GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-29 11:34:23 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000025 ST1000DM003-1ER162 rev.CC46 931,51GB Running: g7irnvw9.exe; Driver: C:\Users\KUBAIM~1\AppData\Local\Temp\pglcrkoc.sys ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00007ffa2ec4eb50 5 bytes JMP 00007ffa0cbe2da0 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00007ffa2eca9c20 5 bytes JMP 00007ffa0cbe2c60 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00007ffa2ecc53f0 5 bytes JMP 00007ffa0cbe2f30 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa2ecc55d0 5 bytes JMP 00007ffa0cbe25a0 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa2ecc5810 5 bytes JMP 00007ffa0cbe2410 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffa2ecc58d0 5 bytes JMP 00007ffa0cbe29a0 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffa2ecc59d0 5 bytes JMP 00007ffa0cbe2940 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread 00007ffa2ecc5b10 5 bytes JMP 00007ffa0cbe27d0 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffa2ecc65c0 5 bytes JMP 00007ffa0cbe29f0 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffa2ecc6700 5 bytes JMP 00007ffa0cbe2aa0 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateUserProcess 00007ffa2ecc6820 5 bytes JMP 00007ffa0cbe2b50 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffa2ecc7320 5 bytes JMP 00007ffa0cbe2a50 .text C:\WINDOWS\system32\taskhostw.exe[9360] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffa2ecc73e0 5 bytes JMP 00007ffa0cbe2b00 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 00007ffa2ec4eb50 5 bytes JMP 00007ffa0cbe2da0 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDecompressBuffer 00007ffa2eca9c20 5 bytes JMP 00007ffa0cbe2c60 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationProcess 00007ffa2ecc53f0 5 bytes JMP 00007ffa0cbe2f30 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ffa2ecc55d0 5 bytes JMP 00007ffa0cbe25a0 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffa2ecc5810 5 bytes JMP 00007ffa0cbe2410 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffa2ecc58d0 5 bytes JMP 00007ffa0cbe29a0 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffa2ecc59d0 5 bytes JMP 00007ffa0cbe2940 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread 00007ffa2ecc5b10 5 bytes JMP 00007ffa0cbe27d0 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffa2ecc65c0 5 bytes JMP 00007ffa0cbe29f0 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffa2ecc6700 5 bytes JMP 00007ffa0cbe2aa0 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateUserProcess 00007ffa2ecc6820 5 bytes JMP 00007ffa0cbe2b50 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffa2ecc7320 5 bytes JMP 00007ffa0cbe2a50 .text C:\WINDOWS\Explorer.EXE[3984] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffa2ecc73e0 5 bytes JMP 00007ffa0cbe2b00 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [3392] entry point in ".rdata" section 0000000070dbbb10 ? C:\WINDOWS\SYSTEM32\wship6.dll [8560] entry point in ".rdata" section 00000000736124b0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [8560] entry point in ".rdata" section 00000000712612d0 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [8560] entry point in ".rdata" section 0000000070dbbb10 ? C:\Windows\SYSTEM32\iertutil.dll [8768] entry point in ".rdata" section 00000000712612d0 ? C:\WINDOWS\SYSTEM32\srpapi.dll [8768] entry point in ".rdata" section 0000000072b82aa0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [8768] entry point in ".rdata" section 000000007180bd10 ? C:\Windows\SYSTEM32\iertutil.dll [9352] entry point in ".rdata" section 00000000712612d0 ? C:\WINDOWS\SYSTEM32\srpapi.dll [9352] entry point in ".rdata" section 0000000072b82aa0 ? C:\Windows\SYSTEM32\ActXPrxy.dll [9352] entry point in ".rdata" section 000000007180bd10 ? C:\WINDOWS\system32\apphelp.dll [3340] entry point in ".rdata" section 0000000072700380 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [3564:5844] fffff9612de94030 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance@ActiveShutdownDCL C:\WINDOWS\System32\WDI\LogFiles\WdiContextLog.etl.002 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SAM0C1A808728888_01_07E0_45^55794ED43268E62925B1682E92318398@Timestamp 0x06 0xC4 0x3F 0x64 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SIMULATED_10DE_1380_00000001_00000000_1101^C8D4F6DEB7BF78CA10749FC141AA9C99@Timestamp 0x37 0x92 0xEF 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1688809584 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 5857 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 5577 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 14047 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 481 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 568 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 8358 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeLibraryInitTime 103 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime 100 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 360 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 8562 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 225 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 152 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 8927 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 8934 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 13506 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 8931 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 14038 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 4399 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 143 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberSharedBufferTime 3 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 37994 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 4254 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeInitTime 141 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 