PDA

Click to See Complete Forum and Search --> : Still some leftover critters in my computer

fastwaves
July 26th, 2005, 11:47 PM
Here is my recent log...could someone tell me what to get rid of and how. The trusted zone files are impossible to get rid of. Your help is appreciated!

Logfile of HijackThis v1.99.0
Scan saved at 8:18:22 PM, on 7/26/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [Registering hhctrl.ocx..] C:\WINDOWS\SYSTEM\regsvr32 /s hhctrl.ocx
O4 - HKLM\..\RunOnce: [Registering itircl.dll..] C:\WINDOWS\SYSTEM\regsvr32 /s itircl.dll
O4 - HKLM\..\RunOnce: [Registering itss.dll..] C:\WINDOWS\SYSTEM\regsvr32 /s itss.dll
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKLM\..\RunOnce: [RegTLib] C:\WINDOWS\RegTLib.exe C:\WINDOWS\SYSTEM\StdOle2.Tlb
O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe C:\WINDOWS\SYSTEM\iernonce.dll,RunOnceExProcess
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.com/save/makeover.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Mayet
July 27th, 2005, 05:01 AM
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)


Those ones stand out straight away. The ip number address underneath those may need to be traced to see if you do allow it also.
slgrieb
July 28th, 2005, 01:53 PM
Impossible to get rid of how? Did HijackThis fail to remove them at all, or did they return on reboot? Have you run Ad Aware SE and Spybot S&D? Spybot's imunization feature should block these sites.
geoscomp
July 28th, 2005, 05:57 PM
you've got some others there as well:


C:\PROGRAM FILES\WINAMP\WINAMPA.EXE (this isnt winamp..this is added by the W32/spybot/br worm

O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe" (same thing)

O4 - HKLM\..\RunOnce: [Registering hhctrl.ocx..] C:\WINDOWS\SYSTEM\regsvr32 /s hhctrl.ocx

O4 - HKLM\..\RunOnce: [Registering itircl.dll..] C:\WINDOWS\SYSTEM\regsvr32 /s itircl.dll

O4 - HKLM\..\RunOnce: [Registering itss.dll..] C:\WINDOWS\SYSTEM\regsvr32 /s itss.dll

O4 - HKLM\..\RunOnce: [RegTLib] C:\WINDOWS\RegTLib.exe C:\WINDOWS\SYSTEM\StdOle2.Tlb

O4 - HKLM\..\RunOnce: [RunOnceEx] rundll32.exe C:\WINDOWS\SYSTEM\iernonce.dll,RunOnceExProcess

and of course all of the trusted zone stuff..