Interpol Trojaner Windows 7

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-10-2014
Ran by SYSTEM on MININT-9CK0QIG on 26-10-2014 22:06:54
Running from H:\
Platform: Windows 7 Ultimate (X64) OS Language: Deutsch (Deutschland)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: hxxp://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11613288 2010-11-19] (Realtek Semiconductor)
HKLM\...\Run: [XboxStat] => C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe [825184 2009-10-01] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641664 2012-04-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [10752 2012-02-20] ()
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => "D:\Programme\iTunes\iTunesHelper.exe"
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [751184 2014-08-04] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-05-07] (Oracle Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$4c894316ff40947cb156c57739e72c4f\n. ATTENTION! ====> ZeroAccess?
HKU\ILLERMC\...\Run: [RGSC] => D:\GAMES\RockstarGamesSocialClub\Rockstar Games Social Club\RGSCLauncher.exe /silent
HKU\ILLERMC\...\Run: [AdobeBridge] => [X]
HKU\ILLERMC\...\Run: [icq] => C:\Users\ILLERMC\AppData\Roaming\ICQM\icq.exe [28698984 2013-10-14] (ICQ)
HKU\ILLERMC\...\Run: [LiveSupport] => "C:\Program Files (x86)\LiveSupport\LiveSupport.exe" /noshow /log
HKU\ILLERMC\...\Policies\Explorer: [DisallowRun] 1
Startup: C:\Users\ILLERMC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\net.lnk
ShortcutTarget: net.lnk -> C:\Users\ILLERMC\AppData\Roaming\Windows Net Data\net.exe (Windows Net)
Startup: C:\Users\ILLERMC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\ProgramData\8B307153.cpp (Microsoft Corporation)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [430160 2014-08-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [430160 2014-08-04] (Avira Operations GmbH & Co. KG)
S2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-01-21] ()
S2 syshost32; C:\Windows\Installer\{C70AD087-5EFA-43BA-7696-8BE7565E0AF1}\syshost.exe [69120 2014-01-27] (TorchSoft)
S2 Winmgmt; C:\ProgramData\351703B8.dot [332800 2014-10-26] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S0 141dc5b06e7e9c6c; C:\Windows\System32\Drivers\141dc5b06e7e9c6c.sys [85968 2012-09-14] () <===== ATTENTION Necurs Rootkit?
S0 asahci64; C:\Windows\System32\DRIVERS\asahci64.sys [36448 2011-03-23] (Asmedia Technology)
S3 AtiDCM; C:\Users\ILLERMC\AppData\Local\Temp\atdcm64a.sys [28896 2014-04-18] (Advanced Micro Devices, Inc.)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [117712 2014-07-12] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [130584 2014-06-19] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-06-19] (Avira Operations GmbH & Co. KG)
S3 RTL8192su; system32\DRIVERS\RTL8192su.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-26 22:06 - 2014-10-26 22:06 - 00000000 ____D () C:\FRST
2014-10-26 09:57 - 2014-10-26 09:57 - 00332800 ____T () C:\ProgramData\351703B8.dot
2014-10-26 09:57 - 2014-10-26 09:57 - 00237752 _____ (Microsoft Corporation) C:\ProgramData\8B307153.cpp
2014-10-14 12:14 - 2014-10-14 12:14 - 00000000 _____ () C:\Users\ILLERMC\AppData\Local\{F59A9BF0-C351-4721-8699-00BB88C293BB}

