Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

C:\WINDOWS\system32\l?gonui.exe


  • Please log in to reply
8 replies to this topic

#1 dfederic

dfederic

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 02 July 2005 - 06:10 PM

C:\WINDOWS\system32\l?gonui.exe can't rid or even find it expect for registry crawler.

Have ran
aČ free
Ad-Aware -Spybot S&D r.
SpywareBlaster -
SpywareGuard

Logfile of HijackThis v1.99.1
Scan saved at 4:01:51 PM, on 7/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\itunes\iTunesHelper.exe
C:\WINDOWS\system32\rmctrl.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
D:\Program Files\The Cleaner\tca.exe
D:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Cacheman\Cacheman.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\system32\dllcache\win32\winlogon.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
d:\Program Files\a2\a2guard.exe
d:\Program Files\SpywareGuard\sgmain.exe
d:\Program Files\SpywareGuard\sgbhp.exe
D:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - d:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\itunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [tcactive] d:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] d:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Cacheman] D:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = D:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .xml: D:\Program Files\netscape\PLUGINS\npTrident.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\tune up\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope I can get something. Will see
Dan

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:44 AM

Posted 02 July 2005 - 10:00 PM

Hi Dan,

Did one of your antivirus programs find this file? Why do you want to get rid of it?

? is a wild card, so you have to be very careful you get the correct file.


Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.



dir C:\WINDOWS\system32\l?gonui.exe /a h > files.txt 
notepad files.txt


Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it.

Please post the text here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 dfederic

dfederic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 02 July 2005 - 10:10 PM

Volume in drive C has no label.
Volume Serial Number is F88B-AAD3

Directory of C:\WINDOWS\system32

08/04/2004 05:00 AM 514,560 logonui.exe
05/25/2005 06:15 AM 430,080 l?gonui.exe
2 File(s) 944,640 bytes

Directory of C:\Documents and Settings\daniel federico\Deskto

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:44 AM

Posted 02 July 2005 - 10:14 PM

Hi Dan,

How did you determine this file is bad?
Did your antivirus find it? Or was it A2 trojan scan?

Go to
Jotti's malware scan copy and paste C:\WINDOWS\system32\l?gonui.exe to the upload and scan it.

Let me know the results.

Copy and paste the output to this thread

It should look something like this sample:


File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken


Edited by SifuMike, 02 July 2005 - 10:16 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 dfederic

dfederic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 02 July 2005 - 10:58 PM

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

It came on Evidence Eliminator v5.0 and said it was likely malware that it
was not able to eliminate. It shows up on registry crawler and can't be remove. So mabe I leave it alone for the monment. Don't have any idea!!
Thanks

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:44 AM

Posted 02 July 2005 - 11:12 PM

Hi Dan,

No, do not leave it alone.

Sounds very suspicous to me. :thumbsup:

Find it, (make sure you have the correct file, it is l?gonui.exe lenght of 430,080 bytes) then rt click on it and look at the properties.

It should tell who created it.
Copy and paste the info to this post.


The creation date of l?gonui.exe was 05/25/2005 at 06:15 while the other legit logonui.exe was created 08/04/2004 (which is probably the date you installed Windows XP).


It can be removed quite easily. We will do it after your next post.

Edited by SifuMike, 02 July 2005 - 11:14 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 dfederic

dfederic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 02 July 2005 - 11:17 PM

Problem is I can't find it.. hidden file are showing,too. I wish I could
fine it.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:44 AM

Posted 02 July 2005 - 11:43 PM

We found it listed with the FindFile.bat, so it is there.

It may be a super hidden file. :thumbsup:

*Please download xphidden.zip to your desktop.

*Double click on the XPHidden.zip to open the file

*then double click on xphidden.reg to add the information to your registry.

*This will cause all super-hidden files and protected system files to be visible.

You should be able to see who created it.
copy and paste the info. on it to this thread.

Edited by SifuMike, 02 July 2005 - 11:45 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 dfederic

dfederic
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:44 AM

Posted 03 July 2005 - 01:39 PM

Yes, that did it but I had to go to safe mode to remove it . Run great again.
Thanks to you and this forum. Again thanks for staying with me to the end solution.
Dan




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users