Just can't get rid of this one...

Poopie D

I am pulling my hair out! I have a program called mssmgrd.exe (windows
update) that keeps loading at Windows startup and trying to access the
internet. I have deleted every reference to the file in the registry and it
keeps coming back. I ran the latest versions of McAfee and Norton along with
the Stinger and a few of the Norton standalones. Stinger found and deleted
the Nachi virus but something is still in there.

When I let it access the internet it just lights up my modem and keeps going.

I searched every search engine I could find for "mssmgrd" and nothing came up
on any of them.

I also formatted and reinstalled Windows (system recovery on a Sony Vaio so it
may not have been a proper format) Still there!

Please help me!
 
Dan Shackelford

I am pulling my hair out! I have a program called mssmgrd.exe (windows
update) that keeps loading at Windows startup and trying to access the
internet. I have deleted every reference to the file in the registry and
it keeps coming back. I ran the latest versions of McAfee and Norton
along with the Stinger and a few of the Norton standalones. Stinger found
and deleted the Nachi virus but something is still in there.

When I let it access the internet it just lights up my modem and keeps
going.

I searched every search engine I could find for "mssmgrd" and nothing came
up on any of them.

I also formatted and reinstalled Windows (system recovery on a Sony Vaio
so it may not have been a proper format) Still there!

Please help me!

I don't use Windows, but if that is part of Windows upgrade, no wonder you
cannot get rid of it. It is part of the OS, basically. How do you know it
is part of the upgrade process, btw? Have you used msconfig to uncheck
it from launching at bootup?

If it is a virus or trojan or whatever ... it might be in your restore
volume which means no antivirus software will be allowed access to it. In
that case, disable system restore, remove all restore points, reboot,
rescan for viruses and adware and malware. Then restore your system
restore.
 
DH

I don't know if this will help. I use Windows 98 and I can boot up to DOS
if I wish. If you can boot up to DOS (not a DOS window in Windows), you
will probably be able to delete that file using the delete command. Make
sure you know the exact location of the file in question. I'm a little
rusty with DOS commands but something like CD C:\WINDOWS\SYSTEM (if
that's where the file is).

Then DEL followed by a space and then the name of the file.

That should delete the file. I haven't upgraded to Windows XP so I know
nothing about that OS.
 
Geese_Hunter

I am pulling my hair out! I have a program called mssmgrd.exe (windows
update) that keeps loading at Windows startup and trying to access the
internet. I have deleted every reference to the file in the registry and it
keeps coming back. I ran the latest versions of McAfee and Norton along with
the Stinger and a few of the Norton standalones. Stinger found and deleted
the Nachi virus but something is still in there.

When I let it access the internet it just lights up my modem and keeps going.

I searched every search engine I could find for "mssmgrd" and nothing came up
on any of them.

I also formatted and reinstalled Windows (system recovery on a Sony Vaio so it
may not have been a proper format) Still there!

Please help me!

Go to Start, Run & type msconfig, look in the system.ini file & put an
asterisk in front of the line that has the mssmgrd if any, & then
reboot.
 
Poopie D

I should have been more specific. The registry entry is calling the
"mssmgrd.exe" file a "windows update" file. My system restore option is
disabled so it can't be in there.

When I block it from going on the internet, it keeps trying every second.
Zonealarm can't even barley keep up. It tries to access 24.71.38.???:135. It
seems to change all the time

This is driving me nuts!
 
Geese_Hunter

I should have been more specific. The registry entry is calling the
"mssmgrd.exe" file a "windows update" file. My system restore option is
disabled so it can't be in there.

When I block it from going on the internet, it keeps trying every second.
Zonealarm can't even barley keep up. It tries to access 24.71.38.???:135. It
seems to change all the time

This is driving me nuts!

Have you downloaded, installed, & updated Spybot S&D & Ad-Aware, & in
Ad-Aware's settings, after you click start, turn green scan within
archives, select all of your drives & in the memory & registry select
(green) all & active in depth green check it. Also HijackThis would
find it or EasyCleaner from http://www.toniarts.com/ecleane.htm

the other programs from majorgeeks.com

But back up your registry 1st.

The easy cleaner should get rid of it, if you've deleted the exe file,
but there is probably more than 1. Also you can post your HijackThis
log on http://www.spywareinfo.com/forums/ But read their info before
you post. They are helpful, but may take time.
 
Geese_Hunter

Géésé_Huntér052 said:
Have you downloaded, installed, & updated Spybot S&D & Ad-Aware, & in
Ad-Aware's settings, after you click start, turn green scan within

After re-reading all of the posts & saw Nachia try this Sophos link

http://www.sophos.com/support/disinfection/nachia.html

hope it helps you
 
Geese_Hunter

Here's another item that may help, the link & the contents of it in case
you can't get there:

http://www.net-integration.net/zeroscripts/spybot.html
Backdoor Spybot Removal

This worm is very nasty! It terminates the task manager! I assume you
acquired this worm from Kazaa or mIRC or any other IRC client. (Note:
This has NOTHING to do with Spybot Search and Destroy).

1) To view your Task Manager you will need to download a program called
Process Explorer made by Sysinternals. It's free!

2) Now run Trend Micro's Online Scan. After running it note ALL files
named worm_spybot.gen.

3) Now open up Process Explorer. Look for all files found by Trend Micro
and terminate the process.

4) Click start, run and type regedit. Navigate to the location
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run. In the
right pane look under the data header. Delete anything that has the data
file as the files found by Trend Micro's online scan.

5) Click start, run, and type regedit. Navigate to the location
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce.
In the right pane look under the data header. Delete anything that has
the data file as the files found by Trend Micro's online scan.

6) Click start, run and type regedit. Navigate to the location
HKEY_CURRENT_USER>Software>Kazaa>LocalContent. In the right pane look
for something that says Dir0 = 012345:%System% \kazaabackupfiles. Click
it and delete it.

7) Reboot your computer.

8) Again run Trend Micro's Online Scan. If anything is detected as
worm_spybot.gen do steps 3 to 6 again.

9) If all goes well you have successfully gotten rid of the Spybot worm.

Go back to the virus list
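
The registry check in steps 4 and 5 of the pasted procedure, as an added example that is not part of the original post or of the linked page: it parses a registry export and lists the autostart values that launch a file the scanner flagged. It covers Run and RunOnce under both hives, which is slightly more than the two keys named; the export text, the `fw.exe` entry and the `System32` path are constructed sample data, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample in .reg export format (not taken from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="mssmgrd.exe"
"Firewall"="\"C:\\Program Files\\Example Firewall\\fw.exe\" -tray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Update"="C:\\WINDOWS\\System32\\MSSMGRD.EXE /s"

[HKEY_CURRENT_USER\Software\Example\Settings]
"LastFile"="mssmgrd.exe"
'''

# Run and RunOnce under either hive.
AUTOSTART = re.compile(
    r"HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# "name"="data", where \" and \\ are escaped inside the quotes.
VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def program_of(data):
    """Lower-cased file name of the program a Run value launches."""
    data = data.strip()
    if data.startswith('"'):            # quoted path, arguments follow it
        path = data[1:].split('"', 1)[0]
    else:                               # bare path, may carry arguments
        m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))(?:\s|$)", data, re.I)
        path = m.group(1) if m else data
    return ntpath.basename(path).lower()

def find_autostarts(reg_text, flagged_files):
    """Return (key, value name, data) for autostart values launching a flagged file."""
    flagged = {name.lower() for name in flagged_files}
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if AUTOSTART.match(line[1:-1]) else None
        elif key:
            m = VALUE.match(line)
            if m and program_of(unescape(m.group(2))) in flagged:
                hits.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return hits

if __name__ == "__main__":
    for key, name, data in find_autostarts(SAMPLE_EXPORT, ["mssmgrd.exe"]):
        print(f"{key}  {name!r} -> {data}")
```

Matching is on the file name rather than the value name, so an entry labelled "Windows Update" is reported only because of what it launches.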
 
Dan Shackelford

I should have been more specific. The registry entry is calling the
"mssmgrd.exe" file a "windows update" file. My system restore option is
disabled so it can't be in there.

When I block it from going on the internet, it keeps trying every second.
Zonealarm can't even barley keep up. It tries to access 24.71.38.???:135.
It seems to change all the time

This is driving me nuts!

Have you run (BOTH) Spybot and AdAware to see if this is malware, but not
a trojan/worm/virus?

Have you run MSCONFIG to see if it is supposed to start on bootup and
therefore you can uncheck it so that it won't?

Have you gone to the Microsoft database and checked on whether it is a
legit file or not?
 
Beauregard T. Shagnasty

Quoth the raven named Dan Shackelford:

Are you a Shaw subscriber? 24.71.38 ?

Google for: worm port 135
You probably have Blaster, or one of the Sobigs, and it is looking for
new victims.

I guess so... I have trouble keeping my barley up as well. <g>
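
The pattern reported in this thread (one program retrying blocked connections about once a second, to changing addresses on port 135) can be picked out of a firewall log by counting distinct destinations per program in a short window. An added example, not part of any post: the log format, timestamps and addresses are constructed, and `find_scanners` is a hypothetical helper.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: time, program, action, destination ip:port.
# Addresses are documentation ranges, not the ones seen in the thread.
SAMPLE_LOG = """\
2004-01-10 20:15:01,mssmgrd.exe,BLOCK,198.51.100.7:135
2004-01-10 20:15:02,mssmgrd.exe,BLOCK,198.51.100.8:135
2004-01-10 20:15:02,iexplore.exe,ALLOW,203.0.113.20:80
2004-01-10 20:15:03,mssmgrd.exe,BLOCK,198.51.100.9:135
2004-01-10 20:15:04,mssmgrd.exe,BLOCK,198.51.100.10:135
2004-01-10 20:15:04,outlook.exe,ALLOW,192.0.2.5:135
2004-01-10 20:15:05,mssmgrd.exe,BLOCK,198.51.100.11:135
2004-01-10 20:15:06,mssmgrd.exe,BLOCK,198.51.100.12:135
2004-01-10 20:15:09,outlook.exe,ALLOW,192.0.2.5:135
"""

def parse(line):
    ts, program, _action, dest = line.strip().split(",")
    ip, port = dest.rsplit(":", 1)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), program.lower(), ip, int(port)

def find_scanners(log_text, port=135, window_s=10, min_hosts=5):
    """Map program -> most distinct destination IPs it tried on `port` within
    any `window_s`-second span, for programs that reach `min_hosts`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, program, ip, dport = parse(line)
            if dport == port:
                attempts[program].append((ts, ip))
    scanners = {}
    for program, events in attempts.items():
        events.sort()
        in_window = defaultdict(int)    # ip -> attempts inside the window
        start = best = 0
        for ts, ip in events:
            in_window[ip] += 1
            while (ts - events[start][0]).total_seconds() > window_s:
                old_ip = events[start][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                start += 1
            best = max(best, len(in_window))
        if best >= min_hosts:
            scanners[program] = best
    return scanners
```

A program that talks to a single server on port 135 repeatedly stays under the threshold; only fan-out to many hosts is reported.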
 
Poopie D

I think I may have gotten it out but not sure.

I ran adaware and spybot...came up clean....nothing in the system.ini file

The item was in my msconfig startup folder twice ...I unchecked them and then
went into the registry. Deleted all references to the file in the
registry...without closing msconfig. Then I noticed that the item was back
in the startup of msconfig twice again! Unchecked both (now four references
altogether) and rebooted. All seems well now...I have no idea how Nachi and
this mysterious virus could have survived a format and re-install of Windows.

I just hope this virus is not sitting in a file somewhere waiting to be
executed again...scans don't show anything...I will keep my fingers crossed.

Thanks for your help...I wish I knew what I had/have!
 
Geese_Hunter

I think I may have gotten it out but not sure.

I ran adaware and spybot...came up clean....nothing in the system.ini file

The item was in my msconfig startup folder twice ...I unchecked them and then
went into the registry. Deleted all references to the file in the
registry...without closing msconfig. Then I noticed that the item was back
in the startup of msconfig twice again! Unchecked both (now four references
altogether) and rebooted. All seems well now...I have no idea how Nachi and
this mysterious virus could have survived a format and re-install of Windows.

I just hope this virus is not sitting in a file somewhere waiting to be
executed again...scans don't show anything...I will keep my fingers crossed.

Thanks for your help...I wish I knew what I had/have!

I'm glad it's not infecting your system anymore, however you still may
be at risk of getting re-infected. Do you have ALL of Microsoft's
updates? If not get the critical ones. Also do you have your ICF
(Internet Connection Firewall) turned on? If not do it, it'll block
certain ports: Start, Settings, Control Panel or Network & Internet
Connections (depending on your XP view setup), then Network Connections,
then your connection, then right click & then Properties & Advanced &
then click ICF to enable it.

Other PCs that were infected scour the Net looking for certain open
ports & infect you.

Also, add another account as administrator w/ a password & change yours to
limited, & disable the stupid guest account.

& I'd run some online scans to make sure it's all gone:
Trend Micro HouseCall, pandasoftware.com etc...

Is IIS on your PC? If it is remove it
Windows XP Professional

1. On the taskbar at the bottom of your screen, click Start, and then
click Control Panel.
2. Click Add or Remove Programs, click Remove a Program, and then
click Add/Remove Windows Components.
3. In the Windows Component Wizard dialog box, locate Internet
Information Services (IIS). If the Internet Information Services (IIS)
check box is selected, IIS is installed.

Also, I'd look for a firewall program, free versions you can get from
sygate, kerio, zonelabs, read the forums & then set it up when you have
a general good idea about it. A firewall isn't any good if you don't
have it set up properly.
 
imsscott

Dan Shackelford said:
Have you gone to the Microsoft database and checked on whether it is a
legit file or not?

How does one find out if a program is a legitimate file? Is there
something at Microsoft's web site? Searching the knowledge base for
mssmgrd.exe yields a bunch of articles that make no mention of the
file and searching mssmgrd returns nothing.

I too have this file running on my machine and it was not removed when
the W32/Nachi.worm.b was removed.

I believe I got this worm just after a reinstall of Windows XP and
before the security patches were re-applied.
 
smokescreen

I got hit with this one too... just last week.

I can pretty much guarantee that it's a virus. I was playing around
with Kazaa (downloading something I probably wasn't meant to) and when
I tried opening the .exe file that I had downloaded my computer just
started going crazy - like you say - it tries opening up Explorer and
the bandwidth rate just skyrockets. Using the internet became
impossible because it was so slow and I then started finding new files
all over my computer - in any folder which had the word 'share' in
its title.

The computer also started shutting down at random and programs were
crashing for no reason. I found a way to slow the virus down by
deleting a file in the registry (can't remember what it was called
now) but in the end the thing had spread so much I had no choice but
to re-install Windows (for the third time in 12 months).

Sorry that I don't have a solution but I just wanted to let you know
that there is at least one other person with the same problem as you.

Sorry.
 
Geese_Hunter

I got hit with this one too... just last week.

I can pretty much guarantee that it's a virus. I was playing around
with Kazaa (downloading something I probably wasn't meant to) and when
I tried opening the .exe file that I had downloaded my computer just
started going crazy - like you say - it tries opening up Explorer and
the bandwidth rate just skyrockets. Using the internet became
impossible because it was so slow and I then started finding new files
all over my computer - in any folder which had the word 'share' in
its title.

The computer also started shutting down at random and programs were
crashing for no reason. I found a way to slow the virus down by
deleting a file in the registry (can't remember what it was called
now) but in the end the thing had spread so much I had no choice but
to re-install Windows (for the third time in 12 months).

Sorry that I don't have a solution but I just wanted to let you know
that there is at least one other person with the same problem as you.

Sorry.

Can you do an online scan with IE like Trend Micro's HouseCall or
www.pandasoftware.com active scan?

If not go to www.majorgeeks.com & get the HijackThis program, put it in
c:\hjt, run it, save the results & post the log to this forum
http://www.spywareinfo.com/forums

At least someone, maybe myself will be able to tell you what virus you
have. Also mention the above info in your post (Kazaa, virus etc..) as it
will help the people looking to see it & not just a hijacked page or
CoolWebSearch prog.
 
CheshireCat

imsscott said:
How does one find out if a program is a legitimate file? Is there
something at Microsoft's web site? Searching the knowledge base for
mssmgrd.exe yields a bunch of articles that make no mention of the
file and searching mssmgrd returns nothing.

I too have this file running on my machine and it was not removed when
the W32/Nachi.worm.b was removed.

I believe I got this worm just after a reinstall of Windows XP and
before the security patches were re-applied.

imho the recent worms that have spread because of exploits, are more
dangerous than those that arrive with email.
Reformatting and reinstalling windows weakens your system until you can get
the critical updates installed. My partner (who stubbornly refuses to
install updates) was infected within 5 minutes of connecting to the internet
after our router died and we had to return to ICS until a new one arrived.
If you can use a hardware router/firewall with your web connection then this
is the best defense.
If it's still possible to download windows updates without installing them,
get them. Download a firewall and antivirus software and write them to a cd
(or a 2nd partition) with the updates. After a reformat, don't allow www
connection till you have them all installed.
 
Geese_Hunter

imho the recent worms that have spread because of exploits, are more
dangerous than those that arrive with email.
Reformatting and reinstalling windows weakens your system until you can get
the critical updates installed. My partner (who stubbornly refuses to
install updates) was infected within 5 minutes of connecting to the internet
after our router died and we had to return to ICS until a new one arrived.
If you can use a hardware router/firewall with your web connection then this
is the best defense.
If it's still possible to download windows updates without installing them,
get them. Download a firewall and antivirus software and write them to a cd
(or a 2nd partition) with the updates. After a reformat, don't allow www
connection till you have them all installed.
It depends on certain factors, Your Op system & where it is located & if
you are having problems.
What's your op system, & where is it located?
Did you install any new programs?
Are you using p2p software?
 
SuzyQt

I have the same file running twice on Windows XP Pro. I'm guessing it's
because of my Internet Service Provider that I'm on and their software
I had installed. You wouldn't happen to be a Sympatico User in Canada
are you?

-
SuzyQt
 
Abbot

Poopie said:
I am pulling my hair out! I have a program called mssmgrd.exe (windows
update) that keeps loading at Windows startup and trying to access the
internet. I have deleted every reference to the file in the registry and it
keeps coming back. I ran the latest versions of McAfee and Norton along with
the Stinger and a few of the Norton standalones. Stinger found and deleted
the Nachi virus but something is still in there.

When I let it access the internet it just lights up my modem and keeps going.

I searched every search engine I could find for "mssmgrd" and nothing came up
on any of them.

I don't know if this knowledge comes too late to you, but this will
explain EVERYTHING about this supposed file "mssmgrd.exe" or related
registry entries.

GO HERE:

http://tinyurl.com/2r884

I also formatted and reinstalled Windows (system recovery on a Sony Vaio so it
may not have been a proper format) Still there!

Please help me!

-
Abbot
 
