Trojaner-Board - Avira meldet Zugriff auf Registry wurde blockiert, Windows Log File zeigt asiatische Zeichen an

Hallo schrauber

bei der frst.txt ist mir direkt etwas aufgefallen. In den Files im letzten Monat bearbeitet tauchen diese hier auf:
2015-03-18 17:09 - 2010-11-21 08:50 - 00698688 _____ () C:\Windows\system32\perfh007.dat
2015-03-18 17:09 - 2010-11-21 08:50 - 00148828 _____ () C:\Windows\system32\perfc007.dat

Klingt ziemlich nach der preflib und die 007 kam auch in der Registry vor. Vielleicht Zufall, vielleicht auch nicht.

Anmerkung, diese Files sind von mir (export und Sicherung):
2015-04-10 15:40 - 2015-04-10 15:40 - 00069632 _____ () C:\Users\Admin\Documents\china.evtx
2015-04-10 15:39 - 2015-04-10 15:39 - 17263248 _____ () C:\Users\Admin\Documents\preflib.reg
2015-04-10 15:38 - 2015-04-10 15:38 - 17265000 _____ () C:\Users\Admin\Documents\preflib_x64.reg

FRST Logfile:

FRST Logfile:

Code:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015

Ran by Admin (administrator) on SANDBOX on 11-04-2015 07:53:09

Running from C:\Users\Admin\Downloads

Loaded Profiles: Admin (Available profiles: Admin)

Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: Deutsch (Deutschland)

Internet Explorer Version 11 (Default browser: FF)

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 

==================== Processes (Whitelisted) =================
 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(Realtek Semiconductor Corp.) C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Geek Software GmbH) C:\Program Files (x86)\PDF24\pdf24.exe

(Horizon Datasys, Inc.) C:\Program Files\Shield\ShdServ.exe

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
 
 

==================== Registry (Whitelisted) ==================
 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe [2907240 2010-10-04] (Realtek Semiconductor Corp.)

HKLM\...\Run: [Shield] => C:\Program Files\Shield\shdtray.exe [72728 2014-12-05] (Horizon Datasys, Inc.)

HKLM-x32\...\Run: [PDFPrint] => C:\Program Files (x86)\PDF24\pdf24.exe [193568 2014-11-28] (Geek Software GmbH)

HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [726320 2015-04-10] (Avira Operations GmbH & Co. KG)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKU\S-1-5-21-1948373623-948986961-338287050-1000\...\MountPoints2: {92196ac5-7aeb-11e4-ae84-806e6f6e6963} - D:\CH-Fahrschule.exe

BootExecute: ShdSyncautocheck autochk * 
 

==================== Internet (Whitelisted) ====================
 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 

HKU\S-1-5-21-1948373623-948986961-338287050-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKU\S-1-5-21-1948373623-948986961-338287050-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/de-ch/?ocid=iehp

BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-31] (Oracle Corporation)

BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-31] (Oracle Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 

FireFox:

========

FF ProfilePath: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg202ews.default

FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_134.dll [2015-04-01] ()

FF Plugin: @microsoft.com/GENUINE -> disabled No File

FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_134.dll [2015-04-01] ()

FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()

FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-31] (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-31] (Oracle Corporation)

FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-11] (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-11] (Google Inc.)

FF Extension: Avira Browser Safety - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg202ews.default\Extensions\abs@avira.com [2015-04-01]

FF Extension: Disconnect - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg202ews.default\Extensions\2.0@disconnect.me.xpi [2014-12-03]

FF Extension: NoScript - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg202ews.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-12-03]

FF Extension: Adblock Edge - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eg202ews.default\Extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi [2014-12-03]
 

Chrome: 

=======

CHR Profile: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google Slides) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-03]

CHR Extension: (Google Docs) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-03]

CHR Extension: (Google Drive) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-03]

CHR Extension: (YouTube) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-03]

CHR Extension: (Google Search) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-03]

CHR Extension: (Google Sheets) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-03]

