GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-02 17:04:09 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003c GOODRAM rev.SAFM22.3 223,57GB Running: rmq2tm48.exe; Driver: C:\Users\Vaengar\AppData\Local\Temp\kwdciuod.sys ---- User code sections - GMER 2.2 ---- ? C:\Windows\system32\wbem\wbemsvc.dll [1836] entry point in ".rdata" section 0000000072508fc0 ? C:\Windows\system32\wbem\wbemsvc.dll [1324] entry point in ".rdata" section 0000000072508fc0 ? C:\Windows\system32\wbem\wbemsvc.dll [1576] entry point in ".rdata" section 0000000072508fc0 ? C:\Windows\SYSTEM32\NTASN1.dll [1716] entry point in ".rdata" section 00000000706ba020 ? C:\Windows\system32\ncryptsslp.dll [1716] entry point in ".rdata" section 00000000706904f0 ? C:\Windows\SYSTEM32\iertutil.dll [2108] entry point in ".rdata" section 0000000072d31150 ? C:\Windows\SYSTEM32\iertutil.dll [4244] entry point in ".rdata" section 0000000072d31150 ? C:\Windows\SYSTEM32\NTASN1.dll [4380] entry point in ".rdata" section 00000000706ba020 ? C:\Windows\system32\ncryptsslp.dll [4380] entry point in ".rdata" section 00000000706904f0 ? C:\Windows\system32\wbem\wbemsvc.dll [4380] entry point in ".rdata" section 0000000072508fc0 ? C:\Windows\system32\apphelp.dll [4700] entry point in ".rdata" section 0000000070edf7c0 ? C:\Windows\system32\apphelp.dll [5912] entry point in ".rdata" section 0000000070edf7c0 ? C:\Windows\system32\apphelp.dll [6080] entry point in ".rdata" section 0000000070edf7c0 ? C:\Windows\SYSTEM32\NTASN1.dll [5792] entry point in ".rdata" section 00000000706ba020 ? C:\Windows\SYSTEM32\iertutil.dll [5792] entry point in ".rdata" section 0000000072d31150 ? C:\Windows\system32\apphelp.dll [5792] entry point in ".rdata" section 0000000070edf7c0 ? C:\Windows\SYSTEM32\iertutil.dll [6524] entry point in ".rdata" section 0000000072d31150 ? C:\Windows\SYSTEM32\NTASN1.dll [6524] entry point in ".rdata" section 00000000706ba020 ? C:\Windows\SYSTEM32\iertutil.dll [6720] entry point in ".rdata" section 0000000072d31150 ? C:\Windows\system32\apphelp.dll [6720] entry point in ".rdata" section 0000000070edf7c0 ? C:\Windows\system32\apphelp.dll [6872] entry point in ".rdata" section 0000000070edf7c0 ? C:\Windows\SYSTEM32\iertutil.dll [7016] entry point in ".rdata" section 0000000072d31150 ? C:\Windows\system32\wbem\wbemsvc.dll [7016] entry point in ".rdata" section 0000000072508fc0 ? C:\Windows\System32\ActXPrxy.dll [7016] entry point in ".rdata" section 0000000064849b80 ? C:\Windows\system32\wbem\wbemsvc.dll [6792] entry point in ".rdata" section 0000000072508fc0 ? C:\Windows\System32\iertutil.dll [720] entry point in ".rdata" section 0000000072d31150 ? C:\Windows\SYSTEM32\NTASN1.dll [720] entry point in ".rdata" section 00000000706ba020 ? C:\Windows\system32\ncryptsslp.dll [720] entry point in ".rdata" section 00000000706904f0 ? C:\Windows\System32\iertutil.dll [7840] entry point in ".rdata" section 0000000072d31150 ? C:\Windows\SYSTEM32\iertutil.dll [6756] entry point in ".rdata" section 0000000072d31150 ? C:\Windows\SYSTEM32\NTASN1.dll [6756] entry point in ".rdata" section 00000000706ba020 ? C:\Windows\system32\ncryptsslp.dll [6756] entry point in ".rdata" section 00000000706904f0 ? C:\Windows\system32\apphelp.dll [7096] entry point in ".rdata" section 0000000070edf7c0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\Explorer.EXE[4644] @ C:\Windows\Explorer.EXE[KERNEL32.dll!MulDiv] [61c7d7e0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[4644] @ C:\Windows\Explorer.EXE[USER32.dll!TrackPopupMenuEx] [61c7bbb0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[4644] @ C:\Windows\Explorer.EXE[USER32.dll!PeekMessageW] [61c7cbc0] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[4644] @ C:\Windows\Explorer.EXE[USER32.dll!SetWindowCompositionAttribute] [61c7d850] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[4644] @ C:\Windows\System32\SHELL32.dll[GDI32.dll!ExtTextOutW] [7ffe9b591330] C:\Windows\System32\painter_x64.dll IAT C:\Windows\Explorer.EXE[4644] @ C:\Windows\system32\explorerframe.dll[USER32.dll!TrackPopupMenu] [61c7bc60] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[4644] @ C:\Windows\SYSTEM32\twinui.dll[USER32.dll!TrackPopupMenu] [61c7bc60] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[4644] @ C:\Windows\SYSTEM32\dui70.dll[USER32.dll!DrawTextW] [61c7dd90] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll IAT C:\Windows\Explorer.EXE[4644] @ C:\Windows\system32\SearchFolder.dll[SHELL32.dll!SHParseDisplayName] [61c6af90] C:\Program Files (x86)\StartIsBack\StartIsBack64.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [708:760] ffff894d73da6c20 Thread C:\Windows\system32\svchost.exe [1036:2528] 00000252803a0c8c Thread C:\Windows\system32\svchost.exe [1036:2532] 00000252803a0c8c Thread C:\Windows\system32\svchost.exe [1036:2536] 00000252803a0c8c Thread C:\Windows\system32\svchost.exe [1036:3172] 0000025280397378 Thread C:\Windows\system32\svchost.exe [1036:3176] 0000025280397378 Thread C:\Windows\SysWoW64\svchost.exe [720:908] 0000000003040a6b Thread C:\Windows\SysWoW64\svchost.exe [720:1212] 0000000003040a6b Thread C:\Windows\SysWoW64\svchost.exe [720:1524] 0000000003040a6b Thread C:\Windows\SysWoW64\svchost.exe [720:1516] 0000000003040a6b Thread C:\Windows\SysWoW64\svchost.exe [720:7436] 0000000003040a6b Thread C:\Windows\SysWoW64\svchost.exe [7840:5164] 0000000002c3ba62 Thread C:\Windows\SysWoW64\svchost.exe [7840:3396] 0000000002c3ba62 Thread C:\Windows\SysWoW64\svchost.exe [7840:6084] 0000000002c3ba62 Thread C:\Windows\SysWoW64\svchost.exe [7840:7952] 0000000002c3ba62 Thread C:\Windows\SysWoW64\svchost.exe [7840:6048] 0000000002c3ba62 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x50 0x01 0x23 0xF9 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0xB9 0x51 0x25 0x45 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x50 0x01 0x23 0xF9 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x24 0xB4 0x27 0x45 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 77 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SAM0700H9MZ807983_22_07DA_E1^5C6BE982FC4EFA61D7970DE44C67FBC1@Timestamp 0xE3 0xA8 0xD2 0x7B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Windows\TEMP\b4DF7.tmp\firstu71\ArcherBox.dll??\??\C:\Windows\TEMP\b4DF7.tmp\secondu71\ArcherBox.dll??\??\C:\Windows\TEMP\b4DF7.tmp\secondu71\MIO.dll??\??\C:\Windows\TEMP\b4DF7.tmp\secondu71\MIO.exe?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1836686111 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 89664c33-0225-4101-baa4-48c8bab Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 7 Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{d8b80cd5-efaf-4b33-a705-2dc95de638b5} Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731@DisplayName CDPUserSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731@Description @%SystemRoot%\system32\cdpusersvc.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{d197f64c-3c43-4e8e-a96f-b09b46d8584a}@LastProbeTime 1493424085 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731@DisplayName Us?uga wiadomo?ci_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731@Description @%SystemRoot%\system32\MessagingService.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731\TriggerInfo Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731\TriggerInfo\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731\TriggerInfo\0@Type 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731\TriggerInfo\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731\TriggerInfo\0@DataType0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731@DisplayName Synchronizuj hosta_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731@Description @%SystemRoot%\system32\APHostRes.dll,-10001 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731@DisplayName Dane kontaktowe_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4231 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 957 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 77 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{229c7636-fd8e-45e5-9579-adfe45d2f82d}@LeaseObtainedTime 1493735315 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{229c7636-fd8e-45e5-9579-adfe45d2f82d}@T1 1493737115 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{229c7636-fd8e-45e5-9579-adfe45d2f82d}@T2 1493738465 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{229c7636-fd8e-45e5-9579-adfe45d2f82d}@LeaseTerminatesTime 1493738915 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731@ImagePath C:\Windows\System32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731@DisplayName Magazyn danych u?ytkownika_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731@DisplayName Dost?p do danych u?ytkownika_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x1D 0xDC 0x11 0xC6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x1D 0x44 0xD6 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x1D 0x74 0x4D 0x64 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 24050 24056 24066 24076 24096 24140 24150 24188 24194 24210 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 24216 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 24217 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 24050 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 24051 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731@ImagePath C:\Windows\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731@DisplayName Us?uga u?ytkownika powiadomie? WNS_21e1731 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731@Description @%SystemRoot%\system32\WpnUserService.dll,-2 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_21e1731 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{25db0195-066f-11e7-815a-708bcd57659e}\Current Media Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{25db0195-066f-11e7-815a-708bcd57659e}\Current Media@TotalBytes 0x00 0x38 0x1E 0x22 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{25db0195-066f-11e7-815a-708bcd57659e}\Current Media@FreeBytes 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{25db0195-066f-11e7-815a-708bcd57659e}\Current Media@Blank Disc 0 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{25db0195-066f-11e7-815a-708bcd57659e}\Current Media@Can Close 0 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{25db0195-066f-11e7-815a-708bcd57659e}\Current Media@Live FS 0 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{25db0195-066f-11e7-815a-708bcd57659e}\Current Media@Disc Label Watch_Dogs 2 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{25db0195-066f-11e7-815a-708bcd57659e}\Current Media@Set 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{27DD0F8B-3E0E-4ADC-A78A-66047E71ADC5}\iexplore@Count 12 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0xE1 0xF5 0x1B 0x5C ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{293816F1-093B-483B-8E1E-FF139FDA7A73}@LastAccessedTime 0x20 0x5E 0xE7 0x81 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{293816F1-093B-483B-8E1E-FF139FDA7A73}@LaunchCount 3 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{5EAEDC39-20E6-4C5B-B78E-B7A05235CC26}@LastAccessedTime 0x90 0x31 0x3D 0x44 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{5EAEDC39-20E6-4C5B-B78E-B7A05235CC26}@LaunchCount 2 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FC5872C1-5665-4AC8-9665-E3194041AC72}@LastAccessedTime 0x20 0x91 0x66 0x24 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FC5872C1-5665-4AC8-9665-E3194041AC72}@LaunchCount 40 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----