Half of our company's IT infrastructure was brought down by a bad virus definition that was downloaded and pushed out to all clients and servers on October 28th, 2009. The virus definition, def. 5474 distributed by Sunbelt Software's VIPRE Enterprise Antivirus software, mistakenly interpreted the winlogon.exe file as a virus and immediately put it in quarantine. The winlogon.exe file is a critical Windows file required at system logon; if Windows XP cannot find this file when starting up, the system will crash, displaying the famous Blue Screen with an error similar to the following:

STOP: C000021a {Irreversible System Error} Windows logon process terminated unexpectedly with state (0x00000000 0x00000000). The system has been closed.

Unfortunately, the timing of the virus definition release coincided with the schedule of our weekly deep scan on all client PCs. As a result, close to half the company found their PCs inaccessible the next morning upon starting up their computers. We still have to determine why not all of the systems were affected; from our experience it appears to have affected only Windows XP and Windows Server 2003 operating systems.

Fortunately, after getting in contact with VIPRE support we were able to confirm that the source of the issue was a false positive in definition file 5474 and that definition file 5475 was already available with the correction. Unfortunately, VIPRE does not yet have an easy fix for the problem; however, in a follow-up email to our support ticket they indicated that they "have been working on developing a bootable ISO utility designed to unquarantine the files detected by the FP (false positive)".

Until the bootable ISO is made available to release the quarantined file, the following steps are necessary to make the system accessible once again:

1. Copy the winlogon.exe file from C:\windows\system32\ on a working Windows XP machine to either a floppy disk or burn to a CD-ROM

2. Boot the system from a Windows XP installation disk. Press "R" on the first screen, which asks whether to install Windows or to recover an existing Windows XP installation. This opens the Recovery Console.

3. Select the Operating System that you will be recovering by pressing the corresponding number from the displayed list. Type the password for the local Administrator account.

4. Insert the CD-ROM or floppy disk and copy the winlogon.exe file to the C:\windows\system32\ directory (e.g. copy d:\winlogon.exe c:\windows\system32\).

5. Reboot, pressing F8 on start-up, and launch Windows in Safe Mode with Command Prompt.

6. After Windows starts up, log in with the local Administrator account.

7. Delete the virus definition files. To do so for VIPRE, go to the definitions folder (C:\Program Files\Sunbelt Software\SBEAgent\Definitions\) and delete all of its contents.

8. Reboot the system

Following this procedure we have been able to get all systems back up and running.
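Two checks are worth running before the final reboot in step 8: that the restored winlogon.exe is actually present and byte-identical to the known-good copy taken from the reference machine in step 1 (a file copied from a machine at a different service pack or patch level will not hash the same, which is a useful warning sign), and that the VIPRE definitions folder from step 7 is really empty. The script below is an added example and is not part of the original post or of Sunbelt's tooling; it assumes you can reach the affected volume from a Python-capable environment (for instance the Safe Mode with Command Prompt session in step 6, or the disk attached to another machine). The file names and directory layout in demo() are constructed for the demonstration; on a real machine you would pass the actual System32 and Definitions paths.

```python
"""Post-recovery checks for the winlogon.exe false-positive procedure
(added example; paths and sample files below are constructed)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_restored_file(reference, restored):
    """Return (ok, reason). ok is True only when the restored copy exists,
    is non-empty and is byte-identical to the known-good reference copy."""
    restored = Path(restored)
    if not restored.exists():
        return False, "missing"
    if restored.stat().st_size == 0:
        return False, "empty"
    if sha256_of(reference) != sha256_of(restored):
        return False, "hash mismatch"
    return True, "ok"


def purge_definitions(def_dir, dry_run=False):
    """Delete everything inside the definitions folder (step 7) while keeping
    the folder itself, and return the sorted names of the entries removed.
    With dry_run=True nothing is deleted, only listed."""
    def_dir = Path(def_dir)
    removed = []
    for entry in def_dir.iterdir():
        removed.append(entry.name)
        if dry_run:
            continue
        if entry.is_dir() and not entry.is_symlink():
            shutil.rmtree(entry)
        else:
            entry.unlink()
    return sorted(removed)


def demo():
    """Build a constructed layout in a temporary directory and run both
    checks: once while winlogon.exe is still missing (the quarantined
    state), once after the copy in step 4, then purge the definitions."""
    root = Path(tempfile.mkdtemp())
    try:
        reference = root / "ref_winlogon.exe"      # copy from the working XP machine
        system32 = root / "system32"               # stands in for C:\windows\system32
        definitions = root / "Definitions"         # stands in for the VIPRE folder
        system32.mkdir()
        definitions.mkdir()
        reference.write_bytes(b"MZ constructed fake winlogon payload")

        before = check_restored_file(reference, system32 / "winlogon.exe")
        shutil.copy2(reference, system32 / "winlogon.exe")   # step 4
        after = check_restored_file(reference, system32 / "winlogon.exe")

        (definitions / "def5474.bin").write_bytes(b"constructed definition")
        (definitions / "sub").mkdir()
        (definitions / "sub" / "x").write_bytes(b"y")
        removed = purge_definitions(definitions)
        empty = not any(definitions.iterdir())
        return before, after, removed, empty
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run purge_definitions with dry_run=True first to see what would be removed; the definitions folder is left in place so the agent can repopulate it with the corrected definitions after the reboot.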

If you have experienced similar issues please leave a comment regarding your experience.
