A Squared found a Trojan

don't know how I could of gotten this. It was found in C:\i386\winlogin.exe and C:\WINDOWS\system32\winlogin.exe If I delete this will it mess up my log in?

 

The valid Windows file is winlogon.exe, not winlogin.exe so it might be malware using a similar name so as not to be too obvious.

 

So delete it?

Its in quarantine now

Sorry it is winlogon not login. Now I'm worried

 

Look in your System32 directory and see if you have winlogon.exe there (you should). If that file is there, go ahead and delete the file A-squared found or leave it in quarantine till you're sure everything still works ok. The Windows file protection would give you a warning if something tried to modify or delete winlogon.exe, or at least it's supposed to.

 

I believe it is a false positive, i just updated and did a scan and it has found the same trojan on my computer.
NOD32 found nothing.
Superantispyware found nothing.

 

Maybe you should restore it from quarantine and try an online scan like BitDefender or Kaspersky to see what it says. You seem to have quite a few security apps, do any of the others detect this? If not, it's probably a false positive.

 

Nope none find it.

I hate false positives they are scary

I'll leave it in quarantine for now and remove it from it later today

 

Farmerlee has the same thing, it's obviously a false positive. I'd go ahead and restore it, this is an essential Windows file. One or both of you should report this to A-squared. I'm glad I don't use this app

 

Restored both files. I hope everthing is ok now.

 

Not necessarily a FP, at the moment there are a couple of malwares around that patch winlogon.exe (like Vundo). This MIGHT be a fp, however it's exactly on the file that also would be patched by some of the malwares. The best would be to upload your winlogon.exe to virustotal or jotti to get a larger overview over the detections.

I think it well in the realm of the possible that this is a FP (a2 isn't really famous for reliable detection), but at the same time an infection is also likely.

 

Oh crap I just got it out of quarantine so do I have to scan again and put it back in?

 

Just upload this file to virustotal and check the results there before you make more drama.

 

How do I locate it in the big thing of files that comes up?

 

i will update a squared free tonight and do a scan and tell you if it detects it.
this is not uncommon thou.
there has been some fp's with a squared free in the past just read the old threads titled something false possitive.
nothing against emsi because i think a squared free is great.
no tray icon no loading at startup just an on demand scanner that opens when you want it to.
lodore

 

a-squared also tells me that my winlogon.exe is "Trojan.Win32.Patched.i". Almost sure it's a false positive. Comes up clean when scanned at jotti's, VirusTotal, Virus.Org etc.

EDIT: Here's the MD5 value so you can check if yours has been "modified" or "patched" in any way by a trojan: 01c3346c241652f43aed8e2149881bfe (check the link for more info)

 

It's a fp:-

http://forum.emsisoft.com/Default.aspx?g=posts&t=1757

 

Well if there were any doubt before about whether the Ashampoo AS was an A-squared OEM, there is none now. The Ashampoo anti-spyware had the exact same false positive.

 

I have to ask but what in most people experience is the ratio of false positives to real issues ?

 

That would depend almost exclusively on the scanning product. Some programs are notorious for finding false positives while others are not.