loginui.exe problems / memory writing blocking

Discussion in 'Malware Help (A Specialist Will Reply)' started by pacman326, Apr 18, 2009.

  1. pacman326

    pacman326 Private E-2

    Hey guys. Family computer got hit with something and was causing Windows' DEP protection to block access over and over again. The dialogue box would not close etc. etc. I ran combofix and a couple of the programs recommended and tried fixing on my own. However, I think I am ready to claim defeat and leave the problem in your capable hands. Enclosed are the logs from what I was able to get working in safe mode. Thanks, and I look forward to your response.

    Notes:

    Super will not install because the admin has set policies to prevent this installation.

    I also note combofix asked me to close AVG. I checked in task manager, and I could not find an AVG processes running, so I just continued on. I know a little about batch files, but I don't think enough to identify the name of the AVG process and to run a kill batch. So I am sorry about that in advance!
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your system is seriously infected. Let's see if we can get it cleaned up.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    RenV::
    
    KILLALL::
    
    File::
    c:\windows\system32\reader_s.ex_
    C:\1E.tmp
    C:\1D.tmp
    C:\1C.tmp
    C:\1B.tmp
    C:\1A.tmp
    C:\19.tmp
    C:\14.tmp
    C:\13.tmp
    C:\12.tmp
    C:\11.tmp
    C:\10.tmp
    C:\D.tmp
    C:\C.tmp
    C:\B.tmp
    C:\A.tmp
    C:\9.tmp
    C:\8.tmp
    C:\7.tmp
    C:\6.tmp
    C:\5.tmp
    C:\4.tmp
    C:\wxsdug.exe
    C:\cpjopaid.exe
    c:\windows\system32\160
    c:\windows\system32\15E
    c:\windows\system32\15D
    c:\windows\system32\15C
    C:\1381566928
    C:\25.tmp
    C:\24.tmp
    C:\23.tmp
    C:\21.tmp
    C:\20.tmp
    C:\1F.tmp
    C:\18.tmp
    C:\17.tmp
    C:\16.tmp
    C:\15.tmp
    C:\WINDOWS\system32\3361
    c:\windows\system32\fijizome.exe
    c:\windows\system32\leveyemo.dll
    c:\windows\system32\wejazeja.dll
    c:\windows\system32\lafigayo.exe
    c:\windows\system32\lokarose.dll
    c:\windows\system32\kohiduma.exe
    c:\windows\system32\winisajo.exe
    c:\windows\system32\kupidade.exe
    c:\windows\system32\womijuye.dll
    c:\windows\system32\mahazudi.exe
    c:\windows\system32\mivowoja.exe
    c:\windows\system32\yewufume.dll
    c:\windows\system32\mumawodu.exe
    c:\windows\system32\busohafu.dll
    c:\windows\system32\boruyani.dll
    c:\windows\system32\fureboze.dll
    c:\windows\system32\marehisa.dll
    c:\windows\system32\wadumowi.dll
    c:\windows\system32\zudanipo.dll
    c:\wcfgayg.exe
    c:\windows\system32\bazofoho.dll.tmp
    c:\windows\system32\juyimebo.dll.tmp
    c:\windows\system32\kibuhudi.dll.tmp
    c:\windows\system32\rasayobi.dll.tmp
    c:\windows\system32\sidoyeyi.dll.tmp
    c:\windows\system32\viyorawi.exe
    c:\windows\system32\zogonaha.dll.tmp
    C:\WINDOWS\TEMP\fll58.exe
    C:\Documents and Settings\HP_Administrator\reader_s.exe
    C:\WINDOWS\TEMP\999305572.exe
    
    FCopy::
    c:\windows\ServicePackFiles\i386\userinit.exe|c:\windows\system32\
    
    Folder::
    c:\windows\system32\160
    c:\windows\system32\15E
    c:\windows\system32\15D
    c:\windows\system32\15C
    C:\1381566928
    C:\WINDOWS\system32\3361
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "21506"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Resurections"=-
    "Diagnostic Manager"=-
    "reader_s"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
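    The CFScript above is a plain text file with `Section::` headers followed by one entry per line. As an added example (not code from the thread and not ComboFix's own parser), the following Python reads a script in that layout, splits `FCopy::` lines into source and destination, groups `Registry::` deletions under their key, and warns about lines a reviewer would want to catch before dropping the file onto ComboFix: a doubled backslash in a path and a registry deletion that is not in the `"name"=-` form. The section names are the ones used in this thread; the parsing rules and the sample script (a constructed excerpt of the one posted) are assumptions.

```python
import re

# Section headers look like "File::"; the names below are those used in the thread.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Registry:: entries use .reg syntax: a [key] line, then "name"=- to delete a value.
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DELETE_RE = re.compile(r'^"([^"]+)"=-$')

# Constructed excerpt of the thread's script; the last line carries a deliberate typo
# and the TEMP path a doubled backslash, so both warnings are exercised. (assumption)
SAMPLE_SCRIPT = r"""RenV::

KILLALL::

File::
c:\windows\system32\reader_s.ex_
C:\1E.tmp
C:\\WINDOWS\\TEMP\\999305572.exe

FCopy::
c:\windows\ServicePackFiles\i386\userinit.exe|c:\windows\system32\

Folder::
c:\windows\system32\160

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"21506"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Resurections"=-
"Diagnostic Manager"=-
"reader_s"="-
"""


def parse_cfscript(text):
    """Return ({section: [entries]}, [warnings]) for a CFScript-style text.

    File::/Folder::/Driver:: entries are kept as strings, FCopy:: entries become
    (src, dst) tuples and Registry:: entries become (key, value_name) tuples.
    This grammar is an assumption based on the scripts shown in the thread.
    """
    sections, warnings = {}, []
    current = None      # name of the section being filled
    reg_key = None      # current [key] inside Registry::
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            reg_key = None
            continue
        if current is None:
            warnings.append(f"line {lineno}: entry before any section header: {line!r}")
            continue
        if current == "FCopy":
            if "|" not in line:
                warnings.append(f"line {lineno}: FCopy entry without 'src|dst' separator")
                continue
            src, dst = line.split("|", 1)
            sections[current].append((src, dst))
        elif current == "Registry":
            km = REG_KEY_RE.match(line)
            if km:
                reg_key = km.group(1)
                continue
            dm = REG_DELETE_RE.match(line)
            if dm and reg_key:
                sections[current].append((reg_key, dm.group(1)))
            else:
                warnings.append(f"line {lineno}: malformed registry line {line!r}")
        else:
            # A doubled backslash usually comes from copy/paste escaping and will
            # not name the file the author intended.
            if "\\\\" in line:
                warnings.append(f"line {lineno}: doubled backslash in path {line!r}")
            sections[current].append(line)
    return sections, warnings


if __name__ == "__main__":
    parsed, problems = parse_cfscript(SAMPLE_SCRIPT)
    for name, entries in parsed.items():
        print(f"{name}: {len(entries)} entries")
    for w in problems:
        print("WARNING", w)
```

Running the block prints the entry count per section and the two warnings for the sample; checking a hand-written script this way before executing it avoids the "made a typo" round trip that appears later in this thread.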
     
  3. pacman326

    pacman326 Private E-2

    Thanks for the help my friend. Combofix still told me AVG was running. However I did not see AVG in the task bar. I then opened task manager and looked for avg processes. I didn't see any so I proceeded.

    I then let combofix reboot windows into normal mode. I was told logonui.exe could not "write" some memory addresses. I hit ok 8-12 times, and then was told windows had to shut down explorer.exe to protect windows. I then hard shutdown, and booted back into safe mode.

    During log generation for MGTools, ProcessDLL.exe failed to initialize properly, and I had to hit ok to get rid of application error box.

    Here are the new logs. Thank you again for your help so far!
     

    Attached Files:

  4. pacman326

    pacman326 Private E-2

    I was an idiot, and tried overriding my logonui.exe file with a copy from the compressed version in my /I386 folder. Now I get a "privileged instruction" error for logonui.exe in both safe and normal boot mode. Explorer still crashes in normal mode, safe mode is ok. Still cannot install superantispyware.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now download this XPsp2bu.exe to your C:\ folder like MGtools was downloaded. Once you have it downloaded, just double click it to run it. It will extract some files we will need into your C:\MGtools folder. We will be using these in the next fix.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FCopy::
    C:\MGtools\temp\userinit.exemg|C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
    C:\MGtools\temp\userinit.exemg|C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\userinit.exe
    C:\MGtools\temp\userinit.exemg|C:\WINDOWS\system32\userinit.exe
    C:\MGtools\temp\userinit.exemg|C:\WINDOWS\system32\dllcache\userinit.exe
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  6. pacman326

    pacman326 Private E-2

    Thanks for your continued help. The logs are attached below.

    Still getting logonui.exe memory could not be written errors/permission errors with logonui.exe when I boot into safe. Still cannot get the desktop to come up in normal boot. I see the wallpaper, and that's about it.

    Also am unable to install superantispyware still.
    Thanks again!
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if this helps.....

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.


    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    ftxduhs
    32942eeb
    eb1827a0
    hggb15f
    
    File::
    C:\E.tmp
    C:\f.tmp 
    c:\windows\system32\julegeso.exe
    c:\program files\ryqa.txt
    c:\windows\system32\vuseyiju.exe
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  8. pacman326

    pacman326 Private E-2

    Well my father in his infinite wisdom turned on the PC while I was leaving and left it in the "hung up" state in normal boot mode. Came back, restarted in safe and noticed that malwarebytes no longer was working. I created the script and tried dragging it onto combofix.

    Combofix told me it was out of date and needed to be updated. I moved the old version of combofix to the trashcan, downloaded a new copy, and dragged it to the desktop.

    Every single time I tried to use the new copy of combofix, it told me that it had been compromised already. I try to open things on the desktop such as .txt files and it tells me "access" is denied.

    Any idea what is going on? I successfully re-installed malwarebytes and found only a malware trace, which I deleted. However while it was cleaning, it gave me a few access is denied errors also.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not good....

    download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * Avenger
    * C:\MGlogs.zip
     
  10. pacman326

    pacman326 Private E-2

    Still getting access denied errors for .txt files. Avenger ran successfully. I also had to reinstall MGTools, but was able to get the log file.

    I once again thank you for your patience in helping. My fault for not putting a note on the computer to not turn it on while I was away even though I verbally told him. >.<
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The runkeys log was virtually empty..:(
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * Avenger
    * C:\MGlogs.zip
     
  12. pacman326

    pacman326 Private E-2

    Thanks again for your help. Still having access errors. Logs are below.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Made a typo...so use windows to find and delete:
    c:\windows\system32\2.tmp

    I will check the logs tomorrow.
     
  14. pacman326

    pacman326 Private E-2

    Way ahead of you. I am working from my Macbook Pro so I read the text file after I copied it over and figured the " caused the typo.

    Once again thanks for your help. This thing is tricky as hell. The one thing that bothers me is the logonui.exe problem that requires me to click the "ok" button 10 times to get past it. Did I permanently screw things up by replacing the logonui.exe with a copy from the exe_ file? The one thing I did notice from when my father booted the computer normally was that Windows said a file had been changed and was requesting a Windows XP Service Pack 2 cd. However, I haven't gone back yet to that screen for fear of things getting re-infected.

    Even though I am a Mac user, I am still quite the avid Windows user also. I am currently dual booting Windows 7 and helping with testing. Where did you learn all these things about malware? I would be interested in learning what you know. I have some college programming experience and am a quick learner.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    logonui.exe is the user interface.

    If you have the xp cd, go to start / run / type "sfc /scannow" without quotes and have the cd handy.

    It should be in your sys32 folder. Check to see if it is there.

    Note: Your runkeys log was virtually empty and the newfiles log is missing your add/remove program list. Did you allow it to run to completion?

    Next thing to do is this:
    Go to C:\WINDOWS
    Click Search
    All or part of the file name: logonui.exe
    A word or phrase in the file: (leave blank)
    Look in: Leave it as the folder WINDOWS

    Click Search
    The search should find logonui.EX_ in the folder C:\WINDOWS\i386 (hidden). COPY (not cut) this file into the C:\WINDOWS\system32 folder.
    Open Command Prompt (START >> All Programs >> Accessories >> Command Prompt)
    type the following text EXACTLY (including the spaces etc.):
    EXPAND c:\windows\system32\logonui.EX_ c:\windows\system32\logonui.exe
    Close Command Prompt and Restart/Shut Down your system.
     
    Last edited: Apr 29, 2009
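The thread repairs userinit.exe and logonui.exe by copying them back from the protected locations Windows XP keeps (system32\dllcache and ServicePackFiles\i386), and then falls back to sfc /scannow. As an added example (not code from the thread, from MGtools or from ComboFix), the following Python does the check a responder would want before and after such a repair: hash the live copy in system32 and compare it with each reference copy, reporting match, mismatch or missing per reference. The real XP directory names are used, but the demo rebuilds that layout in a temporary folder with constructed file contents so it runs anywhere; the `demo` scenario and file contents are assumptions.

```python
import hashlib
import os
import tempfile

# Where XP keeps reference copies of protected system binaries, relative to the
# Windows folder; both locations are the ones used in the thread's FCopy lines.
REFERENCES = {
    "dllcache": ("system32", "dllcache"),
    "ServicePackFiles": ("ServicePackFiles", "i386"),
}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_protected_file(windows_dir, name):
    """Compare <windows_dir>/system32/<name> with every reference copy.

    Returns {reference_label: "match" | "mismatch" | "missing"}. A live file
    that matches no reference is the case the thread is dealing with: restore it
    from a reference copy, or run sfc /scannow with the XP CD at hand.
    """
    live_hash = sha256_of(os.path.join(windows_dir, "system32", name))
    verdicts = {}
    for label, parts in REFERENCES.items():
        ref = os.path.join(windows_dir, *parts, name)
        if not os.path.exists(ref):
            verdicts[label] = "missing"
        else:
            verdicts[label] = "match" if sha256_of(ref) == live_hash else "mismatch"
    return verdicts


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo(tampered=True):
    """Constructed scenario (assumption): dllcache holds the original, the
    ServicePackFiles copy is absent, and the live copy is optionally altered."""
    windows = os.path.join(tempfile.mkdtemp(), "WINDOWS")
    original = b"MZ constructed stand-in for userinit.exe"
    _write(os.path.join(windows, "system32", "dllcache", "userinit.exe"), original)
    live = original + b" extra bytes" if tampered else original
    _write(os.path.join(windows, "system32", "userinit.exe"), live)
    return check_protected_file(windows, "userinit.exe")


if __name__ == "__main__":
    print("tampered live copy:", demo(tampered=True))
    print("clean live copy:   ", demo(tampered=False))
```

On a real XP box the call would be `check_protected_file(r"C:\WINDOWS", "logonui.exe")`; a mismatch against both references, together with a different file size or version resource, is the signal to re-expand the .EX_ from i386 as the post above describes, rather than to trust the copy in system32.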
