
help required in cleaning a trusted zone problem

Discussion in 'Malware and Virus Removal Archive' started by hapless, 2005/01/14.

Thread Status:
Not open for further replies.
  1. 2005/01/14
    hapless

    hapless Inactive Thread Starter

    Joined:
    2005/01/14
    Messages:
    1
    Likes Received:
    0
    Hi, I did something so stupid and clicked a link I should have known better than to click.

    The upshot was I got infected before I could stop it - my usual defence is to restart in safe mode and delete any exe and dll files that I had just picked up. A stubborn one was msiyr.dll but I eventually got rid of it.

    Now I ran HijackThis but it was continually showing trusted zone 63.219.187.7 which, no matter how many times I checked it, it would not remove. I updated to HijackThis 1.99 and ran it; it removed it, but now there are different trusted zone URLs appearing. I will paste the HijackThis log. They are the O15 lines, I presume.

    If anyone can help me to fix whatever is infecting/sitting in the computer I would very much appreciate it. It is basically resetting my browser homepage and who knows what else.

    I have usually been successful in removing any infiltrations by starting in safe mode and removing the dll or exe files that were picked up and installed. I would greatly appreciate any help anyone could offer.

    Thanks

    Logfile of HijackThis v1.99.0
    Scan saved at 4:01:16 AM, on 01/15/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\PGPSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    D:\Tools_95\Register\REMIND.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 99\DMHKEY.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    D:\TOOLS_95\IMGICON.EXE
    C:\PROGRAM FILES\PGP CORPORATION\PGP FOR WINDOWS 98\PGPTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    F1 - win.ini: load=D:\TOOLS_95\REGISTER\remind.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [PGPSERV] C:\WINDOWS\SYSTEM\PGPserv.exe
    O4 - HKCU\..\Run: [RealJukeboxSystray] C:\Program Files\Real\RealJukebox\tsystray.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 99\DMHKEY.EXE
    O4 - Startup: Shortcut to FSScrCtl.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Iomega Watch.lnk = D:\Tools_95\IOWATCH.EXE
    O4 - Startup: Iomega Startup Options.lnk = D:\Tools_95\IMGSTART.EXE
    O4 - Startup: Iomega Disk Icons.lnk = D:\Tools_95\imgicon.exe
    O4 - Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 98\PGPtray.exe
    O8 - Extra context menu item: Liatro SWF Decoder Catch - G:\PROGRAM FILES\LIATRO\LIATRO SWF DECODER 4.5\swfcatch.htm
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRAM FILES\YAHOO\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRAM FILES\YAHOO\MESSENGER\YPAGER.EXE
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ozemail
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.178,69.31.80.244
     
  2. 2005/01/14
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    You've got a baddie that doesn't look like one.
    First take HJT off of the desktop and put it into its own folder, unless you want some strange items appearing on your desktop, and one will be a baddie.

    Remove these.

    O4 - Startup: PowerReg Scheduler.exe
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)

    Delete the file "PowerReg Scheduler.exe"; it may appear in the HJT folder after removal. Or you could remove it from Start\Programs\Startup, and then delete it.
     


  4. 2005/01/15
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    This was part of the infection
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F547C77-48D2-49C6-8292-C0D6B22E47CA}: NameServer = 69.50.166.94,69.31.80.244

    Have HijackThis fix it.

    If fixing those O15 - Trusted IP range entries doesn't work, use the attachment:
    save it to your desktop, right click and rename it to clearzones&ranges.reg,
    then run the reg file. You will have to re-protect again if SpywareBlaster is installed, re-immunize if Spybot is installed, and/or reinstall IE-SPYAD.
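As an added example, not code from this thread or from HijackThis itself: a small Python triage script that reads HijackThis log lines and pulls out the two indicators the replies above turn on, the O15 Trusted Zone / Trusted IP range entries (with the hive they sit in) and O17 NameServer entries that point at DNS servers other than the ones the ISP assigns. The sample log lines are constructed from this thread's log; EXPECTED_DNS is a placeholder, since the poster's real ISP nameservers are not on the page, and the assumption that an O15 line without "(HKLM)" belongs to the per-user hive is marked in the code.

```python
import ipaddress
import re

# Constructed sample log, modelled on the O4/O15/O17 lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - Startup: PowerReg Scheduler.exe
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = ozemail
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.178,69.31.80.244
"""

# Placeholder for the DNS servers the ISP actually assigns (not given on the page).
EXPECTED_DNS = ["203.0.113.53", "203.0.113.54"]

# HijackThis item lines start with a section tag such as F1, O4, O15, O17, R0.
SECTION_RE = re.compile(r"^([FNOR]\d+) - ")
# O15 lines: "Trusted Zone: host" or "Trusted IP range: a.b.c.d",
# with a trailing "(HKLM)" when the entry lives in the machine hive.
O15_RE = re.compile(r"^O15 - Trusted (?:Zone|IP range): (?P<target>\S+)(?: \((?P<hive>HKLM)\))?$")
# O17 lines: "<registry key>: <Domain|NameServer|SearchList> = <value>".
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>Domain|NameServer|SearchList) = (?P<value>.+)$")


def parse_sections(log_text):
    """Return (section, line) pairs for every HijackThis item line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return entries


def trusted_zone_entries(log_text):
    """List O15 trusted zone / IP range entries with the hive they were found in."""
    hits = []
    for section, line in parse_sections(log_text):
        if section != "O15":
            continue
        m = O15_RE.match(line)
        if m:
            # Assumption: an entry without "(HKLM)" is the per-user (HKCU) hive.
            hits.append({"target": m.group("target"),
                         "hive": m.group("hive") or "HKCU",
                         "line": line})
    return hits


def rogue_nameserver_entries(log_text, expected_dns):
    """List O17 NameServer entries that name any server outside expected_dns."""
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    findings = []
    for section, line in parse_sections(log_text):
        if section != "O17":
            continue
        m = O17_RE.match(line)
        if not m or m.group("name") != "NameServer":
            continue
        servers = [s.strip() for s in m.group("value").split(",") if s.strip()]
        unexpected = []
        for s in servers:
            try:
                if ipaddress.ip_address(s) not in expected:
                    unexpected.append(s)
            except ValueError:  # not a parseable address: treat as suspicious
                unexpected.append(s)
        if unexpected:
            findings.append({"key": m.group("key"), "servers": servers,
                             "unexpected": unexpected, "line": line})
    return findings


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Summarise the two indicators this thread turns on: O15 entries and rogue O17 DNS."""
    return {"trusted_zones": trusted_zone_entries(log_text),
            "rogue_dns": rogue_nameserver_entries(log_text, expected_dns)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["trusted_zones"]:
        print(f"O15 trusted entry {hit['target']} in {hit['hive']}: review and fix")
    for hit in result["rogue_dns"]:
        print(f"O17 NameServer points at {', '.join(hit['unexpected'])}: review and fix")
```

Run it against a saved log by replacing SAMPLE_LOG with the file contents and EXPECTED_DNS with the nameservers the ISP really hands out; any O15 entry the user did not add, and any O17 NameServer outside that set, is what the replies above say to have HijackThis fix.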
     