Pop Up System32 beim starten des PC verschwindet sofort wieder PC ist sehr langsam geworden.

Bina.1988 · 21.02.2015, 14:44

Code:

ATTFilter

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-02-2015 01
Ran by Bina at 2015-02-21 14:33:42 Run:1
Running from C:\Users\Bina\Desktop
Loaded Profiles: Bina (Available profiles: Bina & krizz)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction 
CHR HKU\S-1-5-21-2174489219-974603214-2956640213-1000\SOFTWARE\Policies\Google: Policy restriction 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
HKU\S-1-5-21-2174489219-974603214-2956640213-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-2174489219-974603214-2956640213-1000 -> No Name - {C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} -  No File
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3323737&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SPDB258463-4080-48BE-B4A6-DA827DF08E43&SSPV="
cmd: type "C:\ProgramData\UnhJWFY.bat"
cmd: type "C:\ProgramData\UnhJWFY.reg"
C:\ProgramData\UnhJWFY.bat
C:\ProgramData\UnhJWFY.reg
Task: {1C33CFBF-704D-464C-892A-EA47C5168CB2} - System32\Tasks\{544F2744-B9FD-4DE5-8B2D-E34D76DE8258} => pcalua.exe -a C:\Users\Bina\Desktop\fs\Uninstal.exe
Task: {40B84B81-9DAD-448C-8D18-B6071BC31A37} - System32\Tasks\{13D677FE-DEA3-4099-B53A-041F6397C5C3} => pcalua.exe -a C:\Users\Bina\Desktop\Progs\Take_On_Helicopters_Demo.exe -d C:\Users\Bina\Desktop\Progs
AlternateDataStreams: C:\ProgramData\Temp:7BFFC6A9
AlternateDataStreams: C:\ProgramData\Temp:80253E8D
EmptyTemp:
         
*****************

Processes closed successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKU\S-1-5-21-2174489219-974603214-2956640213-1000\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-2174489219-974603214-2956640213-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value deleted successfully.
"HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}" => Key deleted successfully.
HKU\S-1-5-21-2174489219-974603214-2956640213-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} => value deleted successfully.
HKCR\CLSID\{C840E246-6B95-475E-9BD7-CAA1C7ECA9F2} => Key not found. 
Chrome StartupUrls deleted successfully.

=========  type "C:\ProgramData\UnhJWFY.bat" =========

START "ok" rundll32.exe C:\Users\Chris\AppData\Local\Temp\YFWJhnU.exe,M1N1 /B

========= End of CMD: =========


=========  type "C:\ProgramData\UnhJWFY.reg" =========

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\PROGRA~3\\UnhJWFY.bat"

========= End of CMD: =========

C:\ProgramData\UnhJWFY.bat => Moved successfully.
C:\ProgramData\UnhJWFY.reg => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1C33CFBF-704D-464C-892A-EA47C5168CB2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1C33CFBF-704D-464C-892A-EA47C5168CB2}" => Key deleted successfully.
C:\Windows\System32\Tasks\{544F2744-B9FD-4DE5-8B2D-E34D76DE8258} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{544F2744-B9FD-4DE5-8B2D-E34D76DE8258}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{40B84B81-9DAD-448C-8D18-B6071BC31A37}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{40B84B81-9DAD-448C-8D18-B6071BC31A37}" => Key deleted successfully.
C:\Windows\System32\Tasks\{13D677FE-DEA3-4099-B53A-041F6397C5C3} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{13D677FE-DEA3-4099-B53A-041F6397C5C3}" => Key deleted successfully.
C:\ProgramData\Temp => ":7BFFC6A9" ADS removed successfully.
C:\ProgramData\Temp => ":80253E8D" ADS removed successfully.
EmptyTemp: => Removed 583.5 MB temporary data.


The system needed a reboot. 

==== End of Fixlog 14:34:33 ====

Huhu ja es ist genau so wie damals wie lang das jetzt her ist weiß ich nicht mehr.

LG Bina

deeprybka · 21.02.2015, 16:30

So war es damals...

Zitat:

Zitat von Bina.1988

kannst du vielleicht an den Prozessen aus dem task manager sehen ob d was läuft was da nicht laufen sollte?
Ich danke dir viel mals. Ich hab das Problem gelöst. ich hab ACR launcher irgendein Spiel was mein Freund runtergeladen hat und es ist weg.