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-26 21:33 - 2013-08-03 11:31 - 00001106 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-26 21:33 - 2013-06-26 16:26 - 00000372 _____ () C:\Windows\Tasks\LyricsTab Update.job
2014-10-26 21:33 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-26 21:33 - 2009-07-14 05:51 - 00085082 _____ () C:\Windows\setupact.log
2014-10-26 19:11 - 2009-07-14 05:45 - 00014192 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-26 19:11 - 2009-07-14 05:45 - 00014192 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-26 18:46 - 2013-04-06 13:54 - 00000884 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-26 18:27 - 2009-07-14 18:58 - 01832686 _____ () C:\Windows\System32\perfh007.dat
2014-10-26 18:27 - 2009-07-14 18:58 - 00500954 _____ () C:\Windows\System32\perfc007.dat
2014-10-26 18:27 - 2009-07-14 06:13 - 00006208 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-26 18:22 - 2009-07-14 06:08 - 00032632 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-26 11:13 - 2013-08-03 11:32 - 00001110 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-25 00:36 - 2012-06-08 17:28 - 00000000 ____D () C:\Users\ILLERMC\AppData\Roaming\vlc
2014-10-24 18:18 - 2013-04-15 04:03 - 00000000 ____D () C:\Program Files (x86)\JDownloader
2014-10-24 03:50 - 2012-06-08 16:40 - 00000000 ____D () C:\Users\ILLERMC\AppData\Roaming\Adobe
2014-10-22 16:27 - 2012-08-14 00:10 - 00000000 ____D () C:\Users\ILLERMC\AppData\Roaming\FileZilla
2014-10-20 16:07 - 2012-07-20 16:17 - 00000021 _____ () C:\Windows\SurCode.INI
2014-10-20 16:07 - 2010-09-20 04:39 - 00000000 ___HD () C:\Users\ILLERMC\AppData\Local\G58wHpXtrsAJ
2014-10-14 18:08 - 2013-08-03 11:32 - 00004106 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-14 18:08 - 2013-08-03 11:31 - 00003854 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-08 23:09 - 2014-01-21 19:36 - 00281688 _____ () C:\Windows\SysWOW64\PnkBstrB.exe
2014-10-08 23:09 - 2014-01-21 19:35 - 00281688 _____ () C:\Windows\SysWOW64\PnkBstrB.xtr

2014-10-07 19:05 - 2012-06-08 17:24 - 00000000 ____D () C:\temp


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4097170985-2694539900-2296973922-1000\$4c894316ff40947cb156c57739e72c4f

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$4c894316ff40947cb156c57739e72c4f

Some content of TEMP:
====================
C:\Users\ILLERMC\AppData\Local\Temp\amazonicon_v4.exe
C:\Users\ILLERMC\AppData\Local\Temp\AskSLib.dll
C:\Users\ILLERMC\AppData\Local\Temp\avgnt.exe
C:\Users\ILLERMC\AppData\Local\Temp\bassmod.dll
C:\Users\ILLERMC\AppData\Local\Temp\bitool.dll
C:\Users\ILLERMC\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\ILLERMC\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\ILLERMC\AppData\Local\Temp\LiveSupport_setup.exe
C:\Users\ILLERMC\AppData\Local\Temp\nsb3B1F.exe
C:\Users\ILLERMC\AppData\Local\Temp\nsh27BD.exe
C:\Users\ILLERMC\AppData\Local\Temp\nsh3C78.exe
C:\Users\ILLERMC\AppData\Local\Temp\nsm2915.exe
C:\Users\ILLERMC\AppData\Local\Temp\nspC5DF.exe
C:\Users\ILLERMC\AppData\Local\Temp\OptimizerPro.exe
C:\Users\ILLERMC\AppData\Local\Temp\RPHS.dll
C:\Users\ILLERMC\AppData\Local\Temp\sdanircmdc.exe
C:\Users\ILLERMC\AppData\Local\Temp\sdapskill.exe
C:\Users\ILLERMC\AppData\Local\Temp\sdaspwn.exe
C:\Users\ILLERMC\AppData\Local\Temp\shwlrcs.exe
C:\Users\ILLERMC\AppData\Local\Temp\SSStub_Somo_SpeedyPC.exe
C:\Users\ILLERMC\AppData\Local\Temp\susuTmp.exe
C:\Users\ILLERMC\AppData\Local\Temp\UpdateCheckerSetup.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!

==================== Restore Points  =========================

Restore point made on: 2014-10-22 12:21:09

==================== Memory info =========================== 

Percentage of memory in use: 9%
Total physical RAM: 8173.22 MB
Available physical RAM: 7375.85 MB
Total Pagefile: 8171.37 MB
Available Pagefile: 7375.94 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: (Win7) (Fixed) (Total:99.9 GB) (Free:3.8 GB) NTFS
Drive e: (Kram) (Fixed) (Total:400 GB) (Free:121.21 GB) NTFS
Drive f: (MELOMUSIC) (Fixed) (Total:431.51 GB) (Free:342.26 GB) NTFS
Drive h: (TOSHIBA) (Removable) (Total:7.21 GB) (Free:7.21 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 479B38BA)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=99.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=400 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=431.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7.2 GB) (Disk ID: 3557270B)
Partition 1: (Not Active) - (Size=7.2 GB) - (Type=0B)


LastRegBack: 2014-10-26 10:42

==================== End Of Log ============================