CHR Extension: (Avira Browser Safety) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2014-12-03]

CHR Extension: (AdBlock) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-12-03]

CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-17]

CHR Extension: (Google Wallet) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-03]

CHR Extension: (Gmail) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-03]

CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
 

==================== Services (Whitelisted) =================
 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 

S2 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [815920 2015-04-10] (Avira Operations GmbH & Co. KG)

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [434424 2015-04-10] (Avira Operations GmbH & Co. KG)

R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [434424 2015-04-10] (Avira Operations GmbH & Co. KG)

S2 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [1004280 2015-04-10] (Avira Operations GmbH & Co. KG)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)

R2 ShdServ; C:\Program Files\Shield\shdserv.exe [232984 2014-12-05] (Horizon Datasys, Inc.)

S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 

==================== Drivers (Whitelisted) ====================
 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [128536 2015-03-17] (Avira Operations GmbH & Co. KG)

R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132120 2015-03-17] (Avira Operations GmbH & Co. KG)

R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2015-03-17] (Avira Operations GmbH & Co. KG)

R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [44088 2015-03-17] (Avira Operations GmbH & Co. KG)

R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [1980648 2010-10-04] (Realtek Semiconductor Corp.)

R0 Shdbus; C:\Windows\System32\DRIVERS\Shdbus.sys [30232 2014-12-05] (Horizon Datasys, Inc.)

R0 Shield; C:\Windows\System32\DRIVERS\shield.sys [76312 2014-12-05] (Horizon Datasys, Inc.)

R0 Shieldf; C:\Windows\System32\DRIVERS\Shieldf.sys [32280 2014-12-05] (Horizon Datasys, Inc.)

R0 Shieldm; C:\Windows\System32\DRIVERS\Shieldm.sys [35352 2014-12-05] (Horizon Datasys, Inc.)
 

==================== NetSvcs (Whitelisted) ===================
 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 

==================== One Month Created Files and Folders ========
 

(If an entry is included in the fixlist, the file\folder will be moved.)
 

2015-04-11 07:53 - 2015-04-11 07:53 - 00010021 _____ () C:\Users\Admin\Downloads\FRST.txt

2015-04-11 07:52 - 2015-04-11 07:53 - 00000000 ____D () C:\FRST

2015-04-11 07:52 - 2015-04-11 07:52 - 02095616 _____ (Farbar) C:\Users\Admin\Downloads\FRST64.exe

2015-04-10 16:20 - 2015-04-10 16:20 - 00000000 ____D () C:\Users\Admin\Documents\bami

2015-04-10 16:16 - 2015-04-10 16:16 - 00443242 _____ () C:\Windows\PFRO.log

2015-04-10 16:07 - 2015-04-10 16:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira

2015-04-10 16:06 - 2015-04-10 16:08 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Avira

2015-04-10 16:05 - 2015-04-10 16:07 - 00000000 ____D () C:\ProgramData\Avira

2015-04-10 16:05 - 2015-04-10 16:05 - 00000000 ____D () C:\Program Files (x86)\Avira

2015-04-10 16:05 - 2015-03-17 13:01 - 00132120 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys

2015-04-10 16:05 - 2015-03-17 13:01 - 00128536 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys

2015-04-10 16:05 - 2015-03-17 13:01 - 00044088 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys

2015-04-10 16:05 - 2015-03-17 13:01 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys

2015-04-10 15:40 - 2015-04-10 15:40 - 00069632 _____ () C:\Users\Admin\Documents\china.evtx

2015-04-10 15:39 - 2015-04-10 15:39 - 17263248 _____ () C:\Users\Admin\Documents\preflib.reg

2015-04-10 15:38 - 2015-04-10 15:38 - 17265000 _____ () C:\Users\Admin\Documents\preflib_x64.reg

2015-04-10 15:25 - 2015-04-11 07:43 - 00000907 _____ () C:\Windows\setupact.log

2015-04-10 15:25 - 2015-04-10 15:25 - 00000000 _____ () C:\Windows\setuperr.log

2015-04-10 15:11 - 2015-04-10 15:11 - 00000000 ____D () C:\Windows\system32\appmgmt

