Help remove win32/Wigon Trojan

Discussion in 'ESET NOD32 Antivirus' started by bdmc, Aug 18, 2008.

Thread Status:
Not open for further replies.
  1. bdmc

    bdmc Registered Member

    Joined:
    May 11, 2006
    Posts:
    55
    Hi All,

    I have just been handed a PC that didn't have anti-virus installed. I have just installed NOD32, and it has found a few files infected with win32/wigon trojan.

    It was able to remove some of the infected files, but 1 file is unable to be removed.

    c:\windows\system32\drivers\Tah20.sys

    In safemode, I am still unable to rename or delete this file.

    Under HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal, there is a key for Tah20.sys, which I am unable to delete from the registry. So the driver is starting up even in safemode.

    For some reason my BartPE boot disk isn't able to see the harddisk.. Encryption is turned off though...

    Anyone have any ideas?
     
    bdmc, Aug 18, 2008
    #1
  2. nonoise

    nonoise Registered Member

    Joined:
    Jun 6, 2008
    Posts:
    322
    use superantispyware home
     
    nonoise, Aug 18, 2008
    #2
  3. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
    Hello,

    try to use Avenger with this script:

    Code:
    Drivers to delete:
Tah20

Files to delete:
c:\windows\system32\drivers\Tah20.sys

    Regards
     
    Kosak, Aug 18, 2008
    #3
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...