Trouble accessing certain sites - HiJackThis log inc.

Thread Solved

#1 - slund - Jan 23rd, 2008
Hi,

Lately I've been having problems accessing certain sites in IE and Firefox. I do have better luck (with some sites) using NetScape (AOL). From looking through these forums, it sounds like spyware is the likely culprit, so I've attached a HiJackThis log.

Any help, much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:51:38, on 23/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Kontiki\KService.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\wanmpsvc.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Program Files\Real\RealPlayer\RealPlay.exe
E:\Program Files\Common Files\AOL\1176761340\ee\AOLSoftware.exe
F:\iTunesHelper.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Kontiki\KHost.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\AOL 9.0\aoltray.exe
E:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
E:\Program Files\Picaboo\Picaboo\PicabooMain.exe
E:\WINDOWS\System32\alg.exe
e:\program files\common files\aol\1176761340\ee\aolsoftware.exe
E:\WINDOWS\system32\wbem\wmiapsrv.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\AOL 9.0\waol.exe
E:\Program Files\AOL 9.0\shellmon.exe
E:\Program Files\Common Files\AOL\aoltpspd.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Backup\Files\Progs\SpywareRemoval\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RealTray] E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AOLDialer] E:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] E:\Program Files\Common Files\AOL\1176761340\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DACSMiniApp] E:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [4oD] "E:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Teoa] "E:\WINDOWS\SSTEM~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [kdx] E:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picaboo.lnk = E:\Program Files\Picaboo\Picaboo\PicabooMain.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = E:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1176660019031
O17 - HKLM\System\CCS\Services\Tcpip\..\{442E6D78-A9EE-46FE-91AB-4A5C4A2647C5}: NameServer = 205.188.146.145
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - E:\PROGRA~1\COMMON~1\aol\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - E:\Program Files\Kontiki\KService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - E:\WINDOWS\wanmpsvc.exe

--
End of file - 6975 bytes

#2 - overwhelmed - Jan 24th, 2008
WELL MY SUGGESTION IS TO GET RID OF SUPERantispyware AND DOWNLOAD Spybot Search & Destroy. AND DO A SCAN WITH THAT.
ALSO DO U KNOW WHAT THIS IS ??

O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe

#3 - overwhelmed - Jan 24th, 2008
REMOVE THIS A.S.A.P!!!!! AND THEN RESTART YOUR COMPUTER AND LET ME KNOW WHAT HAPPENS

O4 - HKCU\..\Run: [Teoa] "E:\WINDOWS\SSTEM~1\logonui.exe" -vt yazb

#4 - gerbil - Jan 24th, 2008
Legit... stops ppl using cheats in Punkbuster online games.
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
Deep, deep in the woods, but walking about.

#5 - slund - Jan 26th, 2008
I already had Spybot and ran this (as well as AdAware, AVG and SuperAntiSpyware) several times. It seems that eventually this has solved the problem and I can now access the sites I was previously having problems with.

I have since removed the following though as advised:

O4 - HKCU\..\Run: [Teoa] "E:\WINDOWS\SSTEM~1\logonui.exe" -vt yazb

Thanks for the help guys!

#6 - gerbil - Jan 27th, 2008
Delete the file..:
E:\WINDOWS\SSTEM~1\logonui.exe
-fixing the entry as advised above only removes the registry key which starts the process, you then delete the file if it is bad, as this one is.
Glad you are up and running again.
Last edited by gerbil; Jan 27th, 2008 at 9:54 am.
Deep, deep in the woods, but walking about.

#7 - slund - Jan 27th, 2008
Originally Posted by gerbil:
> Delete the file..:
> E:\WINDOWS\SSTEM~1\logonui.exe
> -fixing the entry as advised above only removes the registry key which starts the process, you then delete the file if it is bad, as this one is.
> Glad you are up and running again.

Are you sure that file is bad? My E: drive is in fact my startup drive. I've read that logonui.exe is used to show the logon screen when windows starts up.

#8 - overwhelmed - Jan 27th, 2008
Well, I'm gonna let gerbil do a follow-up on that... but if you have CCleaner, run that and run the registry tool in CCleaner also, and let me know how that works out for you. If you don't have CCleaner, there is a link in my signature to download it.

#9 - gerbil - Jan 28th, 2008
Hi again... logonui.exe normally resides in system32. There should be no such directory E:\WINDOWS\SSTEM~1 [it is a corruption of some sort, malware?] - and that abbreviation is wrong for system32, it refers to some directory [or file!!] named sstem+whatever. So check in your system32 for logonui.exe; if it exists happily delete the E:\WINDOWS\SSTEM~1\logonui.exe
Deep, deep in the woods, but walking about.
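
The check described in the post above (a system binary name started from somewhere other than system32) can be run over HijackThis O4 entries. This is an added example, not part of the original thread; the function names and the short SYSTEM32_BINARIES list are assumptions, and the Windows directory is taken to be E:\WINDOWS as on the poster's machine.

```python
import ntpath
import re

# Assumption: a short, illustrative list of binaries that live in system32 on XP.
SYSTEM32_BINARIES = {"logonui.exe", "ctfmon.exe", "svchost.exe", "winlogon.exe",
                     "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}

# Matches HijackThis "O4 - <hive>\..\Run: [value name] command line" entries.
O4_RUN = re.compile(r"^O4 - (\S+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")

# Lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Teoa] "E:\WINDOWS\SSTEM~1\logonui.exe" -vt yazb
O4 - HKCU\..\Run: [kdx] E:\Program Files\Kontiki\KHost.exe -all
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
"""

def command_path(cmd):
    """Return the executable path from a Run value, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].partition('"')[0]
    # Unquoted paths may contain spaces: cut at the first executable extension.
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def misplaced_system_binaries(log_text, windir=r"E:\WINDOWS"):
    """List (value name, path) for system binary names started outside system32."""
    expected = ntpath.normcase(ntpath.join(windir, "system32"))
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # not a registry Run entry
        path = command_path(m.group(3))
        folder, exe = ntpath.split(path)
        if exe.lower() not in SYSTEM32_BINARIES or not folder:
            continue  # unlisted name, or a bare name resolved through PATH
        if ntpath.normcase(folder) != expected:
            findings.append((m.group(2), path))
    return findings

if __name__ == "__main__":
    for name, path in misplaced_system_binaries(SAMPLE_LOG):
        print(f"Run value [{name}] starts {path}, outside system32")
```

A hit only says the path is unexpected; confirming that system32 still holds its own copy, as the post advises, comes before deleting anything.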

#10 - slund - Jan 28th, 2008
Originally Posted by gerbil:
> Hi again... logonui.exe normally resides in system32. There should be no such directory E:\WINDOWS\SSTEM~1 [it is a corruption of some sort, malware?] - and that abbreviation is wrong for system32, it refers to some directory [or file!!] named sstem+whatever. So check in your system32 for logonui.exe; if it exists happily delete the E:\WINDOWS\SSTEM~1\logonui.exe

Hi,

I do have a logonui.exe in my E:\Windows\System32 directory. I've found out the SSTEM~1 directory is actually a second directory in E:\Windows named 'system' (I seem to have 2 'system' directories somehow)? In the 2nd system directory is another folder named system (so far we're at E:\Windows\system\system) and in there is 1 file named 'ctxad-555.0000'. Would I be correct in thinking I should be deleting this 2nd E:\windows\system directory?

I also have a file named 'LOGONUI.EXE-0AF22957.pf' in the E:\Windows\Prefetch directory?

Thanks.
Last edited by slund; Jan 28th, 2008 at 2:28 pm.

©2003 - 2009 DaniWeb® LLC