Bitdefender notifies that a trojan seems to have infected the PC each time I log on.
The trojan is Trojan.WLPatch.A. Bitdefender can't disinfect it; it moves it, and it subsequently reappears when the computer is rebooted.
Where is the trojan located? Please post the location of the trojan.
Andrei
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.WLPatch.A
C:\WINDOWS\system32\winlogon.exe Disinfection failed
C:\WINDOWS\system32\winlogon.exe Moved
Hello danp
Perform an update and winlogon will not be detected anymore. In this case it was a false positive. See here for more information: http://www.neuber.com/taskmanager/process/winlogon.exe.html But there is some malware that uses the same name, but then it isn't located in the system32 folder.
Regards
Niels
Hi Niels,
Update to Bitdefender plus v10 didn't really help. Still shows trojan on winlogon.exe.
Here are the lines when a full system scan was completed:
<System>=>C:\WINDOWS\system32\winlogon.exe (memory dump) Infected: Trojan.WLPatch.A
<System>=>C:\WINDOWS\system32\winlogon.exe (memory dump) Disinfection failed
<System>=>C:\WINDOWS\system32\winlogon.exe (memory dump) Move failed
<System>=>C:\WINDOWS\system32\winlogon.exe (disk) Infected: Trojan.WLPatch.A
<System>=>C:\WINDOWS\system32\winlogon.exe (disk) Disinfection failed
<System>=>C:\WINDOWS\system32\winlogon.exe (disk) Move failed
<System>=>C:\WINDOWS\system32\winlogon.exe (full dump) Infected: Trojan.WLPatch.A
<System>=>C:\WINDOWS\system32\winlogon.exe (full dump) Disinfection failed
<System>=>C:\WINDOWS\system32\winlogon.exe (full dump) Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Disinfection failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET003\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
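The report above repeats one file under several views and registry references. As an added example (not part of the original thread and not Bitdefender tooling), this Python script groups report lines of that shape by the file they point at; the line format is inferred from the lines shown, and the sample is constructed from them.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the scan report in this thread.
SAMPLE = r"""
<System>=>C:\WINDOWS\system32\winlogon.exe (memory dump) Infected: Trojan.WLPatch.A
<System>=>C:\WINDOWS\system32\winlogon.exe (memory dump) Disinfection failed
<System>=>C:\WINDOWS\system32\winlogon.exe (memory dump) Move failed
<System>=>C:\WINDOWS\system32\winlogon.exe (disk) Infected: Trojan.WLPatch.A
<System>=>C:\WINDOWS\system32\winlogon.exe (disk) Move failed
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\AUTOCHK\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Detected: Trojan.WLPatch.A
<System>=>HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\WINLOGON\EventMessageFile=>C:\WINDOWS\SYSTEM32\WINLOGON.EXE Move failed
""".strip().splitlines()

# Assumed format: <System>=>OBJECT [ (view)] STATUS,
# where OBJECT is a file path or "registry value=>file path".
LINE = re.compile(
    r"^<System>=>(?P<obj>.+?)(?: \((?P<view>[^)]*)\))? "
    r"(?P<status>(?:Infected|Detected): (?P<threat>\S+)"
    r"|Disinfection failed|Move failed|Moved)$"
)

def summarize(lines):
    """Group scan-report lines by the file they ultimately point at."""
    files = defaultdict(lambda: {"views": set(), "referrers": set(),
                                 "threats": set(), "failures": set()})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a report line in the assumed format
        # A registry hit names the value first and the file after the last "=>".
        referrer, sep, path = m["obj"].rpartition("=>")
        entry = files[path.lower()]  # Windows paths are case-insensitive
        if sep:
            entry["referrers"].add(referrer)
        if m["view"]:
            entry["views"].add(m["view"])
        if m["threat"]:
            entry["threats"].add(m["threat"])
        elif m["status"].endswith("failed"):
            entry["failures"].add(m["status"])
    return dict(files)

if __name__ == "__main__":
    for path, e in summarize(SAMPLE).items():
        print(path, sorted(e["threats"]), sorted(e["views"]),
              f'{len(e["referrers"])} registry reference(s)', sorted(e["failures"]))
```

On the sample, every line collapses to a single entry for winlogon.exe, which shows the registry detections are references to the same file rather than separate infected objects.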
Try this: put in your Windows installation CD-ROM, then go to Start, Run. At the Run dialog box type cmd, and after that type this: expand X:\I386\WINLOGON.EXE_ X:\WINDOWS\SYSTEM32\WINLOGON.EXE (you must type the underscore after .exe, and you have to change X to the letter of your CD-ROM/DVD-ROM drive where you have put in your Windows installation CD-ROM; in the second command after the underscore you have to change the X to the letter that your hard disk has, or the partition where Windows is installed).
This will replace the infected file with a clean one.
Perform afterwards a deep scan and post the scan report.
Trojan.WLPatch.A is not a false positive (it happens to be my signature...). It detects a winlogon.exe (standard Windows file) which was patched by a trojan. Please submit the file and I'll tell you which file to look for.
Hi vlad
The reason why I first said that was because route.exe was also detected first. Also, when I gave that answer he had only posted the winlogon.exe as infected. After that, when he posted more information, I was aware that the winlogon was indeed infected.
But I apologize for saying that it was a false positive.
I was only kidding; you don't have to apologize, especially since you very well could've been right...