need help with patience

[mauserme]

Hi newb.

I think I see a bit of an infection called wareout that we should be able to clean up.  Darth_Mickey also mentioned a couple things we'll look at.

First  download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall.




After posting the ComboFix log download FixWareout.exe.  When the download finishes double click the FixWareout.exe icon to begin the installation.  Click the Next button to continue the installation, then click Install.  The tool will be installed to the C:\FixWareout folder.

You will now be at the last screen of the FixWareout setup. Make sure that the checkbox labeled Run fixit is filled, then click on the Finish button to automatically start FixWareout.

Press any key on your keyboard to start the removal process.

FixWareout will now display a prompt stating that you will need to reboot your computer to continue with the fix.  Click on the OK button to start the reboot process.  Please be aware that the reboot time may be longer than normal due to the running of this fix. Before your desktop appears you will see a prompt stating Beginning Fix ... Click OK to Start.

Press the OK button to continue with the removal process. This process can take a while, so please be patient.

Finally you will see a prompt stating that FixWareout has finished.

Press the OK button to close FixWareout and for your Windows desktop to appear.

When the desktop appears a file called report.txt will automatically open in Notepad. Please copy/paste this log into your next response.



Then post a fresh HijackThis log from normal mode, if possible.  Otherwise it can be run in safemode again.


EDIT:  Are the Turkish start page and toolbar something you expect?  I ask because your log is predominantly in English.

[newb]

THANK YOU MAUSERME AND DAVID-MIKEY

here what is going on here....

I just downloaded the combofix and when I double click an error says it can not found on windows.  %systemroot%\system32\cmd.exe   
and I did not mouseclıck on combofix window while it was running...
and yes turkish is the language we like to keep... (I am helping my father to fix his computer)

 
should I remove those 3 lines or later?  I have got firefox browser now... thank you... I was able to use it fine except trying to enter this page. for some reason can not connect to the form? using IE now...
(by the way I am really learning this computer from all of you... thank you soooo much)

looking forward to hear from you.....

[Hard_ROCKER]

should I remove those 3 lines or later?

If you're talking about those lines in HijackThis then yes remove them, restart the computer run HijackThis again and post the contents of the log so we can be sure they're really gone ...

[newb]

ohhh I forgot... the Hijackthis log was done in normal mode.... not the safe mode....

[mauserme]

It would be good if you could run FixWareout first, before fixing those lines.  It should run on WIN98.

[newb]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:28:29, on 19.07.2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60308
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60308
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60308
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60308
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60308
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TTNET tarafından sağlanan Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\CRAWLER\TOOLBAR\CTBR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1055,&Radyo - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\CRAWLER\TOOLBAR\CTBR.DLL
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.116.163,85.255.112.102
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\CRAWLER\TOOLBAR\CTBR.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

--
End of file - 3710 bytes

[newb]

Hi Mauserme:

when I click on fixwareout.exe link it directs me to www.bleepingcomputer.com which the page can not be displayed\ server not found.... Anythingelse I can do next?

also while trying to send a post computer froze 2 times 

Have a great day....

[mauserme]

I think the site is down.

Try this link instead

http://downloads.subratam.org/Fixwareout.exe

[newb]

and hi Darth_Mikey:

I just post the new Hijackthis log. what do you think now?

and so sorry about the David-Mikey...  It is so early and looks like my brain concentrated on computer so much.....

have a great day

[mauserme]

If you've already fixed the suggested lines in HJT the 017 is back because there is at least one wareout file restoring it.

After FixWareout finishes and you reboot you can fix the 017 again, but make sure to post the FixWareout log as there may be files that need to checked manually.


EDIT:  BTW, ComboFix didn't run because WINME/WIN98 has command.com instead of cmd.com   Some of the tools don't work on older operating sytems.

[newb]

Mauserme
you wrote:
FixWareout will now display a prompt stating that you will need to reboot your computer to continue with the fix.  Click on the OK button to start the reboot process.  Please be aware that the reboot time may be longer than normal due to the running of this fix. Before your desktop appears you will see a prompt stating Beginning Fix ... Click OK to Start.

well boot time was so quick and when the computer turned on again there was just a regular screen... I have not seen a prompt stating Beginning Fix

again something about being an old computer???

I really wanna thank you for your time too...
and how do you do that cut and paste lines from the other post? please let me know if you are not already tired of me......

[newb]

I have deleted:

04-HKLM\........C:windows\sys32\igiduexe
and
015-Thrusted zone:......

should I have deleted 017 too?

[newb]

Mauserme wrote:
BTW, ComboFix didn't run because WINME/WIN98 has command.com instead of cmd.com   Some of the tools don't work on older operating sytems.

so should I uninstall that too?

[mauserme]

and how do you do that cut and paste lines from the other post? please let me know if you are not already tired of me......

Do you mean this?     Just hit the quote button in the post you want to excerpt from and edit as needed.


Let me take a step or two back.  What Darth-Mikey (I think I spelled it right too this time) said to fix in HJT this was correct.  I thought he included the 017 in his list of lines to fix but he didn't. Apologies to Darth_Mikey for the misinterpretation.

I believe the 017 is an indication of the wareout infection I mentioned but before we do more let me ask, what is the status of things at this point?

[Hard_ROCKER]

Yes you're right i forgot to include O17(that nasty Ukraine server) in my post guys. Sorry !
Remove that one as well newb !
Other than that your log appears to be clean.

EDIT: Don't worry about misspelling my nickname i am already used to that ...