509 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime 27 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 471307 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0x0B 0x13 0x03 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 30667 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0xB6 0x3A 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate 195 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 221 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FileRuns 56 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime 79 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumIoTime 17 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumTime 130 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumIoTime 20 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 224 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 563 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime 4593 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x72 0x75 0x05 0x1B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\BTHPORT Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\BTHPORT\LocalServices Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\HidBth Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@COD Type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@Scans Before Out of Range 8 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@SCO Max Channels 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@Store Link Key COD Masks 0x00 0x00 0x1F 0x43 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0000@SymbolicLinkName \??\USB#VID_1038&PID_1412#5&352f829b&0&12#{0850302a-b344-4fda-9be9-90576b8d46f0} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{9A1BC6A7-3562-4203-848F-D50C70B063A3}@DefunctTimestamp 0x44 0xCE 0xEB 0x57 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-0b-00-00-ad-d0@AddressCreationTimestamp 0x95 0xAD 0xFC 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-0b-00-00-ad-d0@UPnPState 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-0b-00-00-ad-d0@ClientLocalPort 51523 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-0b-00-00-ad-d0@TeredoAddress 2001:0:5ef5:79fb:88f:36bc:aa21:f94c Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee@DisplayName Us?uga wiadomo?ci_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee\TriggerInfo Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee\TriggerInfo\0 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee\TriggerInfo\0@Type 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee\TriggerInfo\0@Action 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee\TriggerInfo\0@DataType0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0x6B 0x0F 0xA4 0x01 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee@DisplayName Synchronizuj hosta_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee@DisplayName Dane kontaktowe_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 7687 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1023 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{343FD102-95EF-4BF9-A33E-772A03CD304D} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}|Desc=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}|LUOwn=S-1-5-21-2670859206-3087183214-2171256421-1000|AppPkgId=S-1-15-2-1227535392-783678415-19788749-859698564-2515149781-2716591593-3518111838|EmbedCtxt=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}|Platform=2:6:2|Platform2=GTEQ| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{DD02D289-F789-4539-9F95-E05F1905A814} v2.25|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}|Desc=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}|LUOwn=S-1-5-21-2670859206-3087183214-2171256421-1000|AppPkgId=S-1-15-2-1227535392-783678415-19788749-859698564-2515149781-2716591593-3518111838|EmbedCtxt=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{6D76ED8C-9BB5-46F3-A808-6536BFB30827} v2.25|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}|Desc=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}|LUOwn=S-1-5-21-2670859206-3087183214-2171256421-1000|AppPkgId=S-1-15-2-1227535392-783678415-19788749-859698564-2515149781-2716591593-3518111838|EmbedCtxt=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{4C0BF7D9-7B12-4651-92EB-1BAAEB4CAD84} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}|Desc=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2670859206-3087183214-2171256421-1000|AppPkgId=S-1-15-2-1227535392-783678415-19788749-859698564-2515149781-2716591593-3518111838|EmbedCtxt=@{Microsoft.WindowsPhone_10.1608.2211.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.WindowsPhone/Resources/AppStoreName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bb39121f-ef99-4f6d-8cc5-42214185eefc}@LeaseObtainedTime 1475074533 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bb39121f-ef99-4f6d-8cc5-42214185eefc}@T1 1475117733 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bb39121f-ef99-4f6d-8cc5-42214185eefc}@T2 1475150133 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bb39121f-ef99-4f6d-8cc5-42214185eefc}@LeaseTerminatesTime 1475160933 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee@ImagePath C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee@DisplayName Magazyn danych u?ytkownika_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee@Type 224 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee@DisplayName Dost?p do danych u?ytkownika_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee@FailureActions 0x80 0x51 0x01 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee\Security@Security 0x01 0x00 0x04 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_4efee Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xB7 0x32 0xB2 0x34 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xB7 0x9A 0x76 0x96 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xB7 0xCA 0xED 0xD2 ... Reg HKLM\SYSTEM\Maps@LastMapUpdateCheck 0xF7 0x49 0x38 0xE7 ... ---- EOF - GMER 2.2 ----