Trojan.WLPatch.A on winlogon.exe

Bitdefender notifies that a trojan seems to have infected the PC each time I log on.
The trojan is Trojan.WLPatch.A. Bitdefender can't disinfect it; it moves it, and it subsequently reappears when the computer is rebooted.
Comments
-
Where is the trojan located? Please post the location of the trojan.
Andrei
-
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.WLPatch.A
C:\WINDOWS\system32\winlogon.exe Disinfection failed
C:\WINDOWS\system32\winlogon.exe Moved
-
Hello danp
Perform an update and winlogon will not be detected anymore. In this case it was a false positive. See here for more information: http://www.neuber.com/taskmanager/process/winlogon.exe.html But there is some malware that uses the same name, but then it isn't located in the system32 folder.
Regards
Niels
-
Hi Niels,
Update to Bitdefender plus v10 didn't really help. Still shows trojan on winlogon.exe.
Here are the lines from when a full system scan was completed:
<System>=>C:\WINDOWS\system32\winlogon.exe (memory dump) Infected: Trojan.WLPatch.A
<System>=>C:\WINDOWS\system32\winlogon.exe (memory dump) Disinfection failed
<System>=>C:\WINDOWS\system32\winlogon.exe (memory dump) Move failed
<System>=>C:\WINDOWS\system32\winlogon.exe (disk) Infected: Trojan.WLPatch.A
<System>=>C:\WINDOWS\system32\winlogon.exe (disk) Disinfection failed
<System>=>C:\WINDOWS\system32\winlogon.exe (disk) Move failed
<System>=>C:\WINDOWS\system32\winlogon.exe (full dump) Infected: Trojan.WLPatch.A
<System>=>C:\WINDOWS\system32\winlogon.exe (full dump) Disinfection failed
<System>=>C:\WINDOWS\system32\winlogon.exe (full dump) Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
-
Hello danp
Try this: put in your Windows installation CD-ROM, then go to Start, Run; at the Run dialog box type cmd, and after that type this: expand X:\I386\WINLOGON.EXE_ X:\WINDOWS\SYSTEM32\WINLOGON.EXE (you must type the underscore after .exe, and you have to change X to the letter of the CD-ROM/DVD-ROM drive where you have put your Windows installation CD-ROM; in the second path, after the underscore, you have to change the X to the letter of your hard disk or the partition where Windows is installed).
This will replace the infected file with a clean one.
Perform afterwards a deep scan and post the scan report.
Regards
Niels
-
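The replacement step in the post above overwrites the detected file. As an added example (not part of the original thread), this cmd batch script expands the CD copy to a temporary file and byte-compares it with the installed winlogon.exe first, leaving the installed file untouched. The drive letters and the temporary file name are assumptions to adjust.

```bat
@echo off
rem Added example, not from the thread: check the installed winlogon.exe
rem against the installation-CD copy before replacing it.
rem Assumed values: CD_DRIVE, WIN_DRIVE and the REF file name are placeholders.
setlocal
set "CD_DRIVE=D:"
set "WIN_DRIVE=C:"
set "SRC=%CD_DRIVE%\I386\WINLOGON.EXE_"
set "LIVE=%WIN_DRIVE%\WINDOWS\SYSTEM32\WINLOGON.EXE"
set "REF=%TEMP%\winlogon_from_cd.exe"

if not exist "%SRC%" (
  echo Compressed source not found: %SRC%
  exit /b 2
)

rem Expand into TEMP rather than over system32, so the detected file is
rem still on disk, unchanged, if it has to be submitted for analysis.
if exist "%REF%" del "%REF%"
expand "%SRC%" "%REF%" >nul
if not exist "%REF%" (
  echo expand did not produce %REF%
  exit /b 2
)

rem fc /b compares byte by byte:
rem errorlevel 0 = identical, 1 = different, 2 = a file could not be read.
fc /b "%LIVE%" "%REF%" >nul
if errorlevel 2 (
  echo Could not compare the two files
  exit /b 2
)
if errorlevel 1 (
  echo DIFFERENT: installed file does not match the CD copy
  exit /b 1
)
echo IDENTICAL: installed file matches the CD copy
exit /b 0
```

A mismatch alone is not proof of patching, because a service pack installed after the CD was made replaces winlogon.exe with a newer build.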
Trojan.WLPatch.A is not a false positive (it happens to be my signature...). It detects a winlogon.exe (standard Windows file) which was patched by a trojan. Please submit the file and I'll tell you which file to look for.
-
Hi vlad
The reason why I first said that was because route.exe was also detected at first. Also, when I gave that answer he had only posted the winlogon.exe as infected. After that, when he posted more information, then I was aware that the winlogon was indeed infected.
But I apologize for saying that it was a false positive.
Regards
Niels
-
I was only kidding; you don't have to apologize, especially since you very well could've been right...