Friday 13 February 2009

BitDefender: Trojan.Generic.1423603 in winlogon.exe

This looks like a false positive: BitDefender is reporting Trojan.Generic.1423603 in C:\windows\system32\winlogon.exe. This name is sometimes used by malware, but in this case no other product is detecting anything malicious.

Current pattern is for BitDefender is 2640654, pushed out on Friday 13th February (!).

I will post the ThreatExpert prognosis when I get it.. in the mean time I would suggest that you do NOT try to remove winlogon.exe as you will render your system unbootable. (NOTE: Do NOT reboot your machine as this will most likely break it!)

Update: ThreatExpert indicates that it is clean. Several comments confirm that it is a false positive. The problem seems to be on Windows XP SP3, SP2 does not seem to have the same issue. The MD5 for this file is ed0ef0a136dec83df69f04118870003e

It seems that there are several reports at the BitDefender forum. I would guess that BitDefender are aware of the problem, temporarily disabling the anti-virus scanner may be a good idea else your system may become unusable. Usually these issues are fixed in 24 hours.

Update 2:
If you can't get the winlogon.exe out of quarantine, then this is a copy of the original (English US) file for XP SP3. Use at your own risk - password is "bitdefender".
winlogon_xpsp3.zip

12 comments:

  1. Yes it is a false positive as reported here (german site):

    Trojan.Generic.1423603

    ReplyDelete
  2. Was heißt "falsche Positive" mal so für Anfänger gesprochen.

    Was sollte man tun bzw. lassen, wenn man selbst betroffen ist.

    Fragende Grüße

    ReplyDelete
  3. Yes, I second Serafine's question. Is there something that can be done, or something that shouldn't be done in this situation? Should we just wait until a new update to the virus definitions comes out, or is there a way to tell Bitdefender to leave it alone?

    Thanks for any help!

    ReplyDelete
  4. Usually these things are fixed fairly quickly, I would wait for the next update.

    This was on Windows XP SP3 by the way, I don't know if other OSes have the same problem.

    ReplyDelete
  5. ...na dann hoffen und warten wir mal gemeinsam auf gute Besserung!

    Gespannte Grüße

    ReplyDelete
  6. Oh dear, I clicked to allow G Data to quarantine the file. Now my Windows XP computer just fails on boot up to blue screen with Windows logon ended.

    I can't get winlogon.exe out of quarantine because I can't start Windows.

    The G Data boot disk might allow me to see what data I have on the computer but has a Linux type look with folder names that I don't understand.

    The Windows XP CD offers to repair my Windows installation but asks for an administrator password which I don't know because I've never entered one!

    Has anyone a brilliant idea to get my computer running again. Flaming Friday 13th!

    PS My Windows XP is German but it's quicker for me to write in English. Answers in either langauge would be very welcome.

    ReplyDelete
  7. If you have access to another PC, then it might be possible to slave the disk to that and carry out a recovery in Windows Explorer. I keep a USB drive caddy around just for this type of eventuality. It's much easier than using the recovery console.. although if you don't have a caddy, you may need to buy one from your local PC store.

    Yes, there are other ways of recovering it. I just find slaving the disk to a working PC is often much easier.

    ReplyDelete
  8. So the problem seems to have been fixed by Bitdefender (if that is what you are using). If you can still log in to your computer, then do a Bitdefender update and the problem should go away. One of the computers that I was no longer able to login to, I booted with a Linux Live CD, mounted the internal Windows hard drive, copied winlogon.exe from a working computer (same service pack level) and put it in the correct location and rebooted and it was fine. Before doing the reboot, I booted into safe mode and disabled Bitdefender services. Once I was able to log back into normal mode, I re-enabled the services and did the Bitdefender update.

    ReplyDelete
  9. ... kann ich bestätigen, nach dem update ist alles wieder so, wie es sein sollte :o)

    ReplyDelete
  10. Thanks for your help.

    Success. Copied winlogon.exe from my other German Windows XP computer to floppy disk.

    Windows XP installation CD goes into a DOS mode so was able to insert floppy disk and copy winlogon.exe with DOS command to windows\system32.

    Now seems to work. Thank goodness for floppy disk drives because I'm not sure whether a USB stick or a CD would have worked.

    PS The other Windows XP computer also gave the G Data warning but I had already learned not to believe it.

    Perhaps now I can enjoy Friday 13th!

    ReplyDelete
  11. Typical!! No sooner does my computer work than G Data gives a solution to the problem.

