ParlandoSparlando



Logonui or logonui.exe

Process Information
Process File: logonui.exe
Process Name: Microsoft Logon User Interface

Author: Microsoft Corp.
Part Of: Microsoft Windows Operating System

Description:
logonui.exe is a system process relating to the Microsoft Windows XP user switching screen. This program is important for the stable and secure running of your computer and should not be terminated.

Note: The genuine LogonUI.exe file is located in the C:\Windows\System32 folder. A LogonUI.exe found in any other location is a virus, spyware, trojan or worm!

Note: The logonui.exe process belongs to the Windows XP operating system. It is launched when the user profile changes. However, there have been cases where computers were infected with the irc.zcrew.b trojan, which launched a process with the same name. For that reason it is strongly recommended to scan your computer for viruses. If irc.zcrew.b is detected, the process must be immediately deleted.

Backdoor.IRC.Zcrew.B is a Backdoor Trojan Horse that may allow remote control of an infected system through IRC and FTP.
The Trojan may arrive as a self-extracting archive, approximately 1.5 megabytes in size.

When Backdoor.IRC.Zcrew.B is executed, it performs the following actions:

1. Drops the following files in the C:\WINNT\system32\wbem\repository\fs\macromed folder:
* A.bat
* Bootdrv.dll
* CLearEL.exe
* Clbcatex.exe - an IRC fileserver called Iroffer, packed with UPX
* Cnb.dll - detected as IRC Trojan
* Cygregex.dll
* Cygwin1.dll
* Explore.DAT
* Firedaemon.exe
* HCAPpRes.dll
* Hidden32.exe
* KEY.OLD
* Key.reg
* LIbparse.exe
* Logonui.exe
* MSVBCM50.DLL
* Msnet.bat
* Names.ini
* Psexec.exe
* Regkeyadd.bat - detected as Backdoor.IRC.Zcrew.B
* Regkeyadd.reg - detected as Backdoor.IRC.Zcrew.B
* SErvUDaemon.ini
* SYstem.ocx
* Safe.bat - detected as Backdoor.IRC.Zcrew.B
* Sec.bat
* Spoolsv.exe - a Serv-U FTP server, packed with UPX
* Text.txt
* Wget.exe
* Winmgnt.bat

NOTE: Except where noted, the utilities and data files listed above are not malicious.

2. Adds the hidden attribute to these files.

3. Adds the value:

"print sharing" = "\hidden32.exe \explorer.exe"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. Starts the Serv-U and Iroffer applications as service processes.
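
A triage check built from the indicators listed above, as an added example that is not part of the original page: it flags a logonui.exe image that is not directly in System32 and the "print sharing" Run value. The function names, the choice of C:\Windows and C:\WINNT as trusted system roots, and the sample inventory are assumptions constructed for illustration.

```python
"""Triage helper: spot a logonui.exe that is not the Windows one (added example)."""
from ntpath import basename, dirname, normpath

# From the page: the genuine file sits directly in <SystemRoot>\System32.
# Assumption: SystemRoot is C:\Windows or C:\WINNT on the hosts being checked.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
# From the page: the folder the trojan drops its files into, and its Run value name.
DROP_DIR = r"c:\winnt\system32\wbem\repository\fs\macromed"
RUN_VALUE_NAME = "print sharing"

def _norm(path):
    # Windows paths are case-insensitive; normpath also collapses ".." and "/".
    return normpath(path.strip().strip('"')).lower()

def check_process(image_path):
    """Return a finding string for a suspicious logonui.exe image, else None."""
    path = _norm(image_path)
    if basename(path) != "logonui.exe":
        return None
    folder = dirname(path)
    if folder == DROP_DIR:
        return f"logonui.exe running from trojan drop folder: {image_path}"
    # Exact directory match, not a prefix test: the drop folder is itself
    # *under* System32, so a startswith() check would wrongly trust it.
    if folder not in TRUSTED_DIRS:
        return f"logonui.exe outside System32: {image_path}"
    return None

def check_run_values(run_values):
    """run_values: dict of value name -> data read from the HKLM Run key."""
    return [f'Run value "{name}" launches hidden32.exe: {data}'
            for name, data in run_values.items()
            if name.strip().lower() == RUN_VALUE_NAME
            and "hidden32.exe" in data.lower()]

def triage(process_paths, run_values):
    """Combine both checks into one list of findings."""
    hits = [f for f in map(check_process, process_paths) if f]
    return hits + check_run_values(run_values)

# Constructed sample inventory (not taken from a real host).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\logonui.exe",
    r"C:\WINNT\System32\wbem\repository\fs\macromed\Logonui.exe",
    r"C:\WINDOWS\system32\..\Temp\logonui.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]
SAMPLE_RUN = {"print sharing": r"\hidden32.exe \explorer.exe"}

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_PROCESSES, SAMPLE_RUN)))
```

Feed it the image paths from a process listing and the name/data pairs exported from the Run key; a match is a reason to run a full antivirus scan, not a verdict on its own.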


Recommendation for logonui.exe:
Should not be disabled, required for essential applications to work properly.


Summary account
System Process: Yes
Application: No
Background Process: Yes
Uses Network: No
Uses Internet: No

11/08/2006
Copyright © 2000-2008 Parlandosparlando
