Trojan Wigon.I
ASpace
March 11th, 2007, 05:38 AM
Hello.
I have a little problem with a person in NOD's BG forum. NOD32 detects this trojan in a file on his computer:
c:\windows\system32\winlogon.exe
> Scan performed at: 3/10/2007 16:04:41
> Scanning Log
> NOD32 version 2106 (20070310) NT
> Command line: c:\windows\system32\winlogon.exe
> Operating memory - Win32/Wigon.I trojan
> Date: 10.3.2007 Time: 16:05:19
> Scanned disks, folders and files: c:\windows\system32\winlogon.exe
> c:\windows\system32\winlogon.exe - Win32/Wigon.I trojan - deleted (after the next restart) [2]
> Number of scanned files: 1
> Number of threats found: 1
> Number of files cleaned: 1
> Time of completion: 16:05:24 Total scanning time: 5 sec (00:00:05)
> Notes:
> [2] File is being used (open or running). System restart is required for the cleaning to complete.
Generally I have no problem telling him to delete the file with some tools, but I'm a little bit concerned because this file coincides with the path of the original legitimate Windows file winlogon.exe. I am concerned because of this and because I have heard of malware which overwrites the original file, and if this is deleted the computer will crash. I have heard that such an infection should be cured with the Windows CD, running sfc.exe, which will replace the infected one with the original one and the trojan will be gone. Since I have no information about how this trojan works I would like some advice from knowledgeable people here at Wilders ;D
Thanks
Marcos
March 11th, 2007, 07:06 AM
I'd suggest you do the following:
- rename winlogon.exe
- copy a clean winlogon.exe instead
- restart the computer
steve1955
March 11th, 2007, 07:13 AM
By the posted logfile it looks to me as if NOD is going to complete cleaning the file on reboot, or am I misreading it? If it returns after that there is probably a reg entry that also needs removing.
ASpace
March 11th, 2007, 08:10 AM
> By the posted logfile it looks to me as if NOD is going to complete cleaning the file on reboot, or am I misreading it? If it returns after that there is probably a reg entry that also needs removing.
His HijackThis log file doesn't show anything about that file.
And yes, it is returning after restart.
ASpace
March 11th, 2007, 08:22 AM
> I'd suggest you do the following:
> - rename winlogon.exe
> - copy a clean winlogon.exe instead
> - restart the computer
This person said that it can't be accessed even in Safe Mode, and he mentioned he tried deleting it from Safe Mode with no success. Which means he may not be able to rename it. Marcos, could you provide more suggestions about the part of renaming? Thanks
steve1955
March 11th, 2007, 08:43 AM
Check reg values in
local machine/software/microsoft/windows/current version/run (runonce, runoncex etc.) and see if there is an entry that shouldn't be there relating to it.
ASpace
March 11th, 2007, 08:56 AM
Thanks. Since he is not so knowledgeable to touch the registry, I may ask him for AutoRuns logs; it should show there (the run key).
steve1955
March 11th, 2007, 09:04 AM
Was going to suggest that next (nice one). Has he got it installed?
May seem a simple fix, but has he/she got a restore point on his PC from before he got "infected"? It can work!
Bubba
March 11th, 2007, 09:08 AM
> I may ask him for AutoRuns logs, it should show there (the run key)
Those learned in HJT log reviewing would be able to observe any "run key" entries in "His HijackThis log" along with other items possibly of interest.
Bubba
ASpace
March 11th, 2007, 09:22 AM
The problem is that his HJT log shows nothing about winlogon.exe, which makes me think Windows finds it legit. It runs from the same location as the legit Windows application. His HJT log showed two other malware which he removed.
My question was if this is the case here. If anybody knows something (not only ESET Mods but everybody), they are welcome.
Bubba
March 11th, 2007, 09:33 AM
> The problem is that his HJT log shows nothing about winlogon.exe
Regardless that the HJT shows nothing about winlogon.exe... the viewing of the run key entries would possibly show an entry that's not legit to those learned in HJT log reviewing.
> which makes me think Windows finds it legit
Take that assumption a step further and check the properties of that particular winlogon.exe file.
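As an added example, not code from the thread, from ESET or from any of the posters: a PowerShell triage script that combines the two checks suggested above, steve1955's review of the Run/RunOnce keys and Bubba's look at the properties of the particular winlogon.exe file. It assumes a modern Windows PowerShell session (Get-AuthenticodeSignature and Get-FileHash are not available on the XP-era systems discussed here), and the `-ReferencePath` parameter is a hypothetical clean copy of winlogon.exe taken from an identical Windows build, as Marcos recommends.

```powershell
# Added example: triage a suspicious winlogon.exe and list the classic
# autostart (Run) keys. Not code from the thread; $ReferencePath is a
# hypothetical clean copy from a machine with the very same OS version.

function Get-RunKeyEntries {
    # Enumerate every value under the Run/RunOnce/RunOnceEx keys for the
    # machine and the current user. Missing keys are skipped silently.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key              = $key
                Name             = $name
                Value            = $value
                # The genuine winlogon.exe is started by the system itself,
                # never from a Run key, so any mention here deserves a look.
                MentionsWinlogon = ($value -match 'winlogon\.exe')
            }
        }
    }
}

function Test-WinlogonFile {
    param(
        [string]$Path = "$env:SystemRoot\System32\winlogon.exe",
        [string]$ReferencePath   # hypothetical clean copy, same OS build
    )
    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $matchesReference = $null
    if ($ReferencePath -and (Test-Path -LiteralPath $ReferencePath)) {
        $refHash = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256).Hash
        $matchesReference = ($refHash -eq $hash)
    }

    [pscustomobject]@{
        Path             = $file.FullName
        SizeBytes        = $file.Length
        LastWriteTime    = $file.LastWriteTime
        FileVersion      = $file.VersionInfo.FileVersion   # must match the OS build
        CompanyName      = $file.VersionInfo.CompanyName
        # winlogon.exe is catalog-signed; older Windows versions may report
        # NotSigned even for a clean file, so do not rely on this alone.
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256           = $hash
        MatchesReference = $matchesReference
    }
}

# Usage: inspect the file, then review the autostart entries.
Test-WinlogonFile | Format-List
Get-RunKeyEntries | Sort-Object MentionsWinlogon -Descending | Format-Table -AutoSize
```

A file whose CompanyName is not Microsoft, whose version does not match the installed build, or whose hash differs from the reference copy is the case the thread is worried about; in that situation the replacement from clean media that Marcos describes (or `sfc /scannow` from a booted system, which verifies protected system files) is the fix, not deleting the file outright, since Windows cannot log on without winlogon.exe.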
ASpace
March 13th, 2007, 02:32 PM
Just to update my thread.
I didn't reply earlier because of technical reasons and lack of internet. Sorry! :)
Since it has been 3+ days since this guy last posted, the case is now frozen.
Thanks very much for the help :thumb:
aigle
March 13th, 2007, 03:32 PM
> This person said that it can't be accessed even in Safe Mode, and he mentioned he tried deleting it from Safe Mode with no success. Which means he may not be able to rename it. Marcos, could you provide more suggestions about the part of renaming? Thanks
Via BartPE.
ASpace
March 13th, 2007, 04:04 PM
You don't understand me. This person is an end-user. I myself know and can do it, and if it was on my computer or on a computer I have physical access to I would delete the file and replace it with a new clean MS copy. But I can't explain to an end-user, not so knowledgeable, not in my town, how to get and use Bart PE and boot from a media. :thumb:
I was seeking an easy solution, but as I said it is now not needed because he hasn't replied to my posts, so frozen. If necessary I have some things in my mind to offer him ;)
Thanks anyway
aigle
March 13th, 2007, 04:25 PM
> You don't understand me. This person is an end-user. I myself know and can do it, and if it was on my computer or on a computer I have physical access to I would delete the file and replace it with a new clean MS copy. But I can't explain to an end-user
It can be, if u make a dummy article for him, but it needs a lot of time. Or a repair install of XP.
Anyway, as u said, not needed now.
spitfirre
March 18th, 2007, 06:34 PM
Hello all,
same problem here with this Wigon crap!
I renamed it and moved it to another location than sys32,
but still I can't delete it!
Nothing works: Ad-Aware, Spybot, NOD32 :wacko:
A nice guide how to get rid of it please? Thank you.
P.S.: I'm quite a noob in computers, so excuse my words.
Marcos
March 19th, 2007, 02:16 AM
The least tricky procedure would be booting from a safe media and replacing winlogon.exe with a clean copy from the installation CD or another clean computer with the very same OS version installed.
Highliner
March 19th, 2007, 06:38 PM
Hi,
I have a problem with Wigon.I as well... here's my HJT log, I hope somebody can find out something because I am not familiar with all this at all...
Many thanks!
~HJT log removed as per this Announcement (http://www.wilderssecurity.com/showthread.php?t=42148)....Bubba~
spitfirre
March 19th, 2007, 08:29 PM
Hhhheeeyyyyyy!!!! I got it! I fixed this crap! Do this:
1. Stop System Restore
2. Run the antivirus
3. Delete the virus
4. Reboot
5. Turn System Restore back on!!!
It works for me! I have NOD32! Good luck.
For shutting down System Restore: go to Start > All Programs > Accessories > System Tools > System Restore > System Restore Settings > mark "Turn off System Restore on all drives" > Apply > OK.
After reboot the comp will prompt you with a msg alert that your System Restore is off. Put it on again, and.... everything is OK! Hope it works for you!
Good luck!
Before this I cut and copied the virus from system32 out of the Windows folder, somewhere else (don't think it matters, but just in case), and renamed it! Try this first!
calmetcalfe
March 22nd, 2007, 06:51 AM
I have the same problem with this Wigon Trojan and have tried to delete it as per spitfirre's suggestion, but no such luck. NOD32 picks up the problem, but after rebooting the Trojan still remains. Can someone steer me in the right direction? I am not a genius with computers, so easy steps please. Fingers crossed!
trjam
March 22nd, 2007, 07:04 AM
Download Dr.Web CureIt and try. It's free.
calmetcalfe
March 22nd, 2007, 11:14 AM
Downloaded Dr.Web and ran a scan; it reported no threats found, but I still have the trojan. What's next?
Blackspear
March 22nd, 2007, 08:22 PM
Hi calmetcalfe, welcome to Wilders.
Please forward logs from the following programs to support office in your country:
Download HijackThis from HERE (http://www.wilderssecurity.com/showthread.php?t=12516)
Download Autoruns from HERE (http://www.sysinternals.com/Utilities/Autoruns.html)
Download Lookinmypc from HERE (http://www.lookinmypc.com)
1. Select "Generate report"
2. Wait - scan results will pop up in a browser
3. Go to folder with LookInMyPC installed (default in C:\ProgramFiles\LookInMyPC\Reports\username\LookInMyPC.zip), and attach LookInMyPC.zip to the reply email
Then run the other 2 programs and forward the logs from all three programs together with the following:
1. Go to the NOD32 Control Centre
2. Click on Logs
3. Right Click on one of last completed full system scan logs.
4. Click on “Details”
5. Right Click anywhere on the scan log
6. Click on “copy all”
7. Right Click in the replying email to me.
8. Click on “Paste”
This will paste a copy of one of the scans you have completed.
Let us know how you go...
Cheers ;D
Marcos
March 23rd, 2007, 02:49 AM
I'd suggest you boot from a clean media and replace winlogon.exe with a clean copy (should be the very same version from another computer or extract it from your Windows installation cd).
calmetcalfe
March 23rd, 2007, 08:52 AM
Thank you for your help; my computer skills are not very good, I'm afraid. When I tried to paste the scan report from NOD, the paste selection is not highlighted, so it does not attach when I right-click reply to you.
May be a computer shop job to fix!
Blackspear
March 23rd, 2007, 08:59 AM
Show someone this thread and have them complete Marcos's instructions as posted above.
Cheers ;D