2015-04-10 14:16 - 2015-04-10 14:20 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Apple Computer

2015-04-10 14:16 - 2015-04-10 14:16 - 00001753 _____ () C:\Users\Public\Desktop\iTunes.lnk

2015-04-10 14:16 - 2015-04-10 14:16 - 00000000 ____D () C:\Users\Admin\AppData\Local\Apple Computer

2015-04-10 14:16 - 2015-04-10 14:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes

2015-04-10 14:16 - 2012-10-03 16:14 - 00033240 _____ (GEAR Software Inc.) C:\Windows\system32\Drivers\GEARAspiWDM.sys

2015-04-10 14:15 - 2015-04-10 14:16 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7

2015-04-10 14:15 - 2015-04-10 14:16 - 00000000 ____D () C:\Program Files\iTunes

2015-04-10 14:15 - 2015-04-10 14:15 - 00000000 ____D () C:\ProgramData\Apple Computer

2015-04-10 14:15 - 2015-04-10 14:15 - 00000000 ____D () C:\Program Files\iPod

2015-04-10 14:15 - 2015-04-10 14:15 - 00000000 ____D () C:\Program Files (x86)\iTunes

2015-04-10 14:13 - 2015-04-10 14:15 - 00000000 ____D () C:\Program Files\Common Files\Apple

2015-04-10 14:13 - 2015-04-10 14:13 - 00000000 ____D () C:\Users\Admin\AppData\Local\Apple

2015-04-10 14:13 - 2015-04-10 14:13 - 00000000 ____D () C:\Program Files\Bonjour

2015-04-10 14:13 - 2015-04-10 14:13 - 00000000 ____D () C:\Program Files (x86)\Bonjour

2015-04-10 14:12 - 2015-04-10 14:13 - 00000000 ____D () C:\ProgramData\Apple

2015-04-10 13:51 - 2015-04-10 13:51 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox

2015-03-31 16:16 - 2015-03-31 16:16 - 00000000 ____D () C:\Users\Admin\.pdfsam

2015-03-31 16:13 - 2015-03-31 16:13 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2015-03-31 16:13 - 2015-03-31 16:13 - 00000000 ____D () C:\ProgramData\Sun

2015-03-31 16:13 - 2015-03-31 16:13 - 00000000 ____D () C:\ProgramData\Oracle

2015-03-31 16:13 - 2015-03-31 16:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2015-03-31 16:13 - 2015-03-31 16:13 - 00000000 ____D () C:\Program Files (x86)\Java

2015-03-31 16:11 - 2015-03-31 16:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Split And Merge Basic

2015-03-31 16:11 - 2015-03-31 16:11 - 00000000 ____D () C:\Program Files (x86)\PDF Split And Merge Basic

2015-03-24 11:57 - 2015-03-24 11:57 - 00000600 _____ () C:\Users\Admin\AppData\Local\PUTTY.RND

2015-03-24 11:27 - 2015-03-24 11:28 - 00001354 _____ () C:\Users\Admin\Desktop\putty.lnk

2015-03-24 11:27 - 2015-03-24 11:27 - 00000000 ____D () C:\Program Files (x86)\putty

2015-03-21 12:09 - 2015-03-21 12:09 - 00000000 ____D () C:\Windows\pss

2015-03-18 17:48 - 2015-03-18 17:48 - 13569522 _____ () C:\Users\Admin\Downloads\gs915w64.exe

2015-03-18 17:48 - 2015-03-18 17:48 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ghostscript

2015-03-18 17:48 - 2015-03-18 17:48 - 00000000 ____D () C:\Program Files\gs
 

==================== One Month Modified Files and Folders =======
 

(If an entry is included in the fixlist, the file\folder will be moved.)
 

