RedMonk

Well, There Goes Three Hours I’ll Never Get Back

About 5:30 last night, I got a call from a local friend of mine who reported that his Windows XP machine was running “really slowly.” After going through a few obvious steps over the phone, such as rebooting, disconnecting non-essential peripherals, and checking the Windows Task Manager to see what was chewing up cycles, it was pretty clear that I couldn’t fix it remotely so I headed over to his house.

Like Jon Udell talks about here, I’m the de facto administrator for many of my friends’ and family’s networks and PCs, not because I have the skills for it but because I know just enough to be able to tinker. The difficulty I’ve found with many of the non-technical folks I’m supporting is not that they don’t know how to use Google, but that they don’t know what to Google for, or what to do with the information even if they found it.

Last night was a perfect example of this, in that via the Task Manager (a non-intuitive interface in and of itself) I discovered that msmsgs.exe was running when it shouldn’t have been. A quick Google recommended that I remove it from the startup items. As Fraxas mentions here, one can simply use the msconfig tool (Start:Run:msconfig) to view the startup items (I typically have used the interface in Spybot), but there are two problems with that approach. One, probably fewer than 1% of non-technical Windows users would know that, and two, msconfig also provides tabs for the alteration of the boot.ini file – probably not ideal for folks likely to be poking around uncertainly. So your random user who’s not as comfortable poking around as I might be finds a recommendation on Google, then has no idea how to follow it, or worse, does greater damage in the process.

But anyhow, I verified that msmsgs.exe was not among the startup items, then uninstalled it using one of the tabs in Add/Remove Programs (as a Windows component, it’s not listed alongside the general programs, but in its own special tab). Rebooted, and curiously found the process running yet again. Killed it, and it restarted. Once, twice, etc. Reboot, same deal.

At this point I’m fairly convinced we’re dealing with some sort of malware; virus, spyware or otherwise. Run a full Norton Antivirus scan, nothing turns up. Full Spybot scan; a few cookies, nothing more. Microsoft AntiSpyware Beta; nothing. Ad-Aware; a few more cookies. Nothing about msmsgs.exe, which is still chugging merrily along doing God only knows what (though I have in theory limited its outbound communications ability via ZoneAlarm).

By now I’m running out of potential ideas; Googling turns up things like this, which are interesting but don’t really solve my problem. A couple of pages include Registry hacks which I mentally add to the “last resort” list. Most resources recommended rather extensive fixes such as updating every driver on the machine, or the usual – reinstall Windows.

Now my point here is not to emphasize the vulnerability of Windows, one because I think that point is sufficiently well documented at this point and two because it’s my belief that Microsoft is at least taking the problem seriously. I’m noting this instead to comment on the lack of resources Microsoft makes available once you’re already infected. Your average user has no idea that right-clicking My Computer and selecting manage is how you get to the Device Manager, or that to view running services you need to right-click the Start menu, click customize and add that option to the menu, or that msconfig even exists.
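As an added example, not part of the original post: a PowerShell script (assumed to run on a modern Windows host with PowerShell 3 or later; PowerShell did not ship with XP) that checks the usual autostart locations for a given executable name, msmsgs.exe by default, so you can see what keeps relaunching a process before resorting to a rebuild.

```powershell
# Added example, not from the original post. Flags autostart entries
# (Run/RunOnce keys, startup folders, scheduled tasks) that reference
# a target executable, and shows whether it is currently running.
param([string]$Target = 'msmsgs.exe')

$pattern = [regex]::Escape($Target)
$hits = @()

# 1. Registry Run / RunOnce keys for the machine and the current user
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        if ("$($p.Value)" -match $pattern) {
            $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Startup folders and other locations WMI reports (same data msconfig shows)
foreach ($s in (Get-CimInstance Win32_StartupCommand)) {
    if ("$($s.Command)" -match $pattern) {
        $hits += [pscustomobject]@{ Source = $s.Location; Name = $s.Name; Command = $s.Command }
    }
}

# 3. Scheduled tasks whose action runs the target (cmdlet exists on Win8+ only)
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($t in (Get-ScheduledTask)) {
        foreach ($a in $t.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match $pattern) {
                $hits += [pscustomobject]@{ Source = "Task $($t.TaskPath)"; Name = $t.TaskName; Command = $a.Execute }
            }
        }
    }
}

"Autostart entries referencing ${Target}:"
$hits | Format-Table -AutoSize

# 4. Is it running right now, and from which path?
$base = [IO.Path]::GetFileNameWithoutExtension($Target)
Get-Process | Where-Object { $_.ProcessName -ieq $base } |
    Select-Object Id, Path, StartTime | Format-Table -AutoSize
```

An empty table from step 1 to 3 while step 4 still shows the process means something else is spawning it (another program, a service, or a parent process), which is the situation the post describes and the point at which to look at the parent process rather than the startup list.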

As my friend put it, without a technical friend or family member, what is one to do? The support options for home users, if the Washington Post is anything to go by, are less than adequate. While my friend and his wife are not likely to switch to Apple (and no, I didn’t get them onto Linux either; my friend’s wife came home and told me that under no circumstances was I to install “Penguindows,” her term for Linux), this kind of experience is all too common.

The worst thing about all of this? I’m stumped, as I don’t know what else to try but a complete machine refresh – and a frustration with that being the only solution to some machine problems of my own was a big reason I originally switched to Linux some 400 posts ago. Having to admit defeat in the face of some Windows misbehavior is a new experience for me, and one that’s likely going to cost me another several hours to back up and rebuild his machine. Suggestions, as always, are appreciated, but in the meantime I’m really hoping that the Longhorn folks are fixing some of this. Because while I personally don’t have to deal with this as I use Windows merely for iTunes and Adobe Acrobat, I do by proxy.

Categories: Security.

  • http://www.dehora.net/journal Bill de hOra

    PCHell is a great site:

    http://www.pchell.com/support/removemessenger.shtml

    You might not have a trojan; msmsgs is set up in a way that is aggressive, i.e. it’s hidden by default from Add/Remove Windows Components.

  • http://www.redmonk.com/sogrady sogrady

    Thx Bill. I don't think that's the problem, as I've both uninstalled it and manually deleted matching .exe's only to have it come back, but appreciate the tip.

  • Robert

    What you’ll probably find is it’s tied to Outlook/Express – both of which have an option to fire up Messenger on load of your mail client.