karen1to, на вирусы проверяться не пробовал?

[yurfed]

karen1to, это вирус. Лепится к ЕХЕ и файлам заставок. Гляди на вирусевичи.
Как называется не помню.
Жил у меня такой пока не убил

[Severny]

karen1to,
Скачай Cureit , и проверь системный диск в безопасном режиме.
Скачай HijackThis
сделай лог и выкладывай здесь.
Скачай AVZ , распакуй, обнови и перейди в меню
Файл-Исследование системы. Полученный лог запакуй и выкладывай здесь.

[karen1to]

1) проверил, ниче интересного не нашел
2) Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:07:06, on 02/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE
C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
C:\PROGRA~1\ERGOMO~1\MouseElf.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\TaskSwitch.exe
C:\Program Files\ICQ6\ICQ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\karen1to\Ðàáî÷èé ñòîë\Íîâàÿ ïàïêà (2)\cureit.exe
C:\DOCUME~1\karen1to\LOCALS~1\Temp\RarSFX1\_start.exe
C:\DOCUME~1\karen1to\LOCALS~1\Temp\RarSFX1\setup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\karen1to\Ðàáî÷èé ñòîë\Íîâàÿ ïàïêà (2)\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.ru/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Nnueee
R3 - URLSearchHook: (no name) - {83821C2B-32A8-4DD7-B6D4-44309A78E668} - C:\Documents and Settings\karen1to\Application Data\Mra\Update\mrasearch.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Mario Forever Toolbar Helper - {A20854FD-DDB5-4931-8F76-D11EA2364D94} - C:\Program Files\Mario Forever Toolbar\v3.2.0.0\MarioForever_Toolbar.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Mario Forever Toolbar - {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - C:\Program Files\Mario Forever Toolbar\v3.2.0.0\MarioForever_Toolbar.dll
O3 - Toolbar: PROMT - {FF284F5C-7CF9-4682-8701-D467C1DBB99F} - C:\Program Files\PRMT6\PRMTIE\prmtie.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX520 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE /P31 "EPSON Stylus Photo RX520 Series" /O6 "USB001" /M "Stylus Photo RX520"
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\ASUS\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\ERGOMO~1\MouseElf.EXE
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [ßðëûê äëÿ ñòðàíèöû ñâîéñòâ High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\TaskSwitch.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Ýêñïîðò â Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Coaoenoeea Aaa-Aioeae?ona - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Mail.Ru Aaaio - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\Program Files\Mail.Ru\Agent\magent.exe
O9 - Extra 'Tools' menuitem: Mail.Ru Aaaio - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\Program Files\Mail.Ru\Agent\magent.exe
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra 'Tools' menuitem: Ia?aaanoe - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\PRMT6\PRMTIE\prmtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT6\PRMTIE\options.htm
O9 - Extra 'Tools' menuitem: Iano?ieea ia?aiao?ia ia?aaiaa - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\PRMT6\PRMTIE\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: I?aacaa?oc?ee Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Aaiii eyoa eaoaai?ee eiiiiiaioia - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ?o?iae niauoee (Eventlog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Neo?aa COM caiene eiiiaeo-aeneia IMAPI (ImapiService) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\imapi.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: Aeniao?a? naaina ni?aaee aey oaaeaiiiai ?aai?aai noiea (RDSessMgr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Nia?o-ea?ou (SCardSvr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: ?o?iaeu e iiiaauaiey i?iecaiaeoaeuiinoe (SysmonLog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Oaiaaia eiie?iaaiea oiia (VSS) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Aaaioa? i?iecaiaeoaeuiinoe WMI (WmiApSrv) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 9451 bytes

3) выложить не могу.....(

[Severny]

Цитата karen1to:

3) выложить не могу.....( »

А почему же? Кидай на zalil.ru

[karen1to]

Severny, как? (у мня эксплорер не работает)

[Severny]

Цитата karen1to:

Severny, как? (у мня эксплорер не работает) »

Ну да
В AVZ меню Файл -- Выполнить скрипт
Скопируй код и нажми "запустить".
Комп перезагрузится.

Код:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
ExecuteRepair(1);
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(7);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(10);
ExecuteRepair(11);
ExecuteRepair(16);
RebootWindows(true);
end.

[karen1to]

и что должно было произойти?
ЗЫ. тока цвет рабочего стола поменялся....

[Severny]

karen1to,
В Hijack пофикси это
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Nnueee
R3 - URLSearchHook: (no name) - {83821C2B-32A8-4DD7-B6D4-44309A78E668} - C:\Documents and Settings\karen1to\Application Data\Mra\Update\mrasearch.dl
O2 - BHO: Mario Forever Toolbar Helper - {A20854FD-DDB5-4931-8F76-D11EA2364D94} - C:\Program Files\Mario Forever Toolbar\v3.2.0.0\MarioForever_Toolbar.dll
O3 - Toolbar: Mario Forever Toolbar - {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - C:\Program Files\Mario Forever Toolbar\v3.2.0.0\MarioForever_Toolbar.dll