2015-04-11 07:51 - 2009-07-14 06:45 - 00021888 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2015-04-11 07:51 - 2009-07-14 06:45 - 00021888 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2015-04-11 07:47 - 2015-02-13 15:34 - 00107576 _____ () C:\Windows\WindowsUpdate.log

2015-04-11 07:43 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2015-04-10 15:24 - 2014-12-03 15:43 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk

2015-04-10 15:24 - 2014-12-03 15:43 - 00000000 ____D () C:\Program Files\CCleaner

2015-04-10 15:17 - 2014-12-03 15:51 - 00000000 ____D () C:\ProgramData\Package Cache

2015-04-10 14:51 - 2015-02-13 15:31 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service

2015-04-10 13:54 - 2014-12-03 15:48 - 00778928 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2015-04-10 13:54 - 2014-12-03 15:48 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2015-04-10 13:54 - 2014-12-03 15:47 - 00000000 ____D () C:\Users\Admin\AppData\Local\Adobe

2015-03-31 16:16 - 2014-12-03 15:04 - 00000000 ____D () C:\Users\Admin

2015-03-24 11:57 - 2015-03-10 13:29 - 00000600 _____ () C:\Users\Admin\AppData\Roaming\winscp.rnd

2015-03-21 12:02 - 2014-12-03 15:46 - 00000000 ____D () C:\Users\Admin\Documents\My Digital Editions

2015-03-18 17:47 - 2014-12-05 10:02 - 00000000 ____D () C:\Users\Admin\AppData\Roaming\Scribus

2015-03-18 17:09 - 2010-11-21 08:50 - 00698688 _____ () C:\Windows\system32\perfh007.dat

2015-03-18 17:09 - 2010-11-21 08:50 - 00148828 _____ () C:\Windows\system32\perfc007.dat

2015-03-18 17:09 - 2009-07-14 07:13 - 01096226 _____ () C:\Windows\system32\PerfStringBackup.INI
 

==================== Files in the root of some directories =======
 

2015-03-10 13:29 - 2015-03-24 11:57 - 0000600 _____ () C:\Users\Admin\AppData\Roaming\winscp.rnd

2015-03-24 11:57 - 2015-03-24 11:57 - 0000600 _____ () C:\Users\Admin\AppData\Local\PUTTY.RND

2015-03-05 18:24 - 2015-03-05 18:24 - 0000218 _____ () C:\Users\Admin\AppData\Local\recently-used.xbel
 

Some content of TEMP:

====================

C:\Users\Admin\AppData\Local\Temp\avgnt.exe
 
 

==================== Bamital & volsnap Check =================
 

(There is no automatic fix for files that do not pass verification.)
 

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 

LastRegBack: 2015-03-31 09:55
 

==================== End Of Log ============================

--- --- ---

--- --- ---

Code:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015

Ran by Admin at 2015-04-11 07:53:47

Running from C:\Users\Admin\Downloads

Boot Mode: Normal

==========================================================
 
 

==================== Security Center ========================
 

(If an entry is included in the fixlist, it will be removed.)
 

AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}

AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}

AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 

==================== Installed Programs ======================
 

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 17.0.0.124 - Adobe Systems Incorporated)

Adobe Digital Editions 2.0 (HKLM-x32\...\Adobe Digital Editions 2.0) (Version: 2.0.1 - Adobe Systems Incorporated)

Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.134 - Adobe Systems Incorporated)

Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.134 - Adobe Systems Incorporated)

Apple Application Support (32-Bit) (HKLM-x32\...\{AFA1153A-F547-409B-B837-3A0D6C5A3FEC}) (Version: 3.1.3 - Apple Inc.)

Apple Application Support (64-Bit) (HKLM\...\{D7B824DE-DA32-4772-9E5E-39C5158136A7}) (Version: 3.1.3 - Apple Inc.)

Apple Mobile Device Support (HKLM\...\{C4123106-B685-48E6-B9BD-E4F911841EB4}) (Version: 8.1.1.3 - Apple Inc.)

