"trojan.winlogon.exe" found on 3 notebooks during comodo-installation process

hallo,
I am new here and I am a beginner using COMODO firewall 3…
during installation of Comodo 3.0… the scan results turned out to show 2x “trojan.winlogon.exe”…
then I tried the same process on two more notebooks and found out that ALL of them show “trojan.winlogon.exe” as scan result…

how dangerous are these trojans and what shall I do, PLEASE?
THANKING in anticipation…
with best regards,
jpk

Greetings!

If it’s located in \WINDOWS\system32, it should NOT be removed. It’s a very important system file, and should for no reason be removed.
winlogon.exe is always running in memory, so it’s highly unlikely that it has been infected. If it’s located somewhere else than \WINDOWS\system32, it might actually be a sign of malware.

Cheers,
Ragwing

Strange if the virus scanner is picking up winlogon.exe on all 3 comps.
Are they all on the same network?

Regards Matty

Comodo isn’t the best scanner to trust. Scan with a good AV and AS. Upload the file here if you want.

hi,

THANKS VERY MUCH INDEED,
VERY, VERY helpful!

I did NOT remove or quarantine it (again) because when I did so the first time,
XP did not work any more…

here is the full text of the malware results:

Trojan.Win32.Patched.m(ID = 0x72d15) C:\WINDOWS\system32\dllcache\winlogon.exe
Trojan.Win32.Patched.m(ID = 0x72d15) C:\WINDOWS\system32\winlogon.exe

I use a Fritz!Box for WLAN + LAN…

I also think it is very strange
that all three notebooks are supposed to be infected,
even though one of them was installed completely new, after carefully formatting it…

further help is very welcome…

THANKS again,

jpk

All I have to say is, LEAVE THOSE FILES ALONE! You do NOT want to delete them. Like you wrote, Windows will NOT work without winlogon.exe.

Cheers,
Ragwing

PS:
HERE IS THE RESULT OF VIRUSTOTAL:

	Datei winlogon.exe empfangen 2008.03.09 21:44:59 (CET)
	Status: Ergebnis: 0/32 (0%)

does this mean
that Comodo Pro detected a “trojan” without reason???

should we send this result to Comodo technical support?

greetings,
jpk

Thank you,
Ragwing
that is very helpful for me!

Cheers,
jpk

It’s called a false positive, and a lot of spyware scanners and AV scanners have this problem.

Yeah. I don’t know why this happened, but it’s a VERY serious problem. Inexperienced users who don’t have any idea what winlogon.exe is might quarantine/delete it like you did, and therefore be unable to boot again, which’ll result in a re-format and possible data loss.
There have been other serious false positives before.

Yes, that’s true. But flagging important system files as malware is VERY serious.

Cheers,
Ragwing

True, but even before I knew a lot about computers, back when I had dumb ■■■ Norton and it said I had a virus, I researched it online and found it wasn’t a virus. It was the latest dat files making a false positive. The next update it was fixed. As far as Comodo and the scanner for malware go, that needs a lot of maturing. Better off using a known good program like Spybot or SuperAntiSpyware. It’s kinda like throwing out milk just because it’s past the expiration date. If you actually tasted it you would find out that it’s still good.

There have been documented instances of malicious code masquerading as winlogon.exe. I know, because one managed to infiltrate my laptop’s Windows root directory last October. A rollback to a previous System Restore point enabled me to remove the trojan from my Windows root directory (not the “system32” directory). Check the Properties of winlogon.exe, which should have the following attributes:

Size: 502,272 bytes
Date: 2004-08-04 00:56:58.

If the Winlogon.exe files on your system(s) reflect these attributes, do not delete them. They may appear in the following folders: C:\WINDOWS\SYSTEM32; C:\WINDOWS\SYSTEM32\DLLCACHE; C:\WINDOWS\$NtServicePackUninstall$; C:\I386\ and C:\WINDOWS\ServicePackFiles\i386\

Additional information:
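As an added example (not part of any post in this thread), the following Python triages scan hits in the exact format jpk pasted above by checking whether each flagged winlogon.exe sits in one of the folders listed in the previous post; the C:\WINDOWS\winlogon.exe sample line is constructed to show the other branch.

```python
# Added example: triage winlogon.exe scan hits by path (not code from the thread).
import re
from pathlib import PureWindowsPath

# Folders named in the thread where a genuine XP winlogon.exe copy may live.
EXPECTED_DIRS = {
    r"C:\WINDOWS\system32",
    r"C:\WINDOWS\system32\dllcache",
    r"C:\WINDOWS\$NtServicePackUninstall$",
    r"C:\I386",
    r"C:\WINDOWS\ServicePackFiles\i386",
}
_EXPECTED_NORM = {str(PureWindowsPath(d)).lower() for d in EXPECTED_DIRS}

# Matches the scanner's output format, e.g.
#   Trojan.Win32.Patched.m(ID = 0x72d15) C:\WINDOWS\system32\winlogon.exe
HIT_RE = re.compile(r"^(?P<name>[^\s(]+)\(ID = (?P<id>0x[0-9a-fA-F]+)\)\s+(?P<path>.+?)\s*$")

def parse_hit(line):
    """Return {'name', 'id', 'path'} for one scanner line, or None if it does not match."""
    m = HIT_RE.match(line.strip())
    return None if m is None else {"name": m["name"], "id": m["id"], "path": m["path"]}

def triage(path):
    """Classify a flagged path: 'expected' (known winlogon.exe location, so a likely
    false positive: verify the hash against a known-good copy or VirusTotal, never
    delete), 'unexpected' (winlogon.exe outside those folders: investigate), or
    'not-winlogon' for any other file name."""
    p = PureWindowsPath(path)
    if p.name.lower() != "winlogon.exe":
        return "not-winlogon"
    return "expected" if str(p.parent).lower() in _EXPECTED_NORM else "unexpected"

def triage_report(lines):
    """Parse every scanner line and pair each path with its verdict."""
    hits = (parse_hit(l) for l in lines)
    return [(h["path"], triage(h["path"])) for h in hits if h is not None]

# Sample input: the two lines from the thread plus one constructed hit in the Windows root.
SAMPLE_SCAN = [
    r"Trojan.Win32.Patched.m(ID = 0x72d15) C:\WINDOWS\system32\dllcache\winlogon.exe",
    r"Trojan.Win32.Patched.m(ID = 0x72d15) C:\WINDOWS\system32\winlogon.exe",
    r"Trojan.Win32.Patched.m(ID = 0x72d15) C:\WINDOWS\winlogon.exe",  # constructed
]

if __name__ == "__main__":
    for path, verdict in triage_report(SAMPLE_SCAN):
        print(f"{verdict:12} {path}")
```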

VERY interesting,
THANKS to all:

  • on the 3rd notebook suddenly no threats anymore!!

  • on the other 2 notebooks one “trojan.winlogon.exe” in system32 and one in system32\dllcache.
    the properties are:

++ XP-home
507.392 / 507.904 bytes
29.Dec.2004, changed 04.aug.13:00:00
(WATCH: the date “made” is younger than the date “Changed”!)
Version 5.1.2600.2180 (xpsp_sp2_rtm 040803_2158)

++ XP-prof.
bytes ditto
BOTH dates 04.aug.2004 13:00:00
version ditto

cheers + once more thank you,
jpk

Comodo AV did the same, didn’t it? I believe it even deleted the “infected” file.

This is a serious issue, as all the Fear, Uncertainty and Disinformation that has been spread by the “security” industry works: most users will blindly trust what their state-of-the-art security program tells them and do as it (maybe) suggests. In this case doing so would render your Windows useless, as you, and more importantly “system”, won’t be able to log on.

Maybe Comodo should slow down a bit on all the new stuff and do better beta-testing before releasing?

It looks clean.
If you still want to be 100% sure, then unplug the network cable, boot with the Windows Recovery Console, delete both winlogon.exe files, and then copy the one from your CD. This is not needed, though.

Cheers,
Ragwing

The best idea in case someone is unsure regarding a file is to submit to http://virustotal.com (working with many engines).

False positives are deadly to the inexperienced. Trusting Comodo and removing the suspects hoses their system and pisses them off. Since the probability of actually having a virus is quite low, misses are actually better. (For those of you who remember Bayes’ Rule and Type I and Type II errors :slight_smile: ) CFP3 would be much better off with a disclaimer for now telling the user to check these alerts with an on-demand scanner. There is a bug report on this, but the developers have marked it as “trivial”. I don’t think they understand the impact on the users. :frowning:

THANK YOU! :slight_smile:
regards from germany,
jpk

So is there anything I can do to get my system back up after putting the winlogon.exe into quarantine?
Or is a format the only solution?
Sorry for hijacking.
Thanks in advance.

Try doing a system restore back before you did a scan.