Multiple instances of logonui.exe

By eric.scholz ·
Hello everyone, and thanks in advance for your help. Tech Republic has been one of my first stops for many troubleshooting occasions, and I've finally come across something I haven't been able to solve on my own or find information within the forums.

A co-worker brought her tower to me complaining it was running slow. The symptoms were typical of spyware/malware infection, so I took a look and found there were popups occurring, and a message requiring her Windows disk to replace versions of files not recognized, and it asks to insert Windows XP Pro CD2 disc. The operating system installed is XP Media Center edition, and wouldn't you know it, the machine did not come with restore discs.

The computer was running sluggish, so I opened task manager and discovered there are 6 instances of logonui.exe running, with several of them taking up between 25-35% of the CPU cycles.

Any help you can provide will be appreciated.

All Answers

RE: Multiple instances of logonui.exe

by Jacky Howe In reply to Multiple instances of log ...

It sounds like you have an infection.

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a thorough check for hijackware.

Checking for Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

HijackThis v2.0.2
http://aumha.org/downloads/hijackthis.exe is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. Post your hijackthis log
to an appropriate forum.

http://forums.spybot.info/forumdisplay.php?f=22
http://castlecops.com/forum67.html
http://forums.subratam.org/index.php?showforum=7
http://aumha.net/viewforum.php?f=30

Ditto: those are malware/virus components

by robo_dev In reply to RE: Multiple instances of ...

Just try not to delete the legitimate one.

Try the Trend Micro "HouseCall" online scanner; it works pretty well.
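
One way to act on the "don't delete the legitimate one" advice above, as an added example that is not part of the original thread: a PowerShell triage that lists every running logonui.exe with its image path and parent process. It assumes the genuine image is %SystemRoot%\System32\logonui.exe and that its parent is winlogon.exe; the variable names and verdict labels are made up for this example.

```powershell
# Added example, not from the thread: list every running logonui.exe with its
# image path and parent process so unexpected copies stand out before cleanup.
# Assumptions: the genuine image is %SystemRoot%\System32\logonui.exe and its
# parent is winlogon.exe. Run from an elevated prompt so paths are readable.

$expectedPath = Join-Path $env:SystemRoot 'System32\logonui.exe'

# Get-WmiObject is used because it is available on older PowerShell versions.
$processes = @(Get-WmiObject -Class Win32_Process)

# Index by PID to resolve parent names. A parent that has exited, or whose PID
# was reused, will not resolve reliably; treat that as "review", not "clean".
$byPid = @{}
foreach ($p in $processes) { $byPid[[string]$p.ProcessId] = $p }

$report = foreach ($p in $processes) {
    if ($p.Name -ine 'logonui.exe') { continue }

    $parent = $byPid[[string]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '(not running)' }

    $verdict = if (-not $p.ExecutablePath) {
        'UNKNOWN: path not readable'
    } elseif ($p.ExecutablePath -ine $expectedPath) {
        'SUSPECT: unexpected image path'
    } elseif ($parentName -ine 'winlogon.exe') {
        'REVIEW: unexpected parent'
    } else {
        'expected path and parent'
    }

    New-Object PSObject -Property @{
        ProcessId = $p.ProcessId; Session = $p.SessionId; Parent = $parentName
        Path = $p.ExecutablePath; Verdict = $verdict
    }
}

$report | Sort-Object Session, ProcessId |
    Format-Table ProcessId, Session, Parent, Path, Verdict -AutoSize
```

Rows marked SUSPECT or REVIEW are leads to hand to the scanner or removal tool; the file at the expected path is the one to leave in place.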

ComboFix did the job

by eric.scholz In reply to Multiple instances of log ...

I knew there was some sort of malevolent software running (the desktop background had also changed to a solid color, and from time to time there were popup windows occurring from aquacarkazz.com), so I decided it could possibly be a variant of the smitfraud or vundo.

I had some trouble getting into safe mode as administrator (the co-worker had not remembered a password for the account), and ERD Commander couldn't change it. I finally used a standalone Linux build that incorporates Offline NT Password and Registry Editor to blank the password and get in to the account.

Once I did, I ran ComboFix made by sUBs and the popups stopped and the desktop was recovered. McAfee wasn't doing its job, so I got rid of it, loaded AVG Antivirus and got rid of a few other nasty little trojan droppers.

Thanks for all your help TR and Happy New Year!

Atten: Beth or OP - Above post

by IC-IT In reply to ComboFix did the job

Please remove the password info.

That's Great

by Jacky Howe In reply to ComboFix did the job

Eric, can you remove the reference to resetting the password, please? TR takes a dim view in that area.