    Frage: Fehlerkennung in Winlogon.exe (Windows XP) Trojan.Generic.1423603

    Antwort: Wenn auf Ihrem System die Datei "Winlogon.exe" als virenbehaftet erkannt wird, so handelt es sich hierbei um einen Fehlalarm. Bei einem Fund durch den Wächter wählen Sie bitte "Dateizugriff sperren".

    In diesem Fall führen Sie bitte ein Viren-Update durch und starten den Rechner erneut.

    Mit dem aktuellen Update tritt diese Fehlerkennung nicht mehr auf.



    Sollten Sie die Datei bereits gelöscht oder in Quarantäne verschoben haben, gehen Sie bitte wie folgt vor:

    1. Legen Sie die Windows XP-Startdiskette in das Diskettenlaufwerk ein, oder legen Sie die Windows XP-CD-ROM in das CD-ROM-Laufwerk ein, und starten Sie den Computer anschließend erneut.

    Wenn Sie dazu aufgefordert werden, drücken Sie eine Taste, um von der eingelegten CD-ROM bzw. Diskette zu starten.

    2. Wenn die Willkommensseite angezeigt wird, starten Sie mit der Taste [R] die Wiederherstellungskonsole.

    3. Wählen Sie die Installation aus, auf die Sie von der Wiederherstellungskonsole aus zugreifen möchten.

    4. Geben Sie das Administratorkennwort ein, wenn Sie dazu aufgefordert werden. Wenn es sich bei dem Administratorkennwort um ein leeres Kennwort handelt, drücken Sie einfach die [EINGABETASTE].

    5. Tippen Sie bitte folgenden Befehl ein: "cd windows\servicepackfiles\i386" und bestätigen Sie diesen mit der [EINGABETASTE].

    6. Geben Sie dann folgenden Befehl ein: "copy winlogon.exe c:\Windows\system32" und bestätigen Sie diesen mit der [EINGABETASTE].

    7. Geben Sie nun "exit" ein, und drücken Sie anschließend die [EINGABETASTE], um die Wiederherstellungskonsole zu beenden und den Computer neu zu starten.

    8. Starten Sie nun den PC bitte im abgesicherten Modus.



    Diesen erreichen Sie, indem Sie vom Beginn des Start-Vorgangs an die "F8"-Taste so oft hintereinander drücken, bis ein entsprechender Auswahlbildschirm erscheint. Dort wählen Sie dann bitte den "Abgesicherten Modus" und drücken die [EINGABETASTE].



    9. Setzen Sie den Starttyp des AntiVirus Wächters unter "Start > Systemsteuerung > Verwaltung > Dienste" auf "deaktiviert".

    10. Starten Sie den PC neu und laden dann (im normalen Modus) ein Update der Virensignaturen.

    11. Nach Abschluss des Updates stellen Sie unter "Start > Systemsteuerung > Verwaltung > Dienste" den Starttyp des AntiVirus Wächters wieder auf "automatisch".

    12. Starten Sie den Rechner neu; die Systemdatei wird jetzt nicht mehr erkannt.

    ReplyDelete
  12. Autotranslated:
    Question:

    Error identifier in Winlogon.exe (Windows XP) Trojan.Generic.1423603
    Answer:

    If your file system Winlogon.exe virenbehaftet be recognized, so this is a false alarm. When a fund by the Guardian, please select "File access block".

    In this case, please do a virus update and restart the computer again.

    With the latest update, this error ID no longer appears.



    If the file is already deleted or quarantined by mistake, please proceed as follows:

    1. Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive and restart your computer again.

    If you are prompted to press a button to switch from the CD-ROM or floppy disk to start.

    2. If the Welcome page is displayed, start by pressing [R], the Recovery Console.

    3. Select the installation that you can restore from the console access.

    4. Enter the administrator password when prompted. If the administrator password to a blank password is, simply press the [ENTER].

    5. Please type the following command: cd windows \ service pack files \ i386 "and confirm this with the [ENTER].

    6. Then enter the following command: "copy winlogon.exe c: \ Windows \ system32" and confirm this with the [ENTER].

    7. Enter "exit" and then press the [ENTER] to open the Recovery Console to quit and restart your computer.

    8. Now start the PC in Safe Mode please.

    This is accomplished by you from the beginning of the startup process to the "F8" key as many times in succession until an appropriate selection screen appears. There, then please select the "Safe Mode" and press the [ENTER].



    9. Set the Startup type of antivirus guard under Start> Control Panel> Administrative Tools> Services "to" disabled. "

    10. Restart the PC and then load (in normal mode) to update the virus signatures.

    11. After completing the update, set the "Start> Control Panel> Administrative Tools> Services" of the start_type AntiVirus guard returns to "automatically".

    12. Restart the computer, the file system is no longer recognized.

    ReplyDelete