Just can't get rid of this one...

Abbot

Another note:

If you search the system registry you will find an entry that's called
"InstallDir" whose value is "C:\WINDOWS\srchasst"... if you go to
this directory you will see a number of files which can clearly be
identified as "Search Assistant" files (see my first post). Try
deleting them, they respawn indefinitely!!!!!! I'm still trying to find
a way to kill this thing...


-
Abbot
 
Geese_Hunter

Abbot said:
Another note:

If you search the system registry you will find an entry that's called
"InstallDir" whose value is "C:\WINDOWS\srchasst"... if you go to
this directory you will see a number of files which can clearly be
identified as "Search Assistant" files (see my first post). Try
deleting them, they respawn indefinitely!!!!!! I'm still trying to find
a way to kill this thing...

Get HijackThis from www.majorgeeks.com, download it to its own
directory & post the scan on http://www.spywareinfo.com/forums/
 
Hafnium

I have probably had this exploit on my computer for about two weeks
because I have had very low bandwidth and many crashes during these
weeks. Too bad that one has missed many nice fileshare downloads
during these two weeks, maybe I could catch up when I get rid of it.
mssmgrd.exe calls the internet every third second and eats up almost all of
my CPU because my firewall is working hard to stop it. I have had to
reinstall the OS and many applications during these weeks and have
gotten some damaged files too. mssmgrd.exe tries to call
et.bestexploiters.com on port 8040. Now that I realize that this is an
exploit that should not be there I will try to make it malfunction. I
have found out that it calls 59 DLLs, many shared though, but maybe
some of these are not and then I shall delete these along with the
calls in the registry and msconfig. Is there any interest in me posting
a list of the DLLs it calls?

By the way, I got it through eMule I think, because that is what I used
last month. And thank God for having the routine to always burn
everything I DL to DVD/CD-ROM and then delete it from my hard drive. So
whoever it is that made this mssmgrd.exe that aims for shared
folders, you won't hurt my downloads this way. Maybe it is the work of the
recording industry, a counterstrike to sink our bandwidth!


-
Hafnium
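An added example, not code from Hafnium or anyone else in the thread, of how a practitioner would confirm the "every third second" behaviour from a log instead of by watching the firewall fight it: the first function groups Windows Firewall log entries by destination address and port, measures the gap between consecutive attempts, and reports destinations contacted at a short, regular interval; the second maps a live connection on the beacon port back to the process that owns it. The log lines are constructed for this example in the pfirewall.log column layout, the destination addresses are documentation ranges rather than et.bestexploiters.com, and the hit-count, interval and jitter thresholds are assumptions. The live-connection lookup needs Get-NetTCPConnection (Windows 8 / Server 2012 or later); on the XP systems in the thread the equivalent was "netstat -ano".

```powershell
# Added example, not from the thread. Detect fixed-interval beaconing in a
# Windows Firewall log and map a live connection to its owning process.

# Constructed sample log in pfirewall.log column order:
#   date time action protocol src-ip dst-ip src-port dst-port
# 203.0.113.10:8040 is hit every 3 s (beacon); 198.51.100.7:80 is ordinary browsing.
$sampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2004-04-06 14:44:42 DROP TCP 192.168.1.5 203.0.113.10 1045 8040
2004-04-06 14:44:45 DROP TCP 192.168.1.5 203.0.113.10 1046 8040
2004-04-06 14:44:48 DROP TCP 192.168.1.5 203.0.113.10 1047 8040
2004-04-06 14:44:51 DROP TCP 192.168.1.5 203.0.113.10 1048 8040
2004-04-06 14:44:54 DROP TCP 192.168.1.5 203.0.113.10 1049 8040
2004-04-06 14:44:57 DROP TCP 192.168.1.5 203.0.113.10 1050 8040
2004-04-06 14:44:43 OPEN TCP 192.168.1.5 198.51.100.7 1051 80
2004-04-06 14:46:10 OPEN TCP 192.168.1.5 198.51.100.7 1052 80
2004-04-06 14:50:01 OPEN TCP 192.168.1.5 198.51.100.7 1053 80
'@

function Find-Beacons {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int]    $MinHits     = 5,     # assumed: ignore destinations seen fewer times
        [double] $MaxInterval = 30,    # assumed: mean gap (seconds) must be short
        [double] $MaxJitter   = 1.0    # assumed: std. deviation of the gaps must be small
    )
    # Parse each record into (timestamp, "dst-ip:dst-port"); skip header and blank lines
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*$' -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            Dest = "$($f[5]):$($f[7])"
        }
    }
    foreach ($g in ($events | Group-Object Dest)) {
        if ($g.Count -lt $MinHits) { continue }
        $times = $g.Group.Time | Sort-Object
        # Gaps between consecutive attempts; a beacon has a small mean and almost no jitter
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $mean = ($gaps | Measure-Object -Average).Average
        $var  = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $sd   = [math]::Sqrt($var)
        if ($mean -le $MaxInterval -and $sd -le $MaxJitter) {
            [pscustomobject]@{
                Destination = $g.Name
                Hits        = $g.Count
                MeanGapSec  = [math]::Round($mean, 2)
                JitterSec   = [math]::Round($sd, 2)
            }
        }
    }
}

function Get-BeaconOwner {
    # Which process owns a live connection to the beacon port (Windows 8+ / PowerShell 3+)
    param([Parameter(Mandatory)] [int] $RemotePort)
    Get-NetTCPConnection -RemotePort $RemotePort -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            Pid     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    }
}

# Only 203.0.113.10:8040 is reported: 6 hits, 3.0 s mean gap, 0 jitter.
Find-Beacons -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# Get-BeaconOwner -RemotePort 8040    # run on the infected box to name the process
```

Point Find-Beacons at the real log (`Get-Content "$env:SystemRoot\pfirewall.log"`) rather than the sample; the jitter threshold is what separates a scheduled beacon from a user clicking around, so tune it down if a long log produces noise.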
 
det_tiara

Hello Hafnium,
I just scanned port 8040 on my PC and it's closed. If anyone is
interested in a firewall test, go here: www.auditmypc.com
I see where you're heading with fileshare users, Hafnium. Exploiting my
computer would be the last thing I'd be worrying about. I'm satisfied
with listening to the radio.
Try ending mssmgrd.exe with your Task Manager.
I have had no luck searching Google for any mssmgrd.exe information. I'll
accept anything anyone is willing to pass by me :)

Hafnium said:
I have probably had this exploit on my computer for about two weeks
because I have had very low bandwidth and many crashes during these
weeks. Too bad that one has missed many nice fileshare downloads
during these two weeks, maybe I could catch up when I get rid of it.
mssmgrd.exe calls the internet every third second and eats up almost all
of my CPU because my firewall is working hard to stop it. I have had to
reinstall the OS and many applications during these weeks and have
gotten some damaged files too. mssmgrd.exe tries to call
et.bestexploiters.com on port 8040. Now that I realize that this is an
exploit that should not be there I will try to make it malfunction.
I have found out that it calls 59 DLLs, many shared though, but maybe
some of these are not and then I shall delete these along with the
calls in the registry and msconfig. Is there any interest in me
posting a list of the DLLs it calls?

By the way, I got it through eMule I think, because that is what I used
last month. And thank God for having the routine to always burn
everything I DL to DVD/CD-ROM and then delete it from my hard drive. So
whoever it is that made this mssmgrd.exe that aims for shared
folders, you won't hurt my downloads this way. Maybe it is the work of
the recording industry, a counterstrike to sink our bandwidth!?


-
det_tiara
 
Poopie D

There is no way that this file is a legit windows file...It was trying
to connect to the internet way too hard...like 3 times a second. I have two
computers at home, both running XP and neither of them have this file in the
registry. The computer I was working on to remove this "mssmgrd" file was my
friend's laptop.
 
Geese_Hunter

Poopie D said:
There is no way that this file is a legit windows file...It was trying
to connect to the internet way too hard...like 3 times a second. I have two
computers at home, both running XP and neither of them have this file in the
registry. The computer I was working on to remove this "mssmgrd" file was my
friend's laptop.

I don't have Admin privs on this account so I can't give you step by
step, but you can click on Start, then Run & type in MSCONFIG; then
you can go to the boot.ini, startup.ini
Take a look at this link that gives detail.
http://www.networkclue.com/os/Windows/commands/msconfig.php
 
imsscott

I just downloaded the latest updates for McAfee and it finally
recognizes a virus in the mssmgrd.exe file. The virus is sdbot.worm.jt

It just deleted it so apparently there is no real Windows file by that
name.
 
FromTheRafters

imsscott said:
I just downloaded the latest updates for McAfee and it finally
recognizes a virus in the mssmgrd.exe file. The virus is sdbot.worm.jt

It just deleted it so apparently there is no real Windows file by that
name.

While apparently true, the reasoning that you used to come
to that conclusion is in error. If the malware author had used
the name jdbgmgr.exe for the executable, the AV software
still would have recommended deleting the file because it is
"not cleanable" because it is not an "infected" otherwise legit
file. You cannot tell by name alone whether or not a file is a
legitimate "Windows" file, and in the above example your
conclusion would have been that jdbgmgr.exe was not a
legit Windows file - and would be in error. The above also
shows how "Googling" filenames can also mislead you.
 
imsscott

FromTheRafters said:
While apparently true, the reasoning that you used to come
to that conclusion is in error. If the malware author had used
the name jdbgmgr.exe for the executable, the AV software
still would have recommended deleting the file because it is
"not cleanable" because it is not an "infected" otherwise legit
file. You cannot tell by name alone whether or not a file is a
legitimate "Windows" file, and in the above example your
conclusion would have been that jdbgmgr.exe was not a
legit Windows file - and would be in error. The above also
shows how "Googling" filenames can also mislead you.

So what you are saying is if your anti-virus software deletes a file
it is the user's responsibility to get that file replaced because it
could be a legitimate file name in Windows? Again, how would one find
that out? How do you determine whether a file name matches a
legitimate file name in Windows?

Since I didn't find anything by that name anywhere, including
Microsoft and anti-virus sites, I am going to assume that there is no
legitimate mssmgrd.exe in Windows and I'm not going to try and replace
it with a "real" one.
 
FromTheRafters

imsscott said:
So what you are saying is if your anti-virus software deletes a file
it is the user's responsibility to get that file replaced because it
could be a legitimate file name in Windows?

Actually, you should have your AV set to quarantine suspect files
until you are ready to deal with them. If it happened to be a legit
file that the AV couldn't clean, there is a chance that they might
add support for cleaning it in the future. Many people believe that
you should *never* clean infected files but should always replace
them from a known good backup. In this case it is still a very good
idea to quarantine rather than delete because sometimes an AV
program will falsely accuse a file of having malicious content.

imsscott said:
Again, how would one find that out?

You could use Google to look for that file name to determine
if there is a legitimate Windows file by that name. However, it
would tell you nothing about the suspect file other than that it
has the same name as a legitimate Windows file.

There are sites on the web that not only will tell you that a file
name is used by a legitimate Windows file, but will also tell you
which .CAB file you can extract the legitimate file from.

imsscott said:
How do you determine whether a file name matches a
legitimate file name in Windows?

See above - also you could search Microsoft's knowledge base.

imsscott said:
Since I didn't find anything by that name anywhere, including
Microsoft and anti-virus sites, I am going to assume that there
is no legitimate mssmgrd.exe in Windows and I'm not going to
try and replace it with a "real" one.

Very good, but the fact that an AV deletes a file has nothing to
do with its legitimacy. The "delete" or "clean" has to do with the
inability (or ability) to extract a nefarious function from a program
file and yet still retain its original function. Your AV can sometimes
clean a virally "infected" program, and maybe even a program file
that has been modified non-virally such as "trojanized" programs,
or even some types of corrupted files (program or data).
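An added example, not code from the thread or from any of the posters, that puts FromTheRafters' two points into practice in PowerShell: judge a file by its Authenticode signature, hash and version resource rather than by its name (the same check settles whether the srchasst files from the first post, or any copy of mssmgrd.exe, were signed by Microsoft), list the Run-key entries that MSCONFIG's Startup tab draws on, and quarantine the file with a manifest instead of deleting it so a false positive can be undone. The search roots, the quarantine directory, the "O=Microsoft Corporation" subject test and the path in the commented usage line are assumptions. Windows PowerShell 5.1 or later, run elevated so HKLM and %SystemRoot% are fully readable.

```powershell
# Added example, not code from the thread. Triage a suspicious executable by
# evidence (signature, hash, autostart entries, live processes) rather than by
# its name, then quarantine it instead of deleting it.

function Get-SuspectFileReport {
    param(
        [Parameter(Mandatory)] [string] $FileName,                      # e.g. 'mssmgrd.exe'
        # Assumed search roots; extend as needed
        [string[]] $SearchRoots = @($env:SystemRoot, $env:ProgramFiles, $env:APPDATA, $env:LOCALAPPDATA)
    )
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Autostart values whose command line names the file (what MSCONFIG's Startup tab shows)
    $autostart = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$FileName*") {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    $files = Get-ChildItem -Path $SearchRoots -Recurse -Filter $FileName -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path            = $f.FullName
            Sha256          = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            Company         = $f.VersionInfo.CompanyName                # claimed by the file, not proven
            SigStatus       = $sig.Status                               # Valid, NotSigned, HashMismatch, ...
            Signer          = $sig.SignerCertificate.Subject
            # Assumed test: a valid signature whose subject is Microsoft Corporation
            MicrosoftSigned = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
            RunningPids     = @(Get-Process | Where-Object { $_.Path -eq $f.FullName } | ForEach-Object Id)
            Autostart       = @($autostart)
        }
    }
}

function Invoke-Quarantine {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $QuarantineDir = (Join-Path $env:SystemDrive 'Quarantine')   # assumed location
    )
    if (-not (Test-Path $QuarantineDir)) { New-Item -ItemType Directory -Path $QuarantineDir | Out-Null }
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # Stop live instances first: a running copy holds the file open and may re-drop it
    Get-Process | Where-Object { $_.Path -eq $Path } | Stop-Process -Force -ErrorAction SilentlyContinue
    # Rename away from .exe so nothing in the quarantine folder is directly runnable
    $dest = Join-Path $QuarantineDir ('{0}.{1}.quarantined' -f (Split-Path $Path -Leaf), $hash.Substring(0, 12))
    Move-Item -LiteralPath $Path -Destination $dest -Force
    # Manifest lets the file be put back if the verdict turns out to be a false positive
    [pscustomobject]@{ Original = $Path; Quarantined = $dest; Sha256 = $hash; When = (Get-Date).ToString('o') } |
        ConvertTo-Json -Compress | Add-Content -Path (Join-Path $QuarantineDir 'manifest.jsonl')
    return $dest
}

Get-SuspectFileReport -FileName 'mssmgrd.exe' | Format-List
# Invoke-Quarantine -Path 'C:\WINDOWS\system32\mssmgrd.exe'   # hypothetical path: take it from the report
```

A file that reports SigStatus Valid with a Microsoft signer is Microsoft's whatever its name; one that is NotSigned, or whose Company field says Microsoft but whose signature is missing or mismatched, is the case FromTheRafters describes, and the Autostart and RunningPids fields tell you what will re-launch it after a reboot or re-create it after a delete.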
 
MeatballTurbo

imsscott said:
Since I didn't find anything by that name anywhere, including
Microsoft and anti-virus sites, I am going to assume that there is no
legitimate mssmgrd.exe in Windows and I'm not going to try and replace
it with a "real" one.

Usually a Google search will tell you whether it is a legitimate MS
file.

It may also advise whether it has been infected as well, or whether it is
targeted for infection/replacement by known worms/trojans/virii.
 
wb

Found this in a newsgroup:
viruses and worms / viruses and worms / Re: mssmgrd.exe on: April 06,
2004, 02:44:42 PM
Started by epinhao, Message by epinhao
Thanks, I already found it and determined its name, it is called
Sdbot.RPC or Randex; I'm using it as a test drive to get a new antivirus
program.

Try stinger.exe from McAfee, it puts that one away.
wb
good luck
http://vil.nai.com/vil/stinger/
 