Schritt 1

ESET Online Scanner

Hier findest du eine bebilderte Anleitung zu ESET Online Scanner
Lade und starte Eset Online Scanner
Setze einen Haken bei Ja, ich bin mit den Nutzungsbedingungen einverstanden und klicke auf Starten.
Aktiviere die "Erkennung von eventuell unerwünschten Anwendungen" und wähle folgende Einstellungen.
Klicke auf Starten.
Die Signaturen werden heruntergeladen, der Scan beginnt automatisch.
Klicke am Ende des Suchlaufs auf Fertig stellen.
Schließe das Fenster von ESET.
Explorer öffnen.
C:\Programme\Eset\EsetOnlineScanner\log.txt (bei 64 Bit auch C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) suchen und mit Deinem Editor öffnen (bebildert).
Logfile hier posten.
Deinstallation: Systemsteuerung => Software / Programme deinstallieren => Eset Online Scanner V3 entfernen.
Manuell folgenden Ordner löschen und Papierkorb leeren => C:\Programme\Eset

Schritt 2
Downloade Dir HitmanPro

auf Deinen Desktop:

HitmanPro-32 Bit Version
HitmanPro-64 Bit Version

Starte die HitmanPro.exe
Klicke auf
Entferne den Haken bei
Klicke auf
und
Akzeptiere die Lizenzbedingungen und klicke auf
Klicke auf

und auf
Wenn der Scan beendet wurde, nichts löschen lassen etc. sondern wähle unten links auf der Button-Leiste
und speichere die Logdatei auf Deinem Desktop.
Schließe HitmanPro und poste mir das Log.

Bina.1988 · 21.02.2015, 23:25

Code:

ATTFilter

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=d61975459f74b7429fc2c028ad676718
# engine=13249
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-02-26 10:25:51
# local_time=2013-02-26 11:25:51 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=774 16777213 100 88 13184 138627423 0 0
# compatibility_mode=5893 16776574 100 94 25065 113547401 0 0
# scanned=229482
# found=4
# cleaned=0
# scan_time=8242
sh=46C1319EE38510C365A4226621DE30BDF7E462FF ft=1 fh=662930a683ab766b vn="Win64/Conedex.C trojan" ac=I fn="C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-2174489219-974603214-2956640213-1004\$623235fd9acb63d37cd05f847f298693\U\00000004.@.vir"
sh=810E28D4E7B28D658DC48A82F0C65B46149AAE89 ft=1 fh=120d32a29875bbd8 vn="Win64/Conedex.B trojan" ac=I fn="C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-2174489219-974603214-2956640213-1004\$623235fd9acb63d37cd05f847f298693\U\000000cb.@.vir"
sh=061A3739739904F13A5B9ADCBF4AC2E8A3157B18 ft=1 fh=3f70b78fb0084ee4 vn="Win64/Sirefef.AW trojan" ac=I fn="C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-2174489219-974603214-2956640213-1004\$623235fd9acb63d37cd05f847f298693\U\80000000.@.vir"
sh=75BB04900AC0028C289D41EC423A1C898DB67CE2 ft=1 fh=2b46c437d4ba4830 vn="a variant of Win64/Sirefef.AN trojan" ac=I fn="C:\Qoobox\Quarantine\C\$Recycle.Bin\S-1-5-21-2174489219-974603214-2956640213-1004\$623235fd9acb63d37cd05f847f298693\U\80000064.@.vir"
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=d61975459f74b7429fc2c028ad676718
# engine=13399
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-03-16 10:37:25
# local_time=2013-03-16 11:37:25 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=772 16777213 83 91 349283 140140117 0 0
# compatibility_mode=5893 16776574 100 94 1541359 115060095 0 0
# scanned=183248
# found=0
# cleaned=0
# scan_time=58802
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=d61975459f74b7429fc2c028ad676718
# engine=22587
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2015-02-21 09:42:38
# local_time=2015-02-21 10:42:38 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='avast! Antivirus'
# compatibility_mode=783 16777213 100 92 6260848 188975448 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 51020789 176184808 0 0
# scanned=113699
# found=2
# cleaned=0
# scan_time=5537
sh=16068B8977B4DC562AE782D91BC009472667E331 ft=1 fh=c3b5a87b7d152749 vn="Variante von Win32/DownloadSponsor.C evtl. unerwünschte Anwendung" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Bina\AppData\Local\Temp\OCS\ocs_v71a.exe.vir"
sh=C058C543D91955AA533C6C6840DCB1DC67E746B6 ft=0 fh=0000000000000000 vn="Variante von Win32/Toolbar.Conduit.AL evtl. unerwünschte Anwendung" ac=I fn="C:\Users\Bina\AppData\Local\CRE\leocdeigfnkaojcapikdjcdbedcjmffc.crx"

Code:

ATTFilter


	Code: 

 ATTFilter

  
	HitmanPro 3.7.9.238
www.hitmanpro.com

   Computer name . . . . : BINA-PC
   Windows . . . . . . . : 6.1.1.7601.X64/2
   User name . . . . . . : Bina-PC\Bina
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2015-02-21 22:53:00
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 9m 20s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 8

   Objects scanned . . . : 1.881.979
   Files scanned . . . . : 44.178
   Remnants scanned  . . : 668.268 files / 1.169.533 keys

Suspicious files ____________________________________________________________

   C:\Users\Bina\AppData\Local\PunkBuster\APB\pb\pbcl.dll
      Size . . . . . . . : 953.905 bytes
      Age  . . . . . . . : 971.1 days (2012-06-25 20:00:51)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 9A5BDD44D0817FE21A154412B5989E157455BC24ADBCB238376F73FCEFB14696
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Bina\AppData\Local\PunkBuster\APB\pb\PnkBstrK.sys
      Size . . . . . . . : 138.992 bytes
      Age  . . . . . . . : 971.1 days (2012-06-25 20:01:22)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : 17E604316606C999C87C896508B3525E4897DFA1522FEE01B86524F46B3D9B3D
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Bina\AppData\Local\PunkBuster\GRO\pb\pbcl.dll
      Size . . . . . . . : 957.254 bytes
      Age  . . . . . . . : 800.4 days (2012-12-13 13:46:34)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : 119B810057B5BEB396E0788D092661B805D7E9AF1AD066BA3BD952DBA6064C82
      Fuzzy  . . . . . . : 29.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.

