Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-12-2013
Ran by mati at 2013-12-10 17:26:42 Run:2
Running from C:\Users\mati\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
CMD: netstat -ano
CMD: tasklist /svc
Reg: reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
Reg: reg delete HKLM\SOFTWARE\Mozilla\Thunderbird /f
AppInit_DLLs-x32: system32\aakah.dll [ ] ()
S2 aakah; \??\C:\Windows\system32\aakah.sys [x]
S2 aakbdrv; \??\C:\Windows\system32\aakbdrv.sys [x]
C:\Windows\SysWOW64\aakah.dll
C:\Windows\SysWOW64\lqoe89kr.lwp
C:\Users\mati\Downloads\advanced-anti-keylogger.zip
C:\Users\mati\Downloads\advanced-anti-keylogger(1).zip
C:\Users\mati\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Advanced Anti Keylogger
C:\Users\mati\AppData\Roaming\ESET
C:\Users\mati\AppData\Local\ESET
*****************

========= netstat -ano =========

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       496
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       440
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       580
  TCP    0.0.0.0:1044           0.0.0.0:0              LISTENING       552
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12025          0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:12110          0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:12119          0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:12143          0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:12465          0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:12563          0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:12993          0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:12995          0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:27275          0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:1029         127.0.0.1:1030         ESTABLISHED     1852
  TCP    127.0.0.1:1030         127.0.0.1:1029         ESTABLISHED     1852
  TCP    127.0.0.1:1031         127.0.0.1:5354         ESTABLISHED     2008
  TCP    127.0.0.1:1032         127.0.0.1:5354         ESTABLISHED     2008
  TCP    127.0.0.1:1170         127.0.0.1:1171         ESTABLISHED     3988
  TCP    127.0.0.1:1171         127.0.0.1:1170         ESTABLISHED     3988
  TCP    127.0.0.1:1172         127.0.0.1:12080        ESTABLISHED     3988
  TCP    127.0.0.1:1174         127.0.0.1:12080        ESTABLISHED     3988
  TCP    127.0.0.1:1175         127.0.0.1:12080        ESTABLISHED     3988
  TCP    127.0.0.1:1181         127.0.0.1:12080        ESTABLISHED     3988
  TCP    127.0.0.1:1182         127.0.0.1:12080        ESTABLISHED     3988
  TCP    127.0.0.1:1186         127.0.0.1:12080        ESTABLISHED     3988
  TCP    127.0.0.1:1192         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:1193         127.0.0.1:12080        TIME_WAIT       0
  TCP    127.0.0.1:1200         127.0.0.1:12080        ESTABLISHED     3988
  TCP    127.0.0.1:1206         127.0.0.1:1207         TIME_WAIT       0
  TCP    127.0.0.1:1214         127.0.0.1:1215         TIME_WAIT       0
  TCP    127.0.0.1:1223         127.0.0.1:1224         TIME_WAIT       0
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1324
  TCP    127.0.0.1:5354         127.0.0.1:1031         ESTABLISHED     1324
  TCP    127.0.0.1:5354         127.0.0.1:1032         ESTABLISHED     1324
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:12080        127.0.0.1:1065         ESTABLISHED     1264
  TCP    127.0.0.1:12080        127.0.0.1:1067         ESTABLISHED     1264
  TCP    127.0.0.1:12080        127.0.0.1:1172         ESTABLISHED     1264
  TCP    127.0.0.1:12080        127.0.0.1:1174         ESTABLISHED     1264
  TCP    127.0.0.1:12080        127.0.0.1:1175         ESTABLISHED     1264
  TCP    127.0.0.1:12080        127.0.0.1:1181         ESTABLISHED     1264
  TCP    127.0.0.1:12080        127.0.0.1:1182         ESTABLISHED     1264
  TCP    127.0.0.1:12080        127.0.0.1:1186         ESTABLISHED     1264
  TCP    127.0.0.1:12080        127.0.0.1:1200         ESTABLISHED     1264
  TCP    127.0.0.1:12080        127.0.0.1:1208         TIME_WAIT       0
  TCP    127.0.0.1:12080        127.0.0.1:1212         TIME_WAIT       0
  TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:12119        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:12143        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:12465        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:12563        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:12993        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:12995        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING       2008
  TCP    127.0.0.1:27275        0.0.0.0:0              LISTENING       1264
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.1.100:1038     77.234.42.51:80        ESTABLISHED     1264
  TCP    192.168.1.100:1068     65.54.89.159:80        CLOSE_WAIT      1264
  TCP    192.168.1.100:1173     85.17.248.242:80       ESTABLISHED     1264
  TCP    192.168.1.100:1177     46.28.246.108:443      ESTABLISHED     3988
  TCP    192.168.1.100:1178     173.194.112.15:443     ESTABLISHED     3988
  TCP    192.168.1.100:1179     68.232.35.121:80       CLOSE_WAIT      1264
  TCP    192.168.1.100:1180     85.17.248.242:80       ESTABLISHED     1264
  TCP    192.168.1.100:1183     46.28.246.119:80       CLOSE_WAIT      1264
  TCP    192.168.1.100:1184     46.28.246.119:80       CLOSE_WAIT      1264
  TCP    192.168.1.100:1199     85.17.248.242:80       ESTABLISHED     1264
  TCP    192.168.1.100:1201     31.13.81.97:80         ESTABLISHED     1264
  TCP    192.168.1.100:1202     173.194.70.84:443      ESTABLISHED     3988
  TCP    192.168.1.100:1203     173.194.112.107:443    ESTABLISHED     3988
  TCP    192.168.1.100:1231     77.234.40.67:80        TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       828
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:1025              [::]:0                 LISTENING       496
  TCP    [::]:1026              [::]:0                 LISTENING       948
  TCP    [::]:1027              [::]:0                 LISTENING       440
  TCP    [::]:1028              [::]:0                 LISTENING       580
  TCP    [::]:1044              [::]:0                 LISTENING       552
  TCP    [::]:3587              [::]:0                 LISTENING       4488
  TCP    [::]:5357              [::]:0                 LISTENING       4
  TCP    [::1]:12025            [::]:0                 LISTENING       1264
  TCP    [::1]:12080            [::]:0                 LISTENING       1264
  TCP    [::1]:12110            [::]:0                 LISTENING       1264
  TCP    [::1]:12119            [::]:0                 LISTENING       1264
  TCP    [::1]:12143            [::]:0                 LISTENING       1264
  TCP    [::1]:12465            [::]:0                 LISTENING       1264
  TCP    [::1]:12563            [::]:0                 LISTENING       1264
  TCP    [::1]:12993            [::]:0                 LISTENING       1264
  TCP    [::1]:12995            [::]:0                 LISTENING       1264
  TCP    [::1]:27275            [::]:0                 LISTENING       1264
  UDP    0.0.0.0:500            *:*                                    440
  UDP    0.0.0.0:3544           *:*                                    440
  UDP    0.0.0.0:3702           *:*                                    116
  UDP    0.0.0.0:3702           *:*                                    2084
  UDP    0.0.0.0:3702           *:*                                    2084
  UDP    0.0.0.0:3702           *:*                                    116
  UDP    0.0.0.0:4500           *:*                                    440
  UDP    0.0.0.0:5355           *:*                                    1164
  UDP    0.0.0.0:51168          *:*                                    2084
  UDP    0.0.0.0:51170          *:*                                    116
  UDP    0.0.0.0:51172          *:*                                    116
  UDP    0.0.0.0:61493          *:*                                    1324
  UDP    127.0.0.1:1900         *:*                                    2084
  UDP    127.0.0.1:44301        *:*                                    2208
  UDP    127.0.0.1:58229        *:*                                    2084
  UDP    127.0.0.1:61491        *:*                                    2008
  UDP    127.0.0.1:61492        *:*                                    2008
  UDP    127.0.0.1:64512        *:*                                    1736
  UDP    192.168.1.100:137      *:*                                    4
  UDP    192.168.1.100:138      *:*                                    4
  UDP    192.168.1.100:1900     *:*                                    2084
  UDP    192.168.1.100:5353     *:*                                    1324
  UDP    192.168.1.100:53910    *:*                                    440
  UDP    192.168.1.100:58228    *:*                                    2084
  UDP    [::]:500               *:*                                    440
  UDP    [::]:3540              *:*                                    4488
  UDP    [::]:3702              *:*                                    2084
  UDP    [::]:3702              *:*                                    2084
  UDP    [::]:3702              *:*                                    116
  UDP    [::]:3702              *:*                                    116
  UDP    [::]:4500              *:*                                    440
  UDP    [::]:5355              *:*                                    1164
  UDP    [::]:51169             *:*                                    2084
  UDP    [::]:51171             *:*                                    116
  UDP    [::]:51173             *:*                                    116
  UDP    [::]:61494             *:*                                    1324
  UDP    [::1]:1900             *:*                                    2084
  UDP    [::1]:5353             *:*                                    1324
  UDP    [::1]:58227            *:*                                    2084
  UDP    [fe80::476:4963:d339:1aae%13]:1900  *:*                                    2084
  UDP    [fe80::476:4963:d339:1aae%13]:58226  *:*                                    2084

========= End of CMD: =========

========= tasklist /svc =========

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       324 N/A
csrss.exe                      424 N/A
wininit.exe                    496 N/A
csrss.exe                      528 N/A
services.exe                   552 N/A
lsass.exe                      580 KeyIso, SamSs
lsm.exe                        588 N/A
winlogon.exe                   700 N/A
svchost.exe                    732 DcomLaunch, PlugPlay, Power
svchost.exe                    828 RpcEptMapper, RpcSs
atiesrxx.exe                   888 AMD External Events Utility
svchost.exe                    948 AudioSrv, Dhcp, eventlog, HomeGroupProvider, lmhosts, wscsvc
svchost.exe                    992 AudioEndpointBuilder, CscService, hidserv, HomeGroupListener, Netman, PcaSvc, SysMain, TrkWks, UxSms, WdiSystemHost, Wlansvc
svchost.exe                    116 EventSystem, fdPHost, FontCache, netprofm, nsi, WdiServiceHost, WinHttpAutoProxySvc
svchost.exe                    440 AeLookupSvc, BITS, Browser, EapHost, IKEEXT, iphlpsvc, LanmanServer, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe                   1048 gpsvc
svchost.exe                   1164 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
AvastSvc.exe                  1264 avast! Antivirus
atieclxx.exe                  1280 N/A
afwServ.exe                   1436 avast! Firewall
spoolsv.exe                   1624 Spooler
taskhost.exe                  1664 N/A
svchost.exe                   1672 BFE, DPS, MpsSvc
dwm.exe                       1788 N/A
explorer.exe                  1852 N/A
armsvc.exe                    1928 AdobeARMservice
taskeng.exe                   1972 N/A
AppleMobileDeviceService.     2008 Apple Mobile Device
rundll32.exe                  1736 N/A
mDNSResponder.exe             1324 Bonjour Service
CISVC.EXE                     2056 CISVC
LVPrcSrv.exe                  2168 LVPrcS64
PnkBstrA.exe                  2208 PnkBstrA
LVPrS64H.exe                  2216 N/A
Prime95.exe                   2264 Prime95 Service
svchost.exe                   2360 stisvc
svchost.exe                   2388 WinDefend
WLIDSVC.EXE                   2464 wlidsvc
VDeck.exe                     2472 N/A
AvastUI.exe                   2484 N/A
nmsrvc.exe                    2808 nmservice
WLIDSVCM.EXE                  3032 N/A
SearchIndexer.exe             3924 WSearch
svchost.exe                   4052 PolicyAgent
svchost.exe                   2084 FDResPub, SSDPSRV
wmpnetwk.exe                  4092 WMPNetworkSvc
svchost.exe                   4488 p2pimsvc, p2psvc, PNRPsvc
dllhost.exe                   2100 N/A
TrustedInstaller.exe          2744 TrustedInstaller
SearchProtocolHost.exe        1204 N/A
firefox.exe                   3988 N/A
FRST64.exe                    2044 N/A
dllhost.exe                   2424 N/A
cmd.exe                       4112 N/A
conhost.exe                   2632 N/A
tasklist.exe                  4456 N/A
WmiPrvSE.exe                  4964 N/A

========= End of CMD: =========

========= reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" =========

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
    IconServiceLib    REG_SZ    IconCodecService.dll
    DdeSendTimeout    REG_DWORD    0x0
    DesktopHeapLogging    REG_DWORD    0x1
    GDIProcessHandleQuota    REG_DWORD    0x2710
    ShutdownWarningDialogTimeout    REG_DWORD    0xffffffff
    USERNestedWindowLimit    REG_DWORD    0x32
    USERPostMessageLimit    REG_DWORD    0x2710
    USERProcessHandleQuota    REG_DWORD    0x2710
    (Default)    REG_SZ    mnmsrvc
    DeviceNotSelectedTimeout    REG_SZ    15
    Spooler    REG_SZ    yes
    TransmissionRetryTimeout    REG_SZ    90
    LoadAppInit_DLLs    REG_DWORD    0x1
    AppInit_DLLs    REG_SZ    system32\aakah.dll

========= End of Reg: =========

========= reg delete HKLM\SOFTWARE\Mozilla\Thunderbird /f =========

The operation completed successfully.

========= End of Reg: =========

HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
aakah => Service deleted successfully.
aakbdrv => Service deleted successfully.
C:\Windows\SysWOW64\aakah.dll => Moved successfully.
C:\Windows\SysWOW64\lqoe89kr.lwp => Moved successfully.
C:\Users\mati\Downloads\advanced-anti-keylogger.zip => Moved successfully.
C:\Users\mati\Downloads\advanced-anti-keylogger(1).zip => Moved successfully.
C:\Users\mati\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Advanced Anti Keylogger => Moved successfully.
"C:\Users\mati\AppData\Roaming\ESET" => File/Directory not found.
"C:\Users\mati\AppData\Local\ESET" => File/Directory not found.

==== End of Fixlog ====
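The fixlist ran netstat -ano and tasklist /svc together for a reason: netstat gives only a PID, and tasklist /svc is what maps that PID to an image name and, for svchost.exe hosts, to the services inside it (in the log above, PID 1264 that owns the 0.0.0.0:12025/12110/12143 listeners is AvastSvc.exe, and PID 3988 with the HTTPS sessions is firefox.exe). The script below is an added illustration of that join, written for this page; it is not FRST code and was not run by the poster or the helper. The two sample texts are constructed excerpts re-typed from the log with English column headers, and the functions return the joined rows so the result can be checked rather than only printed.

```python
"""Join `netstat -ano` with `tasklist /svc` by PID (Windows triage).

Added example for this page, not FRST code. The two samples are
constructed excerpts re-typed from the fixlog above.
"""
import ipaddress
import re
from collections import defaultdict

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12025          0.0.0.0:0              LISTENING       1264
  TCP    0.0.0.0:12110          0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       1264
  TCP    127.0.0.1:1172         127.0.0.1:12080        ESTABLISHED     3988
  TCP    192.168.1.100:1038     77.234.42.51:80        ESTABLISHED     1264
  TCP    192.168.1.100:1177     46.28.246.108:443      ESTABLISHED     3988
  TCP    192.168.1.100:1231     77.234.40.67:80        TIME_WAIT       0
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::1]:12025            [::]:0                 LISTENING       1264
  UDP    0.0.0.0:3702           *:*                                    116
  UDP    [fe80::476:4963:d339:1aae%13]:1900  *:*                       2084
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    828 RpcEptMapper, RpcSs
svchost.exe                    116 EventSystem, fdPHost, FontCache
AvastSvc.exe                  1264 avast! Antivirus
svchost.exe                   2084 FDResPub, SSDPSRV
firefox.exe                   3988 N/A
"""

# proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# image name (may contain spaces), PID, then the service list or N/A
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def split_endpoint(endpoint):
    """'[fe80::1%13]:1900' -> (IPv6Address('fe80::1'), 1900); '*:*' -> (None, None)."""
    host, _, port = endpoint.rpartition(":")
    if host == "*" or port == "*":
        return None, None
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and IPv6 zone index
    return ipaddress.ip_address(host), int(port)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign),
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """PID -> (image name, [service names]); N/A becomes an empty list."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if not m:
            continue  # header and separator rows carry no PID column
        image, pid, services = m.groups()
        svcs = [] if services.strip() == "N/A" else [s.strip() for s in services.split(",")]
        procs[int(pid)] = (image.strip(), svcs)
    return procs


def owner(procs, pid):
    return procs.get(pid, ("<unknown>", []))


def exposed_listeners(rows, procs):
    """Sockets bound to every interface (0.0.0.0 or [::]): TCP LISTENING, or any UDP."""
    out = []
    for r in rows:
        ip, port = r["local"]
        bound_everywhere = ip is not None and ip.is_unspecified
        if bound_everywhere and (r["state"] == "LISTENING" or r["proto"] == "UDP"):
            image, svcs = owner(procs, r["pid"])
            out.append((r["proto"], port, r["pid"], image, svcs))
    return out


def external_connections(rows, procs):
    """ESTABLISHED TCP sessions whose peer is a globally routable address."""
    out = []
    for r in rows:
        ip, port = r["foreign"]
        if r["state"] == "ESTABLISHED" and ip is not None and ip.is_global:
            out.append((r["pid"], owner(procs, r["pid"])[0], f"{ip}:{port}"))
    return out


def listening_ports_by_process(rows, procs):
    """'image (pid)' -> sorted TCP listening ports, so one service's port set is visible."""
    ports = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTENING":
            ports[f"{owner(procs, r['pid'])[0]} ({r['pid']})"].add(r["local"][1])
    return {k: sorted(v) for k, v in ports.items()}


if __name__ == "__main__":
    rows, procs = parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)
    for proto, port, pid, image, svcs in exposed_listeners(rows, procs):
        print(f"{proto:3} *:{port:<5} pid {pid:<5} {image} {', '.join(svcs)}")
    for pid, image, peer in external_connections(rows, procs):
        print(f"established -> {peer:<20} pid {pid} {image}")
    print(listening_ports_by_process(rows, procs))
```

On the full log this puts every 0.0.0.0 listener next to its owner in one pass: the 12xxx ports collapse onto AvastSvc.exe (1264), the high ports 1025 to 1044 onto wininit, svchost and services.exe, and 5357 and 445 onto the System process. Rows with PID 0 are TIME_WAIT remnants and are dropped on purpose. Run both commands on a locale where netstat prints English state names, or extend the state group in NETSTAT_RE, since the Polish names in the original capture (NASŁUCHIWANIE, USTANOWIONO) would not match.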
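The reg query in the fixlist confirmed the FRST finding AppInit_DLLs-x32: system32\aakah.dll. With LoadAppInit_DLLs at 0x1 and a non-empty AppInit_DLLs under the Wow6432Node key, user32.dll loads the listed DLL into every 32-bit process that links user32, which is a classic injection and persistence point. It also explains why the DLL was removed from C:\Windows\SysWOW64 and not System32: a 32-bit process's view of system32\ is redirected to SysWOW64\ by WOW64 file-system redirection. The Python below is an added illustration for this page, not FRST's own logic; it parses reg query output for that key and reports whether the mechanism is live and where each entry resolves on disk. REG_QUERY_AS_LOGGED is a constructed re-typing of the values shown in the log (trimmed), and REG_QUERY_CLEAN is a hypothetical native 64-bit key with the mechanism switched off; the RequireSignedAppInit_DLLs value is real but did not appear in the captured output.

```python
"""Evaluate the AppInit_DLLs state from `reg query` output.

Added example for this page, not FRST code. Both samples are constructed.
"""
import re

REG_QUERY_AS_LOGGED = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows
    IconServiceLib    REG_SZ    IconCodecService.dll
    DesktopHeapLogging    REG_DWORD    0x1
    (Default)    REG_SZ    mnmsrvc
    LoadAppInit_DLLs    REG_DWORD    0x1
    AppInit_DLLs    REG_SZ    system32\\aakah.dll
"""

# hypothetical clean native key (not from the log)
REG_QUERY_CLEAN = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows
    LoadAppInit_DLLs    REG_DWORD    0x0
    RequireSignedAppInit_DLLs    REG_DWORD    0x1
    AppInit_DLLs    REG_SZ
"""

# reg query prints "    <name>    <REG_type>    <data>"; data may be empty
VALUE_RE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return (key path, {value name: (type, data)})."""
    key, values = "", {}
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return key, values


def reg_dword(values, name, default=0):
    """reg query shows DWORDs as hex text ('0x1'); a missing value means default."""
    return int(values[name][1], 16) if name in values else default


def resolve_dll_path(entry, wow64, windir="C:\\Windows"):
    """Where the loader will actually find an AppInit_DLLs entry.

    A relative entry such as system32\\aakah.dll is found through the
    LoadLibrary search path, which includes the Windows directory. Under the
    Wow6432Node key the DLL is loaded by 32-bit processes, and WOW64
    file-system redirection maps their view of system32\\ to SysWOW64\\.
    """
    path = entry if re.match(r"^[A-Za-z]:\\", entry) else windir + "\\" + entry
    if wow64:
        path = re.sub(r"\\system32\\", r"\\SysWOW64\\", path, flags=re.IGNORECASE)
    return path


def appinit_status(text):
    key, values = parse_reg_query(text)
    wow64 = "\\wow6432node\\" in key.lower()
    raw = values.get("AppInit_DLLs", ("REG_SZ", ""))[1]
    dlls = [d for d in re.split(r"[ ,]+", raw) if d]  # space- or comma-separated list
    enabled = reg_dword(values, "LoadAppInit_DLLs") != 0
    return {
        "key": key,
        "bitness": "32-bit" if wow64 else "64-bit",
        "enabled": enabled,
        "signed_only": reg_dword(values, "RequireSignedAppInit_DLLs") != 0,
        "dlls": dlls,
        "on_disk": [resolve_dll_path(d, wow64) for d in dlls],
        "active": enabled and bool(dlls),
    }


if __name__ == "__main__":
    for sample in (REG_QUERY_AS_LOGGED, REG_QUERY_CLEAN):
        s = appinit_status(sample)
        print(f"{s['bitness']} key: active={s['active']} dlls={s['on_disk']}")
```

Two caveats when reusing this on another machine. The fixlist queried only the Wow6432Node key; the native key (same path without Wow6432Node) governs 64-bit processes and should be read with the same function. And on Windows 8 and later the AppInit_DLLs mechanism is ignored when Secure Boot is enabled, so a non-empty value there is a leftover rather than live injection; the fixlog above does not record the Windows version.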