26.10.2020, 18:39
#11 Winkelfunktion
TB-Süch-Tiger™
TR/AD.Firehooker.BU

Scripting/Repair with FRST64

Copy the entire contents of the following code box:

Code:
Start::
CloseProcesses:
Virustotal: C:\ProgramData\Package Cache\{E744E07E-2B6E-4056-B6F4-E66E57627248}\{011AFFE6-A17F-4D3E-9100-930346FAECD4}
Virustotal: C:\WINDOWS\Installer\{CB249B03-5AD7-4E91-BB5D-252FC2D9D100}\{27D839DB-1A4B-475E-8CC0-16785EC2BC89}
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [704720 2020-09-22] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Beschränkung <==== ACHTUNG
HKU\S-1-5-21-2257729394-1977194822-4025707799-1005\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [27775672 2020-04-27] (Piriform Software Ltd -> Piriform Software Ltd)
HKU\S-1-5-21-2257729394-1977194822-4025707799-1005\...\Run: [] => [X]
GroupPolicy: Beschränkung - Chrome <==== ACHTUNG
HKLM\SOFTWARE\Policies\Google: Beschränkung <==== ACHTUNG
HKLM\SOFTWARE\Policies\Microsoft\Edge: Beschränkung <==== ACHTUNG
Task: {5805AFDA-FAF0-43BE-AD3C-E2025EF7E106} - System32\Tasks\CommonLog(ClipSVC) => C:\Program Files (x86)\nodejs\node.exe [15017624 2017-05-02] (Node.js Foundation -> Node.js) -> C:\WINDOWS\Installer\{CB249B03-5AD7-4E91-BB5D-252FC2D9D100}\{27D839DB-1A4B-475E-8CC0-16785EC2BC89} <==== ACHTUNG
Task: {6B3C486F-3E43-4E3D-B4CD-EC4BC7CADECB} - System32\Tasks\AviraSystemSpeedupUpdate => C:\ProgramData\Avira\SystemSpeedup\Update\avira_speedup_setup_update.exe [30106496 2020-10-10] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
Task: {76615F7E-F15C-4A7C-88C4-796E0BDD16C3} - System32\Tasks\Avira_Antivirus_Systray => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [2649200 2020-09-24] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
Task: {7ED1BF45-6801-4962-A4F7-C4F9A49D53CA} - System32\Tasks\Avira_Security_Update => C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Common.Updater.exe [230120 2020-10-19] (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG)
Task: {95F99347-FC44-422A-A11F-4B97E1B7A5B1} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [23571128 2020-04-27] (Piriform Software Ltd -> Piriform Software Ltd)
Task: {B76EB90D-080C-46E5-869F-90CBE243B289} - System32\Tasks\Anmelde-Assistent Microsoft Hypervisor_Virtual => C:\Program Files (x86)\nodejs\node.exe [15017624 2017-05-02] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{E744E07E-2B6E-4056-B6F4-E66E57627248}\{011AFFE6-A17F-4D3E-9100-930346FAECD4}" <==== ACHTUNG
Task: {EA0D151E-7AB2-410C-A97B-7B60F0C510A3} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [686384 2020-04-27] (Piriform Software Ltd -> Piriform Software Ltd)
FF user.js: detected! => C:\Users\finle\AppData\Roaming\Mozilla\Firefox\Profiles\iy1m8tt1.default\user.js [2020-10-10]
FF NewTab: Mozilla\Firefox\Profiles\iy1m8tt1.default -> https://defaultsearch.co/homepage?hp=1&pId=AC191101&iDate=2020-08-14 11:11:22&bName=&bitmask=0600
FF HKLM\...\Firefox\Extensions: [{24754FC9-762E-4F27-92C5-37EC6DC3CA14}] - C:\WINDOWS\Installer\{390442D3-9A47-417F-8E7D-053E2826C639}\{24754FC9-762E-4F27-92C5-37EC6DC3CA14}.xpi
FF Extension: ( ) - C:\WINDOWS\Installer\{390442D3-9A47-417F-8E7D-053E2826C639}\{24754FC9-762E-4F27-92C5-37EC6DC3CA14}.xpi [2020-10-10]
FF HKLM-x32\...\Firefox\Extensions: [{24754FC9-762E-4F27-92C5-37EC6DC3CA14}] - C:\WINDOWS\Installer\{390442D3-9A47-417F-8E7D-053E2826C639}\{24754FC9-762E-4F27-92C5-37EC6DC3CA14}.xpi
FF Plugin-x32: @java.com/DTPlugin,version=11.261.2 -> C:\Program Files (x86)\Java\jre1.8.0_261\bin\dtplugin\npDeployJava1.dll [2020-07-23] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.261.2 -> C:\Program Files (x86)\Java\jre1.8.0_261\bin\plugin2\npjp2.dll [2020-07-23] (Oracle America, Inc. -> Oracle Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2020-09-11] (Adobe Inc. -> Adobe Systems Inc.)
C:\ProgramData\Package Cache\{E744E07E-2B6E-4056-B6F4-E66E57627248}
C:\WINDOWS\Installer\{CB249B03-5AD7-4E91-BB5D-252FC2D9D100}
C:\Users\finle\AppData\Local\Google\Chrome\User Data\Default\Extensions\caljgklbbfbcjjanaijlacgncafpegll
C:\Users\finle\AppData\Local\Google\Chrome\User Data\Default\Extensions\ccbpbkebodcjkknkfkpmfeciinhidaeh
AV: Avira Antivirus (Enabled - Up to date) {88AE6B46-DC3C-455A-A21B-085F285A3546}
AS: Avira Antivirus (Enabled - Up to date) {33CF8AA2-FA06-4AD4-98AB-332D53DD7FFB}
C:\ProgramData\Avira
C:\Program Files (x86)\Avira
C:\Program Files\CCleaner
C:\Users\AllUserName\AppData\Local\Avira
C:\WINDOWS\system32\Tasks\Avira*
C:\Program Files (x86)\nodejs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js
DeleteKey: HKLM\SOFTWARE\Node.js
DeleteKey: HKLM\SOFTWARE\WOW6432Node\Node.js
DeleteKey: HKLM\SOFTWARE\Classes\Installer\Products\4D45993E1218CF443A3DFD6652D48B19
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4D45993E1218CF443A3DFD6652D48B19
DeleteKey: HKU\.DEFAULT\Software\Node.js
DeleteKey: HKCU\SOFTWARE\Node.js
DeleteKey: HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E39954D4-8121-44FC-A3D3-DF66254DB891}
DeleteKey: HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
DeleteKey: HKU\S-1-5-18\Software\OCS
DeleteKey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
cmd: netsh advfirewall reset
emptytemp:
End::
Now start FRST and click the Fix (Reparieren) button directly.

Important: You do not need to paste the contents of the code box anywhere, because FRST takes the code from the clipboard! The tool carries out the requested steps and creates a fixlog.txt in the same directory where FRST is located. Your computer may need to be restarted. Post the contents of fixlog.txt in your next reply.
__________________
Please always post log files in CODE tags
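
A triage check for the pattern the fixlist above removes, added here as an example and not part of the original post or of FRST: it parses FRST `Task:` lines and flags scheduled tasks where a script host is started with a GUID-named, extensionless file as its argument. The sample lines, the function names and the `SCRIPT_HOSTS` list are assumptions made for this example; only `node.exe` appears in the post.

```python
import ntpath
import re

# Layout of one FRST "Task:" line as it appears in the fixlist:
# Task: {id} - task path => executable [size date] (signer) [-> argument] [<==== marker]
TASK_RE = re.compile(
    r"^Task: (?P<id>\{[0-9A-Fa-f-]{36}\}) - (?P<name>.+?) => (?P<exe>.+?) "
    r"\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<signer>.*?)\)"
    r"(?: -> (?P<arg>.*?))?(?:\s*<==== \w+)?\s*$"
)
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Assumption: script hosts worth checking; only node.exe occurs in the post.
SCRIPT_HOSTS = {"node.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def parse_task(line):
    """Return the fields of a FRST Task line as a dict, or None if it is not one."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    task = m.groupdict()
    # The argument is optional and is sometimes wrapped in double quotes.
    task["arg"] = (task["arg"] or "").strip().strip('"')
    return task


def suspicious_tasks(log_text):
    """List (task name, host, argument) where a script host runs a GUID-named file."""
    hits = []
    for line in log_text.splitlines():
        task = parse_task(line)
        if not task or not task["arg"]:
            continue
        host = ntpath.basename(task["exe"]).lower()
        target = ntpath.basename(task["arg"])
        # A validly signed interpreter says nothing about the script it is handed.
        if host in SCRIPT_HOSTS and GUID_NAME.match(target):
            hits.append((ntpath.basename(task["name"]), host, task["arg"]))
    return hits


# Constructed sample in the FRST Task format (names and GUIDs invented for this example).
SAMPLE = r"""
Task: {11111111-2222-4333-8444-555555555555} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\updater.exe [123456 2020-01-01] (Example Ltd -> Example Ltd)
Task: {AAAAAAAA-BBBB-4CCC-8DDD-EEEEEEEEEEEE} - System32\Tasks\ExampleLog(Svc) => C:\Program Files (x86)\nodejs\node.exe [15017624 2017-05-02] (Node.js Foundation -> Node.js) -> "C:\ProgramData\Package Cache\{01234567-89AB-4CDE-8F01-23456789ABCD}\{FEDCBA98-7654-4321-8FED-CBA987654321}" <==== ACHTUNG
"""

if __name__ == "__main__":
    for name, host, arg in suspicious_tasks(SAMPLE):
        print(f"{name}: {host} runs {arg}")
```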