GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-02 21:17:08
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 ST1000LM014-SSHD-8GB rev.LVD4 931,51GB
Running: rmq2tm48.exe; Driver: C:\Users\Robert\AppData\Local\Temp\kwrdqpoc.sys

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\csrss.exe [748:772]  ffffd6abce736c20

---- Services - GMER 2.2 ----

Service  C:\WINDOWS\system32\Drivers\bsdpf64.sys (*** hidden *** )  [DISABLED] bsdpf64  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\Drivers\bsdpr64.sys (*** hidden *** )  [DISABLED] bsdpr64  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] CDPUserSvc_9d394  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] MessagingService_9d394  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] OneSyncSvc_9d394  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] PimIndexMaintenanceSvc_9d394  <-- ROOTKIT !!!
Service  C:\WINDOWS\System32\svchost.exe (*** hidden *** )  [MANUAL] UnistoreSvc_9d394  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] UserDataSvc_9d394  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [MANUAL] WpnUserService_9d394  <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xE2 0x6B 0x2D 0x31 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x3B 0xDE 0x1B 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  8
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\CMN15C40_28_07DD_1D^51AC4511CAE3489C86F1BBEC2B1C7C87@Timestamp  0xE2 0xA0 0x4E 0x32 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  632
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  \??\C:\Program Files (x86)\Lizaward\Proxy32.dll??\??\C:\Program Files (x86)\Lizaward\Proxy64.dll??\??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp\Un_A.exe??\??\C:\Users\Robert\AppData\Local\Temp\~nsuA.tmp??\??\C:\Program Files (x86)\CleanBrowser\uninstall.exe??\??\C:\Program Files (x86)\CleanBrowser\??\??\C:\Users\Robert\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\Robert\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\Robert\AppData\Local\Temp\_iu14D2N.tmp??\??\C:\Users\Robert\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\Robert\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\Robert\AppData\Local\Temp\nslE09.tmp\dapte.hef??\??\C:\Users\Robert\AppData\Local\Temp\nslE09.tmp\??\??\C:\WINDOWS\Temp\8A41.tmp??\??\C:\WINDOWS\Temp\8A43.tmp??\??\C:\WINDOWS\Temp\8A44.tmp??\??\C:\WINDOWS\Temp\8A42.tmp??\??\C:\WINDOWS\Temp\8A45.tmp??\??\C:\WINDOWS\Temp\8A46.tmp??\??\C:\Users\Robert\AppData\Local\Temp\nsu8BE4.tmp\cuphoutt.bua??\??\C:\Users\Robert\AppData\Local\Temp\nsu8BE4.tmp\??\??\C:\Users\Robert\AppData\Local\Temp\nsl8
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  1093239248
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  b27fbf5f-8513-4fa4-ac09-2400e34
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName  \BaseNamedObjects\WDI_{91f0ed40-1d37-41f3-beda-a8162c3ed1ae}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\0074871477923139mcinstcleanup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\0074871477923139mcinstcleanup@Type  16
Reg  HKLM\SYSTEM\CurrentControlSet\Services\0074871477923139mcinstcleanup@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\0074871477923139mcinstcleanup@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\0074871477923139mcinstcleanup@ImagePath  C:\WINDOWS\TEMP\007487~1.EXE -cleanup -nolog
Reg  HKLM\SYSTEM\CurrentControlSet\Services\0074871477923139mcinstcleanup@DisplayName  McAfee Application Installer Cleanup (0074871477923139)
Reg  HKLM\SYSTEM\CurrentControlSet\Services\0074871477923139mcinstcleanup@WOW64  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\0074871477923139mcinstcleanup@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\0074871477923139mcinstcleanup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName  Global\MMF_BITSc52d3ceb-e893-4c19-adcd-78ff432e66cf
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64@Type  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64@Start  4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64@ImagePath  \??\C:\WINDOWS\system32\Drivers\bsdpf64.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64@DisplayName  bsdpf64 service
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64@Group  FSFilter Activity Monitor
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64@DependOnService  FltMgr?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64@WOW64  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64@DeleteFlag  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64\Instances
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64\Instances@DefaultInstance  bsdpf64 Instance
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64\Instances\bsdpf64 Instance
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64\Instances\bsdpf64 Instance@Altitude  333111
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64\Instances\bsdpf64 Instance@Flags  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpf64
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpr64
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpr64@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpr64@Start  4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpr64@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpr64@ImagePath  \??\C:\WINDOWS\system32\Drivers\bsdpr64.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpr64@DisplayName  bsdpr64 service
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpr64@WOW64  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpr64@DeleteFlag  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\bsdpr64
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\34e6adeee5e8
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394@DisplayName  CDPUserSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394@Description  @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{79ab79e5-6e2f-4e0c-aff9-6591082686c3}@LastProbeTime  1478118131
