noticed an odd entry in msconfig/startup: MSSERVER. after checking out its location in windows, (which turned out to be either false or hidden), and going through the reg with a fine tooth comb, it looks like it's reformat time. anybody got a clue re removing this? it appears to be a "vundo" variant, and i even tried using "super anti spyware" (lol), which reports the presence of the bug, but is unable to remove it. i've tried spybot, adaware, nod32, and that sas app, but no go...anybody?
Got a baaad bug...
Started by m.oreilly, Jul 11 2008 03:21 AM
7 replies to this topic
#1
Posted 11 July 2008 - 03:21 AM
#2
Posted 11 July 2008 - 03:33 AM
gads, that's a bad one. you on server 2008? roll back?
#3
Posted 11 July 2008 - 04:18 AM
no restore points (heck, i'm a big boy...).
success!
two apps that are a must for me now: "super anti spyware" and "mbam"
ran in safe mode, they did a job that left my av and spybot/adaware looking for a clue. i might also add that the app i suspect (downloaded from a torrent, scanned with the av before unraring) is a very recent digital photography one.
#4
Posted 11 July 2008 - 04:21 AM
oh, and a big shout out to "wilders security forums", where some folks left me a clue to start looking for a fix, and then pointed me in the right direction...Tarq57, thanks
#5
Posted 11 July 2008 - 04:18 PM
just a heads up: nod32 now detects the baddie. must be the new defs that loaded this morning...
#6
Posted 12 July 2008 - 04:35 AM
VundoFix from atribune.org will handle it as well.
#7
Posted 12 July 2008 - 11:36 PM
Good to see you handled to remove it
#8
Posted 12 July 2008 - 11:57 PM
vrosa x64, on Jul 12 2008, 04:36 PM, said:
Good to see you handled to remove it 
and thanks to tweak, i think i have a handle on why my system, and an old p4 32bit rig at work were affected: i turned off DEP on my box, and the p4 system can only do limited software prevention. tweak sampled the installer of what i believe to be the bug, and it turns out his system (DEP on) was not compromised. i guess DEP is not for dopes after all...
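A read-only check for the two things this thread turns on, the startup entry whose file was missing or hidden and the DEP setting, as an added PowerShell example that is not from any poster. The choice of Run keys and the helper name `Get-AutorunTarget` are assumptions made for this example.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the system.
# Assumption: only these three Run keys are audited; other autostart locations exist.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the program path out of an autorun command line.
function Get-AutorunTarget {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }           # quoted path, optional arguments
    if ($cmd -match '^(.+?\.(exe|dll|com|bat|cmd|scr))(\s|,|$)') {  # unquoted path, optional arguments
        return $Matches[1]
    }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if (-not $command.Trim()) { continue }
        $target = Get-AutorunTarget $command
        # Bare names such as rundll32.exe are resolved through PATH.
        if ($target -notmatch '^([A-Za-z]:\\|\\\\)') {
            $found = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($found) { $target = $found.Path }
        }
        # -Force lets Get-Item see hidden and system files.
        $file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
        $status = 'ok'
        if (-not $file) { $status = 'MISSING' }
        elseif ($file.Attributes -band [IO.FileAttributes]::Hidden) { $status = 'HIDDEN' }
        [pscustomobject]@{ Status = $status; Name = $name; Target = $target; Key = $key }
    }
}
$report | Sort-Object Status | Format-Table -AutoSize -Wrap

# DEP policy as reported by WMI; the byte is cast to int so the hashtable lookup matches.
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os = Get-CimInstance Win32_OperatingSystem
'DEP available: {0}; policy: {1}' -f $os.DataExecutionPrevention_Available,
    $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]
```

A MISSING or HIDDEN row is a prompt to look closer at that entry, not proof of infection. Entries launched through rundll32 resolve to rundll32.exe itself, so read the full command in the registry for those.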