Arduino (HKLM-x32\...\Arduino) (Version: 1.6.0 - Arduino LLC)

Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)

Auslogics DiskDefrag (HKLM-x32\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: 5.1.0.0 - Auslogics Labs Pty Ltd)

Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.9.504 - Avira Operations GmbH & Co. KG)

Blender (HKLM\...\Blender) (Version: 2.73a - Blender Foundation)

Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)

calibre 64bit (HKLM\...\{EB3D23E3-91A7-46A0-9D7F-698151973A41}) (Version: 2.12.0 - Kovid Goyal)

CCleaner (HKLM\...\CCleaner) (Version: 5.04 - Piriform)

ClipGrab 3.4.9 (HKLM-x32\...\{8A1033B0-EF33-4FB5-97A1-C47A7DCDD7E6}_is1) (Version:  - Philipp Schmieder Medien)

Convo (HKLM-x32\...\convofy.0F156731A8EDAB9758133E30CA85B43DA5F59D40.1) (Version: 2015012901 - Scrybe, Inc.)

Convo (x32 Version: 255 - Scrybe, Inc.) Hidden

FreeCAD 0.14 - A free open source CAD system (HKLM-x32\...\FreeCAD 0.14) (Version: 0.14.3700 - Juergen Riegel)

GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)

Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.118 - Google Inc.)

Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden

Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden

GPL Ghostscript (HKLM\...\GPL Ghostscript 9.15) (Version: 9.15 - Artifex Software Inc.)

Inkscape 0.91 (HKLM\...\{81922150-317E-4BB0-A31D-FF1C14F707C5}) (Version: 0.91 - inkscape.org)

Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.1.70.1205 - Intel Corporation)

Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: 18.1 - Intel)

Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3517 - Intel Corporation)

Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)

IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.38 - Irfan Skiljan)

iTunes (HKLM\...\{93F2A022-6C37-48B8-B241-FFABD9F60C30}) (Version: 12.1.2.27 - Apple Inc.)

Java 8 Update 40 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)

LibreOffice 4.4.0.3 (HKLM-x32\...\{8BEE1CDD-F95D-4759-952D-6B38DF99D1F0}) (Version: 4.4.0.3 - The Document Foundation)

Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)

Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)

Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{cb41fc68-4442-4f7f-b22f-8f31c74897ac}) (Version: 11.0.51106.1 - Microsoft Corporation)

Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)

Mozilla Firefox 37.0.1 (x86 de) (HKLM-x32\...\Mozilla Firefox 37.0.1 (x86 de)) (Version: 37.0.1 - Mozilla)

Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 35.0.1 - Mozilla)

paint.net (HKLM\...\{19BD2C33-16A8-4ED1-B9EA-D9E35B21EC42}) (Version: 4.0.5 - dotPDN LLC)

PDF Split And Merge Basic (HKLM-x32\...\{9A40D2F8-9458-458B-95E3-B57797C574E1}) (Version: 2.2.4 - Andrea Vacondio)

PDF24 Creator 6.9.2 (HKLM-x32\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version:  - PDF24.org)

Python 2.7 pyserial-2.7 (HKLM-x32\...\pyserial-py2.7) (Version:  - )

Python 2.7.9 (HKLM-x32\...\{79F081BF-7454-43DB-BD8F-9EE596813232}) (Version: 2.7.9150 - Python Software Foundation)

Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5883 - Realtek Semiconductor Corp.)

Reboot Restore Rx (HKLM\...\Shield) (Version: 2.0 - Horizon Datasys, Inc.)

