Help! No idea whats wrong

You never ran the online scanners from the READ ME FIRST. I do not believe they will fix this problem but they are supposed to be run. They could have found other issues.

Also, no browsers should be running anytime you use HijackThis. You had: C:\Program Files\Internet Explorer\iexplore.exe

Make absolutely sure no browsers are running during these steps!! Print the below steps so you can follow along after disconnecting. So exit all of your browsers now and stay disconnected until I say to run one.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O15 - Trusted Zone: http://*.frame.crazywinnings.com

Now open a command prompt window by clicking Start, Run, and enter cmd in the box and click OK.
Now enter the following command and then hit the enter key.
attrib +r +h +s c:\windows\system32\drivers\etc\hosts

Let me know if any error message occurs upon running this command.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Sorry I left out a few works. This quoted text:

Should be replaced by:

Make absolutely sure no browsers are running during these steps!! And I am going to have you physically disconnect (unplug your cable) from the internet too. So print the below steps so you can follow along after disconnecting. So exit all of your browsers now and physically stay disconnected until I say to get a new HJT log.

 

You are still forgetting to shut down you browser when using HJT.
C:\Program Files\Internet Explorer\iexplore.exe

It will interfere with proper operation of HJT when fixing and we do not want to see it running while scanning (unless specifically requested).

The fix I gave you needs that command line "attrib" command to work. But I screwed up and forgot you had c:\winnt not c:\windows change the command to be

attrib +r +h +s c:\winnt\system32\drivers\etc\hosts
and try the whole fix all over again

 

According to your HJT log: C:\Program Files\Internet Explorer\iexplore.exe was running. If you are 100% sure you closed down all Internet Explorer browsers (exit them not minimize them) then this could be part of your problem. That would mean some piece of malware is keeping a hidden IE session open. Check it again yourself and let me know what you find out.

Did you run that procedure again with the proper c:\winnt command?

 

Download CWShredder 2.0 from: http://www.majorgeeks.com/download3019.html
Install CWShredder 2.0. Do not run it yet.

Download Giant Antispyware from: http://www.giantcompany.com/p_antispyware.aspx
Click the link for the free trial. Install this and run it.


Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Unzip the files to the folder of your choice.

Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINDOWS\httpfilter.dll

Now put a tick by Delete on reboot. Also put a check in the box by Unregister .dll before deleting.

Click on the button with the red circle with the X. It will ask for confimation. Click Yes and then No when it asks if you want to reboot now.

After you come back up from reboot do not run anything except what I give you below.
Run CWShredder 2.0 and make sure you select FIX.

Next run Hijack This again and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now and do not open any browsers until I say to do so:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvbfi32.exe
O15 - Trusted Zone: http://*.frame.crazywinnings.com
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll

Now restart your computer safe mode. Run HijackThis again and recheck to see if the above lines are still fixed. If not, fix them again. While in safe mode, use Windows Explorer to delete:
C:\winnt\system32\kalvbfi32.exe
C:\WINNT\httpfilter.dll <--- hopefully this one is already gone
C:\WINNT\httpfilter2.dll <--- look for this one two and delete if found.

Reboot normal mode. Again Run HijackThis again and recheck to see if the above lines are still fixed. If not, fix them again. Now finally open your browser and then exit your browser. Check another HijackThis log now with no browsers open and save the log. Now come back here and post this final log.

 

Damn! There are a couple new process running now:

C:\WINNT\System32\paypay.exe <--- this looks bad
C:\WINNT\System32\drwtsn32.exe <--- did you run Dr Watson for some reason

 

Here is some info for you about it: http://support.microsoft.com/default.aspx?scid=kb;EN-US;308538

Did you have any program errors or crashes?

 

No! Only Dr. Watson is gone. paypay.exe is still there and now you have other problems too. Like NaviSearch and BullsEye Network. Where have you been surfing?

You should run a full scan with Giant Antispyware. It sometimes fixes those two items.

