Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Trojan Wigon.I

Post by HiTech_boy » March 11th, 2007, 6:54 am

Hello.
I have a little problem with a person's computer. NOD32 detects this trojan in a file on his computer:
c:\windows\system32\winlogon.exe

Scan performed at: 3/10/2007 16:04:41
Scanning Log
NOD32 version 2106 (20070310) NT
Command line: c:\windows\system32\winlogon.exe
Operating memory - Win32/Wigon.I trojan

Date: 10.3.2007 Time: 16:05:19
Scanned disks, folders and files: c:\windows\system32\winlogon.exe
c:\windows\system32\winlogon.exe - Win32/Wigon.I trojan - deleted (after the next restart) [2]
Number of scanned files: 1
Number of threats found: 1
Number of files cleaned: 1
Time of completion: 16:05:24 Total scanning time: 5 sec (00:00:05)

Notes:
[2] File is being used (open or running). System restart is required for the cleaning to complete.


Generally I have no problem telling him to delete the file with some tools, but I'm a little bit concerned because this file coincides with the path of the original legitimate Windows file winlogon.exe. I am concerned because of this and because I have heard of malware which overwrites the original file, and if this is deleted the computer will crash. I have heard that such an infection should be cured with the Windows CD, running sfc.exe, which will replace the infected one with the original one, and the trojan will be gone.

Since I have no information about how this trojan works, I would like some advice from knowledgeable people here on how to deal with this.

Thanks very much! ;)
HiTech_boy

Post by Angelfire777 » March 12th, 2007, 9:12 am

Hi, welcome to Malware Removal :)

> Generally I have no problem telling him to delete the file with some tools, but I'm a little bit concerned because this file coincides with the path of the original legitimate Windows file winlogon.exe. I am concerned because of this and because I have heard of malware which overwrites the original file, and if this is deleted the computer will crash.

Actually, it is the legit Winlogon.exe, but it has been patched by malware. You are right: if it gets deleted, the computer won't get to the desktop anymore.

> I have heard that such an infection should be cured with the Windows CD, running sfc.exe, which will replace the infected one with the original one, and the trojan will be gone.

As of now, we can replace it manually if the computer can still boot.

> Since I have no information about how this trojan works, I would like some advice from knowledgeable people here on how to deal with this.

This trojan is actually very nasty. The patched winlogon.exe is used to call a rootkit on your system.

Before we start, please tell me if the computer can reach the desktop and if so,

* Click HERE to download a self-extracting version of Hijackthis. Double-click on the file; by default it will extract itself to C:\Hijackthis

Next, double-click on Hijackthis.exe. Click "Scan System and Save a Logfile." A Notepad window will appear on your screen; copy and paste the contents of the Notepad window into your next reply.


* Please download SRENG

1. Extract it to Desktop & double click SREng.exe to run it

2. Select 'Smart Scan' & tick "Verify Digital Signatures"

3. Click on the [Scan] button

4. When finished, click on the [Save Reports] button & save the log to Desktop

5. Copy all the contents of the report to your next reply.
Angelfire777
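
A present-day way to make the check this thread turns on (is the flagged winlogon.exe still the vendor-signed file, or has it been altered?), given as an added example that is not part of the original posts. It assumes Windows PowerShell 5.1 or later, an elevated prompt, and a Windows version whose sfc.exe supports /verifyfile; the function name Test-SystemBinary is hypothetical.

```powershell
# Added example (not from the thread): triage a system binary that an AV
# product flagged before anyone deletes or replaces it.
# Assumes Windows PowerShell 5.1+ and an elevated prompt for sfc.exe.
function Test-SystemBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $item = Get-Item -LiteralPath $Path -Force

    # A file altered after signing no longer matches its embedded or catalog
    # signature, so Status stops being 'Valid' (e.g. HashMismatch, NotSigned).
    $trusted = ($sig.Status -eq 'Valid') -and $sig.IsOSBinary

    [pscustomobject]@{
        Path             = $Path
        SignatureStatus  = $sig.Status
        SignatureType    = $sig.SignatureType      # Authenticode or Catalog
        IsOSBinary       = $sig.IsOSBinary
        Signer           = $sig.SignerCertificate.Subject
        SHA256           = $hash.Hash              # record for the case notes
        FileVersion      = $item.VersionInfo.FileVersion
        LastWriteTimeUtc = $item.LastWriteTimeUtc
        Trusted          = $trusted
    }
}

$target = Join-Path $env:SystemRoot 'System32\winlogon.exe'
$result = Test-SystemBinary -Path $target
$result | Format-List

if (-not $result.Trusted) {
    # Do not delete the file: as the reply above says, the machine will not
    # reach the desktop without it. Ask Windows Resource Protection to check
    # this one file; details are written to %windir%\Logs\CBS\CBS.log.
    Write-Warning "$target failed signature validation; verifying with sfc."
    & sfc.exe "/verifyfile=$target"
    Write-Host "If a violation is reported, repair with: sfc /scanfile=$target"
}

# Caveat: the thread mentions a rootkit. Code running in the kernel can hide
# changes from tools on the live system, so a 'Valid' result here is weaker
# evidence than the same check run against the disk from clean boot media.
```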

Post by Angelfire777 » March 20th, 2007, 1:46 pm

Hi, how is it doing?
Angelfire777

Post by NonSuch » April 3rd, 2007, 3:17 am

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch