system
July 21, 2015, 5:30pm
1
Hello everyone,
I have the following problem:
Recently, when I open a website in Firefox, the following message appears in AVAST FREE 2015.
http://securityutility.net/public/AddOn2/p/atakohapu17121346/gc.js
URL:Mal
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
A virus scan with AVAST run afterwards was unremarkable.
Malwarebytes Anti-Malware initially found: Log 1
Removed the data and ran it again: Log 2
On the third run, as far as I can tell, unremarkable: Log 3
Results from FRST and asembr are also attached.
What should I do?
Many thanks for the help
Dann
Asyn
July 21, 2015, 5:49pm
2
Post your basic logs as described in the guide: https://forum.avast.com/index.php?topic=102616.0
Welcome to the forum,
Asyn
system
July 21, 2015, 6:00pm
3
Here are the attachments.
Thanks for the help
Asyn
July 22, 2015, 4:19am
5
A malware expert has been notified, please be patient…
Best regards, Asyn
system
July 22, 2015, 10:40am
6
@christoph.lichtenberger
Hi!
If you don't want spam mails, please hide your email address in the forum
Hide your email in the forum: https://forum.avast.com/index.php?msg=680473
HDW
I believe this may have been bundled with Citavi
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quote box below into it:
CreateRestorePoint:
Startup: C:\Users\Stoffel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-03-24]
ShortcutTarget: Dropbox.lnk -> C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe (No File)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
HKLM\...\RunOnce: [*Restore] => C:\Windows\System32\rstrui.exe [273920 2014-10-29] (Microsoft Corporation)
FF Extension: AdBeaver - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\phqxddym.default\Extensions\adbeaver@adbeaver.org.xpi [2015-06-02]
2015-07-21 17:27 - 2015-07-21 17:27 - 00000000 ____D C:\Users\Stoffel\AppData\Local\Avg
2015-07-21 17:27 - 2015-07-21 17:27 - 00000000 ____D C:\Users\Admin\AppData\Roaming\AVG
2015-07-21 17:27 - 2015-07-21 17:27 - 00000000 ____D C:\Users\Admin\AppData\Local\Avg
2015-07-21 17:26 - 2015-07-21 17:27 - 00000000 ____D C:\ProgramData\AVG
2015-07-21 16:33 - 2015-07-21 16:33 - 00000000 ____D C:\Users\Stoffel\AppData\Local\Chromium
2015-07-21 16:35 - 2015-03-24 12:33 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieUserList
2015-07-21 16:35 - 2015-03-24 12:33 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieSiteList
2015-07-20 15:33 - 2015-03-24 16:01 - 00000000 __SHD C:\Users\Stoffel\AppData\Local\EmieUserList
2015-07-20 15:33 - 2015-03-24 16:01 - 00000000 __SHD C:\Users\Stoffel\AppData\Local\EmieSiteList
2015-07-20 15:33 - 2015-03-24 16:01 - 00000000 __SHD C:\Users\Stoffel\AppData\Local\EmieBrowserModeList
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
CustomCLSID: HKU\S-1-5-21-3220375707-795553834-2348762128-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Stoffel\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll No File
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on "Scan".
- After the scan is complete click on "Clean".
- Confirm each time with "Ok".
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
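The two findings the FRST script above acts on, a browser extension sitting in one user's Firefox profile and shell icon overlay entries whose DLL no longer exists, can both be checked from PowerShell without any third-party tool. The following is an added example written for this thread; it is not part of FRST, AdwCleaner or the original post. It assumes Windows, an elevated PowerShell (so that other users' AppData is readable), that Firefox profiles live in the default Roaming location, and it reuses only the extension id that appears in the FRST line above (adbeaver@adbeaver.org). The overlay check resolves CLSIDs through HKEY_CLASSES_ROOT, which merges HKLM with the *current* user's Classes hive only; per-user CustomCLSID entries of another account (such as the S-1-5-21-...-1001 hive listed above) are not visible from a different login, which is one reason a fix run from the Admin account can leave another account untouched.

```powershell
# Added example, not from the thread or from FRST/AdwCleaner.
# Extension ids treated as suspicious: the only one here is taken from the FRST log in this thread.
$SuspiciousIds = @('adbeaver@adbeaver.org')

function Get-AllFirefoxExtensions {
    # Walk every local user profile (needs elevation to read other users' AppData)
    # and list both packed (.xpi) and unpacked extensions in each Firefox profile.
    $results = @()
    foreach ($u in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $profilesRoot = Join-Path $u.FullName 'AppData\Roaming\Mozilla\Firefox\Profiles'
        if (-not (Test-Path -LiteralPath $profilesRoot)) { continue }
        foreach ($p in Get-ChildItem -Path $profilesRoot -Directory -ErrorAction SilentlyContinue) {
            $extDir = Join-Path $p.FullName 'extensions'
            if (-not (Test-Path -LiteralPath $extDir)) { continue }
            foreach ($e in Get-ChildItem -Path $extDir -ErrorAction SilentlyContinue) {
                # Packed extensions are named <id>.xpi; unpacked ones are a folder named <id>
                $id = $e.Name -replace '\.xpi$', ''
                $results += [pscustomobject]@{
                    User        = $u.Name
                    Profile     = $p.Name
                    ExtensionId = $id
                    Path        = $e.FullName
                    Modified    = $e.LastWriteTime
                    Suspicious  = ($SuspiciousIds -contains $id)
                }
            }
        }
    }
    return $results
}

function Get-OrphanedShellOverlays {
    # Each subkey under ShellIconOverlayIdentifiers has a default value holding a CLSID.
    # Resolve the CLSID's InprocServer32 path and report entries whose DLL is missing on disk,
    # which is what FRST prints as "No File".
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
    $orphans = @()
    foreach ($k in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $clsid = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $clsid) { continue }
        # HKCR is the merged view of HKLM\Software\Classes and the current user's Classes hive
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        if (-not (Test-Path -LiteralPath $dll)) {
            $orphans += [pscustomobject]@{
                Overlay = $k.PSChildName
                CLSID   = $clsid
                Dll     = $dll
            }
        }
    }
    return $orphans
}

# Usage: show suspicious add-ons per account, then overlay handlers pointing at missing DLLs
Get-AllFirefoxExtensions | Where-Object { $_.Suspicious } | Format-Table -AutoSize
Get-OrphanedShellOverlays | Format-Table -AutoSize
```

Drop the `Where-Object` filter to see every extension in every profile; the `User` column is what shows whether an add-on survives in an account other than the one the cleanup was run from.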
system
July 22, 2015, 3:51pm
10
Hey.
I got Citavi off my uni server, I am not sure if this is the source…
Here is the fixlog and the report of adw cleaner.
I hope it helps to figure out the problem. Still getting the warning.
Thanks for your effort
The fix did not work for some reason; were you logged in as administrator?
If you were, could you re-run the fix from safe mode, please?
system
July 22, 2015, 4:44pm
12
Here is the new fixlog, I didn't run it as an administrator…
Hope this time it will help you
system
July 22, 2015, 4:53pm
13
Just found an add-on called Ad Beaver in Firefox, I definitely didn't install it.
I hope this will help you
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\phqxddym.default\Extensions\adbeaver@adbeaver.org.xpi => moved successfully.
Yes, that was the bad one… was something left behind?
system
July 22, 2015, 7:20pm
15
Yes. Unfortunately it is still there.
The Avast warning keeps popping up as well…
system
July 22, 2015, 7:25pm
16
It is called AdBeaver 0.7.0.22
system
July 22, 2015, 7:31pm
17
I have one admin account and two normal accounts on my computer.
It seems like you removed it from one of the accounts and from the admin account as well. If I use them, Avast keeps quiet.
Just on one account called Stoffel, Avast still keeps responding, and if I open the Firefox browser, Ad Beaver is listed as an add-on.
Really appreciate your work so far. Thanks a million.
Is there a chance to remove it from that last account as well?
system
July 22, 2015, 7:46pm
18
One last thing, that might be interesting.
The account stoffel was the one I used to install all the necessary programs.
I just ran them as an administrator from there.
Could this be the problem?
Could you run FRST from that account, please?
system
July 22, 2015, 8:38pm
20
Alright, just did the whole thing again.
Sorry for the effort