
Win32/Wigon.I trojan

Hi all

I have a problem with this Win32/Wigon.I trojan and it is affecting my Winlogon file. I use NOD32 Antivirus software and it detects it and tells me to delete it, and that it will be deleted and solved on the next reboot, but when I reboot the problem persists. Every time I start any program NOD32 pops up a window with a warning of a threat and instructions to delete it as described.

I have followed the instructions and am including my logs.

Thanks in advance for any help.

Comments

  • edited March 2007
    and my HJT log is here

    Thanks
  • VekaVeka Finland
    edited March 2007
    Hi again nkvd. :) I'll check your logs, please wait.
  • VekaVeka Finland
    edited March 2007
    Does T-HT ring a bell?

    Please run HijackThis and click Do a system scan only. Check the boxes next to all the entries listed below:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\CDS300\__CDS2.dll (file missing)


    Remove E:\CDS300\__CDS2.dll (if found).

    If you like, fix these unneeded startup entries:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    and empty C:\Program Files\ESET\infected folder.

    It appears you don't have a firewall. Please choose one below:

    Comodo
    Zone Alarm
    Sunbelt Kerio PF
    Outpost Firewall

    Download, install and reboot. After that, please update your Windows and Internet Explorer.
    http://windowsupdate.microsoft.com/ (IE only)

    Post new HijackThis log.
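The O4, O18 and R0 lines quoted above are the kind of entries a HijackThis triage turns on. As an added example (my own code, not HijackThis's and not anything posted in this thread), here is a Python parser that reads those three line formats, pulls out the executable or DLL behind each entry, and flags the conditions a helper looks at first: a target marked (file missing), a Run-key command that is only a bare filename resolved through PATH, a Local Page value that is not a URL or an absolute path, and any third-party protocol handler. The sample log is constructed from the entries quoted in the post; the flag rules are my own heuristics and are labelled as such in the code.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the entries quoted in the post above, in HijackThis log format.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = \\blank.htm
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\\CDS300\\__CDS2.dll (file missing)
"""

MISSING = " (file missing)"   # HijackThis appends this when the target is absent

O4_RUN = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<folder>(?:Global |User )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O18_PROTO = re.compile(r"^O18 - Protocol: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
R_LINE = re.compile(r"^(?P<kind>R[0-3]) - (?P<key>.+?),(?P<value>.+?) = (?P<data>.*)$")


@dataclass
class Entry:
    kind: str                 # HijackThis section: R0, O4, O18, ...
    name: str                 # value name, .lnk name or protocol name
    target: str               # executable, DLL or value data
    file_missing: bool = False
    reasons: list = field(default_factory=list)   # heuristic reasons to look twice


def split_missing(text):
    if text.endswith(MISSING):
        return text[: -len(MISSING)], True
    return text, False


def exe_from_cmd(cmd):
    """Extract the program path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: take the shortest prefix that ends in an
    # executable extension followed by whitespace or end of line.
    m = re.match(r"(?i)(.*?\.(?:exe|com|bat|cmd|scr))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_line(line):
    """Parse one log line into an Entry, or return None for unsupported sections."""
    line = line.rstrip()
    m = O4_RUN.match(line) or O4_STARTUP.match(line)
    if m:
        cmd, missing = split_missing(m.group("cmd"))
        entry = Entry("O4", m.group("name"), exe_from_cmd(cmd), missing)
        # Heuristic: a bare filename is resolved through the PATH search order at
        # logon, so the log alone does not tell you which file actually runs.
        if not re.match(r"(?i)^[a-z]:\\|^\\\\|^%", entry.target):
            entry.reasons.append("bare filename resolved via PATH; confirm which file runs")
    elif (m := O18_PROTO.match(line)):
        path, missing = split_missing(m.group("path"))
        entry = Entry("O18", m.group("name"), path, missing)
        # Heuristic: every extra protocol handler is worth a look; its DLL is
        # loaded whenever a <name>: URL is opened.
        entry.reasons.append(f"non-default protocol handler for {entry.name}: URLs; confirm the DLL's publisher")
    elif (m := R_LINE.match(line)):
        entry = Entry(m.group("kind"), m.group("value"), m.group("data"))
        # Heuristic: start/local page values are normally a URL or an absolute path.
        if not re.match(r"(?i)^(https?://|about:|[a-z]:\\|%)", entry.target):
            entry.reasons.append("non-default value (relative path or unknown form)")
    else:
        return None
    if entry.file_missing:
        entry.reasons.append("target file missing: orphaned entry")
    return entry


def triage(log_text):
    """Parse every supported line of a log into Entry objects."""
    return [e for e in map(parse_line, log_text.splitlines()) if e is not None]


def flagged(entries):
    """Entries that carry at least one reason to look twice."""
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_LOG)):
        print(f"{e.kind:4} {e.name:30} {e.target}\n      -> " + "; ".join(e.reasons))
```

On the constructed sample the parser flags exactly the three entries the helper singled out for fixing (the `\blank.htm` Local Page, the orphaned CDS300 handler) or for a second look (sstray.exe, which is only a filename), while the Java, QuickTime and Adobe entries come back clean.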

  • edited March 2007
    vekarppe wrote:
    Does T-HT ring a bell?

    Please run HijackThis and click Do a system scan only. Check the boxes next to all the entries listed below:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\CDS300\__CDS2.dll (file missing)

    Remove E:\CDS300\__CDS2.dll (if found).

    If you like, fix these unneeded startup entries:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    and empty C:\Program Files\ESET\infected folder.

    It appears you don't have a firewall. Please choose one below:

    Comodo
    Zone Alarm
    Sunbelt Kerio PF
    Outpost Firewall

    Download, install and reboot. After that, please update your Windows and Internet Explorer.
    http://windowsupdate.microsoft.com/ (IE only)

    Post new HijackThis log.


    thanks vekarppe for answering, and sorry for not responding earlier

    T-HT stands for T-Com Hrvatski Telekom (T-Com Croatian Telecom), my internet provider. Is there some problem with it?

    I have emptied C:\Program Files\ESET\infected folder

    I ran HijackThis and clicked Do a system scan only, checked the boxes next to all the entries as you advised me, and then I clicked on Fix checked, and this is the new log that I'm posting

    Should I install a firewall now? And could you please instruct me how to fix those unneeded startup entries.

    Thanks


    edit: I have rebooted my computer now and NOD32 has again detected this trojan on my computer
  • VekaVeka Finland
    edited March 2007
    No problems with T-HT if you know it and trust it. :) That's why I asked. To fix unneeded startup entries: please start HijackThis and click Do a system scan only. Select the entries you want to be removed and click Fix Checked.

    How is your computer running now? Does NOD32 keep on warning about the Win32/Wigon.I trojan?

    Print out these instructions or save them with Notepad


    Please download:

    SDFix
    Decard's System Scanner

    Double-click SDFix.exe and it will extract the files to %systemdrive%\SDFix
    (the drive that contains the Windows directory, typically C:\SDFix)

    Restart your computer in safe mode
    • If the computer is running, shut down Windows, and then turn off the power
    • Wait 30 seconds, and then turn the computer on
    • Start tapping the F8 key
    • The Windows Advanced Options Menu appears
    • Ensure that the Safe Mode option is selected
    • Press Enter. The computer then begins to start in Safe mode
    • Login on your usual account
    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    Reboot back to normal mode and run DSS.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, DSS will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
    Post the contents of SDFix log too (C:\SDFix\Report.txt)
  • edited March 2007
    vekarppe wrote:
    No problems with T-HT if you know it and trust it. :) That's why I asked. To fix unneeded startup entries: Please start HijackThis and click Do a system scan only. Select the entries you want to be removed and click Fix Checked.

    How is your computer running now? Does NOD32 keep on warning about the Win32/Wigon.I trojan?

    Yes, unfortunately NOD32 is still warning me about the threat and it looks like this

    http://i2.photobucket.com/albums/y35/NKVD/trojan.jpg

    and when I click delete, this pops up

    http://i2.photobucket.com/albums/y35/NKVD/trojan1.jpg

    and NOD32 is popping the alert after starting any program, every time.


    thanks for the instructions on how to fix unneeded startup entries :respect:

    now I'll do the rest of the instructions in your post and I'll tell you the results.

    and Thanks for everything :respect:
  • edited March 2007
    I did everything as instructed and here are logs

    Thanks again

    P.S. NOD32 is again popping the alert
  • edited March 2007
    And here is the new HJT log after fixing unneeded startup entries
  • VekaVeka Finland
    edited March 2007
    There is a rootkit named pe386 on your computer; find more information here. It can be fixed, but there is a possibility that your computer is not safe anymore. Another option, and the safe one, is to format your hard drives. Please read this guide to help you: http://www.dslreports.com/faq/10063

    Note this:
    When deciding whether a re-format and re-install is needed after an infection, the most important factor is generally what the computer is used for, and what information can be accessed via the computer.

    Please inform me what do you decide to do.
  • edited March 2007
    vekarppe thanks for everything again, I appreciate it a lot, really :respect:

    I have decided to re-format my computer, because it seems to be the smartest thing to do.

    thanks again for everything
  • VekaVeka Finland
    edited March 2007
    You're welcome. :)

    Here are some tips to reduce the potential for spyware infection in the future; I strongly recommend installing the following applications:

    Detect and Remove Programs:
    • How to use Ad-Aware to remove Spyware - If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    • How to use Spybot to remove Spyware - If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
    Prevention Programs:
    • Spywareblaster - SpywareBlaster will prevent spyware from being installed.
    • Spywareguard - SpywareGuard offers realtime protection from spyware installation attempts.
    • IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer
    • Google Toolbar - Get the free google toolbar to help stop pop up windows.
    Other necessary Programs:
    • AntiVirus Program - An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
    • Firewall - A firewall is definitely a must have. Two good free versions are Kerio and ZoneLabs.
    • More Secure Browser - Internet Explorer is not the most secure or best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowser are good as well.
    And also see TonyKlein's good advice
    So how did I get infected in the first place?
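To make the HOSTS-file point in the tips above concrete, an added example (my own code, not the MVPS HOSTS file or any tool named in the thread): a parser that reads a hosts file in that layout, handles trailing comments, several names on one line and malformed lines, and reports which hostnames would be sent to 127.0.0.1 or 0.0.0.0 instead of the network. The sample file and its domain names are constructed. It also shows the main caveat of this technique: a hosts entry matches one exact name, so sub.ads.example.net is not blocked by an entry for ads.example.net.

```python
import ipaddress

# Constructed sample in the MVPS HOSTS layout: blocked names map to 127.0.0.1
# (0.0.0.0 is also common), a comment may follow an entry, one line may carry
# several names, and a damaged line should not break the parse.
SAMPLE_HOSTS = """\
# Start of entries
127.0.0.1  localhost
127.0.0.1  ads.example.net      # example ad server
0.0.0.0    tracker.example.org  counter.example.org
127.0.0.1  WWW.Example-Popups.com
this-is-not-an-ip  broken.example
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}          # addresses used to block a name
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}  # legitimately local


def parse_hosts(text):
    """Return {hostname (lowercased, no trailing dot): ip} for every valid mapping."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)             # skip lines whose first field is not an IP
        except ValueError:
            continue
        for name in names:
            table[name.lower().rstrip(".")] = ip
    return table


def is_blocked(table, host):
    """True when this exact name resolves to a sinkhole address via the hosts file."""
    key = host.lower().rstrip(".")
    if key in LOCAL_NAMES:
        return False
    return table.get(key) in SINKHOLES


def check(table, hosts):
    """Map each requested hostname to whether the hosts file blocks it."""
    return {h: is_blocked(table, h) for h in hosts}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    probes = ["ads.example.net", "Ads.Example.NET", "sub.ads.example.net", "news.example.com"]
    for host, blocked in check(table, probes).items():
        print(f"{host:25} {'blocked' if blocked else 'reaches the network'}")
```

Hostname lookups are case-insensitive, so the parser lowercases both the file entries and the names it is asked about; the subdomain probe in the usage block is the one that shows why a hosts file is a blunt instrument compared with a resolver-level or browser-level blocklist.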