Scribus 1.4.4 (64bit) (HKLM\...\Scribus 1.4.4) (Version: 1.4.4 - The Scribus Team)

Scrivener (HKLM-x32\...\Scrivener 1850) (Version: 1850 - Literature and Latte)

Sigil 0.8.2 (HKLM\...\Sigil_is1) (Version:  - John Schember)

SumatraPDF (HKLM-x32\...\SumatraPDF) (Version: 3.0 - Krzysztof Kowalczyk)

VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)

Win32DiskImager version 0.9.5 (HKLM-x32\...\{D074CE74-912A-4AD3-A0BF-3937D9D01F17}_is1) (Version: 0.9.5 - ImageWriter Developers)

WinSCP 5.7 (HKLM-x32\...\winscp3_is1) (Version: 5.7 - Martin Prikryl)
 

==================== Custom CLSID (selected items): ==========================
 

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 

CustomCLSID: HKU\S-1-5-21-1948373623-948986961-338287050-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InprocServer32 -> C:\Program Files\Blender Foundation\Blender\BlendThumb64.dll ()
 

==================== Restore Points  =========================
 

17-03-2015 10:15:21 Geplanter Prüfpunkt

31-03-2015 10:36:32 Geplanter Prüfpunkt

31-03-2015 16:11:02 Installed PDF Split And Merge Basic

10-04-2015 14:14:05 Installed iTunes

10-04-2015 15:10:11 Removed Apple Software Update
 

==================== Hosts content: ==========================
 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 

==================== Scheduled Tasks (whitelisted) =============
 

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 

Task: {22414C7B-33EA-4E29-91F7-6B1F249CE8FD} - System32\Tasks\Shutdown => shutdown

Task: {37BAC564-C9FA-498A-9C81-8BBF4C3E33BF} - System32\Tasks\shutdown do => shutdown

Task: {5A07AC3B-AC1B-4B26-9468-8C2B8D01C0D9} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-03] (Google Inc.)

Task: {718A76A9-0B33-4D36-B397-18E0DAF5F0FD} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-12-03] (Google Inc.)

Task: {C55008EB-8793-4D74-A1EC-128FFAA3DF28} - System32\Tasks\shutdown sa => shutdown

Task: {E7F0E6F7-7E2C-4488-AF62-C6684A0D531A} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-03-13] (Piriform Ltd)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 

==================== Loaded Modules (whitelisted) ==============
 

2015-03-20 18:12 - 2015-03-20 18:12 - 00085832 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll

2015-03-20 18:12 - 2015-03-20 18:12 - 01346344 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll

2014-07-09 07:16 - 2014-03-20 15:34 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll

2014-12-05 10:25 - 2014-12-05 10:25 - 00015896 _____ () C:\Program Files\Shield\shdservps.dll
 

==================== Alternate Data Streams (whitelisted) =========
 

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 

==================== Safe Mode (whitelisted) ===================
 

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 

==================== EXE Association (whitelisted) ===============
 

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 

==================== Other Areas ============================
 

(Currently there is no automatic fix for this section.)
 

HKU\S-1-5-21-1948373623-948986961-338287050-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

DNS Servers: 192.168.1.1
 

==================== MSCONFIG/TASK MANAGER disabled items ==
 

(Currently there is no automatic fix for this section.)
 

MSCONFIG\startupfolder: C:^Users^Admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Convo.lnk => C:\Windows\pss\Convo.lnk.Startup

MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR

MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"

MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
 

==================== Accounts: =============================
 

Admin (S-1-5-21-1948373623-948986961-338287050-1000 - Administrator - Enabled) => C:\Users\Admin

Administrator (S-1-5-21-1948373623-948986961-338287050-500 - Administrator - Disabled)

Gast (S-1-5-21-1948373623-948986961-338287050-501 - Limited - Disabled)
 

==================== Faulty Device Manager Devices =============
 
 

==================== Event log errors: =========================
 

Application errors:

==================

Error: (04/11/2015 07:47:53 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3001) (User: NT-AUTORITÄT)

