Author Topic: help weird spyware problem  (Read 413 times)

MiXX Ea$twood
« on: February 26, 2006, 10:19:13 PM »
Logfile of HijackThis v1.99.1
Scan saved at 10:00:45 PM, on 2/26/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MAGICKB\AALVOL.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] "C:\WINDOWS\scanregw.exe " /autorun
O4 - HKLM\..\Run: [TaskMonitor] "C:\WINDOWS\taskmon.exe"
O4 - HKLM\..\Run: [SystemTray] "SysTray.Exe"
O4 - HKLM\..\Run: [AtiCwd32] "Aticwd32.exe"
O4 - HKLM\..\Run: [AtiKey] "Atitask.exe"
O4 - HKLM\..\Run: [MagicKB] "c:\MagicKB\AalVol.exe"
O4 - Startup: settings.awc
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll



my host file changes and adds a bunch of ad urls to it..... popups spawn up by themselves. sbsd didn't find none. adaware finds them but cannot delete them because the files are in use. i cannot run adaware in safemode because my usb mouse will not work in safemode and my pc doesn't have ps/2 ports. i've tried running

hijackthis
cwsshredder
spybot s&d

all in safe mode but they don't help

i've did the normal regedit and looking for them but there isn't any there CAN ANYBODY HELP?

guestolo
« Reply #1 on: February 27, 2006, 09:27:17 AM »
I would like to see that hosts file after the urls have been added
Can you open Hijackthis>>Open Misc tools section>>Open "Hosts file manager"
Click the "Open In Notepad" button

A text file will open, can you copy and paste the whole contents back here please

Additionally, I see no Anti-Virus software on this computer
For now, can you run an online virus scan at Panda's please

Use Internet Explorer and Run the online Panda ActiveScan
    * Once you are on the Panda site click the Scan your PC button.
    * A new window will open...click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User or Company."
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on Local Disks to start the scan.

When the scan is complete
 click See Report, then click Save Report and save it to your Desktop.

Post back this report

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


MiXX Ea$twood
« Reply #2 on: February 28, 2006, 12:38:06 AM »
i did have avg and it found nothing..... btw, the malware also makes my mouse stop moving. it doesn't do any abnormal movements, it just stops. i've checked the mouse and it works fine in msdos and on another computer. it also launches rundll32.exe a lot. i don't know what the source folder for the rundll32 that is running is, so i don't know if it's fake or not. spyware programs don't detect it and i've ran the sfc (system file checker) to verify it and it seems to be fine. i get popups in mozilla and ie6. i'll have the panda report as soon as i can get this piece of sh** to work, without a mouse it's not easy to select things using key-cuts, plus the malware takes over my browser when i try to enter urls

guestolo
« Reply #3 on: February 28, 2006, 12:48:47 AM »
When you supply the Hosts file from Hijackthis and the report from Panda's
Can you also let me know where you're getting these popups from please, may give a good indication
What are the popups promoting?
If you just can't do much, at minimum let me know where the popups are directing please
« Last Edit: February 28, 2006, 12:53:11 AM by guestolo »



MiXX Ea$twood
« Reply #4 on: February 28, 2006, 12:57:01 AM »
my aids infected host file



guestolo
« Reply #5 on: February 28, 2006, 01:08:34 AM »
Try the following please, in case I don't see the other info before the end of the night
Please download L2m9xfix from one of these two locations:
GeeksToGo
Noidea.us

Save it to the desktop and run it.  Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear.  Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.



MiXX Ea$twood
« Reply #6 on: February 28, 2006, 01:21:38 AM »
Log of L2M9XFix v1.01a
 
************
 
Running from directory:  
C:\WINDOWS\Desktop\l2m9xfix
 
************
 
Files found:
 
C:\WINDOWS\system\ADIMPPIF.DLL
C:\WINDOWS\system\ALID3DR3.DLL
C:\WINDOWS\system\CDDIAL32.DLL
C:\WINDOWS\system\DKCNDI.DLL
C:\WINDOWS\system\iofg95.dll
C:\WINDOWS\system\KCUSER.DLL
C:\WINDOWS\system\MMXML.DLL
C:\WINDOWS\system\WX2_32.DLL
 
************
 
Registry entries found:
 
[HKEY_CLASSES_ROOT\CLSID\{05D837E0-A2FE-11DA-AE8E-0010B58BC76F}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\DKCNDI.DLL"
 
 
************
 
Killing Explorer
Done!
 
Killing Rundll32
Done!
 
Removing malicious CLSID(s)
Done!
 
Restarting Explorer
Done!
 
Deleting malicious files
Done!
 
 
Finished!



Logfile of HijackThis v1.99.1
Scan saved at 1:19:00 AM, on 2/28/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
O4 - Startup: settings.awc


it's actually acting normal now, but i don't count my chickens 'fo they hatch

guestolo
« Reply #7 on: February 28, 2006, 01:28:09 AM »
What happened to your hijackthis log????
And why did you install Spyhunter?

Please read this on Spyhunter
http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note

I need you to restore those entries you removed from the Hijackthis log
If you already removed entries with Hijackthis there should be a BACKUP folder on your desktop
Can you right click an empty area on the desktop, Select NEW>>Folder
Name the new folder something like>>>HJT
Right click on Hijackthis.exe and choose CUT from the menu bar
and paste it to the HJT folder
Do the same with the Backup folder, put it into the HJT folder

Then open Hijackthis.exe and click "View a List of Backups"
RESTORE all backups

Additionally, if you are controlling any entries with MSCONFIG
Reenable them all

Reboot the computer afterwards
It's not helping you or myself if you are hiding entries from me
I can't be much help with the rest of the log if I can't see what's going on

Come back here and post a fresh hijackthis log afterwards
Did you run the scan at Panda's, did you save a report?

EDIT>>I'm off to bed now, please do what I asked above
I'll look at the log tomorrow, you removed some entries you may prefer or NEED
« Last Edit: February 28, 2006, 10:00:27 AM by guestolo »


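The check behind Reply #7, noticing that entries went missing between the two HijackThis logs, written out as an added example that is not part of the original thread: a Python sketch that parses two logs and lists the entries that vanished or appeared between scans. The function names are made up for this example, and the two samples are shortened excerpts of the logs posted above.

```python
import re

# A HijackThis item line is "<section code> - <entry>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<text>.+)$")

def parse_entries(log_text):
    """Return the set of (section code, entry text) pairs found in one log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("text")))
    return entries

def diff_logs(before, after):
    """Return (removed, added): entries missing from / new in the later log."""
    old, new = parse_entries(before), parse_entries(after)
    # Sort by section letter, section number, then entry text.
    order = lambda e: (e[0][0], int(e[0][1:]), e[1])
    return sorted(old - new, key=order), sorted(new - old, key=order)

# Shortened excerpts of the two logs posted in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ScanRegistry] "C:\WINDOWS\scanregw.exe " /autorun
O4 - HKLM\..\Run: [TaskMonitor] "C:\WINDOWS\taskmon.exe"
O4 - HKLM\..\Run: [MagicKB] "c:\MagicKB\AalVol.exe"
O4 - Startup: settings.awc
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"
O4 - Startup: settings.awc
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for code, text in removed:
        print(f"- {code} - {text}")   # present in the first log only
    for code, text in added:
        print(f"+ {code} - {text}")   # present in the second log only
```

Entries flagged as removed are the ones to look for among the HijackThis backups before restoring.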

MiXX Ea$twood
« Reply #8 on: February 28, 2006, 01:36:54 AM »
i didn't run panda yet, but i'm on it.... thanks a mil for the help and the pc is actin better. give me 5 more mins and i'll be right back with a hijackthis and panda log

guestolo
« Reply #9 on: February 28, 2006, 01:39:44 AM »
After you restore those entries with Hijackthis and/or msconfig>>remember, enable everything!
And after you run the scan and save the report from Panda's

REBOOT the computer

I want to see if anything else may be hiding
I'm off to bed so I'll look at the new log and Panda report tomorrow

P.S. I got your email, glad to help, but let's make sure we have you totally clean and keep you that way
I have some preventive tools
I would uninstall Spyhunter!

EDIT>>you say you have/had Spybot and ad-Aware, they are very reputable
Can you let me know what versions you're running please
« Last Edit: February 28, 2006, 01:41:28 AM by guestolo »



MiXX Ea$twood
« Reply #10 on: February 28, 2006, 02:00:43 AM »
everything's okay.... i gotta reinstall ie6sp1 to run the panda but i'll have the logs up pronto