Help with msmsg.exe issues under NIS 05 & XP Firewalls please.

Discussion in 'other software & services' started by ConstantLearning, Feb 12, 2006.

Thread Status:
Not open for further replies.
  1. ConstantLearning

    ConstantLearning Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    157
    I'm having a few problems with my AMD Athlon 2400+ 2GHz system trying to get the PC setup reconfigured since an updated version of NT4 to "Windows" aka NT 5.1 on an XP SP2 standalone system.

    PC now thinks it's a Network and has re-installed the infamous Messenger ( not Windows Messenger nor of course, MSN's ) - msmsg.exe has gone ahead to create a total of 16 connections on both UDP and TCP protocols - most being local host and a few being this computer's name and its NT ID/Name.

    To clarify, "Messenger" is disabled according to the Windows MMC as per the default of XP SP2, yet since the installation of the updated version of NT/Windows, the msmsg.exe program is constantly seeking new connections within the PC (although still listed as Disabled according to MMC) - and asking for acceptance of new Automatic NIS 2005 Firewall Rules - yet as explained below, I can only find "Windows Messenger" in the NIS Firewall Rules.

    I want to remove it or disable it entirely, as I see only risks in having this program connect to some of the most notorious ports and constantly being blocked by NIS 2005 under default Trojan rules due, I gather, to the ports it chooses to access. I cannot find "Messenger" in my NIS firewall rules, only "Windows Messenger", which is listed as msmsg.exe. :doubt:

    The only connections I've found for this msmsg.exe are in the Windows XP Firewall that runs in conjunction with the NIS 05 one. In the Windows XP Firewall, all the TCP & UDP connections are listed and checkboxes are ticked. Will simply unticking these free me from this annoying program?

    OK - I've just tried using NIS Firewall rules to Block "Windows Messenger" yet NIS is still asking for approval of new Firewall Rules for "msmsg.exe" so that doesn't seem to have helped any and has apparently caused the vanishing of my ATM 2 connection to BroadBand (ADSL ) - yet the ISP is still connecting which it has never done before without the ATM 2 being active... (ATM 2 is reporting a cable unplugged yet no hardware changes have been made nor cables altered ) So it appears that the program resides within the Windows Firewall as far as I can tell - just want to check with folks who know what they are doing before making major changes.

    I also want to return the pc to a standalone system rather than deal with all these Servers I do not have the knowledge to protect fully nor have need of. My biggest error as far as I know, was in making Microsoft a "Trusted Site" which resulted in it now auto-updating as per instructions but it also commenced "self-updating" which it never did before the Trusted Site error on my part. It is the self-updating which is adding on all the stuff I don't want nor can I find out how to stop it even though the trusted status has been removed months ago.

    I am severely physically disabled and the pc is my lifeline to the outside world so I need to keep it as secure as possible, simple enough to manage and functional. It is an OEM so I don't have the disks to do a clean install from scratch unfortunately... Any help would be deeply appreciated and I hope I've put this in the right forum, apologies to the Mods if I've erred in this. Please forgive the verbose explanation but the intent is to make the problem clear - believe it or not. So much to learn, so few brain cells left to do it with o_O

    Thanks in advance for any help.:thumb:

    Constantly Learning
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hi,
    First, you say Windows aka NT 5.1 on Windows XP SP2. This confuses me a bit. Do you mean you use Windows XP SP2?
    Now...
    I don't think Microsoft is installing anything on their own. If configured as trusted, you will at most receive standard Windows updates. I have not yet encountered inadvertent installs by Microsoft, for all their notoriety.
    As to Messenger ...
    Try the following:
    Create a restore point in system restore.
    Click Start > Control Panel > Administrative Tools > Services.
    Locate a service called Messenger.
    What does it say? Is it disabled?
    If not, right-click, Properties, under startup type choose Disabled, click Apply, exit and reboot your machine.
    Please report back what happens.
    If this does not help, we'll try something more rigorous.

    Option 2 - only if above does not help!
    First, don't forget system restore!
    Click Start > Run, type gpedit.msc
    You will now see Group Policy.
    Under Local Computer Policy > Computer Configuration
    Select Administrative Templates > Windows Components > Windows Messenger.
    In the right pane, you have two options:
    Do not allow Windows Messenger to be run
    Do not automatically start ...
    Near both options should be a 'not configured' written on the right side.
    Right-click each option, Properties, select enabled.
    Reboot.
    And please report what happens.
    If this does not help, we'll move on to option 3.
    But that's for later.
    Cheers,
    Mrk

    P.S. I just noticed you run BOTH NIS and Windows Firewall. Not good. ONLY one firewall at any given time - so either NIS OR Windows Firewall, but not both. This can cause lots of conflicts and problems.
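    The same two steps from a command prompt, as an added example that is not part of Mrkvonic's post. It assumes an administrator account on XP SP2 and a System Restore point made beforehand, as advised. The registry values PreventRun and PreventAutoRun are the settings behind the two "Windows Messenger" options in gpedit.msc, which matters because gpedit.msc is only shipped with XP Professional; the reg commands apply the same policy on XP Home.

```batch
@echo off
rem Added example, not from the thread: check and disable the Messenger
rem service, then apply the two Windows Messenger policies gpedit.msc sets.
rem Assumes an administrator account; create a restore point (rstrui.exe) first.
setlocal
set POLKEY=HKLM\SOFTWARE\Policies\Microsoft\Messenger\Client

echo === Messenger service (net send / Alerter style, NOT Windows Messenger) ===
sc query Messenger
sc qc Messenger | findstr /i "START_TYPE BINARY_PATH_NAME"

rem Stop it and make it Disabled. The space after "start=" is required by sc.
sc stop Messenger >nul 2>&1
sc config Messenger start= disabled

echo === Windows Messenger (msmsgs.exe) policy values ===
rem PreventRun     = "Do not allow Windows Messenger to be run"
rem PreventAutoRun = "Do not automatically start Windows Messenger initially"
rem A DWORD of 1 is the same as choosing "Enabled" in gpedit.msc.
reg add "%POLKEY%" /v PreventRun /t REG_DWORD /d 1 /f
reg add "%POLKEY%" /v PreventAutoRun /t REG_DWORD /d 1 /f

echo === Verify: service start type should read DISABLED, both values 0x1 ===
sc qc Messenger | findstr /i "START_TYPE"
reg query "%POLKEY%"
endlocal
```

    Save as a .cmd file and run it from an administrator account; the verification lines at the end show whether the change took, and a reboot is still needed for the policy to affect a Windows Messenger instance that is already running.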
     
  3. ConstantLearning

    ConstantLearning Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    157
    Thanks for the suggestions & sorry, I must not have made myself clear.

    I am running XP with SP2, it also runs NT4 to handle the NTFS file systems as per standard with XP & also handles the fast switching between users/identities on the standalone PC.

    It is the NT4 that was upgraded to 5.1 - the NT side of the XP OS .

    Option one was covered in the original post MMC ( Microsoft Management Console ) reports under Services, that Messenger is disabled.

    Yet Messenger is running on this pc and making a growing list of connections back to the PC and/or Local Host since the NT 5.1 update.

    Windows Messenger is not the problem as far as I can discern, it is the inbuilt "Messenger" that was used for the Alerter services ( also disabled by default and left that way in MMC aka Administrator Tools > Services ) etc between the NT and the XP side of the OS.

    I have not yet tried option 2 so have still to report on that, but as it is targeted at "Windows Messenger" which is, afaik, NOT the problem but "Messenger" itself - I'm unsure if it would be helpful. Disabling Windows Messenger via the NIS made no difference in the number of "popups/alerts" informing me that NIS has made automatic rules for msmsg.exe as it attempts yet another connection.

    Windows Firewall and NIS Firewall are configured and designed to run as a shared Firewall, otherwise the windows firewall would have been turned off long ago. I have never experienced any conflict between them, and in the literature of both MS and Symantec utilising both firewalls as a shared system is recommended if you have them.

    I will go check out the Group Policy ( thanks ) and let you know the result & I won't forget the Restore Point ;)

    From what I've found though, it seems the simplest and most direct method for disabling this program is to delete the permissions, ie the checkboxes in the Windows Firewall side of things, as that is the only place I've so far found a list of the connections it is making. If I make a restore point prior to doing this, is there any reason it would not be safe to try disabling the program this way? Then when the NIS asks me what I want to do on its first connection, I could choose the "always block" option which could solve my issues.

    In the 20 mins or so taken to type this reply, I've had over 16 "popups" to tell me NIS is/has created another Rule for msmsg.exe and is waiting for me to click the OK, which I'm not doing for obvious reasons.

    Hope I made myself and the situation a little clearer and sorry for any confusion I may inadvertently have caused, thanks for helping :)

    CL
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hi,
    I still don't follow you.
    Do you mean you run a dual boot?
    Fast switching is a service in Windows XP.
    Do you use Outlook Express / IE for day to day work?
    Mrk
     
  5. ConstantLearning

    ConstantLearning Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    157
    Hi,

    No, I am not running a dual boot. NT 4 ( aka NT AUTHORITY ) is the feature that allows the fast-switching function in XP - with or without SP2. It is an integral part of XP according to all the help files and handles the file system so there is choice between FAT32 or NTFS for file handling over multiple users on the same PC irrespective of online/offline status. When XP was loaded NT4 came with it to enable the Workstation option & RPC etc.

    My original NT4 was upgraded to NT5.1 and since then Messenger has become active again & a problem.

    As I type it is still "automatically creating preconfigured rules for Microsoft msmsg.exe" according to the NIS notifier. The only place I can find a list of the connections - apart from seeing them listed in the NIS Statistics "more info" tab where I can see the msmsg connections and the ports being used by them - is the Windows Firewall, when looking at the settings of the connections to the outside world, where every one of them is listed in the tickboxes and active.

    I went back and checked the status of Messenger after creating a restore point and found to my surprise that it has somehow been enabled at Admin Tools > Services level with "interact with desktop" checked, which is entirely new, yet it's disabled on the only 2 hardware profiles on the PC - probably added the desktop part etc when I blocked it in NIS I'm guessing, as I'd checked it just prior to doing that and it was disabled as far as Administrative Tools was concerned. Apart from the "Computer Browser" all its dependencies are disabled by default or Security settings, ie I hadn't disabled them.

    So I did disable Messenger ( used for alerter and net send ) at Admin level as I'd just made a restore point so no harm, no foul it seemed. It has changed a lot of Security Policies and a few other policies as well as apparently making it difficult for some aspects of the bootup procedure to be properly logged. Anyway, result is - apart from policy changes, no difference, Messenger is still active and still seeking to make connections - lots of them and at rather suspect ports.

    I don't use Outlook Express at all.

    I do use IE a fair bit.

    I tried to do option 2 but got the error message "Windows can not find this file ..."etc, so perhaps we are speaking slightly different languages or OS or I just have a pc as strange as its user :ninja: < most likely option :D

    I don't mean to be confusing, sorry bout that and thanks for trying to help :thumb:
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hi,
    Would you mind downloading HijackThis, running it and saving a log file, then sending me a PM with the log file or posting it in this thread?
    Download hijackthis at: http://spywarewarrior.com/files/HijackThis.exe
    Save this to a unique folder (eg C:\HJT); DO NOT save it on desktop.
    Run the exe.
    Do a SCAN ONLY. DO NOT FIX ANY ITEMS!
    After finished, save the log file.
    Open the log file in notepad, copy the text and post here or send me a pm.
    Mrk

    P.S. One more thing, terminology is crucial for understanding each other. You say things that confuse me a bit - like I disabled Messenger (used for alerter...) at admin level... What do you mean by admin level? What do you mean used for alerter?

    P.S.S. How did you update your NT Authority? Because I'm trying to reproduce your results without success. I am familiar with fast user switching feature, and so far it has done nothing it is not supposed to do. Likewise, I did not encounter any takeover-control efforts on behalf of Microsoft updates.
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi ConstantLearning,

    Can you clarify the process particulars? You refer to msmsg.exe; have you searched your system and determined where this file is?

    Regards,

    CrazyM
     
  8. ConstantLearning

    ConstantLearning Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    157
    Re: Help with msmsgs.exe issues under NIS 05 & XP Firewalls please.

    Hi CrazyM & sorry for taking so long to get back to you, I needed to get accurate information this time and in searching for the file/s it took me deeper as I tried to find the answers to your straightforward question. It has made a lot of the confusion much clearer & have resolved one issue along the way.

    I had just finished writing a VERY long post from my multitude of notes written during the week of researching and don't know what key I clicked by accident, but it closed the window just as I was about to post. Having just done a small cut n paste to move a sentence, I've no final copy so am starting from scratch again. As a result this will be a shorter post, for which I'm sure we will all be thankful!

    I must apologise as I made a major error originally in the filename I used, which has only added to the confusion . It is msmsgs.exe that is the problem not "msmsg.exe" as I had posted and I've altered the Thread Title accordingly. I am so sorry for wasting your time and energy by mislaying that final "s" - it was not intentional.

    The constant alerts re this Application stated that it is located at C:\Program Files\Messenger\msmsgs.exe which seems simple enough but searching for that Application name along that path returns a " 0 files found" - even with hidden & system files included in the searches. This is why it's taken so long to finally find it. In fact any search of C Drive for msmsgs.exe returns "0 results" which had me stumped for a while o_O

    The only related applications I could find on the specified path have .dll extensions. One is named MSMSGSIN.DLL for Application Windows Messenger 4.7.0041. The other msmsgsc.dll & msgslang.dll are Application Extensions to Windows Messenger as far as I can ascertain. One is a language app and I've no idea what the other is.

    I found 6 matches in total to the search covering "My Computer" for msmsgs.exe aka Windows Messenger. Compressed versions are located in the following folders:
    - C:\WINDOWS\$NTServicePackUninstall$ ( Windows Messenger Version 4.7.0.2009 )
    - C:\WINDOWS\ServicePackFiles\I386\ - MMSSETUP.CAB ( Can't find the version without extracting the file, it is dated 2002 & appears to be the original version for XP )
    - WINDOWS\$NTUninstallKB887472$ ( Windows Messenger Application version 4.7.3000 )
    - WINDOWS\Prefetch ( from the searches I gather, as I don't know which program can read such files )
    - C:\WINDOWS\$hf-mig$\KB887472\SP2XYZ ( the final 3 characters are not the genuine ones as I don't know what is safe to share and what is not ) - the most recent version, 4.7.3001.

    Further investigation into IE "manage add-ons" informs me that Windows Messenger is Disabled by IE; again I did not configure this. This may well explain why I cannot find msmsgs.exe in the C:\Program Files\Messenger folder although this is the path that NIS is making the rules for. Perhaps this is why only the msmsgsin application & add-ons can be found in that folder, along that path?

    I have apparently solved the ever increasing number of connections issue & the constant Alerts telling me of new Rules for Messenger, by simply going back into NIS Anti-Virus "Options" and un-enabling "protect my Instant Message Programs" which had been added to protect the use of MSN Messenger which I use on rare occasions. It has been approx 10 hours since I made this change and am finally free of the ever growing number of connections, the alerts and this program being read by NIS as attacking this pc! :D

    So simple yet took so long to suss out, nothing unusual there - the answer is always clear once you've found it.

    However there remains one issue I would really like to resolve & that is the fact that all 18 of the connections created by this program are still checked in the Windows Firewall, Advanced Tab, "Network Connection Settings" on my broadband ISP. This is one of the few functions still handled by the Windows Firewall side of things as NIS takes care of the vast majority of firewall duties.

    Is there any reason I cannot now simply uncheck these potential connections?

    Reason being that with them "enabled" so to speak, the program could still use them or they could be a pathway of risk as I would not know if they were accessed by the program or any other that is trusted by NIS.

    Many of the ports that Windows Messenger was using are also ports used by Trojans such as Progenic, Portal of Doom, Bla, Backdoor-g etc & other unwelcome creations - this is one reason I've been so desperate to get it disabled and kill the connections it created.

    It is a genuinely wonderful sight to check the NIS Statistics, More Details page and see no connections by msmsgs - in fact some of the ports it was using have been taken over by System and Svchost with the overall number of connections dropping significantly.

    There are 4 Windows Messenger Rules displayed on NIS 05's "Statistics, More Detail" page where the UDP and TCP connections are displayed along with the NIS Firewall Rules etc.

    The other setting I'm unsure about in the "Win Firewall Advanced, NCS, my ISP" is that the "Internet Mail Server (SMTP)" is enabled.
    As a basic user of a standalone system, using an online mail service and not using Outlook Express for mail, is there any need for this to be enabled? Would it make a difference to being able to communicate with the ISP's email for example or is there any viable reason for it to be enabled?

    POP 3 is enabled on a different internal ATM connection to utilise Outlook Express ( back when it worked reliably ie pre- SP2 ). As well as operating an ELAN, this ATM drives the NDIS miniport for the broadband connection.

    Am I now at the stage where I can simply uncheck these "permitted" connections, as the program is disabled in IE, has Firewall Rules in NIS 05 and is unused by either user of this PC? The only reason I am aware of for not making it completely unusable is its function in Remote Call Procedure/Remote Call Assistance etc. situations - should they ever arise, in which case it can be rapidly re-enabled via Internet Explorer with a single click.

    If the answer to this is Yes, I'll be a very happy person indeed :D

    If I have given too much information - sorry, newbie to forums like this one. For the confusion I created by mis-naming the file, I apologise.

    Finally, to clarify the OS used & answer Mrkvonic's earlier question, when I read the Properties of "My Computer" it lists it as
    "System : Microsoft Windows XP Home Edition (version) Service Pack 2"
    yet

    When I check "My Computer" System Information it tells me that the OS is "Windows : 5.1 (Build 2600 )" & lists as "Net Clients" - Microsoft Terminal Services, MS Windows Network & Web Client Network & when I click on the Details tab there, under OS, it informs me I am running on Platform 2:Windows NT.

    When I check either System Information or Properties via the MMConsole - the response is Windows 5.1 build 2600 XP SP2 client & a registration number for the XP info.

    This is where the confusion stepped in, as I understood this as being NT version 5.1 running as System/Network/Admin control - over XP service pack 2. I do not know if this qualifies as "Dual boot".

    I hope this clears up the confusion and explains any mis-statements I may have made re the OS.

    Thank you both so much for your time and effort in helping :thumb: and again, so sorry about the confusion in filenames & OS.

    I made sure I have a copy of this post - all of it this time, believe it or not this is actually shorter than the original post! :blink:

    a very thankful ~
    CL
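    An added example, not part of ConstantLearning's post or of any of the replies, covering CrazyM's question (where is the file?) and the remaining question about the ticked Windows Firewall entries. It assumes XP SP2 (the `netsh firewall` context), the path C:\Program Files\Messenger\msmsgs.exe that NIS reported, and an administrator account. `dir /s /a` lists hidden and system files directly, which avoids the filters the XP Search Companion applies, and `netstat -b` (new in SP2) prints the owning executable under each socket line, so the connections can be matched to msmsgs.exe rather than guessed from port numbers.

```batch
@echo off
rem Added example, not from the thread: find every copy of msmsgs.exe, tie live
rem sockets to the process that owns them, and review the XP SP2 Windows Firewall
rem exceptions. Nothing is changed unless the script is run with /remove.
setlocal
set TARGET=msmsgs.exe
rem Path reported by the NIS alerts in the thread (assumed here).
set MSGPATH=C:\Program Files\Messenger\msmsgs.exe

echo === Every copy of %TARGET% on C: (hidden and system files included) ===
rem Expect hits in $NtServicePackUninstall$, $hf-mig$ and Prefetch as well.
dir /s /a /b "C:\%TARGET%"

echo === Sockets with the owning executable shown in [brackets] below each line ===
netstat -b -n

echo === Same view with PIDs, to cross-check against Task Manager's PID column ===
netstat -a -n -o

echo === Windows Firewall: program exceptions ===
netsh firewall show allowedprogram
echo === Windows Firewall: port exceptions, listed per interface ===
netsh firewall show portopening
echo === Windows Firewall: overall state ===
netsh firewall show state

if /i "%~1"=="/remove" (
    echo === Removing the Windows Messenger program exception ===
    rem Command-line equivalent of unticking the entry on the Exceptions tab.
    netsh firewall delete allowedprogram program="%MSGPATH%"
    netsh firewall show allowedprogram
)
endlocal
```

    Run it once without arguments and keep the output; an exception that points at a path where no file exists is harmless but worth removing so it cannot be reused by a later copy. Run it again with `/remove` only after confirming that the allowedprogram entry is the one for Windows Messenger. Port exceptions shown per interface are removed the same way with `netsh firewall delete portopening`, once the protocol and port from the listing are known.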
     