Description: Die Namenszeichenfolgenwert für den Leistungsindikator in der Registrierung ist falsch formatiert. Die falsch formatierte Zeichenfolge ist "㧼㨜㨤㨬㨼㩈㩨㩴㪔㪜㪤㪰㫐㫘㫬㫸㬀㬘㬠㬨㬸㭀㭈㭐㭘㭠㭨㭰㭸㮀㮈㮐㮘㮠㮨㮰㮸㯈㯐㯘㯠㯬㯴㰘㰬㰼㱄㱌㱔㱬㱴㱼㲌㲔㲜㲤㲰㲸㳜㳰㴈㴐㴘㴰㴸㵀㵈㵜㵤㵬㵴㵸㶀㶔㶤㶸㷀㷜㷤㸄㸘㸠㸼㹄㹠㺀㺈㺐㺘㺠㺨㺰㺸㻀㻈㻐㻘㻠㻨㻰㻸㼀㼈㼔㼴㽀㽨㾌㾘㾠㿀㿤㿰㿸ꀀǴ". Das erste DWORD im Datenbereich enthält den Indexwert für die falsch formatierte Zeichenfolge, während das zweite und dritte DWORD im Datenbereich die letzten gültigen Indexwerte enthalten.
 

Error: (04/11/2015 07:44:40 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 

Error: (04/10/2015 04:17:53 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 

System errors:

=============

Error: (04/11/2015 07:43:14 AM) (Source: EventLog) (EventID: 6008) (User: )

Description: Das System wurde zuvor am ‎10.‎04.‎2015 um 16:19:36 unerwartet heruntergefahren.
 

Error: (04/10/2015 04:16:36 PM) (Source: EventLog) (EventID: 6008) (User: )

Description: Das System wurde zuvor am ‎10.‎04.‎2015 um 16:13:13 unerwartet heruntergefahren.
 
 

Microsoft Office Sessions:

=========================

Error: (04/11/2015 07:47:53 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3001) (User: NT-AUTORITÄT)

Description: 㧼㨜㨤㨬㨼㩈㩨㩴㪔㪜㪤㪰㫐㫘㫬㫸㬀㬘㬠㬨㬸㭀㭈㭐㭘㭠㭨㭰㭸㮀㮈㮐㮘㮠㮨㮰㮸㯈㯐㯘㯠㯬㯴㰘㰬㰼㱄㱌㱔㱬㱴㱼㲌㲔㲜㲤㲰㲸㳜㳰㴈㴐㴘㴰㴸㵀㵈㵜㵤㵬㵴㵸㶀㶔㶤㶸㷀㷜㷤㸄㸘㸠㸼㹄㹠㺀㺈㺐㺘㺠㺨㺰㺸㻀㻈㻐㻘㻠㻨㻰㻸㼀㼈㼔㼴㽀㽨㾌㾘㾠㿀㿤㿰㿸ꀀǴ16000000009E2500009F250000600B0000
 

Error: (04/11/2015 07:44:40 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 

Error: (04/10/2015 04:17:53 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 

==================== Memory info =========================== 
 

Processor: Intel(R) Core(TM) i3-2120 CPU @ 3.30GHz

Percentage of memory in use: 32%

Total physical RAM: 3977.02 MB

Available physical RAM: 2670.58 MB

Total Pagefile: 7952.23 MB

Available Pagefile: 6438.21 MB

Total Virtual: 8192 MB

Available Virtual: 8191.81 MB
 

==================== Drives ================================
 

Drive c: () (Fixed) (Total:232.88 GB) (Free:189.27 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
 

==================== MBR & Partition Table ==================
 

========================================================

Disk: 0 (Size: 232.9 GB) (Disk ID: CA4ACA4A)

Partition 1: (Active) - (Size=232.9 GB) - (Type=07 NTFS)
 

==================== End Of Log ============================

Die Festplatte hat meistens einen Schreibschutz aktiv, der durch die Software "RebootRestore" (Link zum Hersteller) ermöglicht wird. Damit eben getestete Änderungen nicht übernommen werden, aber für bestimmte Sachen wird der Schutz hin und wieder deaktiviert. Der PC ist zwar nur eine Sandbox und ich habe ein Image zur Hand, aber mich würde es dennoch interessieren, ob eines der Programme dafür verantwortlich ist, weil dann bringt mir das Image auch nichts auf lange Sicht.

Danke vielmals!