Help! No idea whats wrong

Darn! Okay but you said you got ProcessExplorer running. Do the following:

Run ProcessExplorer and lets configure some options first:
Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
Now click on File and then Save As. And save the process list. Post it back here as an attachment. Also, from now on if I say to kill a process, use ProcessExplorer instead of Task Manager. Sometimes ProcessExplorer can kill things that Task Manager cannot.

 

Okay I see a process named vayvay.exe running. The full path is C:\WINNT\system32\vayvay.exe

Use Process Explorer to kill it and then see if you can run Filemon. Also keep ProcessExplorer open to see if the process restarts. It may even restart using a different name.

Also there is a DLL I would like to get more info on: muvfw32.dll
I assume it is c:\windows\system32\muvfw32.dll
See if you can locate it with Windows Explorer and right click on it. Select Properties and then the version tab and go thru the Item name list looking for company, version etc.

 

Did you try this:

- Disconnect physically (unplug cables) from the internet.
- reboot in safe mode.
- do not run anything but ProcessExplorer and Windows Explorer (not internet explorer)
- Kill the vayvay.exe process using ProcessExplorer
- Use Windows Explorer to delete C:\WINNT\system32\vayvay.exe

Reboot normal and tell me the results of this and also indicate if it came back.

 

Okay first check with ProcessExplorer to see what the name of this damn process is now. I will assume it is still paypay.exe. This time do the following:

- Disconnect physically (unplug cables) from the internet.
- reboot in safe mode.
- do not run anything but ProcessExplorer and Windows Explorer (not internet explorer)
- Kill the paypay.exe process using ProcessExplorer (if still running)
- Use Windows Explorer to delete C:\WINNT\system32\paypay.exe
- Use Windows Explorer to locate c:\windows\system32\muvfw32.dll (I'm assuming it is in system32). Now right click on the muvfw32.dll file and select rename. Rename it to muvfw32dll.bad

Reboot normal and tell me the results of this and also indicate if it came back. I have a feeling it only comes back after running IE.

 

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file move.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the move.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.

Now run HJT and fix the O1 - Hosts lines and the O15 - Trusted Zone: http://*.frame.crazywinnings.com line if still there. Then reboot your computer and get a new HJT log to post here.

 

No it isn't! Did that merge help?

 

Okay! So that merge fixed the O15 - Trusted Zone problem. At least we have that issue resolved. The O1 - Hosts problem is spreading like a plague and we have no fix yet.

 

Did you ever complete ALL of the steps in this link: How to Protect yourself from malware!

Have you re-run the steps of the READ ME FIRST?

After that, post a new HJT log!

 

Can you give more detail on what it is finding and the error? And you do mean you have version 2.12, right?

 

Are all your browser windows closed before you run it?

Did you download the new file or did you use update?

 

Okay you downloaded it. Try running it in safe mode.

 

PP,

Quinndrew5 is running Windows 2000. It is more like XP than it is like Win9x. I don't believe the above tools are meant for an NT based (Win NT, Win2K, WinXP) system.

 

Here is a set of links for all the tools that will be needed (just in case you don't have all of them). I know you have the first one.

Generic Detection Tool
http://www.downloads.subratam.org/DllCompare.exe
http://www.downloads.subratam.org/VX2Finder.exe
http://www.downloads.subratam.org/KillBox.zip

You have a very long list of files that have to be removed with Killbox. Either Phillie or myself will get back to you on this. I have to run right now.

 

Well let me see if I can get your started. Here are the files that we need to delete using Killbox. They are all in the c:\winnt\system32 folder:

Directory of C:\WINNT\System32
12/30/2004 10:15a 222,564 houi.dll
12/30/2004 10:15a 222,631 jt6007jme.dll
12/30/2004 12:18a 226,151 aza00chmef4a0.dll
12/29/2004 10:51p 222,564 azao0793e.dll
12/29/2004 10:40p 223,034 n2n6lc5s1f.dll
12/29/2004 10:31p 226,151 tOpi3.dll
12/29/2004 10:31p 223,183 aza6le3s1h.dll
12/29/2004 03:54p 226,151 hr8405lqe.dll
12/29/2004 03:13p 226,151 l2n40c5qef.dll
12/28/2004 10:38p 226,151 mvlol9331.dll
12/28/2004 09:17p 222,674 fplu0339e.dll
12/28/2004 09:00p 222,860 f40oled31h0.dll
12/28/2004 07:48p 222,546 p6p60g7se6.dll
12/28/2004 04:48p 226,151 mvv1_0.dll
12/24/2004 11:04p 225,744 mv2ml9f11.dll
12/23/2004 07:30p 224,715 azamli1118.dll
12/23/2004 05:13p 224,724 lv0009dme.dll
12/23/2004 12:08p 224,715 wlwfaxui.dll
12/23/2004 12:08p 225,158 fp4403hqe.dll
12/23/2004 11:31a 226,102 kt8ol7l31.dll
12/23/2004 11:00a 224,715 mhpmsnsv.dll
12/23/2004 11:00a 224,825 e0jm0a11ed.dll
12/23/2004 10:50a 224,715 rXsrad.dll
12/23/2004 10:50a 224,747 f2l00c3mef.dll
12/23/2004 09:43a 223,133 p0n8la5u1d.dll
12/21/2004 12:10p 223,183 q0nula591d.dll
12/21/2004 11:58a 224,732 jtj0071me.dll
12/21/2004 11:35a 225,388 fpp6037se.dll
12/20/2004 02:32p 225,463 n84s0ih7e84.dll
12/19/2004 07:30p 226,179 m464lejq1hoe.dll
12/19/2004 04:33p 223,000 jt4207hoe.dll
12/19/2004 12:51p 223,000 dvskperf.dll
12/19/2004 12:51p 223,923 fp2u03f9e.dll
12/19/2004 12:31p 224,865 ir68l5ju1.dll
12/19/2004 12:00p 223,132 g2lm0c31ef.dll
12/19/2004 12:15a 225,896 mv2sl9f71.dll
12/17/2004 11:29p 225,639 e8jmli1118.dll
12/17/2004 02:52p 223,087 mvnsl9571.dll
12/16/2004 10:00p 224,601 mvrol9931.dll
12/16/2004 07:24p 223,150 ir88l5lu1.dll
12/16/2004 07:12p 224,989 n88o0il3e8q.dll
12/16/2004 03:44p 226,301 azaolel31hq.dll
12/15/2004 10:19p 224,374 fpjq0315e.dll
12/15/2004 02:26p 224,374 drconfig.dll
12/13/2004 07:31p 224,079 g440lehm1h4a.dll
12/12/2004 10:09p 225,740 j46mlej11ho.dll
12/12/2004 02:58p 223,153 t0r8la9u1d.dll
12/12/2004 12:38p 222,759 gp0ml3d11.dll
12/12/2004 12:08p 222,749 gp80l3lm1.dll
12/12/2004 12:03a 225,740 jtro0793e.dll
12/11/2004 01:17p 225,740 i406leds1h06.dll
12/10/2004 11:53p 225,740 fpj4031qe.dll
12/10/2004 02:27p 225,740 n48olel31hq.dll
12/09/2004 10:09p 224,086 jt6207joe.dll
12/09/2004 05:16p 225,941 irn8l55u1.dll
12/09/2004 05:06p 225,655 mv6ql9j51.dll
12/08/2004 03:03p 225,733 kt46l7hs1.dll
12/08/2004 02:20p 224,086 syc.dll
12/07/2004 10:04p 222,737 l4l6le3s1h.dll
12/07/2004 08:38p 222,874 jtlm0731e.dll
12/07/2004 08:20p 223,137 g0040adqed0e0.dll
12/07/2004 08:07p 222,737 mfisip.dll
12/07/2004 08:07p 222,979 i2420choef4c0.dll
12/07/2004 08:00p 223,893 i6nmlg5116.dll
12/07/2004 05:40p 222,737 muvfw32dl.bad
12/06/2004 10:13p 225,885 m2820cloefqc0.dll
12/04/2004 12:24p 222,916 ktj4l71q1.dll
12/04/2004 11:53a 224,220 mtvideo.dll
12/03/2004 03:06p 224,327 jt0m07d1e.dll
12/03/2004 02:43p 224,999 kt6sl7j71.dll
12/02/2004 08:42p 223,232 skfilshr.dll
12/02/2004 08:42p 223,274 g2400chmef4a0.dll
12/02/2004 08:32p 223,232 n64s0gh7e64.dll
12/01/2004 07:22p 223,232 wmhirda.dll
12/01/2004 06:25p 223,232 mhconf.dll
11/22/2004 06:58p 512 NuzK63G.h8p
11/21/2004 08:00p 254,038 TqzU35W3.exe
11/21/2004 08:00p 254,038 AthffaH.exe
11/21/2004 07:59p 499,798 QjlrXhe2.exe
11/21/2004 07:59p 499,798 MtyJ63F.exe
11/21/2004 07:59p 499,798 Npw5p.exe
09/12/2004 04:53a 10,993 ipqu32.exe

and c:\winnt\system32\guard.tmp

And here is how you need to do it.

Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

Now you are going to repeat the below steps for every file except C:\WINNT\System32\guard.tmp (we will add it separately at the end). Replace the the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINNT\System32\houi.dll


1) Now, Copy and Paste fullpathfile into the box
2) Check the option to Use Dummy.
3) Now, Click the Red X and Yes to the confirmation message.
4) A message will ask if you want to reboot now – Click NO.
5) Repeat for all files except the last one

For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

Now, Copy and Paste C:\WINNT\System32\guard.tmp into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot Normally.

After it reboots get another findit.bat log and post it. Also run DLL Compare – Click Run Locate.com then click the Compare button. Follow the prompts and allow time for it to complete and make a log. Please attach that Log.

 

Okay! Were you able to delete all those files?

Did you reboot? Where's are the logs?