26.04.2014, 21:15, #5
PopUp Trojan
Fixlog.txt Quote:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-04-2014 02
Ran by Simon at 2014-04-26 18:24:50 Run:1
Running from C:\Users\Simon\Downloads
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
R2 PassShow; C:\Program Files (x86)\PassShow\PassShowBJ161.exe [142848 2014-04-23] ()
() C:\Program Files (x86)\PassShow\PassShowM.exe
() C:\Program Files (x86)\PassShow\PassShowBJ161.exe
2014-04-23 14:52 - 2014-04-26 14:42 - 00000380 _____ () C:\Windows\Tasks\PassShow Update.job
2014-04-23 14:52 - 2014-04-26 12:05 - 00000360 _____ () C:\Windows\Tasks\PassShow_wd.job
2014-04-23 14:52 - 2014-04-23 14:52 - 00003028 _____ () C:\Windows\System32\Tasks\PassShow Update
2014-04-23 14:52 - 2014-04-23 14:52 - 00002948 _____ () C:\Windows\System32\Tasks\PassShow_wd
2014-04-23 14:51 - 2014-04-23 14:52 - 00000000 ____D () C:\Program Files (x86)\PassShow
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
ProxyEnable: Internet Explorer proxy is enabled.
ProxyServer: http=127.0.0.1:14131
FF Extension: PassShow - C:\Program Files (x86)\PassShow\161.xpi [2014-04-23]
*****************
PassShow => Service not found.
C:\Program Files (x86)\PassShow\PassShowM.exe => No running process found
C:\Program Files (x86)\PassShow\PassShowBJ161.exe => No running process found
"C:\Windows\Tasks\PassShow Update.job" => File/Directory not found.
"C:\Windows\Tasks\PassShow_wd.job" => File/Directory not found.
"C:\Windows\System32\Tasks\PassShow Update" => File/Directory not found.
"C:\Windows\System32\Tasks\PassShow_wd" => File/Directory not found.
"C:\Program Files (x86)\PassShow" => File/Directory not found.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => Value not found.
C:\Program Files (x86)\PassShow\161.xpi not found.
The system needed a reboot.
==== End of Fixlog ====
Mbam.txt Quote:
Malwarebytes Anti-Malware
Suchlauf Datum: 26.04.2014
Suchlauf-Zeit: 19:57:07
Logdatei: mbam.txt
Administrator: Ja
Version: 2.00.1.1004
Malware Datenbank: v2014.04.26.03
Rootkit Datenbank: v2014.03.27.01
Lizenz: Kostenlos
Malware Schutz: Deaktiviert
Bösartiger Webseiten Schutz: Deaktiviert
Chameleon: Deaktiviert
Betriebssystem: Windows 7 Service Pack 1
CPU: x64
Dateisystem: NTFS
Benutzer: Simon
Suchlauf-Art: Bedrohungs-Suchlauf
Ergebnis: Abgeschlossen
Durchsuchte Objekte: 248073
Verstrichene Zeit: 19 Min, 16 Sek
Speicher: Aktiviert
Autostart: Aktiviert
Dateisystem: Aktiviert
Archive: Aktiviert
Rootkits: Aktiviert
Shuriken: Aktiviert
PUP: Aktiviert
PUM: Aktiviert
Prozesse: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registrierungsschlüssel: 0
(No malicious items detected)
Registrierungswerte: 0
(No malicious items detected)
Registrierungsdaten: 0
(No malicious items detected)
Ordner: 0
(No malicious items detected)
Dateien: 1
PUP.Optional.OpenCandy, C:\$Recycle.Bin\S-1-5-21-4146840192-2193111062-978237871-1000\$R5MDLCW.exe, In Quarantäne, [09f740c0d42c699780c68fc53acad22e],
Physische Sektoren: 0
(No malicious items detected)
(end)
Log.txt Quote:
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=a748a2e1d7798247a8bc0c0437db7a2d
# engine=18045
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2014-04-26 08:13:14
# local_time=2014-04-26 10:13:14 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1799 16775165 100 94 14541 6174748 7312 0
# compatibility_mode=5893 16776574 66 85 5031100 150173044 0 0
# scanned=162166
# found=5
# cleaned=0
# scan_time=3226
sh=80DC1B8044FE7F2BC57777F9559C5050B1DF5736 ft=1 fh=3a2e66d2f7d1673f vn="Variante von Win32/AdWare.Adpeak.D Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher32.exe.vir"
sh=408E4906C3F215C0E44282D24B340DAF03D014A4 ft=1 fh=94d81bcdb603e2f9 vn="Variante von Win64/Adware.Adpeak.C Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe.vir"
sh=AFF6026DD64A6AD95B73CD2D1EE61EAEBA192C4E ft=0 fh=0000000000000000 vn="Win32/AdWare.Adpeak.B Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\SavingsBull\bootstrap.js.old.vir"
sh=5E0244166A810D56E9DE30B9D87052F385A42B4C ft=0 fh=0000000000000000 vn="Win32/AdWare.Adpeak.B Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\SavingsBull\bootstrap.js.vir"
sh=6503A0EA70DE432C52C23B8E414C8E6167D7BE91 ft=1 fh=50a9951a540afa9c vn="möglicherweise Variante von Win32/AdWare.AddLyrics.AJ Anwendung" ac=I fn="C:\Users\Simon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CKW0WI87\1030-4001_PassShow[1]"
FRST.txt Quote:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-04-2014 02
Ran by Simon (administrator) on SIMON-PC on 26-04-2014 22:14:57
Running from C:\Users\Simon\Downloads
Windows 7 Ultimate Service Pack 1 (X64) OS Language: German Standard
Internet Explorer Version 11
Boot Mode: Normal
The only official download link for FRST:
Download link for 32-Bit version: Downloading Farbar Recovery Scan Tool
Download link for 64-Bit Version: Downloading Farbar Recovery Scan Tool
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials
==================== Processes (Whitelisted) =================
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
() C:\Program Files\EslWire\service\WireHelperSvc.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_182.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_182.exe
==================== Registry (Whitelisted) ==================
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [689744 2014-02-14] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\.DEFAULT\...\RunOnce: [SPReview] - C:\Windows\System32\SPReview\SPReview.exe [301568 2014-02-26] (Microsoft Corporation)
HKU\S-1-5-21-4146840192-2193111062-978237871-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [1825984 2014-04-24] (Valve Corporation)
HKU\S-1-5-21-4146840192-2193111062-978237871-1000\...\MountPoints2: {10513451-9c9b-11e3-8c63-806e6f6e6963} - D:\Bin\ASSETUP.exe
==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = MSN Deutschland: Aktuelle Nachrichten, Outlook.com Email und Skype Login.
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xB4CBEBC9BE30CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
BHO: SteadyVideoBHO Class - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
BHO-x32: SteadyVideoBHO Class - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 192.168.0.2
FireFox:
========
FF ProfilePath: C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\mxnav4be.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_182.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_182.dll ()
FF Plugin-x32: @esn.me/esnsonar,version=0.70.4 - C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
FF Plugin-x32: @esn/npbattlelog,version=2.3.2 - C:\Program Files (x86)\Battlelog Web Plugins\2.3.2\npbattlelog.dll (EA Digital Illusions CE AB)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\amazondotcom-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\eBay-de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\leo_ende_de.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-de.xml
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt