GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-11 12:09:05 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000003e Micron_M600_MTFDDAV256MBF rev.MA01 238.47GB Running: 8gbf65fs.exe; Driver: C:\Users\maja\AppData\Local\Temp\kwedipob.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\iertutil.dll [2716] entry point in ".rdata" section 000000006c793150 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [2716] entry point in ".rdata" section 000000006c11c940 ? C:\WINDOWS\system32\apphelp.dll [2716] entry point in ".rdata" section 00000000699bf7c0 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [2880] entry point in ".rdata" section 000000006d498fc0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [7400] entry point in ".rdata" section 000000006c793150 ? C:\WINDOWS\system32\apphelp.dll [7400] entry point in ".rdata" section 00000000699bf7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [10320] entry point in ".rdata" section 000000006c793150 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [10320] entry point in ".rdata" section 0000000067f2a020 ? C:\WINDOWS\system32\ncryptsslp.dll [10320] entry point in ".rdata" section 0000000067f004f0 ? C:\WINDOWS\system32\apphelp.dll [9444] entry point in ".rdata" section 00000000699bf7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [9444] entry point in ".rdata" section 000000006c793150 ? C:\WINDOWS\system32\wbem\wbemsvc.dll [9444] entry point in ".rdata" section 000000006d498fc0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [9444] entry point in ".rdata" section 0000000067f2a020 ? C:\WINDOWS\system32\ncryptsslp.dll [9444] entry point in ".rdata" section 0000000067f004f0 ? C:\Windows\System32\ActXPrxy.dll [9444] entry point in ".rdata" section 000000005b359c50 ? C:\Windows\System32\OneCoreCommonProxyStub.dll [9444] entry point in ".rdata" section 000000005b0dda90 ? C:\WINDOWS\SYSTEM32\PhotoMetadataHandler.dll [9444] entry point in ".rdata" section 0000000056ac5d20 ? C:\Windows\System32\ieproxy.dll [9444] entry point in ".rdata" section 0000000056a79600 ? C:\WINDOWS\SYSTEM32\iertutil.dll [5216] entry point in ".rdata" section 000000006c793150 ? C:\Windows\System32\OneCoreCommonProxyStub.dll [5216] entry point in ".rdata" section 000000005b0dda90 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [5216] entry point in ".rdata" section 0000000067f2a020 ? C:\WINDOWS\system32\ncryptsslp.dll [5216] entry point in ".rdata" section 0000000067f004f0 ? C:\WINDOWS\SYSTEM32\srpapi.dll [5216] entry point in ".rdata" section 000000005b0a6100 ? C:\Windows\System32\ieproxy.dll [5216] entry point in ".rdata" section 0000000056a79600 ? C:\WINDOWS\SYSTEM32\dbgcore.DLL [9560] entry point in ".rdata" section 000000006c11c940 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [9560] entry point in ".rdata" section 0000000067f2a020 ? C:\WINDOWS\SYSTEM32\iertutil.dll [9560] entry point in ".rdata" section 000000006c793150 ? C:\WINDOWS\SYSTEM32\atlthunk.dll [9560] entry point in ".data" section 00000000512e4290 ? C:\Windows\System32\ActXPrxy.dll [9560] entry point in ".rdata" section 000000005b359c50 ? C:\WINDOWS\System32\apphelp.dll [9560] entry point in ".rdata" section 00000000699bf7c0 ? C:\WINDOWS\system32\mssprxy.dll [9560] entry point in ".rdata" section 00000000504ba650 ? C:\Windows\System32\OneCoreCommonProxyStub.dll [9560] entry point in ".rdata" section 000000005b0dda90 ? C:\Windows\System32\smartscreenps.dll [9560] entry point in ".rdata" section 0000000068d558a0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [9328] entry point in ".rdata" section 000000006c793150 ? C:\Windows\System32\OneCoreCommonProxyStub.dll [9328] entry point in ".rdata" section 000000005b0dda90 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [9328] entry point in ".rdata" section 0000000067f2a020 ? C:\WINDOWS\system32\ncryptsslp.dll [9328] entry point in ".rdata" section 0000000067f004f0 ? C:\WINDOWS\SYSTEM32\srpapi.dll [9328] entry point in ".rdata" section 000000005b0a6100 ? C:\Windows\System32\ieproxy.dll [9328] entry point in ".rdata" section 0000000056a79600 ? C:\Windows\System32\ActXPrxy.dll [9328] entry point in ".rdata" section 000000005b359c50 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [652:704] ffffc2523a736c20 Thread [6800:7092] 00007fff892f2dc0 Thread [6800:6604] 00007fff6f9178a0 Thread [6800:7108] 00007fff6f911ca0 Thread [6800:7104] 00007fff6f911ce0 Thread [6800:6928] 00007fff892f2dc0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x88 0xF3 0x3F 0x5D ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x50 0xD6 0x0B 0xCF ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x88 0xF3 0x3F 0x5D ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x50 0xD6 0x0B 0xCF ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@en-US 42 Reg HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\AIKCertEnroll@ErrorCode 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\AUO272D0_10_07DF_82^88C18FF1E7A6B88BD0B61B533C9185C5@Timestamp 0xAD 0x17 0x4B 0x5E ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{002C8D6C-2511-456C-9B30-20F92BB63B6D}\Connection@Name Reusable ISATAP Interface {002C8D6C-2511-456C-9B30-20F92BB63B6D} Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -536665159 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 66f9077e-af13-4dea-bff9-a91c1ca Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 7 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings@LastLSMInstanceID 66f9077e-af13-4dea-bff9-a91c1ca Reg HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{70019214-babe-45b0-9391-b1c00c2bdb52} Reg HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events Reg HKLM\SYSTEM\CurrentControlSet\Services\acpials\Parameters\Wdf@TimeOfLastTelemetryLog 0xB0 0x83 0x9B 0xD1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\acpipagr\Parameters\Wdf@TimeOfLastTelemetryLog 0x19 0xD9 0x05 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\4c3488a39e0d Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15@DisplayName CDPUserSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15@Description @%SystemRoot%\system32\cdpusersvc.