I've been going nuts

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jrog123, Nov 5, 2004.

  1. jrog123

    jrog123 Private E-2

    Help,
    My wife (not me) must have clicked on something and I keep getting my home page set to something else. I can only go to the internet by hitting start, then run, then typing in the web address.
    I have run Spy Sweeper, Spybot, Adaware, all to no avail. They did clean out some stuff, but this one lingers.
    I am hoping that someone can help me out. Also, I am probably a 4 on a scale of 1-10 when it comes to computers.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. jrog123

    jrog123 Private E-2

    Ok,
    Thus far I have followed the instructions to a T, and I still have the CWS web page, and porn popping up. I am almost ready to launch the unit out the door. What should I do next?

    JR
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.
     
  5. jrog123

    jrog123 Private E-2

    I have done the HJT, but save logfile, and select GO Advanced and manage attachment isn't there?

    Please explain
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you scroll down in your message window to look for it? After clicking Go Advanced, besides getting more editing options for your messages, the Manage Attachments selection shows up under Additional Options, but you need to scroll down to see it.
     
  7. jrog123

    jrog123 Private E-2

    Ok,
    Here is the log from the HJT.
    I hope this is what you need.

    JR
     

  8. Kodo

    Kodo SNATCHSQUATCH

    you ran HJT from

    C:\WINDOWS\DESKTOP\MY DOCUMENT 24\HIJACK THIS\HIJACKTHIS.EXE

    this is an invalid location to run it from.
    Please place HJT in its OWN folder like C:\program files\hijackthis and then post a new log.
    thanks
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In addition to what Kodo said:

    - No browsers should be running. You had: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    - Also before running the HJT scan, goto Add/Remove programs and uninstall WEATHERBUG
     
  10. jrog123

    jrog123 Private E-2

    All right,
    As I said before, on a scale of 1-10, I'm a 4.

    Here you go again.

    JR
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still did not fix what Kodo asked. You have HijackThis running from:

    C:\WINDOWS\DESKTOP\MY DOCUMENT 24\HIJACK THIS\HIJACKTHIS.EXE

    You need to create a directory like C:\Program Files\HJT or C:\Program Files\HijackThis and put the HIJACKTHIS.EXE file in that directory and run your scans using it.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First be sure to get HJT running from the proper location before performing the below steps.
    This may not completely work due to the nature of one of the hijacks you have. We may need to perform some additional steps to get rid of the hijacker completely.

    Make sure you have viewing of hidden files enabled and have downloaded About:Buster (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    WINAL32
    SYSTIME


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dkmrh.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dkmrh.dll/sp.html#29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\dkmrh.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dkmrh.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dkmrh.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dkmrh.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dkmrh.dll/sp.html#29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {18F6DF56-04E0-EABB-9FE9-169856A43121} - C:\WINDOWS\SYSTEM\IPXS32.DLL
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKLM\..\RunServices: [APIEM32.EXE] C:\WINDOWS\SYSTEM\APIEM32.EXE
    O4 - HKLM\..\RunServices: [WINAL32.EXE] C:\WINDOWS\SYSTEM\WINAL32.EXE
    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe

    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://67.97.0.66:3000/msrdp.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {6CD092E5-AFA4-73CA-B4EA-523618731988} - http://82.179.166.72/1/gdnUS208.exe
    O16 - DPF: {2D9E0469-BDB1-1406-B97F-3C1D66279D65} - http://82.179.166.72/1/rdgUS208.exe
    O16 - DPF: {44F964EE-B49C-4300-5131-1D7162CF2567} - http://82.179.166.72/1/rdgUS208.exe
    O16 - DPF: v3cab - http://searchmiracle.com/cab/v2cab.cab

    Run About:Buster and save the log (like ablog1.txt).


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system\dkmrh.dll
    C:\WINDOWS\SYSTEM\IPXS32.DLL
    C:\WINDOWS\QUESTMOD.DLL
    C:\WINDOWS\SYSTEM\WINAL32.EXE
    C:\WINDOWS\SYSTEM\SYSTIME.EXE

    Run About:Buster and save the log to another file (like ablog2.txt).


    Now reboot in normal mode and post a new HJT log and the two About:Buster logs. And tell us how things are working.
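    A small triage script, added here as an illustration and not part of this thread or of HijackThis itself, that applies the same reasoning chaslang used on the log above: it flags Start/Search pages set to bare-IP or res:// values, unnamed BHOs, autostarts of the files he listed, and O16 downloads of raw executables. The sample lines are copied from the log excerpt in this post, and KNOWN_BAD_FILES is the list of files from the same post; the rules are heuristics for review, not a verdict.

```python
import re

# Sample HijackThis entries copied from the log excerpt chaslang quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dkmrh.dll/sp.html#29126
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O4 - HKLM\..\RunServices: [WINAL32.EXE] C:\WINDOWS\SYSTEM\WINAL32.EXE
O16 - DPF: {6CD092E5-AFA4-73CA-B4EA-523618731988} - http://82.179.166.72/1/gdnUS208.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
"""

# File names chaslang told the poster to end and delete, used here as a known-bad list.
KNOWN_BAD_FILES = {"winal32.exe", "systime.exe", "apiem32.exe", "dkmrh.dll", "ipxs32.dll", "questmod.dll"}
# URL whose host is a bare IPv4 address rather than a domain name.
BARE_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I)

def analyse_line(line):
    """Return (section, reason) for a suspicious HJT line, else None."""
    line = line.strip()
    section = line.split(" - ", 1)[0]          # "R0", "O2", "O16", ...
    if section in ("R0", "R1"):                # IE start/search/default pages
        value = line.split(" = ", 1)[-1]
        if BARE_IP_URL.match(value):
            return section, "browser page set to a bare-IP URL"
        if value.lower().startswith("res://"): # search page served from a local DLL
            return section, "search setting points into a local DLL resource"
    elif section == "O2" and "(no name)" in line:
        return section, "unnamed browser helper object"
    elif section == "O4":                      # Run/RunServices autostarts
        filename = line.rsplit("] ", 1)[-1].rsplit("\\", 1)[-1].lower()
        if filename in KNOWN_BAD_FILES:
            return section, "autostart of a file from the known-bad list"
    elif section == "O16":                     # ActiveX (DPF) downloads
        url = line.rsplit(" - ", 1)[-1]
        if BARE_IP_URL.match(url) or url.lower().endswith(".exe"):
            return section, "ActiveX download from a bare IP or of a raw .exe"
    return None

def triage(log_text):
    """Collect (entry, section, reason) for every suspicious line in an HJT log."""
    hits = []
    for line in log_text.splitlines():
        verdict = analyse_line(line)
        if verdict:
            hits.append((line.strip(), *verdict))
    return hits
```

The WeatherBug line is left alone on purpose: it is a .cab from a domain name, so the heuristics do not catch it, which is why chaslang had the poster uninstall it separately.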
     
  13. jrog123

    jrog123 Private E-2

    I have downloaded About:Buster, but there isn't a save log.
    Also, I can't find task mgr?

    JR
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To save the log, highlight the text with your mouse and copy using CTRL-C. Then paste it into a file using CTRL-V.

    In Win98, CTRL-ALT-DEL brings up taskmon.exe (similar to Task Manager - taskmgr.exe in other OS). What happened when you hit CTRL-ALT-DEL? Didn't a window pop up with the title "Close Program" in it?
     