Paizhao.exe i Recovery.exe

Paizhao.exe i Recovery.exe

offline
  • Pridružio: 18 Dec 2003
  • Poruke: 7953
  • Gde živiš: Graceland

Evo loga vezanog za
http://www.mycity.rs/Zastita/Paizhao-exe.html

Dakle, instalirao sam k-lite kodec.

Logfile of HijackThis v1.99.1
Scan saved at 22:12:55, on 20.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
D:\Program Files\PTBSync\PTBSync.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\DOCUME~1\Vlada\LOCALS~1\Temp\{CEBFC9D8-72DD-4354-B508-D80457B1DA01}\Infosystem_by adni18.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\Trillian\trillian.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Documents and Settings\Vlada\Desktop\pera.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [kis] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [PTBSync] D:\Program Files\PTBSync\PTBSync.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\Paizhao.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Recovery.EXE
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [dptracker] C:\Program Files\DigitalPeers\CamTrack\dptracker.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Infosystem_by adni18.lnk = D:\Program Files\Infosystem\Infosystem_by adni18.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: D:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8-) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Uploadovao sam ta dva fajla.
Sad cu da ih proverim na onom sajtu.

Hvala!

Dopuna: 20 Jan 2008 22:20

Analiza za Paizhao.exe:
File has already been analysed:MD5: 98ff556821502ac055717e732b98fd33
Date: 12.06.2007 17:43:10 (CET) [>45D]
Results: 0/32
Permalink: analisis/56d33d97f4c057d77b7fe7dfc31c2a56

Za ovaj drugi:
File has already been analysed:MD5: e45b115037c5cb7d880236862eb7c704
Date: 01.19.2008 20:41:03 (CET) [+1D]
Results: 0/32
Permalink: analisis/b65c3530f3664653929924c10ffd2386

Jel to znaci da nisu virusi?

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Poslao sam ih u sandbox na analizu. Rezultati ce biti za jedno 10 minuta.
Imacemo izvestaj sta ti fajlovi rade, tj. koja im je funkcija.

Dopuna: 20 Jan 2008 22:31

Paizhao je pao u sandboxu zato sto nije nasao ksproxy.ax na sandbox sistemu. ksproxy.ax je izgleda deo DirectX-a (Google tako kaze).

Recovery.exe je pristupio delu registry baze i procitao par kljuceva vezanih za msvideo, i onda je samo nastavio da cuci i ceka.

Paizhao nosi signaturu ZSMCSNAP, a Recovery.exe nosi signaturu Vimicro.

Imas li neku kameru od Vimicro?

offline
  • Pridružio: 18 Dec 2003
  • Poruke: 7953
  • Gde živiš: Graceland

Imam jednu kameru novog proizvodjaca... iNTEX
Neka promotivna... Radi u mraku Smile

Izgleda da sam digao frku za dzabe, mada sam se malo uzentao kad je kaspersky poskocio Embarassed

Ko je trenutno na forumu
 

Ukupno su 1318 korisnika na forumu :: 45 registrovanih, 3 sakrivenih i 1270 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: _Rade, Asparagus, babaroga, Battlehammer, bladesu, Bobrock1, Botovac, Brana01, cenejac111, Centauro, DeerHunter, dencorr, Fabius, Georgius, Griffon vulture, Ivica1102, Kruger, kunktator, kuntalo, Lieutenant, loon123, Marko Marković, Mcdado, milan.vukovic, milenko crazy north, milutin134, mnn2, operniki, opt1, pein, procesor, rodoljub, sasa87, slonic_tonic, Srle993, stegonosa, t84dar, vaso1, vathra, virked, vladaa012, voja64, vukovi, W123, YU-UKI