
Cannot remove uacinit.dll - winlogon.exe application error persists



I think I am losing my mind - especially since this is a work computer!

Yesterday evening the winlogon.exe error began: "The instruction at "0x00620036" referenced memory at "0x00620036". The memory could not be "written". Click on OK to terminate the program. Click on CANCEL to debug the program." Clicking either or just closing the error window could result in a system shutdown. I finally figured out I could just ignore the error and continue to startup, so that is how I have access to the computer.

For the longest time, no scan would run... then I got MBAM to run by changing all of the .exe file names in the MBAM folder and restarting numerous times. I have managed to get rid of all of the trojan components except the pesky uacinit.dll file and its buddies.

Please help me! I have tried RootRepeal.exe, but it gives me this error:

ROOTREPEAL CRASH REPORT

-------------------------

Windows Version: Windows XP SP2

Exception Code: 0xc0000005

Exception Address: 0x0040a53f

Attempt to read from address: 0x018a77d3

My antivirus software, TrendOffice, tries to install at each startup so I assume the bug has messed with it too. I also tried Kaspersky AVP, it did not detect anything wrong.

Below are my HijackThis and MBAM logs - I will be forever indebted to you if you can help me get my computer clean.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:14:02 AM, on 8/11/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\ngvpnmgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\BEDevCtl.exe

C:\WINDOWS\system32\BEFCSvcn.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\LANDesk\Shared Files\residentagent.exe

C:\Program Files\LANDesk\LDClient\LocalSch.EXE

C:\WINDOWS\system32\CBA\pds.exe

C:\Program Files\LANDesk\LDClient\tmcsvc.exe

C:\PROGRA~1\LANDesk\LDClient\issuser.exe

C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\LANDesk\LDClient\collector.exe

C:\PROGRA~1\LANDesk\LDClient\LDregwatch.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\sgrmsrvn.exe

C:\WINDOWS\system32\rpcnet.exe

C:\WINDOWS\system32\SGN_MasterServicen.exe

C:\Program Files\LANDesk\LDClient\softmon.exe

C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

C:\PROGRA~1\LANDesk\LDClient\rcgui.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Utimaco\SafeGuard Enterprise\Client\SGNMaster.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cranet/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {497BE86B-DB92-4773-901B-93D84A145FA7} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [sGNMasterApplication] C:\Program Files\Utimaco\SafeGuard Enterprise\Client\SGNMaster.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {2DE00CA6-49B3-11D3-8826-00105A11D2F0} (Project1.SpellCheck) - http://finweb/webtime/MainOptions/SpellChecker.CAB

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://webvpn.crai.com/preauthWSC/winxp/AXXPEE.dll

O16 - DPF: {600F2D47-906C-11D3-AE3A-00105A11D2F0} (TimeClock.TimeClockControl) - http://finweb/webtime/MainOptions/TimeClock.CAB

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://vseapps1/viewer/activeXViewer/activexviewer.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://crai.webex.com/client/wbs25-vzbprod...bex/ieatgpc.cab

O16 - DPF: {E8671A88-E5DD-11CD-836C-0000C0C14E92} (SSMonth Control) - http://finweb/webtime/MainOptions/SSCALA32.CAB

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cra.int

O17 - HKLM\Software\..\Telephony: DomainName = cra.int

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cra.int

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = cra.int

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = cra.int

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - AppInit_DLLs: nsojph.dll

O20 - Winlogon Notify: SGSSOGinaExtension - C:\Program Files\Utimaco\SafeGuard Enterprise\SSO\SGSSOGinaExtension.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: SafeGuard® Device Encryption Controller (BEDevCtl) - Utimaco Safeware AG - C:\WINDOWS\system32\BEDevCtl.exe

O23 - Service: SafeGuard® Kernel Feature Client (BEFCSvcn) - Utimaco Safeware AG - C:\WINDOWS\system32\BEFCSvcn.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE

O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe

O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe

O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe

O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Unknown owner - C:\OfficeScan NT\NTRtScan.exe (file missing)

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: SafeGuard® Removable Media Manager (rmsrvn) - Unknown owner - C:\WINDOWS\system32\sgrmsrvn.exe

O23 - Service: Remote Procedure Call (RPC) Net (Rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SafeGuard® File Encryption (SGN_FEService) - Utimaco Safeware AG - C:\WINDOWS\system32\SGN_MasterServicen.exe

O23 - Service: SafeGuard® Log Service (SGN_LogSystem) - Utimaco Safeware AG - C:\WINDOWS\system32\SGN_MasterServicen.exe

O23 - Service: SafeGuard® System Event Manager (SGN_Sem) - Utimaco Safeware AG - C:\WINDOWS\system32\SGN_MasterServicen.exe

O23 - Service: SafeGuard® Transport Service (SGN_Trans) - Utimaco Safeware AG - C:\WINDOWS\system32\SGN_MasterServicen.exe

O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\TmListen.exe (file missing)

O23 - Service: OfficeScan NT Firewall (TmPfw) - Unknown owner - C:\OfficeScan NT\TmPfw.exe (file missing)

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Unknown owner - C:\OfficeScan NT\TmProxy.exe (file missing)

O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--

End of file - 11465 bytes

MBAM log:

Malwarebytes' Anti-Malware 1.40

Database version: 2551

Windows 5.1.2600 Service Pack 2

8/11/2009 9:57:18 AM

mbam-log-2009-08-11 (09-57-18).txt

Scan type: Quick Scan

Objects scanned: 132428

Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\SKYNETlog.dat (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

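A HijackThis log like the one above is reviewed by hand, section by section; the entries a reviewer looks at first are the O20 AppInit_DLLs line (a DLL loaded into every process that maps user32.dll, here given as a bare name that resolves from system32), the O20 Winlogon Notify DLLs (code running inside winlogon.exe, which is the process crashing in the first post), and O23 services whose binary is reported as "(file missing)" (here the OfficeScan components). The following Python script is an added example, not code from the forum or from any helper; it parses the HijackThis entry format and applies those triage rules to a constructed sample made of a few lines modelled on the posted log. The severities are heuristic labels, an assumption of this example, and a finding means "look at this", not "this is malware".

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not the full log from the post above: a few lines in
# HijackThis v2 format chosen to exercise each rule below.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: (no name) - {497BE86B-DB92-4773-901B-93D84A145FA7} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - AppInit_DLLs: nsojph.dll
O20 - Winlogon Notify: SGSSOGinaExtension - C:\Program Files\Utimaco\SafeGuard Enterprise\SSO\SGSSOGinaExtension.dll
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Unknown owner - C:\OfficeScan NT\NTRtScan.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

Finding = Tuple[str, str, str]  # (severity, section, explanation)


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every entry line in a HijackThis log.

    Header lines and the bare paths under "Running processes:" carry no
    section tag and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text: str) -> List[Finding]:
    """Apply reviewer triage rules to a HijackThis log and return findings.

    Severity labels are heuristics chosen for this example (assumption).
    """
    findings: List[Finding] = []
    for section, body in parse_entries(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                # AppInit_DLLs are mapped into every process that loads user32.dll.
                # A bare file name (no directory) resolves from system32, the same
                # directory where uacinit.dll sits in the MBAM log above.
                where = "bare name, resolved from system32" if "\\" not in value else value
                findings.append(("high", section,
                                 f"AppInit_DLLs is set to {value!r} ({where}); verify the DLL's publisher"))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            # Winlogon Notify DLLs execute inside winlogon.exe; a fault in one
            # takes winlogon down, which matches the error in the first post.
            findings.append(("review", section, f"DLL hooked into winlogon.exe: {body}"))
        elif section == "O23" and body.endswith("(file missing)"):
            # A registered service whose binary is gone: either an uninstall left
            # the key behind or something removed the file. For a security
            # product (OfficeScan here) the second possibility is the one to check.
            severity = "high" if "OfficeScan" in body else "medium"
            findings.append((severity, section, f"service binary missing: {body}"))
        elif section == "O2" and body.endswith("(no file)"):
            # Orphaned BHO registration: harmless by itself, but worth cleaning.
            findings.append(("low", section, f"orphaned BHO registration: {body}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity label."""
    counts: Dict[str, int] = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, section, why in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {section}: {why}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample it reports the AppInit_DLLs entry and the missing OfficeScan binary as high, the SafeGuard Winlogon Notify DLL as review, and the orphaned BHO as low; the Bonjour service and the iTunes Run entry produce nothing. To use it on a real log, pass the log text to `triage()` instead of `SAMPLE_LOG`.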

  • Staff

Hi,

I think I am losing my mind - especially since this is a work computer!
Since you are posting a log from a company-owned computer, there are a few things that need attention before we proceed with this.

* You must inform your Supervisor immediately.

This is because:

  • Most company machines are connected into a network at some time or other, and your infection may compromise the security of that network.
  • If sensitive material is compromised by an infection, your company could be held liable.

* Your Company must give permission for us to give you assistance.

This is because:

  • We are not here to replace your company's IT Department. If there's an IT Department, then they are responsible to deal with this.
  • There may be sensitive material on your computer that your company would not want revealed in an open forum.

Also, since this is a computer used at work, the first thing I always advise is to back up important files you don't want to lose, since malware makes a system unstable and it may happen that it suddenly won't boot anymore because of the damage already present.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Thanks for your prompt reply miekiemoes!

I notified the ITS at my company as soon as I saw the problem, but they told me that their expertise does not extend to this kind of a complicated problem and actually suggested that I consult a serious HijackThis helper. They will make me wipe and reinstall my computer if this doesn't work anyway so I have to give it a shot. I have backed up all of my files that are not on the server and disconnected from the network - I am using my internet connection at home, though I still have access to company e-mail and intranet, just not any files.

I downloaded ComboFix.exe and added an exception to the Windows XP firewall for the program as I cannot turn the firewall completely off. However, my system crashed again after running ComboFix because even though I closed all other windows, the winlogon.exe application error window was still open (if I close it, blue screen of death) and once ComboFix started running the error window was closed (presumably by ComboFix?) and of course the system crashed immediately. I get the application error window even in safe mode - is there any way I can get around it and run ComboFix?

Thanks so much again!



  • Staff

Hi,

No need to close system files, since that will indeed result in an error.

Did you disable your Officescan and any other Security program?

Also, do you have the Recovery console installed here?

The winlogon error may actually be mainly caused by Utimaco Safeware AG, because it's hooked under it, and since this computer is so severely infected, it wouldn't surprise me that it causes errors now.

Can you temporarily uninstall Utimaco Safeware AG? It may interfere with ComboFix etc., and since your computer is already infected anyway, it won't be much of a help either.

Then try ComboFix again.

Also, I wonder if this scan will help..

Please download SysProt Anti-Rootkit from the link below (you will find it at the bottom of that page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip the .zip file into a folder on your desktop.

  • Double-click Sysprot.exe to start the program (Vista users please right-click and select Run as Administrator).
  • Click on the Log tab.
  • In the Write to log section, place a check in these boxes only:
    • Process
    • Kernel Modules
    • SSDT
    • Kernel Hooks
    • Hidden Files
  • Also check the Hidden Objects Only box at the bottom of the window.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear asking you to configure the hidden files scan.
  • Select Scan root drive only. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished, then close the program.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log it contains in your next reply.


I seem to be making everything worse - after the failed ComboFix run, the computer rebooted and now when I start it up a "Windows Antivirus Pro" fake alert pops up and has disabled everything - from MBAM to Add/Remove Programs (when I tried to uninstall Utimaco). I rebooted again and started in safe mode, and though the fake alert is no longer there, I still can't open anything...

I will ask the ITS guys about uninstalling Utimaco, but I am doubtful it can be done since these computers seem to be unable to run without it.

Thanks so much again!


  • Staff

Hi,

Looks like this is almost a lost case here, which doesn't surprise me at all with this severely infected computer (work computer :( )

Renaming most applications to system file names such as iexplore.exe, winlogon.exe, explorer.exe should work in your case (since the malware uses an allowlist and blocks all the rest), but to be honest, for computers used for work I don't really recommend a manual cleanup; I prefer a format and reinstall instead. This is because you must be able to trust this computer 100% afterwards, and it should be working properly afterwards as well. In your case, when you clean it up manually, you'll never be able to trust this computer anymore and errors/crashes may still be present. Manual cleanup will also take a lot of time.

So it's your call here: either you proceed with manual removal (if still possible) with the risk that you will never be able to trust this computer anymore and may put the entire company at risk, or you proceed with a format and reinstall (you have backed up important data already anyway).

The choice shouldn't be that hard though and in a way, it would be irresponsible of me to not recommend this.


Thanks for the advice, I am really seriously considering it. It seems that the computer is so heavily encrypted anyway to protect our firm in case someone would get a hold of the computer that a manual cleanup seems very challenging - especially getting around Utimaco/SafeGuard. There will be a lot of program reinstalling, but that's about it - I guess the price is not that high.

Is there any chance that the files I backed up once the computer was already infected could infect it again once we did the reinstall and I brought the files back from the server where I stored them? It would be just terrible to lose everything through a reinstall and still be stuck with the Trojan because of those files...

THANK YOU, so much - you have been so patient and helpful.


  • Staff

Hi,

It seems that the computer is so heavily encrypted anyway to protect our firm in case someone would get a hold of the computer that a manual cleanup seems very challenging
If it was, then how did the malware come in? Anyway, it's badly compromised, that I can tell. Once malware gets in, whatever you try, malware is on top and disables whatever is needed to pass extra data, download extra data, and upload important info. That's why I also strongly suggest you change all your passwords afterwards, since they may be known.

As far as I can see here, you weren't dealing with a file infector, so the files you backed up should be safe.

On the other side, in case you were dealing with a file infector (Virut, as it would have been in this case), then the files would be lost anyway, because scanners would disinfect the files instead, and because it's a buggy infector, files cannot properly be disinfected either, so they would be corrupted anyway and programs would need to be reinstalled in such cases.

Maybe it's time to invest in good backup software - or even better, in backup software where you can create a full backup of the drive. Acronis TrueImage has that option, so if you get infected, all it takes is to revert to a previous backup (which is actually a clone of the drive).

Also, please read my Prevention page with lots of info and tips on how to prevent this in the future.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

After all, prevention is better than removal :(


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

