A Squared found a Trojan

Discussion in 'other anti-malware software' started by cheater87, Jan 15, 2007.

Thread Status:
Not open for further replies.
  1. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Don't know how I could have gotten this. It was found in C:\i386\winlogin.exe and C:\WINDOWS\system32\winlogin.exe. If I delete this, will it mess up my login?
     
  2. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    The valid Windows file is winlogon.exe, not winlogin.exe, so it might be malware using a similar name so as not to be too obvious.
     
  3. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    So delete it?

    It's in quarantine now.

    Sorry, it is winlogon, not login. Now I'm worried.
     
  4. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Look in your System32 directory and see if you have winlogon.exe there (you should). If that file is there, go ahead and delete the file A-squared found, or leave it in quarantine till you're sure everything still works OK. Windows File Protection would give you a warning if something tried to modify or delete winlogon.exe, or at least it's supposed to.
     
  5. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I believe it is a false positive; I just updated and did a scan and it found the same trojan on my computer.
    NOD32 found nothing.
    Superantispyware found nothing.
     

    Attached Files:

    • a2.JPG (59.6 KB)
    Last edited: Jan 15, 2007
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Maybe you should restore it from quarantine and try an online scan like BitDefender or Kaspersky to see what it says. You seem to have quite a few security apps, do any of the others detect this? If not, it's probably a false positive.
     
  7. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Nope, none find it.

    I hate false positives; they are scary.

    I'll leave it in quarantine for now and remove it from it later today.
     
  8. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Farmerlee has the same thing, it's obviously a false positive. I'd go ahead and restore it, this is an essential Windows file. One or both of you should report this to A-squared. I'm glad I don't use this app :D
     
  9. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Restored both files. I hope everything is OK now.
     
  10. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Not necessarily an FP; at the moment there are a couple of pieces of malware around that patch winlogon.exe (like Vundo). This MIGHT be an FP, however it's exactly the file that would also be patched by some of the malware. The best thing would be to upload your winlogon.exe to VirusTotal or Jotti to get a broader overview of the detections.

    I think it is well within the realm of possibility that this is an FP (a2 isn't really famous for reliable detection), but at the same time an infection is also likely.
     
  11. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Oh crap, I just got it out of quarantine, so do I have to scan again and put it back in?
     
  12. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Just upload this file to virustotal and check the results there before you make more drama.
     
  13. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    How do I locate it in the big thing of files that comes up?
     
  14. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I will update a-squared Free tonight and do a scan and tell you if it detects it.
    This is not uncommon though.
    There have been some FPs with a-squared Free in the past; just read the old threads titled something like "false positive".
    Nothing against Emsi, because I think a-squared Free is great.
    No tray icon, no loading at startup, just an on-demand scanner that opens when you want it to.
    lodore
     
  15. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    a-squared also tells me that my winlogon.exe is "Trojan.Win32.Patched.i". Almost sure it's a false positive. Comes up clean when scanned at jotti's, VirusTotal, Virus.Org etc.

    EDIT: Here's the MD5 value so you can check if yours has been "modified" or "patched" in any way by a trojan: 01c3346c241652f43aed8e2149881bfe (check the link for more info)
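    As an added example (not part of any post in this thread, and not code from Emsisoft or any other vendor mentioned), the following Python script performs the two checks the thread describes: flagging a filename that differs from a protected Windows binary name by a single character (the winlogin.exe vs winlogon.exe point in post 2) and comparing a file's hash against a known-good value (the MD5 posted in post 15). The reference MD5 is copied from that post and is not verified here; it can only apply to one particular Windows XP build of winlogon.exe, and any other build or service pack level produces a different value, so a mismatch alone does not prove tampering. MD5 is used because that is what the thread offers; the code accepts sha256 as well. The sample files, the other protected names and the function names are constructed for illustration. On a live Windows machine, sfc /scannow and PowerShell's Get-AuthenticodeSignature are the authoritative checks, since they validate against Microsoft's signatures rather than a single hash.

    ```python
    import hashlib
    import os
    import tempfile
    from pathlib import Path

    # Names of Windows binaries that malware commonly imitates or patches.
    # Illustrative list; winlogon.exe is the one this thread is about.
    PROTECTED_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "explorer.exe"}

    # Known-good hashes keyed by lower-case file name. The MD5 below is the value
    # posted by kjempen in this thread for one Windows XP build of winlogon.exe.
    # It is NOT verified here and differs for other builds/service packs, so
    # treat it as a placeholder to be replaced with hashes from a trusted source.
    # MD5 is collision-prone; supply sha256 values when you have them.
    KNOWN_GOOD = {
        "winlogon.exe": {
            "md5": {"01c3346c241652f43aed8e2149881bfe"},
            "sha256": set(),
        },
    }


    def hash_file(path, algo="md5"):
        """Hex digest of a file, read in chunks so large binaries are fine."""
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()


    def edit_distance(a, b):
        """Levenshtein distance between two strings (insert/delete/substitute)."""
        prev = list(range(len(b) + 1))
        for i, ca in enumerate(a, 1):
            cur = [i]
            for j, cb in enumerate(b, 1):
                cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
            prev = cur
        return prev[-1]


    def lookalike_of(name, protected=PROTECTED_NAMES, max_distance=1):
        """Return the protected name that `name` imitates, or None.

        A name that IS a protected name is not a lookalike. Transpositions
        (scvhost.exe) count as distance 2 and need a higher max_distance.
        """
        name = name.lower()
        if name in protected:
            return None
        for p in sorted(protected):
            if edit_distance(name, p) <= max_distance:
                return p
        return None


    def classify(path, known_good=KNOWN_GOOD, algo="md5"):
        """Classify a file as lookalike / unknown / unverified / match / mismatch."""
        name = Path(path).name.lower()
        target = lookalike_of(name)
        if target:
            return f"lookalike: {name} imitates {target}"
        if name not in known_good:
            return "unknown: no reference hash for this name"
        refs = known_good[name].get(algo, set())
        if not refs:
            return f"unverified: no {algo} reference for {name}"
        digest = hash_file(path, algo)
        if digest in refs:
            return "match: hash equals a known-good value"
        return f"mismatch: {algo}={digest} not in known-good set (patched, or a different build)"


    def demo():
        """Write constructed sample files to a temp dir and classify each one.

        The contents are made-up placeholders, not real Windows binaries.
        """
        samples = {
            "winlogon.exe": b"MZ constructed placeholder, not the real binary",
            "winlogin.exe": b"MZ constructed placeholder, typo-squatted name",
            "notepad.exe": b"MZ constructed placeholder with no reference hash",
        }
        results = {}
        with tempfile.TemporaryDirectory() as d:
            for name, data in samples.items():
                p = os.path.join(d, name)
                with open(p, "wb") as f:
                    f.write(data)
                results[name] = classify(p)
        return results


    if __name__ == "__main__":
        for name, verdict in demo().items():
            print(f"{name:14} {verdict}")
    ```

    Run against real paths, the "mismatch" verdict is only a prompt to look further (a multi-engine scan of the file, as FRug and Inspector Clouseau suggest, or the signature check), never a conviction on its own, because a legitimate update changes the hash just as a patch by malware does.
    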
     
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  17. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Well if there were any doubt before about whether the Ashampoo AS was an A-squared OEM, there is none now. The Ashampoo anti-spyware had the exact same false positive.
     
  18. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I have to ask, but in most people's experience, what is the ratio of false positives to real issues?
     
  19. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    That would depend almost exclusively on the scanning product. Some programs are notorious for finding false positives while others are not.
     