Suddenly HIPS alerts file as unrecognised and behaving like malware

Windows 7 Home Premium
Offending file: C:\Windows\System32\LogonUI.exe

Long story short: because the screen shuts down immediately when hibernating Windows, and I had the audio muted, I was unaware that HIPS was generating this alert:

Description: winlogon.exe is trying to execute LogonUI.exe
Advice: HIPS malware heuristic analysis has detected possible malware behavior in C:\Windows\System32\LogonUI.exe. However, if you are not sure whether or not LogonUI.exe is a virus, then please submit it to COMODO for analysis.

The file hashes for both winlogon and LogonUI check out on VirusTotal, so I’ve had to set LogonUI.exe as trusted, otherwise I can’t get past the black login screen after starting up, and can’t hibernate.

Any advice please?

Enable the Comodo property page using the attachment from this post, then go to the file location, alt-click on logonui.exe and select "json: dump information for the files", save it and attach it here.

Thanks for the reply, although it came a little late as I had already decided to try a clean install of CIS, which seemed to trigger another problem.

I uninstalled CIS via the Windows Control Panel.

Checked the registry and discovered several orphaned references to CIS, which I thought I’d try to clean. I attempted to create a restore point before doing so, but I was presented with:

The restore point could not be created for the following reason:

The request could not be performed because of an I/O device error (0x8007045D)

Got a similar error when trying to create a system image, and discovered atapi errors in the event viewer.

Assuming a potential drive failure, I performed a clean Windows install on a spare drive and installed CIS on that - no problems as such.

Having since read your reply, I have rebooted into the old drive and discovered that I can now create restore points (?!?!), so I reinstalled CIS on that - again with no problems, except for continued atapi errors.

Anyhow, here’s the attached file you requested.
Thanks again.

Unfortunately it wasn’t helpful; you would need to grab the info when the issue happened. Oh well. Do you remember, when you manually changed the file rating to trusted, was the company column blank next to logonUI.exe in the file list, or did it say Microsoft Windows? I have a theory that in some circumstances CIS will not see the digital certificate of the application and thus rates it as unrecognized. The company column lists the certificate signer, and if you double-click on a file from the file list, the Comodo properties window opens up and has a section called certificate signer that will list who signed it.

No, the company field in the file list was blank, and yes, the certificate signer was Microsoft (the Comodo properties window is where I got the hash from to check). This was the same for wmpnetwk.exe which HIPS baulked on a few days before the logonui event, but as it was only being reported as unrecognised (not behaving like malware) I just disabled it from auto running and didn’t report it as it wasn’t such an issue.
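The two things this thread is comparing, who signed LogonUI.exe and what its hash is, can be checked outside CIS from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from COMODO; it assumes only the built-in Get-AuthenticodeSignature cmdlet and the two file paths given in the thread, and it avoids Get-FileHash so that it also runs on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example, not code from the thread or from COMODO.
# Reports the Authenticode signer and SHA-256 hash of the two files the thread
# is about, so the signer can be compared with the "company" / "certificate
# signer" fields CIS shows and the hash can be looked up on VirusTotal.

$files = @(
    (Join-Path $env:SystemRoot 'System32\LogonUI.exe'),
    (Join-Path $env:SystemRoot 'System32\winlogon.exe')
)

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only exists from PowerShell 4 onwards, so hash through .NET
    # directly; this works on the PowerShell 2.0 that ships with Windows 7.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha256.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path

    # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
    # NotSigned on a genuine Windows binary usually means the file is signed only
    # through a security catalog, which this cmdlet does not consult; a tool that
    # checks catalogs (e.g. Sysinternals sigcheck) is needed to confirm those.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    New-Object PSObject -Property @{
        File   = $path
        Status = $sig.Status
        Signer = $signer
        SHA256 = Get-Sha256Hex -Path $path
    } | Format-List
}
```

A Valid status with a Microsoft subject in Signer matches what the poster saw in the Comodo properties window; a HashMismatch or NotTrusted result, on the other hand, would be a reason to treat the HIPS alert as genuine rather than a rating glitch. The SHA-256 value can be pasted straight into VirusTotal's search box.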