Trojaner-Board

Thread: Userinit was replaced by pvrjz.exe (https://www.trojaner-board.de/70367-userinit-wurde-ersetzt-pvrjz-exe.html)

Dyna 24.02.2009 12:53

Userinit was replaced by pvrjz.exe

I have a system here on which userinit has apparently been replaced. Every time, the file system32\pvrjz.exe is started as "userinit". If I rename the file, no successful login is possible; the user is logged off again immediately.

How should I proceed?

Many thanks

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:20, on 24.02.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\CASIO\Photo Loader\Plauto.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
G:\Tools\Anti Spyware\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Dokumente und Einstellungen\Matthias\Anwendungsdaten\Macromedia\Common\2a5260181.dll""
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Macromedia\Common\2a5260181.dll"" (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader resident.lnk = C:\Programme\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134055363296
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6566 bytes
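An added check for the symptom described above (example code, not from the original post): the Winlogon Userinit value is a comma-separated list of programs Winlogon starts at logon, so when it points at pvrjz.exe instead of userinit.exe, renaming the file leaves nothing to start and the session ends immediately. The script parses such a value, flags entries that are not the default userinit.exe and warns when the default is absent, so the value can be repaired before the file is removed; the registry path is the real Winlogon key, the sample value is constructed.

```python
import sys
from dataclasses import dataclass

# Registry key Winlogon reads at logon (real path; the reader below is an added helper).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


@dataclass
class Finding:
    entry: str
    reason: str


def _normalize(entry: str, system_root: str) -> str:
    # Strip quotes and whitespace, expand %systemroot%, compare case-insensitively.
    e = entry.strip().strip('"').lower()
    return e.replace("%systemroot%", system_root.lower())


def audit_userinit(value: str, system_root: str = r"C:\WINDOWS") -> list:
    """Check a Winlogon Userinit value. Winlogon starts every comma-separated
    entry at logon, so a replaced or appended entry runs in every user session."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    findings = []
    entries = [e for e in value.split(",") if e.strip()]
    if not entries:
        return [Finding(value, "empty Userinit value; no logon program would start")]
    for raw in entries:
        path = _normalize(raw, system_root)
        if path == expected:
            continue
        if path.endswith("\\userinit.exe"):
            findings.append(Finding(raw, "userinit.exe loaded from a non-System32 path"))
        else:
            findings.append(Finding(raw, "unexpected program started in place of userinit.exe"))
    if not any(_normalize(e, system_root) == expected for e in entries):
        findings.append(Finding(value, "default userinit.exe absent; restore it before "
                                       "removing the other file, or logon fails"))
    return findings


def read_live_userinit() -> str:
    """Read the current value from the local registry (Windows only)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live read only works on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    # Constructed sample modelled on the thread: pvrjz.exe started in place of userinit.exe.
    for f in audit_userinit(r"C:\WINDOWS\system32\pvrjz.exe,"):
        print(f"{f.reason}: {f.entry}")
```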


Dyna 24.02.2009 15:20

Somehow editing doesn't work?!

Here is the VirusTotal result:
Code:

Datei pvrjz.exe empfangen 2009.02.24 14:53:57 (CET)
Status: Beendet
Ergebnis: 3/39 (7.69%)

Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.93 2009.02.24 - 
AhnLab-V3 2009.2.24.0 2009.02.24 - 
AntiVir 7.9.0.88 2009.02.24 - 
Authentium 5.1.0.4 2009.02.24 - 
Avast 4.8.1335.0 2009.02.23 - 
AVG 8.0.0.237 2009.02.24 - 
BitDefender 7.2 2009.02.24 - 
CAT-QuickHeal 10.00 2009.02.22 - 
ClamAV 0.94.1 2009.02.24 - 
Comodo 986 2009.02.20 - 
DrWeb 4.44.0.09170 2009.02.24 - 
eSafe 7.0.17.0 2009.02.19 Suspicious File 
eTrust-Vet 31.6.6369 2009.02.23 - 
F-Prot 4.4.4.56 2009.02.24 - 
F-Secure 8.0.14470.0 2009.02.24 - 
Fortinet 3.117.0.0 2009.02.24 - 
GData 19 2009.02.24 - 
Ikarus T3.1.1.45.0 2009.02.24 - 
K7AntiVirus 7.10.639 2009.02.21 - 
Kaspersky 7.0.0.125 2009.02.24 - 
McAfee 5534 2009.02.23 - 
McAfee+Artemis 5534 2009.02.23 - 
Microsoft 1.4306 2009.02.24 - 
NOD32 3885 2009.02.24 - 
Norman 6.00.06 2009.02.24 - 
nProtect 2009.1.8.0 2009.02.24 - 
Panda 10.0.0.10 2009.02.23 Suspicious file 
PCTools 4.4.2.0 2009.02.24 - 
Prevx1 V2 2009.02.24 - 
Rising 21.18.12.00 2009.02.24 - 
SecureWeb-Gateway 6.7.6 2009.02.24 - 
Sophos 4.39.0 2009.02.24 - 
Sunbelt 3.2.1856.2 2009.02.24 - 
Symantec 10 2009.02.24 - 
TheHacker 6.3.2.5.264 2009.02.24 - 
TrendMicro 8.700.0.1004 2009.02.24 - 
VBA32 3.12.10.0 2009.02.24 suspected of Malware-Cryptor.Win32.General.3 
ViRobot 2009.2.24.1621 2009.02.24 - 
VirusBuster 4.5.11.0 2009.02.24 -     

weitere Informationen
File size: 55537 bytes
MD5...: 23f6d0f82d8f36f41ff906dc3ff387bd
SHA1..: 4a96502ec6fe2bdc1c86651ca41914f13c80e28d
SHA256: 887b4921e524ce6c8d6ae2aee6b3570406f4d990e64cb09ee1a8364695d6c816
SHA512: f504d0ec166c5a0b9b0edd0eb9e4e99e7b28220ac5c630bab7d26cbd99488f99bc47b972ad8fea4fa1cdd4b831e08df42f00a79183cddf7f79fd1ae52926cbfb
ssdeep: 1536:F37d4fm4fDdmCGA7PnWUAEJxEKmcFspaB8U:F37d2mYUCn7PLTXapaB8U
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40bcc1
timedatestamp.....: 0x47d0ce08 (Fri Mar 07 05:09:28 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name        viradd    virsiz  rawdsiz  ntrpy  md5
.text      0x1000    0xbcde    0xbe00  7.92  e0485a2a23926c35dfdea17adf4a3a04
.rdata      0xd000    0xb14    0xc00  4.99  85a7e56e156ddd94f0945be8ec9f8e4e
.data      0xe000    0xa7c5    0x600  6.28  1972d1cdae47e87669bce2927aa13a0c
.rsrc      0x19000    0x3b8    0x400  3.18  9ddf9f7762893fc715d384fd62e622d8

( 1 imports ) 
> KERNEL32.dll: UnlockFile, GetCurrentProcessId, GetTimeFormatA, GetDateFormatA, IsProcessorFeaturePresent, SleepEx, SetupComm, GetSystemWindowsDirectoryA, TerminateThread, GetCurrentThread, SetConsoleActiveScreenBuffer, SystemTimeToTzSpecificLocalTime, GetFileType, ConvertDefaultLocale, GetPrivateProfileStructA, GetConsoleOutputCP, GetPrivateProfileSectionW, AddAtomW, GetCommModemStatus, RegisterWaitForInputIdle, WriteFileEx, Module32FirstW, AddConsoleAliasA, QueryPerformanceFrequency, DuplicateConsoleHandle, _llseek, EnumUILanguagesW, CreateTimerQueue, GetCommState, GetThreadPriority, LCMapStringA, ClearCommError, VDMOperationStarted, FreeConsole, NlsConvertIntegerToString, WaitNamedPipeA, EnumLanguageGroupLocalesA, GlobalLock, FindCloseChangeNotification, GetModuleFileNameA, TlsFree, GetLargestConsoleWindowSize, SearchPathA, EnumLanguageGroupLocalesW, WaitForMultipleObjectsEx, DeleteFileW, SetThreadLocale, CancelIo, CreateWaitableTimerA, GetTapeParameters, GetStdHandle, GetShortPathNameA, TryEnterCriticalSection, SetSystemPowerState, FreeVirtualBuffer, WriteProcessMemory, Process32FirstW, GetConsoleAliasA, IsSystemResumeAutomatic, GetUserDefaultUILanguage, SetFileApisToANSI, OpenDataFile, BuildCommDCBAndTimeoutsA, LockFileEx, GetThreadLocale, GlobalAddAtomA, InterlockedIncrement, GetFileTime, GenerateConsoleCtrlEvent, HeapUnlock, SetConsoleTextAttribute, AreFileApisANSI, lstrlen, DeleteFiber, _lwrite, MoveFileW, GetConsoleAliasExesLengthW, SetComputerNameW, FindNextFileW, GetConsoleCommandHistoryLengthW, GetCompressedFileSizeW, LocalHandle, ReleaseSemaphore, EnumDateFormatsExW, GetFileAttributesExW, DosDateTimeToFileTime, VirtualFreeEx, GetProcessIoCounters, SetComputerNameExA, CompareStringW, Process32First, IsBadHugeReadPtr, GetLocaleInfoW

( 0 exports )


