Windows XP Windows Messenger...How do I remove it?

Joined
Aug 6, 2007
Messages
41
Reaction score
0
Two Programs Acting Weird.

About two weeks ago, I had a major problem with security online. I won't go any further than that, but ever since then I have been monitoring every single program that runs on startup for suspicious behavior. Two of them have caught my eye.

First is the Windows Messenger. It seems to be eating up my CPU's speed. And even when I try to disable it in msconfig and the administrator tools it still keeps coming up at startup. The only way that I can get rid of it is to end the process in the Task Manager...when it finally comes up. I can't find it in the Add or Remove programs list and I'm not comfortable deleting it straight from the folder. Is there any other way that I can safely uninstall it? Or am I looking in the wrong spot?

Second is this program called LuCallbackProxy.exe. I've had horrendous problems with it the last couple of weeks. I've learned that the file is supposed to be Norton’s process residing as a hidden file in C:\Program Files\Symantec\LiveUpdate. It has a brethren LUCALLBACKPROXY.EXE-29128DB6.pf in C:\WINDOWS\prefetch. It’s supposedly used by the Norton suite of programs to update virus and software definitions.

I have an XP SP2 machine hooked up to the Internet by 10 MBPS modem. Whenever I turn the modem on, in short time the LuCallbackProxy.exe spawns itself into 3 to 5 and even 10+ copies and eats up 100% of my CPU resources. Adding insult to injury when combined with the ****ing Windows Messenger. This only goes on for about 10 seconds, then the processes disappear and I can do work again since my CPU's usage drops down to its normal baseline of 1 to 5%. But 5 to 30 minutes later we are back to square one. Ending the processes manually using the Windows Task Explorer works, but only temporarily.

I wanted to know if I am dealing with the real Norton’s LuCallbackProxy.exe with perhaps a back door exploited by a hacker or with rogue software pretending to be LuCallbackProxy.exe and hiding somewhere inaccessible in the bowels of the Windows directory.

Can anyone help me out with this? Free ice-cream!
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
msmsgs.exe is a Windows Messenger executable which is automatically loaded during XP boot, not to be confused with MSN Messenger (msnmsgr.exe). It is safe to disable and does/should not affect usage of the MSN Messenger.

... disable it as follows:

Start / Programs / Windows Messenger / Tools / Options / Preferences
Uncheck "Run this program when Windows Starts"

or, a little more drastic, but works every time ... search your hard drive for msmsgs.exe and rename it to msmsgs.sav ;)


lucallbackproxy.exe is a process belonging to Norton/Symantec Internet Security which protects your computer against Internet-bound threats such as spyware and Trojans which can be distributed through e-mail or attack directly to the computer allowing unauthorized access to your computer. This process in particular assists with software updates and is important for the stable and secure running of your computer and should not be terminated.

I would highly recommend removing Symantec (Norton) software in general. However, XP's "Add Remove Software" will NOT remove all the hooks that Norton uses ... you will need to use Symantec's removal tool to do so.

If you are worried you have some nastie lurking in your system, I suggest you download and run HijackThis and post a Log File here so we can see if you have any potential nasties.


Welcome to the forums. :thumb:


 
Joined
Aug 6, 2007
Messages
41
Reaction score
0
I'd rather not remove Norton as it has prevented some nasty viruses from harming my computer. But here is the HiJackThis Log. Ran immediately after bootup. Tell me if anything looks suspicious. BTW tried everything on how to get rid of the messenger, it is disabled but STILL comes up.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:49 PM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Documents and Settings\Dusty Alexander\Desktop\HiJackThis.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.urisp.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - URLSearchHook: (no name) - - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.urisp.net"); (C:\Documents and Settings\DUSTY ALEXANDER\Application Data\Mozilla\Profiles\default\v91vqb8z.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUSTY ALEXANDER\Application Data\Mozilla\Profiles\default\v91vqb8z.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: -
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZK
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.urisp.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182217005375
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8161 bytes
 

Alf

Yank Upstart
Joined
Aug 30, 2004
Messages
3,193
Reaction score
6
The only thing that my untrained eyes see is Yahoo! toolbar. It's pointless for most people.
Download CCleaner and run it, it will clean out your computer of junk.
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,739
Reaction score
1,204
Yes, you DO HAVE a couple of nasties on your system.

Remember that HijackThis must be run in its own folder. Only if HijackThis is run in its own folder will it create backups!


I suggest you get HJT to 'fix' the following ...

C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
I do not know this program, but it ain't doing a good job ... suggest you uninstall it ... do not use HJT to fix, use Windows 'add remove programs'

R3 - URLSearchHook: (no name) - - (no file)
Nastie, Should be fixed

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.urisp.net"); (C:\Documents and Settings\DUSTY ALEXANDER\Application Data\Mozilla\Profiles\default\v91vqb8z.slt\prefs.js)
If you know the page, this entry does not need to be fixed. Safe in most cases.

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUSTY ALEXANDER\Application Data\Mozilla\Profiles\default\v91vqb8z.slt\prefs.js)
If you know the page, this entry does not need to be fixed. Safe in most cases.

O4 - Global Startup: -
Unknown application, I would fix it

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZK
Extremely Nastie, needs fixing

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Unnecessary (deactivated) entry that can be fixed

O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!


I was not suggesting running your system with NO AV, merely saying Norton is not that good these days, better to use an alternative ... up to you, it's your PC.

Please turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.



As I said ... search your hard drive for msmsgs.exe and rename it to msmsgs.sav


Disclaimer: Modifying the registry can cause serious problems that may require you to reinstall your operating system. I cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.
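
An added example, not part of the original posts or of HijackThis itself: a small Python parser for the log format posted above that flags the same kinds of entries called out in the reply (a missing target file, a startup entry with no target, web-sourced items from hosts you do not recognize). The sample lines are copied from the log in this thread; `known_hosts` and the heuristics themselves are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# A few lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: -
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZK
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Entry lines look like "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
URL = re.compile(r"https?://[^\s\"')]+")


def parse(log):
    """Yield (section, body) for every entry line; headers and process paths are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def review_notes(log, known_hosts=frozenset()):
    """Return (section, reason, body) for entries that deserve a manual look.

    known_hosts is a hypothetical allowlist of hosts the reviewer recognizes.
    """
    notes = []
    for section, body in parse(log):
        if body.endswith("(no file)"):
            # Registry entry whose target no longer exists on disk.
            notes.append((section, "target file missing", body))
        elif section == "O4" and body.endswith(": -"):
            notes.append((section, "startup entry with no target", body))
        elif section in ("O8", "O16"):
            # Context-menu items and ActiveX downloads that point at a web host.
            for url in URL.findall(body):
                host = urlparse(url).hostname
                if host and host not in known_hosts:
                    notes.append((section, f"unrecognized host {host}", body))
    return notes


if __name__ == "__main__":
    for section, reason, body in review_notes(SAMPLE_LOG):
        print(f"{section:>3}  {reason:<45}  {body}")
```

A flagged line is a prompt to check the entry by hand, as the reply does for each item, not a verdict that it is malicious.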


 
Joined
Aug 6, 2007
Messages
41
Reaction score
0
MaxRCSystemTray.exe is the executable that runs Max Secure's Max Registry Cleaner in the taskbar. I'm happy with how it's doing its job, and I'm certainly NOT going to uninstall it as I paid good money for it. All of those other entries I knew about..except for the mywebsearchtoolbar..I thought that I had uninstalled it. And what is the URLSearchHook anyways? I've already fixed it but curiosity has gotten the best of me.
 
Joined
Aug 6, 2007
Messages
41
Reaction score
0
Ah, okay. Everything seems to be running well now. Windows Messenger is FINALLY leaving me alone, and only 1 LUcallbackproxy comes up now. Although I don't know what I did to make it do that...may have done something when I deleted it from the Prefetch folder. It doesn't seem to have harmed anything, though. Thanks for the help. :D
 