   C:\Users\Bina\AppData\Local\PunkBuster\GRO\pb\PnkBstrK.sys
      Size . . . . . . . : 141.072 bytes
      Age  . . . . . . . : 800.4 days (2012-12-13 13:47:00)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : C3A38891678AC34784E90D385B3DDEAC690E11E05A7657F9D287E7DC373D2592
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

   C:\Users\Bina\Desktop\FRST64.exe
      Size . . . . . . . : 2.086.912 bytes
      Age  . . . . . . . : 20.4 days (2015-02-01 12:32:12)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : CF3043EEDAACEDF33C72A84670D8C24560054CEC81AB37FA58B3A4E1965A74F5
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 23.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
          0.0s C:\Users\Bina\Desktop\FRST64.exe
          0.0s C:\Users\Bina\Downloads\FRST-OlderVersion\FRST64.exe

   C:\Users\Bina\Downloads\FRST-OlderVersion\FRST64.exe
      Size . . . . . . . : 2.131.456 bytes
      Age  . . . . . . . : 20.4 days (2015-02-01 12:32:12)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : 75A43C7DCD832E78EE09AFE27A6C3C8EF33470D1323A781EEC04E13E4F3197A0
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 23.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
          0.0s C:\Users\Bina\Desktop\FRST64.exe
          0.0s C:\Users\Bina\Downloads\FRST-OlderVersion\FRST64.exe


Potential Unwanted Programs _________________________________________________

   HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)
   HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)

Es wurde nichts gefunden hat Hitman gesagt.

deeprybka · 22.02.2015, 10:59

Hi,
Du hast den ESET Scan abgebrochen. Unabhängig davon glaube ich aber nicht, dass Dein Problem von aktiver Malware verursacht wird. Das war vor zwei Jahren ja auch nicht der Fall.

Bina.1988 · 22.02.2015, 21:57

Code:

ATTFilter

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=d61975459f74b7429fc2c028ad676718
# engine=22593
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2015-02-22 08:52:04
# local_time=2015-02-22 09:52:04 (+0100, Mitteleuropäische Zeit)
# country="Germany"
# lang=1031
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='avast! Antivirus'
# compatibility_mode=783 16777213 100 92 6344214 189058814 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 51104155 176268174 0 0
# scanned=232280
# found=3
# cleaned=3
# scan_time=8076
sh=16068B8977B4DC562AE782D91BC009472667E331 ft=1 fh=c3b5a87b7d152749 vn="Variante von Win32/DownloadSponsor.C evtl. unerwünschte Anwendung (gelöscht - in Quarantäne kopiert)" ac=C fn="C:\AdwCleaner\Quarantine\C\Users\Bina\AppData\Local\Temp\OCS\ocs_v71a.exe.vir"
sh=43A2C751E8596F50DAFC0D360FC594F77018049D ft=1 fh=de54c1316c0a6707 vn="Variante von Win32/InstallCore.UF evtl. unerwünschte Anwendung (gelöscht - in Quarantäne kopiert)" ac=C fn="C:\Users\Bina\Downloads\ML_TrialLogoSmartz_CB-DL-Manager.exe"
sh=CE4437D9AEF8DA1F3193FAD5CF38ABB8925699C4 ft=1 fh=3ed5c1fb2c9e35ce vn="Variante von Win32/InstallCore.BY evtl. unerwünschte Anwendung (gelöscht - in Quarantäne kopiert)" ac=C fn="C:\Users\krizz\Downloads\bass-sport-fishing.exe"

3 Sachen hat eset gefunden

deeprybka · 22.02.2015, 22:16

Ok. Aber wie gesagt, es scheint nicht an Malware etc. zu liegen. Der PC ist ja sauber...

22.02.2015, 22:16	#21
deeprybka /// TB-Ausbilder /// Anleitungs-Guru	Pop Up System32 beim starten des PC verschwindet sofort wieder PC ist sehr langsam geworden. Ok. Aber wie gesagt, es scheint nicht an Malware etc. zu liegen. Der PC ist ja sauber... __________________ --> Pop Up System32 beim starten des PC verschwindet sofort wieder PC ist sehr langsam geworden.

Pop Up System32 beim starten des PC verschwindet sofort wieder PC ist sehr langsam geworden.

Log-Analyse und Auswertung: Pop Up System32 beim starten des PC verschwindet sofort wieder PC ist sehr langsam geworden.