Bitdefender and GData delete winlogon system file
Anti-virus programs by Bitdefender and GData issued a signature update last week that identified the file "winlogon.exe" as a trojan (Trojan.Generic.1423603) and, if set up appropriately, simply deleted it. Both vendors have, in the meantime, announced that this is a false alarm and have made an update available to resolve the issue. Users who have not yet installed this update are advised to block file access, carry out a signature update and restart their computers.
If the "winlogon.exe" file has already been deleted, it needs to be restored into the c:\Windows\system32 directory via the Windows recovery console. Then the computer must be restarted in safe mode and the virus scanner's auto-start option manually disabled in the system tray. Next, the computer must be restarted in normal mode, the anti-virus update downloaded and "automatic" autostart re-enabled in the virus scanner's pop-up menu, followed by a final restart.
In recent times, an increasing number of false alarms have been triggered by virus scanners. GData has been particularly problematic, bundling not only the detection rates, but also the false alarms of several scanners in sometimes varying combinations. In December 2007, it identified the Windows explorer.exe system file as a trojan via the Kaspersky engine, and shortly afterwards it misidentified parts of user32.dll using the Avast engine. When heise Security asked whether there are any plans to counteract the rising number of false alarms, the vendor did not reply.
This latest case gives rise to the assumption that false alarms caused by anti-virus software will continue to unnerve users. One reader told heise online that the most recent flaw caused chaos in a mid-size company, with administrators in twenty branches having to repair the damage.