; I can only "open", "copy" or "extract". So I wonder if we all have some virus in there? Any thoughts?
  • entropy Yah-Der-Hey (Wisconsin)
    edited May 2004
    ok, i hate that stupid program, but it's still useful for certain apps with msn messenger (remote, app sharing etc). so i got a program that lets you disable it ... and it works :D and i'm sure exactly what it does, since i haven't really checked all that much, but here it is.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    IF this has a typo in it and should be:

    C:\i386\mssetup.cab

    I am 90% sure it is OK. Let's explain .cab files real quick:

    .CAB is actually the short name for CABinet, and the archive is of type .ZIP of an old kind. Normally Windows .CAB files are floppy sized, and are used to install windows things or the O\S itself. 2000 and XP use the exact thing I listed as correct typing above to install windows and\or from an install update before you have security packs in and get the newer one that was where the other two you said you had of that name live.

    YOU CAN look at it with PicoZip or a trial of WinZip and not extract it. So, if you right-click it it also should give you a few dates in the Properties option of that list, and I would like to know the Create and Modified dates (they should be the same, same as date Windows was installed or the release date for your windows-- ignore access date), and if the properties thing shows up tell me what the size is. I will tell you if legit or not, can look at an XP CD here see size. My guess is it normally should just fit on a floppy.

    The reason I am doing this this way is that some malware authors ARE changing the file type Windows SEES to CAB on things, or adding malware to .CABs and I have seen both happen. Unfortunately there are also viruses that infect CABs, but in this case it should be original if the 1 was really an I or i because if create date and modify date are same it was protected by XP, and if not dated like that it should have been-- stock XP WILL protect this folder C:\i386, the data gets copied and locked rather massively. DO NOT unlock that folder, ok????