Modified winlogon: is this a real threat?

After running a CCE quick scan, it showed one threat. I chose to ignore the threat for now and ran a scan using CIS. The result of the CIS scan was no threats found. Here is the text info from the CCE scan.

====== System Information ======
Computer Name: HPDESKTOP
Log on User: John
Memory Size: 7.75 GB.
Windows Directory: C:\Windows
Windows Version: 7 (64bit)
CCE Version: 2.5.242177.201

Virus database version: 13147

[12:45:29] Scan started.
====== Cleanup results ======
Global WINLOGON SYSCHANGE Ignore OK

What should I do?

Please check the digital signature of the winlogon file to see if it has a valid digital signature by Microsoft.

To know for sure that winlogon.exe is the original file you can use Sigcheck to see if it is digitally signed by Microsoft.

Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done, run sigcheck.reg to add it to the registry.

When this is done, navigate to the system32 folder, look up and select winlogon.exe, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.

I am unable to get a black command box to open… I right-click on the file and select Signature, but then I get a box asking what program to open the mui file with…

That’s odd and has me stuck for an answer… 88) :-\

I asked the other mods to take a look at this problem.

Please run the extra tool ‘Autoruns’ and click on the ‘Winlogon’ part in the left menu.
Then post a screenshot of the results please so we might see what has been changed.

Here it is and I also provided screenshot of the cce scan…

Does it make sense to you that CCE would show a threat but CIS does not?

[attachment deleted by admin]

how about this

Click on “start”
Click on “All Programs”
Click on “Accessories”
Click on “Command Prompt” <---------Right Click on - RUN AS ADMIN
type in “sfc /scannow” <----without the " "

Ran sfc /scannow earlier today and no problems or issues were found…

[attachment deleted by admin]

Ran sfc /scannow earlier today and no problems or issues were found..
If that's your only issue, I wouldn't worry about it.

Go to Start and type msconfig, and please post a pic of each tab. Thanks

There are several stages of ‘winlogon’, e.g. in win.ini and system.ini, the registry etc.
The CCE entry doesn’t give a clue where to look for modified things; I’d suggest running an MBAM scan to see if that shows more details.
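The registry part of the winlogon settings mentioned in the post above can be inspected read-only from PowerShell. This is an added example, not part of any post in the thread: the function name `Compare-WinlogonValue` and the sample data are made up for illustration, the expected values assume a stock Windows 7 install, and it does not reproduce whatever check CCE performs.

```powershell
# Added example (not from the thread). Read-only: nothing is modified.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected values (assumption: stock Windows 7 defaults, path built from %SystemRoot%).
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe')
}

# Hypothetical helper: compares a table of actual values with the expected ones.
function Compare-WinlogonValue {
    param([hashtable]$Actual, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $raw = $Actual[$name]
        if ($null -eq $raw) {
            $status = 'MISSING'
        } else {
            # Userinit normally ends with a comma. Trim it before comparing, so
            # that only extra comma-separated entries or another path show up.
            $norm = ([string]$raw).Trim().TrimEnd(',').Trim()
            # -eq on strings is case-insensitive, like Windows paths.
            if ($norm -eq $Expected[$name]) { $status = 'OK' } else { $status = 'DIFFERS' }
        }
        New-Object PSObject -Property @{
            Name = $name; Status = $status; Actual = $raw; Expected = $Expected[$name]
        }
    }
}

# Constructed sample (not from the poster's machine): Userinit carries one
# extra placeholder entry, so it is reported as DIFFERS while Shell is OK.
$sample = @{
    Shell    = 'Explorer.exe'
    Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ',C:\placeholder\example.exe,'
}
Compare-WinlogonValue -Actual $sample -Expected $expected |
    Format-Table Name, Status, Actual, Expected -AutoSize

# Live check against the local registry.
$props = Get-ItemProperty -Path $key
$live = @{}
foreach ($name in $expected.Keys) { $live[$name] = $props.$name }
Compare-WinlogonValue -Actual $live -Expected $expected |
    Format-Table Name, Status, Actual, Expected -AutoSize
```

A DIFFERS or MISSING row only says the value is not the stock default; some legitimate software changes these values, so the reported path still has to be looked at.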

Just thinking out loud. Maybe it is responding to the file not found situation? Try disabling the autorun entry with the file not found error and try again.

Also try running checkdisk to see if the file system is intact. Run chkdsk /f from the command prompt and allow Windows to run chkdsk on the next boot.

Here they are

[attachment deleted by admin]

Not sure what you want me to do… Please help me understand… ty

Fixed the quote. Eric

Do you think this is even an issue… MBAM and CIS do not find any threats… Only CCE

[attachment deleted by admin]

Your issue is that you have it set to selective startup. Why?

I don't think selective startup may be an issue.

Mine is also selective startup. When you remove any checks from the startup entries it is automatically set to selective startup; at least here it is so.

Win 7 64 & XP 32

Just what Naren said as soon as a startup is disabled it changes to selective startup…

Why don’t you try putting it back to normal and see if the problem is still reported? To turn things off I actually use CCleaner, in their tools section.

A picture sometimes says more than a thousand words. Disable the Autorun that is in the red squared area and see if that makes a difference or not.

[attachment deleted by admin]