Trojan owns bind.exe

IP: *.tsi.tychy.pl 08.02.07, 18:17
For some time now my PC has been running slowly, so I decided to check it with an online scanner, specifically mks vir. It found a few viruses and dealt with all of them except one, and that is exactly the one giving me the biggest problem. It is called owns bind.exe and is located in the directory first file dash less. Has any of you come across this virus?? If so, I would like to know how to get rid of it.

Thanks in advance
    • Guest: Kolobos Re: Trojan owns bind.exe IP: *.escom.net.pl 08.02.07, 18:31
      Paste a HijackThis log.
      • Guest: Damian Re: Trojan owns bind.exe IP: *.tsi.tychy.pl 08.02.07, 18:47
        Logfile of HijackThis v1.99.1
        Scan saved at 18:46:27, on 2007-02-08
        Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\Ati2evxx.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\DAEMON Tools\daemon.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
        C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
        C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
        C:\Program Files\MSN Messenger\MsnMsgr.Exe
        C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
        c:\progra~1\intern~1\iexplore.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
        C:\Program Files\ewido anti-malware\ewidoctrl.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Azureus\Azureus.exe
        C:\Program Files\LimeWire\LimeWire.exe
        C:\Program Files\Mozilla Firefox\firefox.exe
        C:\Program Files\Tlen.pl\tlen.exe
        C:\Program Files\strongdc\StrongDC.exe
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
        C:\Program Files\FlashGet\flashget.exe
        C:\Program Files\WinRAR\WinRAR.exe
        C:\DOCUME~1\RWDO\USTAWI~1\Temp\Rar$EX01.125\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = runonce.msn.com/?v=msgrv75
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.tsi.tychy.pl:8080
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
        O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
        O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
        O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
        O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
        O4 - HKLM\..\Run: [ArcaMicroScanPro] "C:\Program Files\ArcaMicroScanPro\arcamicroscanpro.exe" /startup
        O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKCU\..\Run: [Komunikator] "C:\Program Files\Tlen.pl\tlen.exe" --confdir=home
        O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe
        O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
        O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
        O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S63.tmp"
        O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
        O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
        O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
        O4 - HKCU\..\Run: [theknob] C:\DOCUME~1\RWDO\DANEAP~1\MFCDCO~1\Mixkindchin.exe
        O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
        O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
        O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
        O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
        O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
        O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
        O15 - Trusted Zone: *.mks.com.pl
        O15 - Trusted Zone: www.mks.com.pl
        O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - mks.com.pl/skaner/SkanerOnline.cab
        O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
        O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - www.mks.com.pl/skaner/SkanerOnline.cab
        O17 - HKLM\System\CCS\Services\Tcpip\..\{9E2389D8-4FA5-45C0-9FC7-3A0D5CB7E83E}: NameServer = 83.142.120.242
        O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
        O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
        O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
        O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

        • Guest: Kolobos Re: Trojan owns bind.exe IP: *.escom.net.pl 08.02.07, 19:06
          In HJT remove:
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = runonce.msn.com/?v=msgrv75
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
          O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL <- delete the MyGlo... folder from disk.
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll <- delete the Yahoo! folder from disk.
          O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
          O4 - HKCU\..\Run: [theknob] C:\DOCUME~1\RWDO\DANEAP~1\MFCDCO~1\Mixkindchin.exe <- delete the MFCD... folder from disk.
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

          Delete the tasks in C:\Windows\tasks\ (if there are any). Also scan the system with ewido. If you have trouble deleting, use killbox.
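
As an added example (not part of the thread, and not HijackThis's own logic), the triage Kolobos does by eye can be written down as a small Python pass over lines in the HijackThis v1.99.1 format shown above: it flags O4 Run entries whose binary lives under the user's profile (the [theknob] entry launching from DANEAP~1, the 8.3 name of the Polish "Dane aplikacji" / Application Data folder) and O9 entries whose target is marked "(file missing)". The O4/O9 regexes and the profile-directory list are my assumptions about the log format; the sample lines are copied from the log posted above.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, copied from the log posted
# in this thread (wrapped lines rejoined).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [theknob] C:\DOCUME~1\RWDO\DANEAP~1\MFCDCO~1\Mixkindchin.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Assumed line shapes: "O4 - HKCU\..\Run: [name] command line" and
# "O9 - Extra button: name - {CLSID} - path".
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

# Per-user writable folders an autostart binary normally has no business in.
# DANEAP~1 / USTAWI~1 are the 8.3 names of the Polish "Dane aplikacji" and
# "Ustawienia lokalne" folders; this list is our assumption, not a HJT rule.
PROFILE_DIRS = ("\\DANEAP~1\\", "\\DANE APLIKACJI\\", "\\APPLICATION DATA\\",
                "\\USTAWI~1\\", "\\LOCAL SETTINGS\\", "\\TEMP\\")


def image_path(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"^(\S+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(log: str) -> list:
    """Return (section, entry name, reason) for every line worth a second look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = image_path(m["cmd"])
            if any(d in exe.upper() for d in PROFILE_DIRS):
                findings.append(("O4", m["name"], "autostart from user profile: " + exe))
        elif m := O9_RE.match(line):
            if m["path"].endswith("(file missing)"):
                findings.append(("O9", m["name"], "dangling IE button, target missing"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(section, name, reason, sep=" | ")
```

Entries in Program Files or System32 (hpfsched, Skype, the ATI service) pass untouched; only the two lines Kolobos singled out come back.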
    • Guest: Damian Re: Trojan owns bind.exe IP: *.tsi.tychy.pl 08.02.07, 21:59
      Logfile of HijackThis v1.99.1
      Scan saved at 21:52:55, on 2007-02-08
      Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\DAEMON Tools\daemon.exe
      C:\Program Files\QuickTime\qttask.exe
      C:\Program Files\ewido anti-spyware 4.0\ewido.exe
      C:\Program Files\Tlen.pl\tlen.exe
      C:\Program Files\Skype\Phone\Skype.exe
      C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
      C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      C:\Program Files\Gadu-Gadu\gg.exe
      C:\Program Files\MSN Messenger\MsnMsgr.Exe
      C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
      c:\progra~1\intern~1\iexplore.exe
      C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
      C:\Program Files\ewido anti-spyware 4.0\guard.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Winamp\winamp.exe
      C:\Documents and Settings\RWDO\Pulpit\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.pl/
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.tsi.tychy.pl:8080
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
      O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
      O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
      O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
      O4 - HKLM\..\Run: [ArcaMicroScanPro] "C:\Program Files\ArcaMicroScanPro\arcamicroscanpro.exe" /startup
      O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
      O4 - HKCU\..\Run: [Komunikator] "C:\Program Files\Tlen.pl\tlen.exe" --confdir=home
      O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\xtras\mssysmgr.exe
      O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S63.tmp"
      O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
      O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
      O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
      O4 - HKCU\..\Run: [theknob] C:\DOCUME~1\RWDO\DANEAP~1\MFCDCO~1\Mixkindchin.exe
      O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
      O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
      O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
      O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
      O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
      O15 - Trusted Zone: *.mks.com.pl
      O15 - Trusted Zone: www.mks.com.pl
      O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - mks.com.pl/skaner/SkanerOnline.cab
      O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
      O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - www.mks.com.pl/skaner/SkanerOnline.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{9E2389D8-4FA5-45C0-9FC7-3A0D5CB7E83E}: NameServer = 83.142.120.242
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
      O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
      O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

      This is what it looks like now. I had loads of problems after I deleted what I could delete, i.e. everything except Global... . The Internet stopped working; through friends I managed to download killbox, with which I deleted that Global... After that the Internet started working again, but my program for blocking registry entries still keeps blocking the Global toolbar. Thank you very much in advance
      • Guest: Kolobos Re: Trojan owns bind.exe IP: *.escom.net.pl 08.02.07, 22:10
        The entry is still there, exactly as before:
        O4 - HKCU\..\Run: [theknob] C:\DOCUME~1\RWDO\DANEAP~1\MFCDCO~1\Mixkindchin.exe

        > my program for blocking registry entries still keeps blocking the Global
        > toolbar

        What adds that entry? Or is SpyBot perhaps blocking the removal of the registry entry?
        • Guest: Damian Re: Trojan owns bind.exe IP: *.tsi.tychy.pl 08.02.07, 22:24
          This entry O4 - HKCU\..\Run: [theknob]
          C:\DOCUME~1\RWDO\DANEAP~1\MFCDCO~1\Mixkindchin.exe <<I cannot delete; after every
          deletion attempt it comes back.

          As for that program, I no longer know what it does, but it seems to me it wants to
          delete it and I unknowingly blocked it. Is there any way to undo this??
          • Guest: Kolobos Re: Trojan owns bind.exe IP: *.escom.net.pl 09.02.07, 00:03
            Disable/uninstall/reconfigure the program in which you blocked it.
