Thread: Vario.AntiVirus in winlogon.exe: FP?

  1. #1
    Junior Member
    Join Date
    Oct 2010
    Posts
    4

    Default Vario.AntiVirus in winlogon.exe: FP?

    Windows XP Professional, SP3 licensed and fully patched.
    Firefox 3.6.10, NoScript 2.0.3.5, AdBlockPlus 1.2.2.
    Avira Antivir Personal 10.0.0.567.
    Windows Defender 1.1.1593.0.

    Did an update to Zone Alarm and Windows Defender yesterday. After reboot and logon as Administrator, surprised to see an alert from Teatimer. Extract from Resident.log...

    19/10/2010 18:26:13 Encountered and terminated Vario.AntiVirus in C:\WINDOWS\system32\winlogon.exe!

    Finished the Zone Alarm update. Rebooted. No Teatimer alert then or since.

    Updated S&D, immunised, scanned. Nothing found.
    Downloaded, installed, updated MBAM 1.46. Quick scan. Nothing found.
    Scanned winlogon.exe with Antivir and S&D. Nothing found.

    This machine has only been used for light surfing to 'trusted' sites and email.

    Any known interaction between Teatimer and Windows Defender?

  2. #2
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Thank you for reporting this issue.

    As of now we have not confirmed any incompatibilities between TeaTimer and Windows Defender. But it seems that TeaTimer can produce random false positives if it is unable to properly read a file. This is usually not reproducible after TeaTimer gets restarted or the computer gets rebooted.

    Did you reboot your computer after this occurrence and did another TeaTimer false positive occur?
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    Oct 2010
    Posts
    4


    Quote Originally Posted by Yodama View Post
    as of now we have not confirmed any incompatibilities between TeaTimer and Windows Defender. But it seems that TeaTimer can produce random false positives if it is unable to properly read a file. This is usually not reproducible after TeaTimer gets restarted or the computer gets rebooted.

    Did you reboot your computer after this occurrence and did another TeaTimer false positive occur?
    Yes I rebooted, and no TT false positive at logon or subsequent logons.

    Checked for signs of infection of Vario.Antivirus per this post

    http://forums.spybot.info/showthread...ario.antivirus

    None of the files or registry entries mentioned there were present.

    From S&D resident.log...

    "19/10/2010 18:22:21 Allowed (based on user decision) value "ZoneAlarm Client" (new data: "") deleted in System Startup global entry!

    19/10/2010 18:22:34 Allowed (based on user decision) value "CheckPoint Cleanup" (new data: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpes_clean_launcher.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cpes_clean.exe") added in System Startup global entry!

    19/10/2010 18:25:34 Allowed (based on lassh blacklist) value "Windows Defender" (new data: ""C:\Program Files\Windows Defender\MSASCui.exe" -hide") added in System Startup global entry!

    19/10/2010 18:26:12 Allowed (based on authenticode whitelist) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Common Files\Java\Java Update\jusched.exe"") added in System Startup global entry!

    19/10/2010 18:26:13 Encountered and terminated Vario.AntiVirus in C:\WINDOWS\system32\winlogon.exe!

    19/10/2010 18:26:26 Allowed (based on authenticode whitelist) value "avgnt" (new data: ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min") added in System Startup global entry!

    19/10/2010 18:26:35 Allowed (based on authenticode whitelist) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"") added in System Startup global entry!

    19/10/2010 18:26:41 Allowed (based on authenticode whitelist) value "Adobe ARM" (new data: ""C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"") added in System Startup global entry!

    19/10/2010 18:28:34 Allowed (based on user decision) value "ZoneAlarm Client" (new data: ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"") added in System Startup global entry!"

    I uninstalled ZA, rebooted and installed new ZA. I also did an Adobe Reader update and a Java update. I know I should have done them one at a time, but was pushed for time.

    Guess there was a good chance of a locked file while TT was scanning, but why did it alert on winlogon.exe?

    The reason I mentioned Windows Defender was that the alert occurred immediately following an update to its definitions. Windows defender also detected something at the same time but couldn't classify it.

    From the system log...

    "19/10/2010
    18:38:51
    Information

    WinDefend
    Error ID 3005

    Windows Defender Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software.

    For more information please see the following:

    http://go.microsoft.com/fwlink/?linkid=74409

    Scan ID: {264B8DB4-2281-4067-ABAE-A64E19923A0E}

    User: WINDOWSXP\Administrator

    Name: Unknown

    ID:

    Severity: Not Yet Classified

    Category: Not Yet Classified

    Alert Type: Unclassified software

    Action: Ignore"

    From the WinDefend log...

    "Unknown Program, Unknown Alert level, Action Taken Permit, 19/10/2010 18:38, Succeeded


    Description:

    This program has potentially unwanted behavior.


    Advice:

    Permit this detected item only if you trust the program or the software publisher.


    Resources:

    file:

    C:\WINDOWS\system32\drivers\etc\hosts


    Category:

    Not Yet Classified"

    What do you think?

    zcx
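    As an added illustration (not the poster's or Spybot's code), here is a small Python parser for the Resident.log format quoted above. It rebuilds the timeline and, for each "Encountered and terminated" event, lists the startup changes logged in the minutes before it and which of those were allowed on a user decision rather than a signer or blacklist check, which is the context one would want when judging a detection like this as a false positive. The sample lines are constructed from the thread; the 5-minute window is an assumed parameter.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the Spybot S&D Resident.log format quoted in the
# thread above (dd/mm/yyyy stamps); example data, not a real capture.
SAMPLE_LOG = r"""
19/10/2010 18:22:21 Allowed (based on user decision) value "ZoneAlarm Client" (new data: "") deleted in System Startup global entry!
19/10/2010 18:25:34 Allowed (based on lassh blacklist) value "Windows Defender" (new data: ""C:\Program Files\Windows Defender\MSASCui.exe" -hide") added in System Startup global entry!
19/10/2010 18:26:12 Allowed (based on authenticode whitelist) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Common Files\Java\Java Update\jusched.exe"") added in System Startup global entry!
19/10/2010 18:26:13 Encountered and terminated Vario.AntiVirus in C:\WINDOWS\system32\winlogon.exe!
19/10/2010 18:28:34 Allowed (based on user decision) value "ZoneAlarm Client" (new data: ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"") added in System Startup global entry!
"""
STAMP = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
ALLOWED_RE = re.compile(
    STAMP + r' Allowed \(based on (.+?)\) value "([^"]+)" '
    r'\(new data: "(.*)"\) (added|deleted|changed) in (.+?)!$')
TERMINATED_RE = re.compile(STAMP + r" Encountered and terminated (\S+) in (.+)!$")

def parse_resident_log(text):
    """Turn Resident.log lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = ALLOWED_RE.match(line)
        if m:
            ts, basis, name, data, action, where = m.groups()
            events.append({"time": datetime.strptime(ts, "%d/%m/%Y %H:%M:%S"),
                           "kind": "allowed", "basis": basis, "name": name,
                           "data": data, "action": action, "where": where})
            continue
        m = TERMINATED_RE.match(line)
        if m:
            ts, threat, path = m.groups()
            events.append({"time": datetime.strptime(ts, "%d/%m/%Y %H:%M:%S"),
                           "kind": "terminated", "threat": threat, "path": path})
    return events

def triage(events, window=timedelta(minutes=5)):  # window is an assumed default
    """For each detection, gather the startup changes logged shortly before it and
    note which were allowed on a user decision rather than a signer/blacklist check."""
    findings = []
    for ev in events:
        if ev["kind"] != "terminated":
            continue
        prior = [e for e in events if e["kind"] == "allowed"
                 and ev["time"] - window <= e["time"] <= ev["time"]]
        findings.append({
            "threat": ev["threat"], "path": ev["path"],
            "system_binary": ev["path"].lower().startswith(r"c:\windows\system32"),
            "prior_changes": len(prior),
            "user_decisions": [e["name"] for e in prior if e["basis"] == "user decision"]})
    return findings
```

A `system_binary` hit with several startup changes in the same window, as in this thread, is exactly the pattern worth checking against the file's signature and a second scanner before trusting the label.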

  4. #4
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Thank you for your information on this.

    I think ZA may have caused this, it locks itself very deep into the system and is known to cause issues if it gets uninstalled. That may also explain the result from Windows Defender, but to be sure that your hosts file is ok you should send it in for analysis. You can attach the hosts file to your next posts here or email it to detections@spybot.info with a reference to this thread.
  5. #5
    Junior Member
    Join Date
    Oct 2010
    Posts
    4


    Quote Originally Posted by Yodama View Post
    I think ZA may have caused this, it locks itself very deep into the system and is known to cause issues if it gets uninstalled. That may also explain the result from Windows Defender, but to be sure that your hosts file is ok you should send it in for analysis. You can attach the hosts file to your next posts here or email it to detections@spybot.info with a reference to this thread.
    Just emailed hosts and winlogon.exe for your attention.

    zcx

  6. #6
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Received and analysed your files; they are both clean, so as suspected the detections on both were false positives.

    Thanks for your cooperation.
  7. #7
    Junior Member
    Join Date
    Oct 2010
    Posts
    4


    Quote Originally Posted by Yodama View Post
    Received and analysed your files; they are both clean, so as suspected the detections on both were false positives.
    Many thanks for your help.
