ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Trojan.Agent-2322 in winlogon.exe - false positive
wtfia


Joined: 07 May 2006
Posts: 2
Reply with quote
I just updated and did a memory scan. ClamWin reports "C:\WINDOWS\system32\winlogon.exe: Trojan.Agent-2322 FOUND". This is a WinXp Professional SP2 with all updates. Sent the file to VirusTotal and no other AV detects anything, so this is a false positive. But this is not the main problem. I just updated ClamWin itself, and before the update I uninstalled the old version, so i got the default settings. And the default setting is to "unload infected programs from computer memory". ClamWin killed winlogon.exe and I got a very blue screen which said that my computer has been shut down. And all my programs. With my unsaved work. Before I even got a chance to see why. No questions asked. Not nice Smile. Maybe ClamWin could be made aware somehow that some programs are more important to the system, and shouldn't be "removed from memory" so easy.
View user's profileSend private message
sherpya


Joined: 22 Mar 2006
Posts: 894
Location: Italy
Reply with quote
english winlogon sp2 version 5.1.2600.2180, clean for me
be sure to have latest virus definitions
View user's profileSend private message
Same problem... the solution was a version and an update....
jmason1182


Joined: 20 Mar 2007
Posts: 1
Location: Midland, TX
Reply with quote
After moving up to version 90.0 EVERY computer in our office went to the blue screen at approximately 4:15PM today (March 19th)... To fix it, I had to first do an in-place reinstall. I chose this method because with so many computers, I needed some way to concurrently run something to get it all back. I didn't, luckily, lose anything of personal value to anyone... just a few settings like screen resolution.

THEN, I quickly updated to 90.1, then updated my virus db. I rescanned winlogon.exe and viola, no virus found. Turns out that updating my database just once a day isn't enough! I'm gonna start doing it at least twice a day... especially since I scan every day at 4:00!

Hopefully everyone gets the opportunity to read this: Oh, and hopefully in the effort to help google searchers find this:
Here's the error I saw on the blue screen:

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000)
The system has been shutdown.

And for those novices out there: Use the winxp pro installation disk you used to install with, boot with it (maybe have to go in to BIOS to make sure the CDROM is read before the hard drive) and hit a key when it says to hit a key to load from CD. Then, hit the ENTER key to start the install... no you won't format or lose any info. Then, when asked to accept the license, hit the F8 key. THEN, when it searches for an existing windows installation, hit the R key to repair... then just go with the flow. Then, login as an administrator or your regular username and IMMEDIATELY update everything CLAMWIN and virus databases. That'll fix you.

Like I said, you won't lose anything but a few minor windows settings... such as your display resolutions.

Hope this helps someone.
John A. Mason
View user's profileSend private message
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1748
Reply with quote
yeah that's unfortunate sorry about all the trouble.
View user's profileSend private message
sherpya


Joined: 22 Mar 2006
Posts: 894
Location: Italy
Reply with quote
unfortunately a false positive on winlogon.exe is very weird when using memory scan + process kill, since clamscan will kill it believing it's a virus,
this should be fixed now in virus db, right?
View user's profileSend private message
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1748
Reply with quote
there is a potentially easier way of restoring the file if it has been quarantined. Insert Windows XP setup disk, choose a recovery console when prompted. Then copy winlogon.exe from quarantine to the windows\system32 folder:

copy "C:\Documents and Settings\All Users\.clamwin\quarantine\winlogon.exe" c:\windows\system32\

then reboot
View user's profileSend private message
pheldal


Joined: 15 Dec 2006
Posts: 4
Reply with quote
alch wrote:
there is a potentially easier way of restoring the file if it has been quarantined. Insert Windows XP setup disk, choose a recovery console when prompted. Then copy winlogon.exe from quarantine to the windows\system32 folder:

copy "C:\Documents and Settings\All Users\.clamwin\quarantine\winlogon.exe" c:\windows\system32\

then reboot


It doesnt look like the recovery console permits access to "C:\Documents and Settings". An alternative workaround is to extract winlogon.exe from the distribution media using the expand utility from the recovery console. Ex with CD/DVD on D:

Code:
expand d:\i386\winlogon.ex_ c:\windows\system32
View user's profileSend private message
sherpya


Joined: 22 Mar 2006
Posts: 894
Location: Italy
Reply with quote
perhaps there are no workaruound that could be make in the scanner to avoid these problems...
malware often use names like winlogon.exe or services.exe so it's not a good idea to skip them
View user's profileSend private message
pheldal


Joined: 15 Dec 2006
Posts: 4
Reply with quote
sherpya wrote:
perhaps there are no workaruound that could be make in the scanner to avoid these problems...
malware often use names like winlogon.exe or services.exe so it's not a good idea to skip them


It's best to handle all files the same. It would however be good to establish a minimum test-procedure for database updates before they are committed for public consumption. As a minimum the DB should be tested with a memory-scan, or even better with a complete scan against all windows system-files. That would prevent users from exposure to most false positives.

//per
View user's profileSend private message
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1748
Reply with quote
pheldal wrote:


It's best to handle all files the same. It would however be good to establish a minimum test-procedure for database updates before they are committed for public consumption. As a minimum the DB should be tested with a memory-scan, or even better with a complete scan against all windows system-files. That would prevent users from exposure to most false positives.

//per


We where thinking along the same theme for a long time. But the virus database updates are done by the ClamAV team and we can't do much there. Although we don't need to say that ClamAV team efforts are invaluable with keeping the DB up-to-date with the latest threats.
View user's profileSend private message
Blue Screen of Death Also!
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
Reply with quote
I'm glad I saw these posts. I had a similar problem yesterday. I'm not on a network--just a standalone PC running Windows XP Professional/Media Edition SP2/all patches. I set up Microsoft Fax to receive a fax to be sent in later and left at about 4 pm (Central USA time). ClamWin was set to do a scan at 5 pm. When I got back after 5:30, I had the blue screen with the C000021a fatal system error and a further explanation that the Windows logon process terminated unexpectedly with a status of oxc0000034 (ox00000000 0x00000000). I reinstalled my system.

Previous scans earlier in the day with ClamWin (9 am) and NOD 32 (noon) were clean. I don't run as a network, so there shouldn't have been any changes to Winlogon, and there was nothing in quarantine.

Regards,
View user's profileSend private message
Solution?
GuitarBob


Joined: 09 Jul 2006
Posts: 4292
Location: USA
Reply with quote
I think I'll just configure ClamWin not to kill infected files in memory from now on and let my resident scanner catch anything. I assume Winlogon.exe and similar files will be excluded from scans in Version 1.0 if there has been no change since the last scan.

Regards,
View user's profileSend private message
Trojan.Agent-2322 in winlogon.exe - false positive
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic