Trojan.Agent-2322 in winlogon.exe - false positive
sherpya

English winlogon SP2 version 5.1.2600.2180, clean for me.
Be sure to have the latest virus definitions.
Same problem... the solution was a version and an update....

jmason1182

After moving up to version 90.0, EVERY computer in our office went to the blue screen at approximately 4:15PM today (March 19th)... To fix it, I had to first do an in-place reinstall. I chose this method because with so many computers, I needed some way to concurrently run something to get it all back. I didn't, luckily, lose anything of personal value to anyone... just a few settings like screen resolution.

THEN, I quickly updated to 90.1, then updated my virus db. I rescanned winlogon.exe and voila, no virus found. Turns out that updating my database just once a day isn't enough! I'm gonna start doing it at least twice a day... especially since I scan every day at 4:00! Hopefully everyone gets the opportunity to read this.

Oh, and hopefully in the effort to help Google searchers find this, here's the error I saw on the blue screen:

STOP: c000021a {Fatal System Error} The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000) The system has been shutdown.

And for those novices out there: use the WinXP Pro installation disk you used to install with, boot with it (maybe have to go into the BIOS to make sure the CDROM is read before the hard drive) and hit a key when it says to hit a key to load from CD. Then, hit the ENTER key to start the install... no, you won't format or lose any info. Then, when asked to accept the license, hit the F8 key. THEN, when it searches for an existing Windows installation, hit the R key to repair... then just go with the flow. Then, log in as an administrator or your regular username and IMMEDIATELY update everything, CLAMWIN and virus databases. That'll fix you. Like I said, you won't lose anything but a few minor Windows settings... such as your display resolutions.

Hope this helps someone.
John A. Mason
alch
Site Admin

Yeah, that's unfortunate. Sorry about all the trouble.
sherpya

Unfortunately a false positive on winlogon.exe is very weird when using memory scan + process kill, since clamscan will kill it believing it's a virus.
This should be fixed now in the virus db, right?
alch
Site Admin

There is a potentially easier way of restoring the file if it has been quarantined. Insert the Windows XP setup disk and choose the recovery console when prompted. Then copy winlogon.exe from quarantine to the windows\system32 folder:

copy "C:\Documents and Settings\All Users\.clamwin\quarantine\winlogon.exe" c:\windows\system32\

then reboot.
pheldal

It doesn't look like the recovery console permits access to "C:\Documents and Settings". An alternative workaround is to extract winlogon.exe from the distribution media using the expand utility from the recovery console. Ex with CD/DVD on D:
sherpya

Perhaps there is no workaround that could be made in the scanner to avoid these problems...
Malware often uses names like winlogon.exe or services.exe, so it's not a good idea to skip them.
pheldal

It's best to handle all files the same. It would however be good to establish a minimum test-procedure for database updates before they are committed for public consumption. As a minimum the DB should be tested with a memory-scan, or even better with a complete scan against all Windows system-files. That would prevent users from exposure to most false positives.
//per
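pheldal's proposal above (scan a known-clean set of Windows system files with every new database before it is published) written out as a small release gate. This is an added example, not code from the thread or from the ClamWin or ClamAV projects. It assumes clamscan's plain-text result format (`<path>: <signature> FOUND` and `<path>: OK`); the file contents, hashes and scan lines are constructed sample data, and the CRITICAL set of process names is my own assumption about which processes take the logon session down when killed.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# clamscan text output: "<path>: <signature> FOUND" or "<path>: OK"
SCAN_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+?) FOUND|OK)$")

# Assumption: processes whose termination ends the logon session or halts
# the machine (the STOP c000021a in this thread came from winlogon dying).
CRITICAL = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe", "services.exe"}


@dataclass(frozen=True)
class Hit:
    path: str
    signature: str
    verdict: str      # "false_positive", "modified_file" or "unknown_path"
    critical: bool    # True if process-kill on this hit would crash the session


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_reference(clean_files: dict[str, bytes]) -> dict[str, str]:
    """Map lower-cased path -> SHA-256 of the file from a clean reference install."""
    return {p.lower(): sha256_hex(d) for p, d in clean_files.items()}


def parse_scan_output(text: str) -> list[tuple[str, str]]:
    """Return (path, signature) for every FOUND line; OK lines are dropped."""
    hits = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m and m.group("sig"):
            hits.append((m.group("path"), m.group("sig")))
    return hits


def classify_hits(scan_output: str, reference: dict[str, str],
                  current_files: dict[str, bytes]) -> list[Hit]:
    """Decide, per FOUND line, whether the candidate DB flagged a known-clean file.

    A hit whose bytes are identical to the reference copy is a false positive.
    A hit with a system-file name but different bytes is left as a real
    finding (malware does borrow names like winlogon.exe or services.exe).
    """
    current = {p.lower(): d for p, d in current_files.items()}
    result = []
    for path, sig in parse_scan_output(scan_output):
        key = path.lower()
        name = key.rsplit("\\", 1)[-1]
        if key not in reference:
            verdict = "unknown_path"
        elif key in current and sha256_hex(current[key]) == reference[key]:
            verdict = "false_positive"
        else:
            verdict = "modified_file"
        result.append(Hit(path, sig, verdict, name in CRITICAL))
    return result


def release_allowed(hits: list[Hit]) -> bool:
    """The gate: any false positive on the clean corpus blocks the update."""
    return not any(h.verdict == "false_positive" for h in hits)


# Constructed sample data: short byte strings stand in for real PE files.
CLEAN_WINLOGON = b"MZ-constructed-clean-winlogon-5.1.2600.2180"
CLEAN_SERVICES = b"MZ-constructed-clean-services"
REFERENCE = build_reference({
    r"C:\WINDOWS\system32\winlogon.exe": CLEAN_WINLOGON,
    r"C:\WINDOWS\system32\services.exe": CLEAN_SERVICES,
})
# On the test machine winlogon.exe is untouched but services.exe was replaced.
CURRENT_FILES = {
    r"C:\WINDOWS\system32\winlogon.exe": CLEAN_WINLOGON,
    r"C:\WINDOWS\system32\services.exe": b"MZ-constructed-tampered-services",
}
# Constructed clamscan-style output produced with the candidate database.
SAMPLE_SCAN = r"""
C:\WINDOWS\system32\winlogon.exe: Trojan.Agent-2322 FOUND
C:\WINDOWS\system32\services.exe: Trojan.Agent-2322 FOUND
C:\WINDOWS\system32\kernel32.dll: OK
C:\Temp\dropper.exe: Trojan.Agent-2322 FOUND
""".strip()


def gate_report() -> tuple[list[Hit], bool]:
    hits = classify_hits(SAMPLE_SCAN, REFERENCE, CURRENT_FILES)
    return hits, release_allowed(hits)


if __name__ == "__main__":
    hits, ok = gate_report()
    for h in hits:
        print(f"{h.verdict:14} critical={str(h.critical):5} {h.path} ({h.signature})")
    print("release allowed:", ok)
```

The hash comparison is what separates the two cases sherpya raised: a byte-identical system file that the new signature matches is a false positive and blocks the release, while a file that merely carries the name winlogon.exe or services.exe but has different contents stays a genuine finding. The critical flag marks which hits would reproduce the c000021a crash if the scan also had process-kill enabled, which is a useful thing to surface in the gate's report even when the release is allowed.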
alch
Site Admin

We were thinking along the same theme for a long time. But the virus database updates are done by the ClamAV team and we can't do much there. Although we don't need to say that the ClamAV team's efforts are invaluable in keeping the DB up-to-date with the latest threats.
Blue Screen of Death Also!

GuitarBob

I'm glad I saw these posts. I had a similar problem yesterday. I'm not on a network--just a standalone PC running Windows XP Professional/Media Edition SP2/all patches. I set up Microsoft Fax to receive a fax to be sent in later and left at about 4 pm (Central USA time). ClamWin was set to do a scan at 5 pm. When I got back after 5:30, I had the blue screen with the C000021a fatal system error and a further explanation that the Windows logon process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000). I reinstalled my system.
Previous scans earlier in the day with ClamWin (9 am) and NOD 32 (noon) were clean. I don't run as a network, so there shouldn't have been any changes to Winlogon, and there was nothing in quarantine.
Regards,
Solution?

GuitarBob

I think I'll just configure ClamWin not to kill infected files in memory from now on and let my resident scanner catch anything. I assume Winlogon.exe and similar files will be excluded from scans in Version 1.0 if there has been no change since the last scan.
Regards,
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.