[ multipleksor @ 19.07.2009. 20:55 ] @
Suddenly the active window starts flickering and it goes on for a while; for as long as it lasts the CPU is at 100% and I can't do anything. I also scanned with Kaspersky 7.0 and it finds nothing.
What should I do?
[ Dashkes @ 19.07.2009. 21:01 ] @
Download the program HijackThis.
Once you have downloaded it, rename the file to anything, e.g. "destruct0.exe". Run it and click "Do a system scan and save a logfile". Paste that log here.
[ multipleksor @ 19.07.2009. 21:47 ] @
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:13 PM, on 7/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Amra\Desktop\alen.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/wi...t/wuweb_site.cab?1236679581725
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/mi...t/muweb_site.cab?1236681721061
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F089C11-2FB8-43D4-AB69-3C4729E13E07}: NameServer = 195.66.160.1 195.66.160.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 5473 bytes
[ Dashkes @ 19.07.2009. 21:53 ] @
Tick the following items and click "Fix checked":
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
After that restart the computer and make a new log.

If you can, pack the file
C:\Win\lsass.exe
into a ".rar"/".zip" with the password "virus", upload it to Rapidshare and send me the link by PM.

Download the program Dr.Web CureIt!.

• After downloading, restart the computer in Safe Mode (keep pressing F8 while the computer boots and, when the menu appears, choose Safe Mode).
• When Safe Mode has loaded, run Dr.Web CureIt!.
• When it starts, choose Start. It will automatically begin scanning the computer. Let it scan (that is the Express Scan).
• When it finishes scanning, choose the full scan - Complete scan - and on the right-hand side press the Start Scanning button (it looks like a Play button).
I have to warn you that the complete scan can take several hours!

Post the CureIt! log (pack it into a ".rar" archive and upload it); it is located in C:\Documents and Settings\USERNAME\DoctorWeb\
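As an added example (not code from the thread or from any of the tools mentioned), a small Python check that does what the reply above does by eye: it parses the O4 Run entries of a HijackThis log and flags any image that borrows the name of a core Windows process but does not live in a system directory, which is exactly why the run32 entry stood out. The sample lines are copied from the log posted above; the list of system process names and of legitimate directories is an assumption for a default XP install on C:.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4 lines taken from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [run32] C:\Win\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed: names of core Windows processes that malware likes to borrow.
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "explorer.exe",
}
# Assumed: where those names legitimately live (default XP install drive,
# compared case-insensitively and as whole directories, so that a lookalike
# such as C:\Win is not mistaken for a prefix of C:\WINDOWS).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (HK[A-Z]+\\\.\.\\\w+): \[([^\]]*)\] (.+)$")


def command_path(value):
    """Return the executable part of an O4 command, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split()[0]  # unquoted: the first token is the image path


def find_masquerading(log_text):
    """Return (registry key, value name, image path) for every O4 Run entry whose
    image uses a system process name outside the system directories."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        key, name, value = m.groups()
        path = PureWindowsPath(command_path(value))
        if path.name.lower() not in SYSTEM_NAMES:
            continue
        # A bare name (parent ".") is resolved through the search path at
        # logon, so it is flagged as well: only a full system path is trusted.
        if str(path.parent).lower() not in SYSTEM_DIRS:
            findings.append((key, name, str(path)))
    return findings
```

Running `find_masquerading(SAMPLE_LOG)` reports only the run32 entry; the genuine ctfmon.exe in system32 and the non-system names pass.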
[ multipleksor @ 19.07.2009. 21:58 ] @
I'll do it tomorrow and send it to you, since it's late tonight.

Thank you very much for helping me out!
[ Dashkes @ 19.07.2009. 22:23 ] @
You're welcome. :)
The most important thing is that you are protected from viruses.
[ multipleksor @ 20.07.2009. 12:39 ] @
Here is what I saved of what DrWeb did:
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music\My Playlists;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music\Sample Music;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000EF83A;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Pictures;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures;Win32.HLLW.Gavir.ini;Deleted.;
Alen.exe;C:\Documents and Settings\Amra\My Documents;Trojan.Click.26018;Incurable.Moved.;
A0016852.exe;C:\System Volume Information\_restore{DEE782E3-DEDC-45EC-9992-BA8EF273DE3C}\RP92;Trojan.Click.26018;Incurable.Moved.;
A0016870.exe;C:\System Volume Information\_restore{DEE782E3-DEDC-45EC-9992-BA8EF273DE3C}\RP92;Trojan.Click.26018;Incurable.Moved.;
A0016916.exe;C:\System Volume Information\_restore{DEE782E3-DEDC-45EC-9992-BA8EF273DE3C}\RP93;Trojan.Click.26018;Incurable.Moved.;
A0017040.exe;C:\System Volume Information\_restore{DEE782E3-DEDC-45EC-9992-BA8EF273DE3C}\RP95;Trojan.Click.26018;Incurable.Moved.;
vistatransformationpack801.exe/Vista Transformation Pack 8.0.1.exe\data026;D:\Alenova dokumenta\Alen STARO\alen update\vistatransformationpack801.exe/Vista Transformation Pack 8.0.1.exe;Tool.Prockill;;
vistatransformationpack801.exe/Vista Transformation Pack 8.0.1.exe/data033\data009;D:\Alenova dokumenta\Alen STARO\alen update\vistatransformationpack801.exe/Vista Transformation Pack 8.0.1.exe/data033;Tool.Prockill;;
data033;D:\Alenova dokumenta\Alen STARO\alen update;Archive contains infected objects;;
Vista Transformation Pack 8.0.1.exe;D:\Alenova dokumenta\Alen STARO\alen update;Archive contains infected objects;;
vistatransformationpack801.exe;D:\Alenova dokumenta\Alen STARO\alen update;Archive contains infected objects;Moved.;
A0017070.exe/Vista Transformation Pack 8.0.1.exe\data026;D:\System Volume Information\_restore{DEE782E3-DEDC-45EC-9992-BA8EF273DE3C}\RP95\A0017070.exe/Vista Transformation Pack 8.0.1.e;Tool.Prockill;;
A0017070.exe/Vista Transformation Pack 8.0.1.exe/data033\data009;D:\System Volume Information\_restore{DEE782E3-DEDC-45EC-9992-BA8EF273DE3C}\RP95\A0017070.exe/Vista Transformation Pack 8.0.1.e;Tool.Prockill;;
data033;D:\System Volume Information\_restore{DEE782E3-DEDC-45EC-9992-BA8EF273DE3C}\RP95;Archive contains infected objects;;
Vista Transformation Pack 8.0.1.exe;D:\System Volume Information\_restore{DEE782E3-DEDC-45EC-9992-BA8EF273DE3C}\RP95;Archive contains infected objects;;
A0017070.exe;D:\System Volume Information\_restore{DEE782E3-DEDC-45EC-9992-BA8EF273DE3C}\RP95;Archive contains infected objects;Moved.;

NOTE: I got this by going to "Save report" or something like that after DrWeb finished its job.
I couldn't find it at the location on the disk that you gave me.

Here is the link too; I couldn't put it into a rar because the machine is freezing terribly, I barely managed even this:
http://rapidshare.com/files/257908534/DrWeb.csv.html
[ multipleksor @ 20.07.2009. 12:51 ] @
Here is the HijackThis log after DrWeb as well:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:56 PM, on 7/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\T-Mobile\web'n'walk Manager\web'n'walk Manager.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Amra\Desktop\alen.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/wi...t/wuweb_site.cab?1236679581725
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/mi...t/muweb_site.cab?1236681721061
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 5242 bytes
[ multipleksor @ 20.07.2009. 12:53 ] @
And after all that, the same thing keeps happening!!!!

Will I get rid of the problem if I reinstall it?
[ Dashkes @ 20.07.2009. 13:46 ] @
The log is clean. Some programs must be conflicting with each other.
When the freeze happens, open Task Manager and see which process is responsible (click the CPU column twice).
[ 93 Stefan @ 21.07.2009. 17:21 ] @
If it is what Dashkes says, maybe try trimming down these programs that start with Windows:
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
As for the ATI one I don't know whether it is needed, though probably not, at least that's how it is with nVidia; all the rest you can freely delete. If it isn't that, it is possible your HDD is dying (that happened to me once; in the end I couldn't play CS even at the lowest resolution), but I would sooner say it's Kaspersky. Which one do you have anyway?

[This message was edited by Dashkes on 21.07.2009. at 19:23 GMT+1]