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xB9 0xB5 0xF5 0xCD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{7371dcaf-255c-4e7d-b688-9b80cbc9a50d}@LastProbeTime 1494445370 Reg HKLM\SYSTEM\CurrentControlSet\Services\dptf_acpi\Parameters\Wdf@TimeOfLastTelemetryLog 0x39 0x14 0x01 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\dptf_cpu\Parameters\Wdf@TimeOfLastTelemetryLog 0x39 0x14 0x01 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\esif_lf\Parameters\Wdf@TimeOfLastTelemetryLog 0xE3 0xB9 0x83 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x07 0x8A 0x16 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\hidi2c\Parameters\Wdf@TimeOfLastTelemetryLog 0xFE 0xCB 0x91 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iaLPSS2i_I2C\Parameters\Wdf@TimeOfLastTelemetryLog 0x32 0x5E 0x4B 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\ibtusb\Parameters\Wdf@TimeOfLastTelemetryLog 0xF7 0x56 0xF2 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog 0x6A 0x77 0x03 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{002C8D6C-2511-456C-9B30-20F92BB63B6D}@InterfaceName Reusable ISATAP Interface {002C8D6C-2511-456C-9B30-20F92BB63B6D} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{002C8D6C-2511-456C-9B30-20F92BB63B6D}@ReusableType 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{002C8D6C-2511-456C-9B30-20F92BB63B6D}@DefunctTimestamp 0x13 0x51 0x13 0x59 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{002C8D6C-2511-456C-9B30-20F92BB63B6D}@ReusableSpecificName isatap.lan Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{0C0D1C1D-B1FF-412D-8D8A-34BC2116E320}@InterfaceName isatap.{814D9C64-4E1F-4FD9-B89A-9F1728316E2F} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{0C0D1C1D-B1FF-412D-8D8A-34BC2116E320}@DefunctTimestamp 0xE3 0x1C 0x13 0x59 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{11052E85-3F1C-4796-9978-446F26D508B4} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{11052E85-3F1C-4796-9978-446F26D508B4}@InterfaceName isatap.{D661D8C3-EC87-4BFE-B8D4-4046BCFA299F} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{11052E85-3F1C-4796-9978-446F26D508B4}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{11052E85-3F1C-4796-9978-446F26D508B4}@DeviceInstancePath SWD\IP_TUNNEL_VBUS\ISATAP_6 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{11052E85-3F1C-4796-9978-446F26D508B4}@DefunctTimestamp 0x00 0xF9 0x13 0x59 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MEIx64\Parameters\Wdf@TimeOfLastTelemetryLog 0x32 0x5E 0x4B 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15@DisplayName MessagingService_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15@Description @%SystemRoot%\system32\MessagingService.dll,-101 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15\TriggerInfo Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15\TriggerInfo\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15\TriggerInfo\0@Type 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15\TriggerInfo\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15\TriggerInfo\0@DataType0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x85 0x3B 0x08 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15@DisplayName Sync Host_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15@Description @%SystemRoot%\system32\APHostRes.dll,-10001 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15@DisplayName Contact Data_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 25178 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 7610 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 41 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4fec21a6-8c05-46b5-b8e5-c2279687342d}@LeaseObtainedTime 1494490793 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4fec21a6-8c05-46b5-b8e5-c2279687342d}@T1 1494494393 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4fec21a6-8c05-46b5-b8e5-c2279687342d}@T2 1494497093 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4fec21a6-8c05-46b5-b8e5-c2279687342d}@LeaseTerminatesTime 1494497993 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{814d9c64-4e1f-4fd9-b89a-9f1728316e2f}@LeaseObtainedTime 1494491952 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{814d9c64-4e1f-4fd9-b89a-9f1728316e2f}@T1 1494492852 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{814d9c64-4e1f-4fd9-b89a-9f1728316e2f}@T2 1494493527 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{814d9c64-4e1f-4fd9-b89a-9f1728316e2f}@LeaseTerminatesTime 1494493752 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d661d8c3-ec87-4bfe-b8d4-4046bcfa299f}@LeaseObtainedTime 1494491952 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d661d8c3-ec87-4bfe-b8d4-4046bcfa299f}@T1 1494492852 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d661d8c3-ec87-4bfe-b8d4-4046bcfa299f}@T2 1494493527 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d661d8c3-ec87-4bfe-b8d4-4046bcfa299f}@LeaseTerminatesTime 1494493752 Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0xB9 0xB5 0xF5 0xCD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15@ImagePath C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15@DisplayName User Data Storage_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\usb3Hub\Parameters\Wdf@TimeOfLastTelemetryLog 0xB9 0xB5 0xF5 0xCD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0x37 0x99 0x46 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0xF4 0x9F 0x0A 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15@DisplayName User Data Access_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\vwifibus\Parameters\Wdf@TimeOfLastTelemetryLog 0x87 0x27 0x14 0xCE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x0F 0x0F 0x47 0x28 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x0F 0x77 0x0B 0x8A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x0F 0xA7 0x82 0xC6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 29080 29086 29098 29134 29144 29154 29174 29218 29228 29266 29272 29288 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 29294 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 29295 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 29080 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 29081 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15@DisplayName Windows Push Notifications User Service_229ec15 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15@Description @%SystemRoot%\system32\WpnUserService.dll,-2 Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_229ec15 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B 0x83 0xE9 0xF3 0xFD ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----