CIS Scan found Trojan?

CIS Initial scan found …
Trojan.Win32.Patched.m@333776 … in location … C:\WINDOWS\$hf_mig$\KB840987\SP1QFE\winlogon.exe

Refers to SP1, and is dated 2004.
I have ALL MS updates through SP2/SP3 and to date!

But current ‘googled’ advice is not to delete anything in this folder.

Suggestions appreciated

Hello, Welcome to the forums (:HUG)

Could you please upload the file to www.virustotal.com and get back to me with the results.

Thanks for your reply :

File has already been analysed:
MD5: e7f9d2e4e4a94a6f58014e5ffa16a65e
First received: 01.31.2008 13:40:31 (CET)
Date: 11.22.2008 19:14:36 (CET) [>4D]
Results: 0/37
Permalink: analisis/e0920a2ee9b06318dac3bd2ee6348c17

Thank you. I believe this to be a nasty one… one big reason is that winlogon.exe should be found in
C:\windows\system32\winlogon.exe

Can you please do a search on your computer and look for “winlogon” and see what locations you find.
Also you can try submitting C:\WINDOWS\$hf_mig$\KB840987\SP1QFE\winlogon.exe to http://camas.comodo.com/cgi-bin/submit

Can you please → right click → properties and see when the file was created?

As stated in my first ‘post’, the file is dated 2004.

I do have winlogon.exe in C:\windows\system32 (dated 2008) … and in C:\WINDOWS\system32\dllcache (dated 2008)

But I’m now getting confused.

I think that the file that is giving the ‘threat’ (C:\WINDOWS\$hf_mig$\KB840987\SP1QFE\winlogon.exe) is part of the Windows ‘rollback’ function, and therefore not currently in use.
Is this file therefore only a problem if I ‘rollback’ to SP1 2004, which I am never going to do?
Can this file safely be deleted from C:\WINDOWS\$hf_mig$?

I’m not convinced. I’ve been doing a lot of looking into this with a friend, and every instance of
C:\WINDOWS\$hf_mig$\KB840987\SP1QFE\winlogon.exe seems to be related to some form of infection.

Can you upload it to http://camas.comodo.com/cgi-bin/submit and run a scan with Malwarebytes and SUPERAntiSpyware please.

If those come back clean then it might be a false positive. The odd thing is that you are the only user to report this in that file location.

Quote from Comodus on MSN:

I think nobody gets alerted because almost all of us have SP3 or SP2 integrated. No one has updated from SP1 to SP2 and then SP3. That could be the problem.

I did an SP2 upgrade using a MS SP2 cd, and the SP3 upgrade using a ‘slipstreamed’ WinXP Pro cd.
Statements on Google seem to suggest that the Service Pack installs do not remove the then redundant files; although many of the files in this folder no longer appear in Add/Remove programs.

I have had AVG (7.0, 7.5, 8) installed; have on many occasions run Trend Housecall online scan; and never had this file ‘flagged’.

Is it safe to allow CAVS to remove this file, as it wants to do?

Hi. You can also try to delete all your restore points. :slight_smile: Reboot and see if it’s detected again.

IMHO that file is safe to remove :slight_smile:

Is the file Microsoft signed? When it is signed it is not malware.

On a side note: I just did a reinstall of XP with SP3 slipstreamed. I have no uninstall folder for KB840987 in either the Windows folder or the $hf_mig$ folder. So the KB840987 folder is prior to SP3 and can be safely deleted.

In my install the lowest KB number is KB898461. So I think you can delete all uninstall folders with a number lower than KB898461, as they are pre-SP3. This way you can get some extra disk space.

You probably also still have the %systemroot%\$NtServicePackUninstall$ folder. That is there in case you want to uninstall the latest service pack. After a while you don’t need it anymore. You can delete it and get 0.5 GB of disk space back. Read this article: Microsoft Support. Read this article carefully and remember to never delete the %systemroot%\Servicepackfiles folder.
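The checks suggested in this thread (find every copy of winlogon.exe, look at when it was created, hash it for VirusTotal, and see whether it carries a Microsoft signature) can be done in one pass from PowerShell. The script below is an added example written for this page, not code from the thread or from Comodo; it assumes a Windows host with PowerShell 4 or later (Get-FileHash) and uses only the %SystemRoot% location and the file name winlogon.exe mentioned above. The function name Get-WinlogonInventory is a made-up name for this example.

```powershell
# Added example (not from the forum thread): inventory every copy of
# winlogon.exe under %SystemRoot% with timestamps, hashes and signature status,
# so a "hotfix uninstall" copy can be compared with the live system32 copy.

function Get-WinlogonInventory {
    param(
        [string]$Root = $env:SystemRoot,     # assumption: system drive Windows folder
        [string]$Name = 'winlogon.exe'
    )

    # -Force also descends into hidden folders such as $hf_mig$ and
    # $NtServicePackUninstall$; access-denied errors are skipped, not fatal.
    $copies = Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -File `
                            -ErrorAction SilentlyContinue

    foreach ($file in $copies) {
        # Authenticode check. Note: many Windows system binaries are signed via
        # catalog (.cat) files rather than an embedded signature; current
        # Windows versions resolve catalogs here, but on older systems a
        # NotSigned result for a catalog-signed file is not by itself proof
        # of tampering. HashMismatch, however, means the file was altered.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        # MD5 matches what VirusTotal reported in the thread; SHA-256 is what
        # you would submit or search for today.
        $md5    = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash
        $sha256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

        [pscustomobject]@{
            Path       = $file.FullName
            SizeBytes  = $file.Length
            Created    = $file.CreationTime
            Modified   = $file.LastWriteTime
            Version    = $file.VersionInfo.FileVersion
            MD5        = $md5
            SHA256     = $sha256
            SigStatus  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Usage: list all copies, then group by hash so byte-identical copies stand out.
$inventory = Get-WinlogonInventory
$inventory | Format-Table Path, Version, Created, SigStatus -AutoSize
$inventory | Group-Object SHA256 | ForEach-Object {
    "{0} copies share SHA256 {1}" -f $_.Count, $_.Name
    $_.Group.Path | ForEach-Object { "    $_" }
}
```

Two cautions when reading the output. Different service-pack or hotfix versions of winlogon.exe legitimately have different hashes, so a $hf_mig$ copy not matching the system32 or dllcache copy is expected and proves nothing on its own; what matters is the signature status and the file version of each copy. A copy that reports HashMismatch, or an unsigned copy whose version string does not correspond to any Microsoft release, is the one worth escalating, and the hash printed here is what you would look up or submit to an online scanner as the thread suggests.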

We have identified this false positive and it will be fixed in the next CAV update.

Thank you for reporting.

Thanks idem