NOD32 Quarantines logonui.exe

Discussion in 'ESET NOD32 Antivirus' started by hatemf90, Apr 10, 2009.

Thread Status:
Not open for further replies.
  1. hatemf90

    hatemf90 Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    Hi,

    After I installed NOD32, it constantly quarantines logonui.exe, which is in the system32 folder. That file is needed for the XP welcome instead of the classical one I'm getting.

    So every time I replace it, NOD quarantines it. It's obviously not a virus/worm because I just installed Windows...

    When I add the file to exceptions it is there in the system32 folder but it doesn't work. How do I make NOD completely ignore logonui.exe, or maybe there is a way to install the file, not just move it there?

    Thanks
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Have you updated to the latest definitions?
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You should be prompted for an action if a system file is infected. Those are not deleted automatically.
     
  4. hatemf90

    hatemf90 Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    Yes, definitions are 3999, updated today, and no, it doesn't ask, it just quarantines automatically.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Do you use the latest version 4.0.417? Could you post the relevant record from the threat log here?
     
  6. hatemf90

    hatemf90 Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    Yes, I use the latest version. These are all my attempts to restore the file...

     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It looks like a trojan has replaced the system file logonui.exe. It's not crucial for logon so you should be able to start Windows and carry out a full system scan. If the files keep recurring, create a log from SysInspector and check it for suspicious files. You can email it to ESET's customer care for perusal if you're not familiar with analysing it.
     
  8. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    That was my suspicion too.

    I suggest the OP gets the file from quarantine and looks at the properties, then compares it to that from a similar system. Check the file size, and check to see if it's digitally signed by Microsoft.
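
The comparison suggested in the post above, as an added example that is not part of the original thread. The two file paths are placeholders (assumptions), and `Get-FileHash` needs PowerShell 4 or later, so this is meant for an analysis workstation holding both copies rather than the affected XP install.

```powershell
# Added example: compare a copy restored from quarantine against a known-good
# reference copy. Both default paths are placeholders, not values from the thread.
param(
    [string]$Suspect   = 'C:\analysis\logonui_from_quarantine.exe',
    [string]$Reference = 'C:\analysis\logonui_from_install_media.exe'
)

function Get-FileFacts {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # Version strings are set by whoever built the file; informational only.
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        # Valid, NotSigned, HashMismatch, ... for an embedded signature.
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$s = Get-FileFacts -Path $Suspect
$r = Get-FileFacts -Path $Reference
$s, $r | Format-List

if ($s.SHA256 -eq $r.SHA256) {
    'Same content: the two copies are byte-for-byte identical.'
} else {
    'Different content: matching name and version strings do not make the files equal.'
    "Size difference: $($s.SizeBytes - $r.SizeBytes) bytes"
}

if ($s.SigStatus -eq 'HashMismatch') {
    'Embedded signature no longer matches the file: it was modified after signing.'
}
```

A `NotSigned` status on a system binary is not conclusive on its own, since Windows system files are commonly catalog-signed rather than carrying an embedded signature; the hash and size comparison against a trusted copy is the stronger check.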
     
  9. hatemf90

    hatemf90 Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    Well, I managed to download a logonui.exe and compare it; it's identical in everything except size: mine is about 127 kb, the other is around 500 kb, and the one from the XP CD is also 127... but NOD quarantines all of them, so they're most likely false positives...

    Plus, NOD was the first program I installed on a new Windows install, I doubt I got infected that fast...

    So the questions here:
    How do I put back the file?
    How do I make NOD ignore any file with the name logonui... ?

    Also I found 3 "C:\system volume information\" things, I think they're false positives too, but how do I make sure? Is submitting them for analysis enough?
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Send the file in a password protected archive to samples[at]eset.com with this thread's url in the subject. However, it's highly unlikely that a system file would be reported incorrectly as malware. In such a case, it would have already been reported by thousands of users.
     
  11. hatemf90

    hatemf90 Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    I'm pretty sure it did... in fact that was the very first thing NOD did after installing it

    I have read on the web that there is a virus/worm that disguises itself as logonui.exe but those are found outside of system32, they have different sizes/look suspicious, but I think the file here is the legitimate one, proof is that I lost the Welcome screen...

    Anyway I will send the file...

    btw, I never had this problem with version 2.7
     
  12. hatemf90

    hatemf90 Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    Hi,

    I restored Windows to an earlier point before I installed NOD32 and reinstalled it, and the same thing happened...

    Someone please tell me why once NOD is installed it goes for the logonui file? And how do I make it stop??

    I've tried everything, I'll just have to uninstall NOD...
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It doesn't look like a false positive. I highly doubt that 20 antivirus programs would detect a legit system file as a threat at VirusTotal. I'll ask our viruslab guys to check it precisely, but it's highly unlikely it will turn out to be an FP.
     
  14. BJStone

    BJStone Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    139
    What did you use to change the logon screen in the first place and where did you download it from?

    In other words what did you use to tweak it..?

    Maybe the link below sets you back on track:
    http://www.mcse.ms/archive/index.php/t-504437.html

    Anyway I saw you posted in different places...
    Like this one:
    http://www.crystalxp.net/forum/en/Windows-Customization-Support/General-Discussion/sujet_12921_1.htm

    In one thread on another forum you said you managed to solve it, you were missing a registry key.
    (http://www.bleepingcomputer.com/forums/topic218521.html)

    Another place here:
    http://forums.pcper.com/showthread.php?t=463475
    ... where you also said you managed to solve it.

    And another link where you also solved it...
    http://www.techsupportforum.com/microsoft-support/windows-xp-support/365588-logonui-exe-deleted.html

    Are you trying to play a game with us?
     
    Last edited: Apr 11, 2009
  15. hatemf90

    hatemf90 Registered Member

    Joined:
    Apr 10, 2009
    Posts:
    7
    First of all, the file was never modified.

    Second of all, if you look at the time that was posted and the time I posted here, you'll notice that I posted here 1 hour before, that's 1 hour BEFORE I fixed it....

    NOD is leaving the file because I added an exception, but if I remove it, it'll be deleted again, the problem is the same...

    But I submitted the file to samples[at]eset.com, do I get a result for it?
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Probably not until Monday
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Didn't you read my post above?
     