Solved

virus removal for logonui.exe

Posted on 2009-04-13
Last Modified: 2012-05-06
I have a virus that brought up the error message "logonui.exe Application error".
The PC is a HP laptop XP service pack 2 running the full version of Mcafee Security Centre and AV program which was up to date on 11 April. I believe my grandson installed some games from discs he was given on that date, and that is when the problem started.
I have the 3-pc Mcafee program running 2 desktops and this laptop via wireless router and the 2 desktops are not affected. I am typing this question on one of them.
To get the laptop running in safe mode I tried to turn off system restore and got the error message
"cannot find rundll32.exe"
I copied this file from my desktop onto disc, then copied it to laptop and got System restore to turn off.
When I start the laptop in safe mode with Networking I can open Internet Explorer but the keyboard is disabled and I cannot type anything to get on anything other than my home page. After a few minutes IE goes to a porn site all on its own.
Following various questions on EE I downloaded 3 programs on my working desktop PC and burned them to disc.
1 Stinger
2 Avast
3 Kaspersky
When I put the disc in the laptop and copy these 3 programmes to the desktop none of them will run. For Stinger I got an apparent error message
"Stinger may be infected. Cannot run"
The Avast and Kaspersky ran for about 10 seconds of Startup then stopped completely.
When I run the laptop in Safe mode (Windows restore turned off) the programmes will still not start from the desktop, so I tried to run them straight from the disc. Stinger ran from the disc for a couple of hours but did not seem to find the virus, and the other 2 programmes appear to start up for about 10 seconds then stop. I presume the virus is stopping them running. The Mcafee program on the Laptop will also not run and has a red cross on the Taskbar icon.
My 2 desktops are reporting through Mcafee Networking that the laptop does not have Mcafee running but don't have the facility to Virus check it.
I think I need a virus removal programme similar to Stinger that I can download on my working PC, then burn to disc, then put in Laptop to run from disc.
The virus is clever enough to stop Avert and Kaspersky running, but not Stinger.
Can anyone help with another type of Virus removal tool?
Question by:MalcolmBishop
32 Comments
 
LVL 5

Expert Comment

by:rgutwein
ID: 24129094
Have you tried Malwarebytes
http://www.malwarebytes.org/

After you install the program, make sure you run the updates to get the latest definitions (you will probably have to do it twice).  Then when you are done, make sure you run the Full (Thorough) scan instead of the "Quick" one.  If your computer will not let you install and run Malwarebytes because of the infection, then I suggest you take the Hard Drive out and slave it on a working computer with Malwarebytes on it and try running a scan that way.  

Good Luck!


Randy
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24129124
Hi MalcolmBishop,

Spyware Doctor with AntiVirus is a really great tool in my own opinion. I would try it out, I would also try running it in both Normal Windows and in Safe Mode. To get in Safe Mode, reboot your computer while holding down or tapping the F8 key. Also to do a full scan. Here's the link: http://www.pctools.com/spyware-doctor-antivirus/
0
 

Author Comment

by:MalcolmBishop
ID: 24129147
Just tried Malwarebytes and I get the first screen to pick the language, click OK, and the programme flashes up on screen and goes off.
This is a clever virus!!!!
0
 

Author Comment

by:MalcolmBishop
ID: 24129215
Just installed Spyware doctor and so far it is running OK in Safe mode. Will try Normal mode when it finishes.
Any idea which virus is clever enough to stop
Avast
Kaspersky
Mcafee
Malwarebytes
from running on this laptop??
0
 
LVL 5

Expert Comment

by:rgutwein
ID: 24129221
Your best bet is probably going to be slaving that Hard Drive onto another computer and running all your scans from there :)
0
 

Author Comment

by:MalcolmBishop
ID: 24129283
How do I slave this HD without removing it from Laptop?
0
 

Author Comment

by:MalcolmBishop
ID: 24129293
The Spyware doctor has frozen at 10% and none of the buttons will work so I cannot shut it down.
0
 

Author Comment

by:MalcolmBishop
ID: 24129314
Spyware doctor has now frozen.
This seems a clever virus.
Any more ideas or programmes please?
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24129317
If you're still having problems, I would suggest doing as rgutwein said: take the drive and put it into another computer as a slave, then run the anti-virus software that way.
0
 
LVL 5

Expert Comment

by:rgutwein
ID: 24129326
Since you have a laptop, the Hard Drive is most likely a SATA.  You will need to take it out of the laptop, and put it into a desktop computer that is compatible with SATA drives.  You will probably need an extra SATA cable to connect that laptop drive to a desktop.

SATA drives don't have a master/slave relationship with the controller like IDE. SATA controllers have two channels that correspond to the two channels on an IDE controller, but each channel can only access one drive.
0
 

Author Comment

by:MalcolmBishop
ID: 24129331
I am reluctant to take out the laptop HD as I don't have any mounting kit to fit it in a desktop.
Is that the only way I can solve the problem?
0
 
LVL 6

Expert Comment

by:vertsyeux
ID: 24129338
Avast! have something called their BART CD.. Basically, it's a bootable CD with antivirus, registry repair, disk checker etc. built-in. This means you don't ever start the Windows on your infected laptop so the virus can't affect anything.. Might be worth a look if you don't want to dismantle your laptop
0
 
LVL 6

Expert Comment

by:vertsyeux
ID: 24129407
I did a google check - it seems all the antivirus companies do "portable" versions of their scanning/cleaning programs. This means you can run it from a USB flashdrive, and if you get a drive with a write-protect switch, it can't be written to.. The problem is of course, getting Windows to start without the virus  causing problems.. If you can find a "Windows Live" image, you can make a CD that will boot and let you run your antivirus program from a flashdrive..
0
 

Author Comment

by:MalcolmBishop
ID: 24129465
Not sure I understand what "windows Live" means. How do I get a bootable disc from Mcafee, as I pay them a full subscription anyway?
0
 
LVL 6

Expert Comment

by:vertsyeux
ID: 24129511
Here's what I get when I google it..

