Please check my HijackThis log

IP: *.neoplus.adsl.tpnet.pl 09.05.05, 22:45
Logfile of HijackThis v1.99.1
Scan saved at 22:41:55, on 05-05-09
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PROFESSIONAL\AD-WATCH.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.specialgoods.info/ad/ad0276/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
www.eu.microsoft.com/poland/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F1 - win.ini: run=hpfsched
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pi..to.biz
O1 - Hosts: 127.0.0.3 pi..to.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)

    • neder Re: Please check my HijackThis log 09.05.05, 23:03
      The log did not fit in full.

      For now, boot into safe mode and uninstall MediaPass (via Add/Remove Programs, then check whether any leftovers of it remain in Program Files)

      Run HJ, choose "do a system scan only" and tick these entries:
      > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      > www.specialgoods.info/ad/ad0276/
      > O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
      > O1 - Hosts: 127.0.0.3 x.full-tgp.net
      > O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
      > O1 - Hosts: 127.0.0.3 autoescrowpay.com
      > O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
      > O1 - Hosts: 127.0.0.3 www.awmdabest.com
      > O1 - Hosts: 127.0.0.3 www.sexfiles.nu
      > O1 - Hosts: 127.0.0.3 awmdabest.com
      > O1 - Hosts: 127.0.0.3 sexfiles.nu
      > O1 - Hosts: 127.0.0.3 allforadult.com
      > O1 - Hosts: 127.0.0.3 www.allforadult.com
      > O1 - Hosts: 127.0.0.3 www.iframe.biz
      > O1 - Hosts: 127.0.0.3 iframe.biz
      > O1 - Hosts: 127.0.0.3 www.newiframe.biz
      > O1 - Hosts: 127.0.0.3 newiframe.biz
      > O1 - Hosts: 127.0.0.3 www.vesbiz.biz
      > O1 - Hosts: 127.0.0.3 vesbiz.biz
      > O1 - Hosts: 127.0.0.3 www.pi..to.biz
      > O1 - Hosts: 127.0.0.3 pi..to.biz
      > O1 - Hosts: 127.0.0.3 www.aaasexypics.com
      > O1 - Hosts: 127.0.0.3 aaasexypics.com
      > O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
      > O1 - Hosts: 127.0.0.3 virgin-tgp.net
      > O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
      > O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
      > Office\Office\OSA9.EXE -> not harmful, but unnecessary
      > O14 - IERESET.INF: SEARCH_PAGE_URL=
      > O14 - IERESET.INF: START_PAGE_URL=
      > O15 - Trusted Zone: *.windupdates.com
      > O15 - Trusted Zone: *.slotchbar.com
      > O15 - Trusted Zone: *.windupdates.com (HKLM)
      > O15 - Trusted Zone: *.skoobidoo.com (HKLM)
      > O15 - Trusted Zone: *.slotchbar.com (HKLM)
      > O15 - Trusted Zone: *.iframedollars.biz (HKLM)
      > O15 - Trusted IP range: 213.159.117.202
      > O15 - Trusted IP range: 213.159.117.202 (HKLM)

      and click Fix checked

      To remove the O15 entries, use KillTrusted:
      www.searchengines.pl/phpbb203/index.php?s=5debf1bfeab0c89e54567f66c39699f0&act=Attach&type=post&id=459
      Then boot into normal mode and paste a new log.
    • Guest: KOKO Re: Please check my HijackThis log IP: *.neoplus.adsl.tpnet.pl 10.05.05, 01:23
      Logfile of HijackThis v1.99.1
      Scan saved at 01:20:48, on 05-05-10
      Platform: Windows 98 SE (Win9x 4.10.2222A)
      MSIE: Internet Explorer v5.00 (5.00.2614.3500)

      Running processes:
      C:\WINDOWS\SYSTEM\KERNEL32.DLL
      C:\WINDOWS\SYSTEM\MSGSRV32.EXE
      C:\WINDOWS\SYSTEM\MPREXE.EXE
      C:\WINDOWS\SYSTEM\MSTASK.EXE
      C:\WINDOWS\SYSTEM\mmtask.tsk
      C:\WINDOWS\EXPLORER.EXE
      C:\WINDOWS\SYSTEM\INTERNAT.EXE
      C:\WINDOWS\TASKMON.EXE
      C:\WINDOWS\SYSTEM\SYSTRAY.EXE
      C:\WINDOWS\SOUNDMAN.EXE
      C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
      C:\PROGRAM FILES\GADU-GADU\GG.EXE
      C:\WINDOWS\NOTEPAD.EXE
      C:\WINDOWS\SYSTEM\WMIEXE.EXE
      C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
      www.specialgoods.info/ad/ad0276/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
      www.eu.microsoft.com/poland/
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      F1 - win.ini: run=hpfsched
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
      C:\WINDOWS\SYSTEM\MSDXM.OCX
      O4 - HKLM\..\Run: [internat.exe] internat.exe
      O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
      O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
      O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
      O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
      powrprof.dll,LoadCurrentPwrScheme
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
      C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
      C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
      O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
      O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
      O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
      powrprof.dll,LoadCurrentPwrScheme
      O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
      O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
      O14 - IERESET.INF: SEARCH_PAGE_URL=
      O14 - IERESET.INF: START_PAGE_URL=
      O15 - Trusted IP range: 213.159.117.202
      O15 - Trusted IP range: 213.159.117.202 (HKLM)

      • neder Re: Please check my HijackThis log 10.05.05, 08:48
        It's better now :) but there are still entries left to remove:

        > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
        > www.specialgoods.info/ad/ad0276/
        > R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
        > www.eu.microsoft.com/poland/ -> do not remove this one if you set the Microsoft page as your start page yourself
        > O14 - IERESET.INF: SEARCH_PAGE_URL=
        > O14 - IERESET.INF: START_PAGE_URL=
        > O15 - Trusted IP range: 213.159.117.202
        > O15 - Trusted IP range: 213.159.117.202 (HKLM)

        Did you remove the O15 entries with KillTrusted?
        • Guest: KOKO Re: Please check my HijackThis log IP: *.neoplus.adsl.tpnet.pl 10.05.05, 09:46
          Logfile of HijackThis v1.99.1
          Scan saved at 09:43:57, on 05-05-10
          Platform: Windows 98 SE (Win9x 4.10.2222A)
          MSIE: Internet Explorer v5.00 (5.00.2614.3500)

          Running processes:
          C:\WINDOWS\SYSTEM\KERNEL32.DLL
          C:\WINDOWS\SYSTEM\MSGSRV32.EXE
          C:\WINDOWS\SYSTEM\MPREXE.EXE
          C:\WINDOWS\SYSTEM\MSTASK.EXE
          C:\WINDOWS\SYSTEM\mmtask.tsk
          C:\WINDOWS\EXPLORER.EXE
          C:\WINDOWS\SYSTEM\INTERNAT.EXE
          C:\WINDOWS\TASKMON.EXE
          C:\WINDOWS\SYSTEM\SYSTRAY.EXE
          C:\WINDOWS\SOUNDMAN.EXE
          C:\WINDOWS\SYSTEM\SYSTRAY.EXE
          C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
          C:\PROGRAM FILES\GADU-GADU\GG.EXE
          C:\WINDOWS\SYSTEM\WMIEXE.EXE
          C:\WINDOWS\SYSTEM\DDHELP.EXE
          C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
          www.specialgoods.info/ad/ad0276/
          R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
          F1 - win.ini: run=hpfsched
          O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
          C:\WINDOWS\SYSTEM\MSDXM.OCX
          O4 - HKLM\..\Run: [internat.exe] internat.exe
          O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
          O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
          O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
          O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
          powrprof.dll,LoadCurrentPwrScheme
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
          C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
          O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
          C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
          O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
          O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
          O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
          O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
          powrprof.dll,LoadCurrentPwrScheme
          O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
          O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
          O14 - IERESET.INF: SEARCH_PAGE_URL=
          O14 - IERESET.INF: START_PAGE_URL=


          I did not remove the O15 entries with KillTrusted.
          • neder Re: Please check my HijackThis log 10.05.05, 11:25
            OK, the O15 entries are gone, so at least that is settled. You still have an interesting start page; try scanning in safe mode with this as well:
            forum.gazeta.pl/forum/72,2.html?f=430&w=14530041
            First download it and update it (do not scan yet), boot into safe mode -> now scan.

            For O14, try this:
            Tools > Internet Options > Programs > reset settings -> this should help

            Then run HJ and remove these entries:
            > R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
            > www.specialgoods.info/ad/ad0276/
            > O14 - IERESET.INF: SEARCH_PAGE_URL=
            > O14 - IERESET.INF: START_PAGE_URL=


            Restart and paste a new log.
            • Guest: KOKO Re: Please check my HijackThis log IP: *.neoplus.adsl.tpnet.pl 10.05.05, 13:28
              Logfile of HijackThis v1.99.1
              Scan saved at 13:26:32, on 05-05-10
              Platform: Windows 98 SE (Win9x 4.10.2222A)
              MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

              Running processes:
              C:\WINDOWS\SYSTEM\KERNEL32.DLL
              C:\WINDOWS\SYSTEM\MSGSRV32.EXE
              C:\WINDOWS\SYSTEM\MPREXE.EXE
              C:\WINDOWS\SYSTEM\MSTASK.EXE
              C:\WINDOWS\SYSTEM\mmtask.tsk
              C:\WINDOWS\SYSTEM\DDHELP.EXE
              C:\WINDOWS\SYSTEM\PSTORES.EXE
              C:\WINDOWS\EXPLORER.EXE
              C:\WINDOWS\SYSTEM\INTERNAT.EXE
              C:\WINDOWS\TASKMON.EXE
              C:\WINDOWS\SYSTEM\SYSTRAY.EXE
              C:\WINDOWS\SOUNDMAN.EXE
              C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
              C:\PROGRAM FILES\GADU-GADU\GG.EXE
              C:\WINDOWS\SYSTEM\WMIEXE.EXE
              C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
              www.specialgoods.info/ad/ad0276/
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
              F1 - win.ini: run=hpfsched
              O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
              C:\WINDOWS\SYSTEM\MSDXM.OCX
              O4 - HKLM\..\Run: [internat.exe] internat.exe
              O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
              O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
              O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
              O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
              powrprof.dll,LoadCurrentPwrScheme
              O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
              C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
              O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
              O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
              C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
              O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
              O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
              O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
              O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
              powrprof.dll,LoadCurrentPwrScheme
              O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
              O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
              O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
              C:\WINDOWS\web\related.htm
              O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
              00aa003c157a} - C:\WINDOWS\web\related.htm

          • Guest: Kolobos Re: Please check my HijackThis log IP: *.warszawa.sdi.tpnet.pl 10.05.05, 11:49
            Start Windows in safe mode and make a log with this:
            www.silentrunners.org/Silent%20Runners.vbs
            Then paste it here.

            Install the new IE:
            download.microsoft.com/download/ie6sp1/finrel/6_sp1/W98NT42KMeXP/PL/ie6setup.exe

            An antivirus wouldn't hurt either:
            www.free-av.com/
            And also these:
            www.safer-networking.org/pl/mirrors/index.html <- SpyBot S&D -> scan and enable browser protection
            www.javacoolsoftware.com/spywareblaster.html <- SpywareBlaster -> enable browser protection
            www.wilderssecurity.net/spywareguard.html <- SpywareGuard
            • Guest: KOKO Re: Please check my HijackThis log IP: *.neoplus.adsl.tpnet.pl 10.05.05, 12:18
              "Silent Runners.vbs", revision 36, www.silentrunners.org/
              Operating System: Windows 98
              Output limited to non-default values, except where indicated by "{++}"


              Startup items buried in registry:
              ---------------------------------

              HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
              "Gadu-Gadu" = ""C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray" ["sms-express.com"]

              HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
              "internat.exe" = "internat.exe" [MS]
              "ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
              "TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
              "SystemTray" = "SysTray.Exe" [MS]
              "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
              "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup" [MS]
              "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
              "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit"
              [MS]
              "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
              "Zasobnik systemowy" = "SysTray.Exe" [MS]
              "WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

              HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
              "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
              "SchedulingAgent" = "C:\WINDOWS\SYSTEM\mstask.exe" [MS]

              HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
              "{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Dial-Up Networking"
              -> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
              "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
              -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVCPL.DLL" ["NVIDIA
              Corporation"]
              "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
              -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL"
              ["NVIDIA Corporation"]
              "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
              -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL"
              ["NVIDIA Corporation"]
              "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
              -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL"
              ["NVIDIA Corporation"]
              "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
              -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll"
              [null data]

              HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
              INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking
              Memory Support"
              -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [null
              data]


              Enabled Wallpaper and Active Desktop:
              -------------------------------------

              Active Desktop is enabled.


              WIN.INI & SYSTEM.INI launch points:
              -----------------------------------

              WIN.INI
              [windows]
              INFECTION WARNING! "run=hpfsched" [null data]


              Enabled Scheduled Tasks:
              ------------------------

              "Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [MS]


              Winsock2 Service Provider DLLs:
              -------------------------------

              Namespace Service Providers

              HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5
              \Catalog_Entries\ {++}
              000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

              Transport Service Providers

              HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9
              \Catalog_Entries\ {++}
              00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
              C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
              C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
              C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


              ----------
              This report excludes default entries except where indicated.
              To see *everywhere* the script checks and *everything* it finds,
              launch it from a command prompt or a shortcut with the -all parameter.
              ----------
              • Guest: Kolobos Re: Please check my HijackThis log IP: *.warszawa.sdi.tpnet.pl 10.05.05, 14:01
                OK, now it is in plain sight:

                Start->Run->regedit
                Go to:
                Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
                and delete this key there:
                "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"

                Then delete this file with KillBox:
                C:\WINDOWS\System32\param32.dll

                And in HijackThis remove this entry:
                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                www.specialgoods.info/ad/ad0276/

                When you are done, paste a new HijackThis log :-)
                • Guest: KOKO Re: Please check my HijackThis log IP: *.neoplus.adsl.tpnet.pl 10.05.05, 14:23
                  Logfile of HijackThis v1.99.1
                  Scan saved at 14:22:02, on 05-05-10
                  Platform: Windows 98 SE (Win9x 4.10.2222A)
                  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                  Running processes:
                  C:\WINDOWS\SYSTEM\KERNEL32.DLL
                  C:\WINDOWS\SYSTEM\MSGSRV32.EXE
                  C:\WINDOWS\SYSTEM\MPREXE.EXE
                  C:\WINDOWS\SYSTEM\MSTASK.EXE
                  C:\WINDOWS\SYSTEM\mmtask.tsk
                  C:\WINDOWS\EXPLORER.EXE
                  C:\WINDOWS\SYSTEM\INTERNAT.EXE
                  C:\WINDOWS\TASKMON.EXE
                  C:\WINDOWS\SOUNDMAN.EXE
                  C:\WINDOWS\SYSTEM\SYSTRAY.EXE
                  C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
                  C:\PROGRAM FILES\GADU-GADU\GG.EXE
                  C:\WINDOWS\SYSTEM\WMIEXE.EXE
                  C:\WINDOWS\SYSTEM\PSTORES.EXE
                  C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
                  www.google.pl/
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                  F1 - win.ini: run=hpfsched
                  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
                  C:\WINDOWS\SYSTEM\MSDXM.OCX
                  O4 - HKLM\..\Run: [internat.exe] internat.exe
                  O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
                  O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
                  O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
                  O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
                  powrprof.dll,LoadCurrentPwrScheme
                  O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
                  C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
                  O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                  O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
                  C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
                  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
                  O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe
                  O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
                  O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
                  powrprof.dll,LoadCurrentPwrScheme
                  O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
                  O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
                  O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} -
                  C:\WINDOWS\web\related.htm
                  O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-
                  00aa003c157a} - C:\WINDOWS\web\related.htm



                  and at last everything is working normally (-: thank you sooo much for the help.
                  Regards.
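
The check repeated by hand throughout this thread (compare the entries a helper asked to have fixed against the next pasted log) can be scripted. This is an added example, not part of the original posts; the sample fix list and rescan are constructed from entries shown in the thread, and the function names and the rule for rejoining wrapped lines are assumptions.

```python
import re

# Section codes that open a HijackThis entry, e.g. "R0 - ", "F1 - ", "O15 - ".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


def parse_entries(text):
    """Return [(code, value), ...], rejoining entries the forum wrapped."""
    entries, open_entry = [], False
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ")  # drop reply-quote markers
        match = ENTRY.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
            open_entry = True
        elif line and open_entry:
            prev = entries[-1][1]
            # Assumed heuristic: a GUID split at a hyphen is joined directly,
            # any other wrapped line is joined with a single space.
            glue = "" if prev.endswith("-") and not prev.endswith(" -") else " "
            entries[-1][1] = prev + glue + line
        else:
            # Blank line, header or process list: not part of an entry.
            open_entry = False
    return [(code, value) for code, value in entries]


def _key(entry):
    """Normalise whitespace and case so re-pasted lines compare equal."""
    code, value = entry
    return code, " ".join(value.split()).casefold()


def unfixed(fix_list, rescan):
    """Entries from the fix list that still appear in the follow-up scan."""
    present = {_key(e) for e in parse_entries(rescan)}
    return [e for e in parse_entries(fix_list) if _key(e) in present]


def cleared(fix_list, rescan):
    """Entries from the fix list that are gone from the follow-up scan."""
    present = {_key(e) for e in parse_entries(rescan)}
    return [e for e in parse_entries(fix_list) if _key(e) not in present]


# Constructed sample: a quoted fix list and a shortened follow-up log,
# built from entries that appear in the thread.
FIX_LIST = r"""
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> www.specialgoods.info/ad/ad0276/
> O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
> O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
> O15 - Trusted Zone: *.windupdates.com (HKLM)
> O15 - Trusted IP range: 213.159.117.202
"""

RESCAN = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.specialgoods.info/ad/ad0276/
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O15 - Trusted IP range: 213.159.117.202
"""

if __name__ == "__main__":
    for code, value in unfixed(FIX_LIST, RESCAN):
        print("still present:", code, "-", value)
    for code, value in cleared(FIX_LIST, RESCAN):
        print("cleared:      ", code, "-", value)
```
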