Win32.LooksLike.Virut false positive?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Amethyst_08, Jan 25, 2009.

  1. Amethyst_08

    Amethyst_08 Corporal

    A few days ago I had run a tool to remove traces of a well-known security software from my PC, as I was planning to install a free version of that software and I had formerly had a security suite of that software, removed several months ago. The removal tool software crashed every time I tried to run it, so I eventually gave up and decided not to go with that product at all. I restored my computer to a restore point I had created prior to attempting to run the tool. The system was restored and I had a normal looking desktop, but then Windows generated an error message related to logonui.exe. This was followed by 4 other error messages. These would have been blue screens I think, but I don't have my system set to blue screen, just to restart instead. Event viewer just displays this as error codes. While this was going on, my full desktop was showing in the background the entire time. After several of these, everything looked normal. I tried a couple of things, I think opening the browser and the e-mail, things seemed OK, so I rebooted. I had a nice, clean reboot after that. I rebooted a couple of more times that day to verify that this process would work properly, and things seemed fine. Yesterday the system 'rebooted after a bug check' when I woke it up out of standby at one point, but other than that, things look fine. This rebooting thing does happen occasionally, something I've been looking into. (It's so sporadic that it's hard to tell, possibly some hardware thing.)

    I checked my logonui.exe properties, and it looks legitimate. The information on that is as follows:

    File size: 502 KB, size on disk 504 KB
    Created: August 9, 2004 11:00 p.m.
    Modified: August 9, 2004 11:00 p.m.

    Company name: Microsoft Corporation
    File version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    Internal name: Logonui
    Language: English (United States)
    Original file name: LOGONUI.EXE
    Product name: Microsoft Windows Operating System
    Product version: 6.00.2900.2180

    So today I got this brainwave to scan the file at virustotal.com, and SecureWeb-Gateway 6.7.6 said it was Win32.LooksLike.Virut. All the other scanners said it was OK. I can't find any information on such malware so that I could possibly even identify any symptoms.

    I have a laptop with this same file, identical information, including time and date stamp. VirusTotal's hash analysis says the identical thing about both the laptop's version and the desktop's version, and both are tagged by SecureWeb-Gateway.

    The MD5 hash is: 7db59fff2af32c27eb2276424fa5eddb (By the way, I don't know that much about this, only that as far as I know, the hash value would determine whether or not a file had been tampered with or corrupted at some point, right?)

    I am wondering if anyone else is also experiencing this, possibly a false positive?

    I am using Windows XP Media Center Edition SP2 on the desktop PC. The laptop is running Windows XP Pro. The desktop had a full scan with AVG Free 8 yesterday as well as Malwarebytes. The laptop had a full scan with AVG Free 8 two days ago and was scanned with Malwarebytes and SUPERAntiSpyware yesterday. I'm not seeing any suspicious behavior from either system.

    If this is the wrong forum on which to post this, my apologies. If someone having this same version of logonui.exe could get theirs scanned at virustotal and see if you get the same results I did, that would be helpful. Thanks!
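The hash question raised in this post (does an identical hash mean an identical, untampered file?) can be checked directly. The following is an added example, not code from the original thread or from any vendor: it hashes two copies of a file, compares them with each other and with a reference value, and builds a VirusTotal lookup URL so an existing report can be checked by hash without uploading the file. The sample "files" are constructed byte strings, not the real logonui.exe, and the known-good value used in the demo is derived from the sample itself rather than taken from any vendor list (Microsoft does not publish per-file hashes for XP system files in a form this script could consume).

```python
"""Hash a file and compare it with another copy or with a known-good value.

Added example. Sample inputs below are constructed; none of them is the
real logonui.exe and the MD5 from the thread is not reproduced here.
"""
import hashlib

# MD5 is kept because that is what the poster had; SHA-256 is what you
# should actually compare against a reference, since MD5 collisions are
# practical to construct (the hashes of two different files can match).
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return {algorithm: hex digest} for an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Hash a file on disk in chunks, so a large binary need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def same_content(digests_a, digests_b):
    """True only if every digest matches; any differing digest means the
    two copies differ somewhere, even if only by one byte."""
    return all(digests_a[name] == digests_b[name] for name in ALGORITHMS)


def matches_known_good(digests, known_good):
    """Compare against a reference value, preferring the strongest
    algorithm the reference provides. known_good maps algorithm -> hex."""
    for name in ("sha256", "sha1", "md5"):
        if name in known_good:
            return digests[name].lower() == known_good[name].lower()
    raise ValueError("reference provides no usable hash")


def virustotal_report_url(digests):
    """VirusTotal reports are addressable by hash; looking one up by SHA-256
    avoids uploading the file at all."""
    return "https://www.virustotal.com/gui/file/" + digests["sha256"]


# Constructed samples: two byte-identical "copies" (desktop and laptop) and
# a third copy with a single bit flipped at offset 20.
DESKTOP_COPY = b"MZ\x90\x00" + b"constructed PE-like sample " * 16
LAPTOP_COPY = bytes(DESKTOP_COPY)
PATCHED_COPY = (DESKTOP_COPY[:20]
                + bytes([DESKTOP_COPY[20] ^ 0x01])
                + DESKTOP_COPY[21:])


if __name__ == "__main__":
    desktop = hash_bytes(DESKTOP_COPY)
    laptop = hash_bytes(LAPTOP_COPY)
    patched = hash_bytes(PATCHED_COPY)

    print("desktop == laptop :", same_content(desktop, laptop))
    print("desktop == patched:", same_content(desktop, patched))

    # Hypothetical reference value: in practice this comes from a vendor or
    # a trusted clean install, never from the machine under suspicion.
    reference = {"sha256": desktop["sha256"]}
    print("patched matches reference:", matches_known_good(patched, reference))
    print("lookup:", virustotal_report_url(desktop))
```

Two hashes agreeing across the desktop and the laptop, as in the post, proves only that the two copies are byte-identical to each other; it says nothing about whether both are clean. What settles that is agreement with a value obtained from a trusted source, and the "LooksLike" prefix in the detection name indicates a heuristic rather than a signature match on a known sample, which is why a single engine flagging a file that every other engine passes is usually a false positive.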
     
  2. Amethyst_08

    Amethyst_08 Corporal

    I just wanted to add for the sake of clarity the timeline of events the day I had the problem with logonui.exe:

    I installed CCleaner from a link on this website. I didn't run it, however. I had it scan the registry and I looked at all the entries, but I didn't do anything about it because I was unsure about what I should do. So I closed CCleaner without having it do anything, and I checked all the settings to make sure it wouldn't do anything without my telling it to do so. I created a restore point. Then I ran the tool I mentioned in the previous post to remove remnants of that other security software. It immediately crashed with a windows error message that it had encountered a problem and needed to close. I created a restore point and rebooted successfully. I created another restore point and tried downloading and running the tool again, with no success. Altogether, I made 6 unsuccessful attempts in the course of the day. At that point I decided I was done with it and I ran the system restore to the restore point I had created AFTER installing CCleaner and before running the removal tool, just in case that tool had done anything untoward. After the system was successfully restored, there were 4 error messages after the first one related to logonui.exe and they were those "Windows has recovered from a serious error" type of messages.

    I don't know if any of that is even relevant or not, I'm just providing background as to what took place immediately prior to when I had a problem with logonui.exe.

    I guess the bottom line is that I wanted to know if the virustotal scan result was a false positive. I'm actually inclined to think it is, I'm just looking for some reassurance. :) The rest of what I've said is just background which may or may not have anything to do with the events that caused me to look at my logonui.exe in the first place. :)
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are being totally non-specific so we cannot offer any specific instructions since we don't know what you are referring to.

    Problems with valid software installation or removal are not topics for the malware forum anyway so you should discuss them in the Software Forum.


    It is a false positive.
     
  4. Amethyst_08

    Amethyst_08 Corporal

    Thanks, Chaslang. I was hoping to get back to you and tell you it's OK...the logonui.exe, that is. Today was the first day I had a chance to check another computer that is totally outside my home network, and although this other computer has Windows XP Home SP3 (mine are both XP Pro SP2) and thus had a different version of logonui.exe than what I have, when I scanned that one at virustotal.com, the same scanner also tagged it as being the same malware. So I figured it's a false positive. I was hoping to get back to you before you had to bother with my post, I was going to tell you that I considered the issue resolved. I know you guys must be crazy-busy, from the look of things, especially now that CastleCops is gone.

    I really appreciate all the help provided on this forum. I've seen you and others here patiently walk many people through many series of steps to assist in getting computers cleaned up and running smoothly. It does not go unnoticed. You're all doing a fantastic job, thank you so much! :)
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome and thanks. :)

    Surf safely!
     