I would like you to goto SysInternals and download three programs. ProcessExplorer, Regmon (Registry Monitor), and Filmon (File Monitor). Just download them and unzip all of them into a directory like c:\sysinternals. They do not require any installation. You just double click on them to run them. I provide two links below for each program. One for the program itself and one that will give you a little insight into what the program is used for.

http://www.sysinternals.com/files/procexpnt.zip ----http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.sysinternals.com/files/ntregmon.zip ----http://www.sysinternals.com/ntw2k/source/regmon.shtml
http://www.sysinternals.com/files/NTFILMON.ZIP ----http://www.sysinternals.com/ntw2k/source/filemon.shtml

I'm hoping that if we have all three of these running when fixing those O1 - Hosts lines using HijackThis that we can catch the process that runs, or
modifies the registry, or modifies the hosts file itself. Then we can locate the file/process and try to remove it.
So run those three items. And do the following to configure a few things how we want. Note: Get HijackThis running and all three of these program
running and configured as indicated below before clicking fix with HijackThis.
1) run ProcessExplorer -
Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under
the View menu choose "Select columns" and put a check mark on "Image Path".
Use it to observe what processes are running and just before we have HJT fix the O1 entries and just after they are fixed. If you see the file that
runs, write down the full file name and path to file and post it back here.
2) run filemon -
When it comes up, change the *.* in the Include box to say hosts. Then click Apply and OK. The Filemon window now comes up and will monitor for
anything accessing hosts. After you use HJT to fix the O1 lines, also come back to the Filemon screen and click File and then uncheck the Capture
Events selection to stop the capture process. Then use File, Save As to save the log to a file like filemon.log and post it back here as an
attachment.

3) run regmon -
When it comes up, click the icon that sort of looks like a diamond with some blue color on top. This is the Regmon filter. In this filter, enter the
following hosts; 69.20.16.183 ;httpfilter.dll Then click Apply and then OK. It will ask if you want to apply the filter to the current output.
Say yes. After you use HJT to fix the O1 lines, also come back to the Regmon screen and click File and then uncheck the Capture Events selection to
stop the capture process. Then use File, Save As to save the log to a file like regmon.log and post it back here as an attachment.

Okay so after getting that all setup. Run HJT and select the below items and then click fix:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O15 - Trusted Zone: http://*.frame.crazywinnings.com
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
Then save all the logs from the SysInternal programs (and the path of anything that you see run in ProcessExplorer) and post them back here.

 

You may have problems trying to run those three programs. Seems that this malware causes a problem that indicates you do not have debug level permissions.

Do the following using Windows search and please configure Windows search as follows:
If you use Search, you need to do the following:
Click Search and the Select "All files and folders"
Enter the filename in the "All or part of the file name:" box
Now select "More advanced options"
Make sure the following check boxes are checked:
- Search system folders
- Search hidden files and folders
- Search subfolders
Then click the Search button.


Then do a search for these files:
kalvsuy32.exe
iosyko.exe
iwrop.dll
sywin16.dll

Let me know if they are found and where. I would assume c:\windows\system32

 

No it's my fault! I forgot you had Win2K. All you needed to do was just run the search. Win2k does not need to configure the search to include all files.

 

Are you able to run ProcessExplorer and Filemon?

But Regmon would not run? Right? What error message did you get?

 

Filemon and Regmon will be blank after setting up the filters I gave you. They will only show info that matches what we are filtering on. Since we were looking for access to the hosts file (and the IP address too), I put them in the filter list. If you simple accessed your hosts file yourself, you would see it popup in Filemon.

So you are able to run all 3 programs then, is that true?
Other people having this O1 - Hosts issue cannot.

 

I guess you missed messages # 41 & 42

 

Did it say anything with the word debug in it?

Can you please post the exact message word for word?

 

Please try renaming the filemon.exe program to: myfmon.com
And then try to run myfmon.com. Let me know what happens.