GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-29 18:44:00 Windows 6.2.9200 x64 \Device\Harddisk1\DR1 -> \Device\00000035 SAMSUNG_MZNLF128HCHP-00004 rev.FXT2301Q 119,24GB Running: 44qzo2v2.exe; Driver: C:\Users\Agata\AppData\Local\Temp\uwddrpow.sys ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [712:4332] fffff961db9b4060 ---- Services - GMER 2.2 ---- Service C:\WINDOWS\System32\qmgr.dll (*** hidden *** ) [AUTO] BITS <-- ROOTKIT !!! ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\Defrag@LastRun 03:21:2016 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\Defrag@TotalBytesSaved 0x00 0x20 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 144744401 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\acfdce8a0e4d Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\80-f5-03-a6-0f-03@ClientLocalPort 59118 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\80-f5-03-a6-0f-03@AddressCreationTimestamp 0x75 0x3F 0x0B 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\80-f5-03-a6-0f-03@TeredoAddress 2001:0:9d38:6abd:fa:1911:a6b9:7158 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3990 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 735 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{856BBF1A-86A7-45B0-A490-6E16F74106C6} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}|Desc=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-919809942-2132619914-2252889538-1417933825-3888566155-4108240615-1551254447|EmbedCtxt=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}|Platform=2:6:2|Platform2=GTEQ| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{40F576A3-EDCD-4E7F-B5E9-8317B883D71F} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Desc=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2967553933-3217682302-2494645345-2077017737-3805576244-585965800-1797614741|EmbedCtxt=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Platform=2:6:2|Platform2=GTEQ| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{BFF26917-EA2D-4836-9FE8-9DDB83DEFD5A} v2.25|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Desc=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2967553933-3217682302-2494645345-2077017737-3805576244-585965800-1797614741|EmbedCtxt=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Platform=2:6:2|Platform2=GTEQ| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{0C207FAB-1BD0-49E8-984A-E47E8FD51E33} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Platform=2:6:2|Platform2=GTEQ| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{95BE966C-3457-4AE5-852C-0BADE1CD67E6} v2.25|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{EDC65BE9-6AD7-4D96-B684-01D1E809FF7C} v2.25|Action=Block|Active=TRUE|Dir=In|Name=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}|Desc=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-919809942-2132619914-2252889538-1417933825-3888566155-4108240615-1551254447|EmbedCtxt=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{F2EFB666-6966-4836-BDFB-DB064C6C72D5} v2.25|Action=Block|Active=TRUE|Dir=Out|Name=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}|Desc=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-919809942-2132619914-2252889538-1417933825-3888566155-4108240615-1551254447|EmbedCtxt=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{8345CB29-9B5B-4DAA-8D79-B4959C292E1B} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}|Desc=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-919809942-2132619914-2252889538-1417933825-3888566155-4108240615-1551254447|EmbedCtxt=@{26720RandomSaladGamesLLC.SimpleSolitaire_5.0.0.31_x64__kx24dqmazqk8j?ms-resource://26720RandomSaladGamesLLC.SimpleSolitaire/resources/gameName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{6027DBB3-356A-4E9E-B8BF-B75A57C37533} v2.25|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Desc=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2967553933-3217682302-2494645345-2077017737-3805576244-585965800-1797614741|EmbedCtxt=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{4316A78B-BAB3-4B5B-84DE-3AA55D3F6B41} v2.25|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Desc=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2967553933-3217682302-2494645345-2077017737-3805576244-585965800-1797614741|EmbedCtxt=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{F6C0A521-C4CB-4DDC-B420-FB713481A609} v2.25|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Desc=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2967553933-3217682302-2494645345-2077017737-3805576244-585965800-1797614741|EmbedCtxt=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{68C38D76-3AEC-479C-BD42-4D74C41AACDD} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Desc=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2967553933-3217682302-2494645345-2077017737-3805576244-585965800-1797614741|EmbedCtxt=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{9A1014F7-17B9-4A1A-B72C-7DD202F46311} v2.25|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Desc=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2967553933-3217682302-2494645345-2077017737-3805576244-585965800-1797614741|EmbedCtxt=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Security=Authenticate| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{68A7A807-1B6A-49E1-A25B-78C4A71AD3D0} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Desc=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2967553933-3217682302-2494645345-2077017737-3805576244-585965800-1797614741|EmbedCtxt=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Security=Authenticate| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{D6BC3FB4-F999-4969-925E-EC5F3DB8AB2E} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}|Desc=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_DESCRIPTION}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2967553933-3217682302-2494645345-2077017737-3805576244-585965800-1797614741|EmbedCtxt=@{Microsoft.ZuneVideo_3.6.17801.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.ZuneVideo/resources/IDS_MANIFEST_VIDEO_APP_NAME}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{32F00BA1-BA70-4AF8-B1CD-AB0E620B45BC} v2.25|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{DDCF84F7-D683-4F35-9E91-EFC9BE1AC4E0} v2.25|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{2D49D44A-5952-4F8D-9E36-067894F22C83} v2.25|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{E8642FA0-88D4-4F81-A6D1-2E9110522049} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{6BFACF68-A840-460C-A1AA-1A50002EDFBB} v2.25|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Security=Authenticate| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{51495ED3-022F-4F17-A46E-EE2B4F8A98B6} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Security=Authenticate| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{CA4FEBBB-464E-424C-9E6E-0404D28708C6} v2.25|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{228D18A3-C0C9-40BD-ACD0-8442268B82D3} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|Desc=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-1391875746-577248832-3267673664-1001|AppPkgId=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518|EmbedCtxt=@{Microsoft.Windows.Photos_16.302.8200.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.Windows.Photos/Resources/AppStoreName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence 9 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x4C 0xE1 0x3B 0x56 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x4C 0x49 0x00 0xB8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x4C 0x79 0x77 0xF4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xBF 0xC8 0x3B 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceSetup@AppInstallNotificationChangeStamp 247 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceSetup@AppUninstallNotificationChangeStamp 187 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 180 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 100 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xE3 0x3E 0xF1 0xD1 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xE3 0x3E 0xF1 0xD1 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xE3 0x3E 0xF1 0xD1 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 100 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xE3 0x3E 0xF1 0xD1 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk1\DR1 unknown MBR code ---- EOF - GMER 2.2 ----