Trojan Wigon.I

Discussion in 'NOD32 version 2 Forum' started by ASpace, Mar 11, 2007.

Thread Status:
Not open for further replies.
  1. ASpace

    ASpace Guest

    Hello .
    I have a little problem with a person in NOD's BG forum. NOD32 detects this trojan in a file on his computer
    c:\windows\system32\winlogon.exe

    Generally I have no problem telling him to delete the file with some tools, but I'm a little bit concerned because this file coincides with the path of the original legitimate Windows file winlogon.exe. I am concerned because of this and because I have heard of malware which overwrites the original file, and if this is deleted the computer will crash. I have heard that such an infection should be cured with the Windows CD, running sfc.exe, which will replace the infected one with the original one and the trojan will be gone. Since I have no information about how this trojan works I would like some advice from knowledgeable people here at Wilders :D

    Thanks
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest you do the following:
    - rename winlogon.exe
    - copy a clean winlogon.exe instead
    - restart the computer
     
  3. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    By the posted logfile it looks to me as if NOD is going to complete cleaning the file on reboot, or am I misreading it? If it returns after that there is probably a reg entry that also needs removing.
     
  4. ASpace

    ASpace Guest

    His HijackThis log file doesn't show anything about that file.
    And yes, it is returning after restart.
     
  5. ASpace

    ASpace Guest

    This person said that it can't be accessed even in Safe Mode, and he mentioned he tried deleting it from Safe Mode with no success. Which means he may not be able to rename it. Marcos, could you provide more suggestions about the part of renaming? Thanks
     
  6. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Check reg values in
    Local Machine/Software/Microsoft/Windows/CurrentVersion/Run (RunOnce, RunOnceEx etc.) and see if there is an entry that shouldn't be there relating to it.
     
  7. ASpace

    ASpace Guest

    Thanks. Since he is not so knowledgeable to touch the registry, I may ask him for AutoRuns logs; it should show there (the Run key).
     
  8. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Was going to suggest that next (nice one). Has he got it installed?
    May seem a simple fix, but has he/she got a restore point on his PC from before he got "infected"? It can work!
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Those learned in HJT log reviewing would be able to observe any "run key" entries in "His HijackThis log" along with other items possibly of interest.

    Bubba
     
  10. ASpace

    ASpace Guest

    The problem is that his HJT log shows nothing about winlogon.exe, which makes me think Windows finds it legit. It runs from the same location as the legit Windows application. His HJT log showed two other malware which he removed.

    My question was if this is the case here. If anybody knows something (not only ESET Mods but everybody) they are welcome.
     
  11. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Regardless that the HJT shows nothing about winlogon.exe... the viewing of the run key entries would possibly show an entry that's not legit to those learned in HJT log reviewing.
    Take that assumption a step further and check the properties of that particular winlogon.exe file.
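    A read-only triage script for the two checks suggested in this thread (the Run/RunOnce keys from steve1955's post and the file properties from Bubba's), added here as an example; it is not code from the thread or from ESET. It assumes Windows PowerShell 3 or later with Get-AuthenticodeSignature available and the machine's own winlogon.exe under %SystemRoot%\System32.

```powershell
# Added example, not code from the thread. Read-only triage for a flagged
# winlogon.exe: report the file's signature and version, then list Run/RunOnce
# autostart entries so one that points at winlogon.exe stands out.
$target = Join-Path $env:SystemRoot 'System32\winlogon.exe'

function Get-WinlogonInfo {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $file = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        # 'Valid' with a Microsoft signer is expected on Vista and later. On
        # XP-era systems the binary is catalog-signed, so 'NotSigned' alone
        # does not prove tampering; compare Version/Size with a clean copy.
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Version   = $file.VersionInfo.FileVersion
        Company   = $file.VersionInfo.CompanyName   # expect 'Microsoft Corporation'
        SizeBytes = $file.Length
        Modified  = $file.LastWriteTime
    }
}

function Get-RunKeyEntries {
    # The keys named in the thread, for both the machine and the current user.
    $keys = 'HKLM:', 'HKCU:' | ForEach-Object {
        "$_\Software\Microsoft\Windows\CurrentVersion\Run",
        "$_\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = (Get-ItemProperty -LiteralPath $key).PSObject.Properties
        foreach ($p in $props) {
            # Skip the provider metadata PowerShell attaches to every item.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $value = [string]$p.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $value
                # The genuine winlogon.exe is started by the system itself, never
                # from a Run key, so any entry naming it deserves a closer look.
                Suspicious = [bool]($value -match 'winlogon\.exe')
            }
        }
    }
}

Get-WinlogonInfo -Path $target | Format-List
Get-RunKeyEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

    The script changes nothing; if the version or size differs from a clean copy of the same OS version, the replacement Marcos describes (from clean boot media) is the fix, not deleting the file in place.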
     
  12. ASpace

    ASpace Guest

    Just to update my thread.

    I didn't reply earlier because of technical reasons and lack of internet. Sorry! :)

    Since it has been 3 days+ since this guy last posted, the case is now frozen.
    Thanks very much for the help :thumb:
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Via BartPE.
     
  14. ASpace

    ASpace Guest

    You don't understand me. This person is an end-user. I myself know and can do it, and if it was on my computer or on a computer I have physical access to I would delete the file and replace it with a new clean MS copy. But I can't explain to an end-user, not so knowledgeable, not in my town, how to get and use Bart PE and boot from a media. :thumb:
    I was seeking an easy solution but, as I said, it is now not needed because he hasn't replied to my posts, so frozen. If necessary I have some things in my mind to offer him ;)
    Thanks anyway
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can be, if you make a dummy article for him, but it needs a lot of time. OR a repair install of XP.
    Anyway, as you said, not needed now.
     
  16. spitfirre

    spitfirre Registered Member

    Joined:
    Mar 18, 2007
    Posts:
    2
    Hello all,
    same problem here with this Wigon crap!
    I renamed it and moved it to another location than sys32,
    but still I can't delete it!
    Nothing works: Ad-Aware, Spybot, NOD32 o_O
    A nice guide on how to get rid of it please? Thank you.
    P.S.: I'm quite a noob in computers, so excuse my words.
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The least tricky procedure would be booting from a safe media and replacing winlogon.exe with a clean copy from the installation CD or another clean computer with the very same OS version installed.
     
  18. Highliner

    Highliner Registered Member

    Joined:
    Mar 19, 2007
    Posts:
    1
    Hi,

    I have a problem with Wigon.I as well... here's my HJT log, I hope somebody can find out something because I am not familiar with all this at all...

    Many thanks!

    ~HJT log removed as per this Announcement....Bubba~
     
    Last edited by a moderator: Mar 19, 2007
  19. spitfirre

    spitfirre Registered Member

    Joined:
    Mar 18, 2007
    Posts:
    2
    Hhhheeeyyyyyy!!!! I got it! I fixed this crap! Do this:
    1. stop System Restore
    2. run the antivirus
    3. delete the virus
    4. reboot
    5. turn System Restore back on!!!
    It works for me! I have NOD32! Good luck.

    For shutting down System Restore: go to Start > All Programs > Accessories > System Tools > System Restore > System Restore Settings > mark "Turn off System Restore on all drives" > Apply > OK.
    After reboot the computer will prompt you with a message alert that your System Restore is off. Turn it on again, and... everything is OK! Hope it works for you!
    Good luck!

    Before that, I cut and copied the virus from system32 to somewhere else outside the Windows folder (don't think it matters, but just in case) and renamed it! Try this first!
     
  20. calmetcalfe

    calmetcalfe Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    3
    I have the same problem with this Wigon Trojan and have tried to delete it as per spitfirre's suggestion, but no such luck. NOD32 picks up the problem but after rebooting the Trojan still remains. Can someone steer me in the right direction? I am not a genius with computers so easy steps please. Fingers crossed!
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Download Dr.Web CureIt and try. It's free.
     
  22. calmetcalfe

    calmetcalfe Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    3
    Downloaded Dr.Web and ran a scan; it reported no threats found, but I still have the trojan. What's next?
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi calmetcalfe, welcome to Wilders.

    Please forward logs from the following programs to support office in your country:

    Download HijackThis from HERE

    Download Autoruns from HERE

    Download Lookinmypc from HERE
    1. Select "Generate report"
    2. Wait - scan results will pop up in a browser
    3. Go to folder with LookInMyPC installed (default in C:\ProgramFiles\LookInMyPC\Reports\username\LookInMyPC.zip), and attach LookInMyPC.zip to the reply email

    Then run the other 2 programs and forward the logs from all three programs together with the following:

    1. Go to the NOD32 Control Centre
    2. Click on Logs
    3. Right Click on one of last completed full system scan logs.
    4. Click on “Details”
    5. Right Click anywhere on the scan log
    6. Click on “copy all”
    7. Right Click in the replying email to me.
    8. Click on “Paste”

    This will paste a copy of one of the scans you have completed.

    Let us know how you go...

    Cheers :D
     
  24. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd suggest you boot from a clean media and replace winlogon.exe with a clean copy (should be the very same version from another computer or extract it from your Windows installation cd).
     
  25. calmetcalfe

    calmetcalfe Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    3
    Thank you for your help; my computer skills are not very good I'm afraid. When I tried to paste the scan report from NOD, the Paste selection is not highlighted, so it does not attach when I right-click in the reply to you.
    May be a computer shop job to fix!
     