Helping people with computers... one answer at a time.

Msmsger.exe is, most likely, an imposter. Trying to look like something legitimate, msmsger.exe is probably malware.

I discovered that I have a program installed called msmsger.exe. I don´t know where it came from and to what it might be associated. From time to time my personal firewall tells me that the program msmsger.exe wants to access the internet. I have blocked such request.

I did a Google-search but found only 4 forums (in languages I do not understand) where it is mentioned. Neither my antispam software nor AV virus software detects it as bad. I have no Microsoft Messenger software installed.

Any idea what this piece of software does or is?

I believe this is a great example of something we see all the time: malicious programs trying to "look like" other programs so you'll be uncertain about their maliciousness.

And, yes, even though your anti-malware programs don't flag it, I believe it is malware. Which brings up another very important point.

One of the ways that malicious software tries to hide itself, or at least confuse people, is by taking a name that is very similar to a legitimate piece of software.

The name "msmsger".exe is very similar to msmsgs.exe (Windows Messenger) or msnmsgr.exe (MSN Instant Messenger), but of course that actually means nothing. Just because programs have similar names doesn't mean that they're related at all.

And yet, it's easy to think so and easy to misread the imposter's name as one of the others if you're not paying close attention.

And, of course, that's exactly what malware authors have been relying on for years. Consider that "lsass.exe" is a legitimate and important system process. But "isass.exe", and even "1sass.exe" look very similar. They are not. They are viruses that have caused a lot of people a lot of grief.

So my first inclination when I see a program that has a name similar but not quite the same as a legitimate windows program is to consider it suspect. Choosing a name that is close to the name of a real, legitimate program is a frequent sign of malware.

"... none of the anti-malware programs give you 100% coverage."

"But," (I hear you saying), "my anti-virus program didn't flag it!"

True enough. And, to be honest, that's important data. But not enough to call the file legitimate either. (As an aside, I'm assuming that your anti-virus and anti-spyware packages are getting regular database updates to keep track of new threats that are constantly emerging. Without those updates, best done daily or at least weekly, they won't catch new malware.)

The sad fact is that not all anti-malware programs catch all malware. Good ones will catch a lot; even most of the malware that's out there. But none of them are 100% accurate.

I'll say that again: none of the anti-malware programs give you 100% coverage.

Sucks, doesn't it?

In the case of msmsger.exe, I did find at least one anti-spyware vendor that and only recently explicitly lists is as a threat but provides very little detail. It's difficult to determine just how much of a threat it really is.

My first recommendation is to run additional spyware and virus scans using some of the free or trial versions of scanners that are currently available.

If they show nothing, my next recommendation is to delete the file (following the steps in Is it safe to delete this file?), and see what happens.

But the fact that it's named similarly to a legitimate program and that it's trying to access the internet most definitely have me concerned, and almost convinced, that it's a virus or other malware of some sort.

Article C2907 - January 24, 2007 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

Lou Gascon
January 27, 2007 2:58 AM

Hi Leo and the chap sporting msmsger.exe... have it on file already - search msmsger.exe and you will get:
What I like about prevx is that it probably won't allow the file on the computer in the first place, but even if it did it certainly would not allow the program to run without a specific yes from its online database or me...
Well worth a look...

January 27, 2007 11:05 PM

Excellent warning and clear explanation.

February 2, 2007 12:45 AM
Its a worm.

Leo Notenboom
February 2, 2007 9:34 AM

Hash: SHA1

That comment, unfortunately, illustrates one of the reasons that malware
authors use names that are so similar to other thing.

The article here talks about "msmsger.exe" - the article on doesn't mention "msmsger.exe" at all. Many similar names,
but NOT the exact same name.

That's important. Make sure you are carefully examining the correct
information for the exact name you you're seeing.

Version: GnuPG v1.4.6 (MingW32)


February 2, 2007 6:38 PM

I recognized the similarity to a line in my computer when I was trying to trim my startup programs, so I was relieved to find from checking here that mine was the 'good' one. But if I hadn't already read the article, I wouldn't even have known that there was anything to check. An index of topics you've answered would be helpful. Do you already have one, and how do I access it? If not, I'd be willing to help set one up, which I have done in the past, but just on paper, never on a computer. I think an indepth index would be helpful, so let me know--with instructions--if I can be of help. BombayGranny

February 3, 2007 7:13 AM

A while back my firewall informed me that msmger.exe was being blocked and asked me what I wanted to do with it. I didn't know what it is so I told the firewall to ask me again later. Then my system started lagging badly while trying to web surf. As soon as I removed msmsger My system started running good again. This thing is a malware so if you get it remove it.

Leo Notenboom
February 3, 2007 9:23 AM

Hash: SHA1

Again, folks, the the filename in that previous comment is not the same
as the filename that started this article. >>Pay careful attention to
the filename

February 18, 2007 10:45 PM

The worm opens an IRCout event to that IP address an Port. I dont know the relevance of this, maybe someone will.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.