A Squared found a Trojan

Discussion in 'other anti-malware software' started by cheater87, Jan 15, 2007.

Thread Status:
Not open for further replies.
  1. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,175
    Location:
    Pennsylvania.
    Don't know how I could have gotten this. It was found in C:\i386\winlogin.exe and C:\WINDOWS\system32\winlogin.exe. If I delete this, will it mess up my log in?
     
  2. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    The valid Windows file is winlogon.exe, not winlogin.exe so it might be malware using a similar name so as not to be too obvious.
     
  3. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,175
    Location:
    Pennsylvania.
    So delete it?

    It's in quarantine now.

    Sorry, it is winlogon, not login. Now I'm worried.
     
  4. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Look in your System32 directory and see if you have winlogon.exe there (you should). If that file is there, go ahead and delete the file A-squared found or leave it in quarantine till you're sure everything still works ok. The Windows file protection would give you a warning if something tried to modify or delete winlogon.exe, or at least it's supposed to.
     
  5. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I believe it is a false positive; I just updated and did a scan and it has found the same trojan on my computer.
    NOD32 found nothing.
    Superantispyware found nothing.
     

    Last edited: Jan 15, 2007
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Maybe you should restore it from quarantine and try an online scan like BitDefender or Kaspersky to see what it says. You seem to have quite a few security apps, do any of the others detect this? If not, it's probably a false positive.
     
  7. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,175
    Location:
    Pennsylvania.
    Nope, none find it.

    I hate false positives, they are scary.

    I'll leave it in quarantine for now and remove it from there later today.
     
  8. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Farmerlee has the same thing, it's obviously a false positive. I'd go ahead and restore it, this is an essential Windows file. One or both of you should report this to A-squared. I'm glad I don't use this app :D
     
  9. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,175
    Location:
    Pennsylvania.
    Restored both files. I hope everything is ok now.
     
  10. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Not necessarily a FP; at the moment there are a couple of pieces of malware around that patch winlogon.exe (like Vundo). This MIGHT be a FP, however it's exactly the file that would also be patched by some of that malware. The best thing would be to upload your winlogon.exe to VirusTotal or Jotti to get a larger overview of the detections.

    I think it is well in the realm of the possible that this is a FP (a2 isn't really famous for reliable detection), but at the same time an infection is also likely.
     
  11. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,175
    Location:
    Pennsylvania.
    Oh crap I just got it out of quarantine so do I have to scan again and put it back in?
     
  12. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Just upload this file to virustotal and check the results there before you make more drama.
     
  13. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,175
    Location:
    Pennsylvania.
    How do I locate it in the big thing of files that comes up?
     
  14. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,041
    I will update a-squared Free tonight and do a scan and tell you if it detects it.
    This is not uncommon though.
    There have been some FPs with a-squared Free in the past; just read the old threads titled something like "false positive".
    Nothing against Emsi, because I think a-squared Free is great.
    No tray icon, no loading at startup, just an on-demand scanner that opens when you want it to.
    lodore
     
  15. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    a-squared also tells me that my winlogon.exe is "Trojan.Win32.Patched.i". Almost sure it's a false positive. Comes up clean when scanned at jotti's, VirusTotal, Virus.Org etc.

    EDIT: Here's the MD5 value so you can check if yours has been "modified" or "patched" in any way by a trojan: 01c3346c241652f43aed8e2149881bfe (check the link for more info)
     
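An added example (not posted by anyone in this thread) that automates the two checks the replies converge on: hash winlogon.exe and compare it with a known-good MD5, and flag near-miss names such as winlogin.exe sitting beside the real file. The MD5 kjempen quoted is used as the default, but it only applies to the exact Windows build he had; the directory and file contents in `demo()` are constructed so the script runs offline.

```python
import hashlib
import os
import tempfile

# MD5 quoted in the thread for an unpatched winlogon.exe; valid only for that
# poster's Windows build, so substitute a value from a trusted source for yours.
KNOWN_WINLOGON_MD5 = "01c3346c241652f43aed8e2149881bfe"
PROTECTED_NAMES = ("winlogon.exe",)


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalikes such as winlogin.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_directory(directory, known_md5=KNOWN_WINLOGON_MD5):
    """Return {filename: verdict} for winlogon.exe and any lookalike names."""
    verdicts = {}
    for name in os.listdir(directory):
        lower = name.lower()
        for protected in PROTECTED_NAMES:
            if lower == protected:
                actual = md5_of_file(os.path.join(directory, name))
                verdicts[name] = "hash-match" if actual == known_md5 else "hash-mismatch"
            elif edit_distance(lower, protected) <= 2:
                verdicts[name] = "lookalike-name"
    return verdicts


def demo(known_md5=None):
    """Constructed fake System32: a real-named file, a lookalike, an unrelated file."""
    good = b"MZ constructed sample, not a real PE"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("winlogon.exe", good), ("winlogin.exe", b"MZ lookalike"),
                           ("notepad.exe", b"MZ unrelated")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return audit_directory(d, known_md5 or hashlib.md5(good).hexdigest())
```

Point the audit at a real System32 with the correct reference hash for your build; a "hash-mismatch" on its own is not proof of infection, which is why the thread also recommends a multi-engine scan.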
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  17. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,964
    Well if there were any doubt before about whether the Ashampoo AS was an A-squared OEM, there is none now. The Ashampoo anti-spyware had the exact same false positive.
     
  18. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    I have to ask, but what, in most people's experience, is the ratio of false positives to real issues?
     
  19. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,964
    That would depend almost exclusively on the scanning product. Some programs are notorious for finding false positives while others are not.
     