You could try BART PE http://www.nu2.nu/pebuilder/

It will allow you to boot from CD into a windows environment (pre-environment) where you can run all sorts of plug-ins, including the McAfee free command line scanner (with a GUI), McAfee stinger

Ultimate BootCD (http://www.ultimatebootcd.com) - Has F-Prot, McAfee, Avast and AVG
0
 
LVL 6

Expert Comment

by:vertsyeux
ID: 24129556
Incidentally, a "Live CD" is a CD that you can boot your pc from, and which runs Windows (or Linux etc.) entirely off the CD, the hard drive is not used.. However, you can still access the hard drive to carry out updates, remove viruses etc...
0
 

Author Comment

by:MalcolmBishop
ID: 24129957
Ran Spyware Doctor, and it found many problems. Paid the £40 subscription and it deleted the problems.
Restarted the laptop and I now have the error message
ati2evxx.exe
popping up about 4 times, instead of the logonui.exe.
Any help please?
0
 
LVL 5

Expert Comment

by:rgutwein
ID: 24129973
Try reinstalling your video drivers, since this file corresponds with an ATI Graphics card (hopefully that is what your laptop has).

http://www.neuber.com/taskmanager/process/ati2evxx.exe.html
0
 

Author Comment

by:MalcolmBishop
ID: 24130607
Downloaded and reinstalled ATI drivers.
On restart the display seems OK but I have the error message
cccinstall.exe application error.
Spyware Doctor seems to be running OK.
The red cross has gone from the Mcafee icon, but Mcafee still won't start. Is this a conflict with Spyware Doctor??
0
 

Author Comment

by:MalcolmBishop
ID: 24130666
I suspect the virus is still there because I have run the malwarebytes programme on my other PC and it works OK. But it still won't run on Laptop. It flashes on for a couple of seconds then goes off.
Mcafee still won't start up.
0
 

Author Comment

by:MalcolmBishop
ID: 24130728
Restarted the laptop several times and ran Spyware Doctor, and it keeps finding 30 to 40 virus/malware etc.
It supposedly fixes them, but on restart it all happens again.
Virus still there???
0
 

Author Comment

by:MalcolmBishop
ID: 24130790
Watching Spyware Doctor closely during the scan, it stops for a long time in the system 32 folder on a file called
comsa32.
When Spyware Doctor continues it has found a trojan.
Should I delete comsa32??
0
 
LVL 5

Expert Comment

by:rgutwein
ID: 24130839
0
 

Author Comment

by:MalcolmBishop
ID: 24130972
OK deleted.
When I went to msconfig to check the startup Items msconfig crashed. It won't let me run msconfig.
Also
Malwarebytes
Avert
Kaspersky
still won't run from disc or desktop.
Getting desperate now, so restarted in safe mode, ran Spyware Doctor and it is still finding wormp2p agent, etc.
0
 

Author Comment

by:MalcolmBishop
ID: 24131353
Microsoft systems such as
disk defragmenter
msconfig
volume control
all will not run. They just come up with error message to send an error report to Microsoft.
Every time I run Spyware doctor in safe mode or Normal it is still finding things like
rootkit agent der
trojan downloader adp client.

Is it not possible to get rid of these viruses??
0
 
LVL 22

Expert Comment

by:orangutang
ID: 24131422
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24132109
Have you tried doing a system restore? System restore has to be enabled for this to work.
0
 

Author Comment

by:MalcolmBishop
ID: 24132160
All the Microsoft systems like
system restore
disk defragmenter
msconfig
volume control
etc. etc. just crash out and give an error message.
Downloaded SuperAntiSpyware and managed to install it, but when it runs for about 5 mins it finds a lot of faults then the laptop crashes to blue screen and says something about "dumping data etc."
0
 

Author Comment

by:MalcolmBishop
ID: 24132772
Got SuperAntiSpyware working in safe mode.
This is last post for tonight.....bedtime....
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24137881
I suggest downloading ComboFix from http://subs.geekstogo.com/ComboFix.exe . Save it with a completely different name like jabba.exe. Reboot your PC in safe mode (if possible) and temporarily disable any anti-virus or anti-spyware solution or firewall and run ComboFix. It will create a log; please post that log to us. Don't use the mouse or keyboard while it's running though, otherwise it may stall.

Please read the instructions on the below webpage:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix in safe mode, run either MalwareBytes or SuperAntiSpyware as advised before and do full scan with them.

Let us know how it goes.
0
 

Author Comment

by:MalcolmBishop
ID: 24161145
Hi, loaded SuperAntiSpyware and ran in safe mode.
It removed a lot of files that appeared to be either Windows or Microsoft.
I then got a blue screen with a Compaq message saying
stop c000021e
According to the HP website the message meant that c:/ drive needed resetting to Factory settings with their Rescue Disc. As I lost them recently I gave up. The Laptop is now at the Computer shop awaiting repair as I was desperate.
I am disappointed with my failure as I always thought I knew what I was doing.
0
 
LVL 16

Accepted Solution

by:
warturtle earned 500 total points
ID: 24169218
Did you try to reboot after the blue screen?? And were you able to reboot in safe mode? Or normal mode? It's quite possible that SuperAntiSpyware deleted a virus which was registered as a driver, and that caused the blue screen to come up.
0
