securityutility.net, is this a virus? LOGs now attached

Hello everyone,
I have the following problem:
Recently, whenever I open a website in Firefox, the following message appears in AVAST FREE 2015.

http://securityutility.net/public/AddOn2/p/atakohapu17121346/gc.js
URL:Mal
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

A virus scan with AVAST run afterwards found nothing.

Malwarebytes Anti-Malware initially found something: Log 1
Removed the items and ran it again: Log 2
On the third run, as far as I can tell, nothing: Log 3

Results from FRST and aswMBR are also attached.

What should I do?
Many thanks for the help

Dann

Post your basic logs as per the instructions: https://forum.avast.com/index.php?topic=102616.0

Welcome to the forum,
Asyn

Here are the attachments.
Thanks for the help

And the rest

A malware expert has been notified, please be patient…

Regards, Asyn

@christoph.lichtenberger
Hi!

If you don't want spam mails, please hide your e-mail address in the forum

Hide your e-mail in the forum: https://forum.avast.com/index.php?msg=680473
:wink:
HDW

Thanks for the tip

You're welcome.
:wink:
HDW

I believe this may have been bundled with Citavi

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:

CreateRestorePoint:
Startup: C:\Users\Stoffel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-03-24]
ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
HKLM\...\RunOnce: [*Restore] => C:\Windows\System32\rstrui.exe [273920 2014-10-29] (Microsoft Corporation)
FF Extension: AdBeaver - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\phqxddym.default\Extensions\adbeaver@adbeaver.org.xpi [2015-06-02]
2015-07-21 17:27 - 2015-07-21 17:27 - 00000000 ____D C:\Users\Stoffel\AppData\Local\Avg
2015-07-21 17:27 - 2015-07-21 17:27 - 00000000 ____D C:\Users\Admin\AppData\Roaming\AVG
2015-07-21 17:27 - 2015-07-21 17:27 - 00000000 ____D C:\Users\Admin\AppData\Local\Avg
2015-07-21 17:26 - 2015-07-21 17:27 - 00000000 ____D C:\ProgramData\AVG
2015-07-21 16:33 - 2015-07-21 16:33 - 00000000 ____D C:\Users\Stoffel\AppData\Local\Chromium
2015-07-21 16:35 - 2015-03-24 12:33 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieUserList
2015-07-21 16:35 - 2015-03-24 12:33 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieSiteList
2015-07-20 15:33 - 2015-03-24 16:01 - 00000000 __SHD C:\Users\Stoffel\AppData\Local\EmieUserList
2015-07-20 15:33 - 2015-03-24 16:01 - 00000000 __SHD C:\Users\Stoffel\AppData\Local\EmieSiteList
2015-07-20 15:33 - 2015-03-24 16:01 - 00000000 __SHD C:\Users\Stoffel\AppData\Local\EmieBrowserModeList
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
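The fixlist above is, apart from the directive lines (CreateRestorePoint:, RemoveProxy:, EmptyTemp:, CMD:), made of lines copied verbatim out of the FRST log: entries whose target FRST marks as "No File" and the unwanted Firefox extension. As an added example (not part of the thread, not FRST's own code), the following Python script triages FRST-style lines the same way: it flags dangling "No File" entries and any "FF Extension:" line whose name is on a watchlist, then assembles a fixlist in the format shown. The sample lines are constructed (the ExampleSync overlay and the Example Add-on are illustrative); the RunOnce and AVG folder lines in the real fix were the helper's judgement and are not flagged by this rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample: FRST.txt-style lines modelled on the ones quoted in the fix
# above. The ExampleSync and Example Add-on entries are illustrative, not from a real log.
SAMPLE_FRST_LINES = [
    r"ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)",
    r'ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File',
    r'ShellIconOverlayIdentifiers: ["ExampleSync"] -> {00000000-0000-0000-0000-000000000001} => C:\Program Files\ExampleSync\overlay.dll [2015-05-01] (Example Vendor)',
    r"HKLM\...\RunOnce: [*Restore] => C:\Windows\System32\rstrui.exe [273920 2014-10-29] (Microsoft Corporation)",
    r"FF Extension: AdBeaver - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\phqxddym.default\Extensions\adbeaver@adbeaver.org.xpi [2015-06-02]",
    r"FF Extension: Example Add-on - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\phqxddym.default\Extensions\example-addon@example.org.xpi [2015-01-10]",
    r"CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File",
]

# "No File" (sometimes in parentheses) is how FRST marks an entry whose target is gone.
NO_FILE_RE = re.compile(r"\(?No File\)?\s*$")
# "FF Extension: <name> - <path to .xpi> [<date>]", as in the fix above.
FF_EXTENSION_RE = re.compile(r"^FF Extension: (?P<name>.+?) - (?P<path>.+?)(?: \[[^\]]*\])?$")


@dataclass
class Finding:
    line: str    # the log line, kept verbatim so it can go straight into a fixlist
    reason: str  # why it was flagged


def triage(lines, extension_watchlist):
    """Flag dangling entries and watchlisted Firefox extensions in FRST-style lines."""
    watch = {name.lower() for name in extension_watchlist}
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if NO_FILE_RE.search(line):
            findings.append(Finding(line, "dangling entry: target file missing"))
            continue
        match = FF_EXTENSION_RE.match(line)
        if match and match.group("name").lower() in watch:
            findings.append(Finding(line, f"browser extension on watchlist: {match.group('name')}"))
    return findings


def build_fixlist(findings, extra_directives=("RemoveProxy:", "EmptyTemp:")):
    """Assemble a fixlist in the layout used above: a restore point first,
    the flagged log lines copied verbatim, then the clean-up directives."""
    out = ["CreateRestorePoint:"]
    out.extend(f.line for f in findings)
    out.extend(extra_directives)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    flagged = triage(SAMPLE_FRST_LINES, ["AdBeaver"])
    for f in flagged:
        print(f"{f.reason}: {f.line}")
    print(build_fixlist(flagged))
```

The watchlist is the one piece of judgement the script cannot supply: "AdBeaver" is only on it because the thread identified it as the adware. Everything else it flags is mechanical (the target file no longer exists), which is exactly the kind of entry a helper reviews rather than removes blindly.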

Hey.
I got Citavi off my Uni server, I am not sure if this is the source…
Here is the fixlog and the report of adw cleaner.
I hope it helps to figure out the problem. Still getting the warning.
Thanks for your effort

The fix did not work for some reason; were you logged in as administrator?

If you were could you re-run the fix from safe mode please

Here is the new fixlog, I didn't run it as an administrator…
Hope this time it will help you

Just found an add-on called Ad Beaver in Firefox, I definitely didn't install it.
I hope this will help you

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\phqxddym.default\Extensions\adbeaver@adbeaver.org.xpi => moved successfully.

Yes, that was the bad one… was something left behind?

Yes. Unfortunately it is still there.
The Avast warning keeps popping up as well…

It is called AdBeaver 0.7.0.22

I have one admin account and two normal accounts on my computer.
It seems like you removed it from one of the accounts and from the admin account as well. If I use them, Avast keeps quiet.
Just on one account called Stoffel Avast still keeps responding and if I open the Firefox browser Ad Beaver is listed as an add on.
Really appreciate your work so far. Thanks a million.
Is there a chance to remove it from that last account as well?

One last thing, that might be interesting.
The account stoffel was the one I used to install all the necessary programs.
I just ran them as an administrator from there.
Could this be the problem?
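What the poster describes above is the expected behaviour: Firefox keeps one profile per Windows user account under that account's AppData\Roaming\Mozilla\Firefox\Profiles, so an extension moved out of the Admin profile stays in place in the Stoffel profile, and so does the Avast warning. As an added example (not from the thread or from Mozilla), the following Python script scans every profile of every account under a Users directory and reports which accounts still carry a given add-on id. It builds a constructed profile tree in a temporary directory so it runs anywhere; the Stoffel and Guest profile folder names and the Example Add-on id are invented, and only the fields it reads from extensions.json are written.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample mirroring the thread: three accounts, the unwanted add-on
# present in two of them. The profile folder names (other than Admin's, which
# appears in the FRST fix) and example-addon@example.org are illustrative.
SAMPLE_PROFILES = {
    ("Admin", "phqxddym.default"): ["adbeaver@adbeaver.org", "example-addon@example.org"],
    ("Stoffel", "k3s9x2lq.default"): ["adbeaver@adbeaver.org"],
    ("Guest", "ab12cd34.default"): ["example-addon@example.org"],
}

# Per-account location of Firefox profiles on Windows (relative to the account folder).
PROFILES_REL = Path("AppData") / "Roaming" / "Mozilla" / "Firefox" / "Profiles"


def build_sample_tree(users_root: Path) -> None:
    """Write the constructed layout under users_root (a stand-in for C:\\Users)."""
    for (user, profile), addon_ids in SAMPLE_PROFILES.items():
        profile_dir = users_root / user / PROFILES_REL / profile
        ext_dir = profile_dir / "extensions"
        ext_dir.mkdir(parents=True)
        for addon_id in addon_ids:
            # Placeholder bytes; a real .xpi is a zip archive, which is not needed here.
            (ext_dir / f"{addon_id}.xpi").write_bytes(b"PK")
        # extensions.json is the per-profile add-on registry Firefox maintains;
        # only the id and display-name fields read below are filled in.
        registry = {"addons": [{"id": i, "defaultLocale": {"name": i.split("@")[0]}} for i in addon_ids]}
        (profile_dir / "extensions.json").write_text(json.dumps(registry))


def scan_firefox_extensions(users_root: Path):
    """Return {(user, profile): {addon_id: display_name}} for every profile under users_root."""
    found = {}
    for profile_dir in users_root.glob(f"*/{PROFILES_REL.as_posix()}/*"):
        if not profile_dir.is_dir():
            continue
        user = profile_dir.relative_to(users_root).parts[0]
        names = {}
        registry = profile_dir / "extensions.json"
        if registry.is_file():
            try:
                for addon in json.loads(registry.read_text()).get("addons", []):
                    names[addon.get("id")] = addon.get("defaultLocale", {}).get("name", "")
            except (ValueError, AttributeError):
                pass  # unreadable registry: fall back to the .xpi file names alone
        addons = {}
        for xpi in (profile_dir / "extensions").glob("*.xpi"):
            addons[xpi.stem] = names.get(xpi.stem, "")
        found[(user, profile_dir.name)] = addons
    return found


def locate_extension(scan, addon_id):
    """Every (user, profile) still carrying addon_id: the check that would have
    shown the add-on surviving in the Stoffel profile after the Admin one was cleaned."""
    return sorted(key for key, addons in scan.items() if addon_id in addons)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return locate_extension(scan_firefox_extensions(root), "adbeaver@adbeaver.org")


if __name__ == "__main__":
    for user, profile in demo():
        print(f"adbeaver@adbeaver.org still present in account {user}, profile {profile}")
```

On a real machine you would call scan_firefox_extensions(Path(r"C:\Users")) from an elevated prompt instead of building the sample tree, since a standard account cannot read other accounts' AppData; that elevation requirement is the same reason the FRST fix had to be run from the account that actually held the profile.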

Could you run FRST from that account please

All right, just did the whole thing again.
Sorry for the effort