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394@DisplayName  Usługa wiadomości_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394@Description  @%SystemRoot%\system32\MessagingService.dll,-101
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394\TriggerInfo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394\TriggerInfo\0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394\TriggerInfo\0@Type  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394\TriggerInfo\0@Action  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394\TriggerInfo\0@Guid  0x16 0x28 0x7A 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394\TriggerInfo\0@Data0  0x75 0x18 0xBC 0xA3 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394\TriggerInfo\0@DataType0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394@DisplayName  Synchronizuj hosta_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394@Description  @%SystemRoot%\system32\APHostRes.dll,-10001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394@DisplayName  Dane kontaktowe_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394@Description  @%SystemRoot%\system32\UserDataAccessRes.dll,-15000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  ??r.?, ?lis ?02 ?16, 08:28:50???}??????????????????????????????
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends  497
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  1983
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  230
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  7
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS  577
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpDomain  telpol.net.pl
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer  192.168.200.250 192.168.0.250
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b315ffbc-84e2-4a30-82ee-eb6990cb61b3}@LeaseObtainedTime  1478116406
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b315ffbc-84e2-4a30-82ee-eb6990cb61b3}@T1  1478159606
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b315ffbc-84e2-4a30-82ee-eb6990cb61b3}@T2  1478192006
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b315ffbc-84e2-4a30-82ee-eb6990cb61b3}@LeaseTerminatesTime  1478202806
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b315ffbc-84e2-4a30-82ee-eb6990cb61b3}@DhcpNetworkHint  46F6D65636A756B6D233233343
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{B315FFBC-84E2-4A30-82EE-EB6990CB61B3}@DhcpV6NetworkHint  46F6D65636A756B6D233233343
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394@ImagePath  C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394@DisplayName  Magazyn danych użytkownika_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394@Description  @%SystemRoot%\system32\UserDataAccessRes.dll,-10002
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394@DisplayName  Dostęp do danych użytkownika_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394@Description  @%SystemRoot%\system32\UserDataAccessRes.dll,-14000
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List  10372 10378 10390 10400 10410 10430 10474 10484 10522 10528 10544
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter  10550
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help  10551
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter  10372
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help  10373
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394@Type  224
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394@Start  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394@ImagePath  C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394@DisplayName  Usługa użytkownika powiadomień WNS_9d394
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394@FailureActions  0x80 0x51 0x01 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394@Description  @%SystemRoot%\system32\WpnUserService.dll,-2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394\Security@Security  0x01 0x00 0x04 0x80 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_9d394
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:4D454930-0100-1000-8001-8CC12115DC3F\Interfaces\{d0875fb4-2196-4c7a-a63d-e416addd60a1}\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@  0x64 0x62 0x02 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:4D454930-0100-1000-8001-8CC12115DC3F\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@  0x64 0x62 0x02 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}@Drive Type  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}@IsImapiDataBurnSupported  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}\Current Media
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}\Current Media@TotalBytes  0x00 0xE8 0xD5 0x81 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}\Current Media@FreeBytes  0x00 0x00 0x00 0x00 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}\Current Media@Blank Disc  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}\Current Media@Can Close  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}\Current Media@Live FS  0
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}\Current Media@Disc Label  Disc
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}\Current Media@Set  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}@DriveNumber  21
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{5cdf3a71-a131-11e6-8294-806e6f6e6963}@Active  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8664889D-ED18-4713-918F-E2BB69D8452B}\iexplore@Count  524
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count  469
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter  6773
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter  286
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime  0x61 0x99 0x4A 0xE2 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime  0x61 0x99 0x4A 0xE2 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter  1409
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime  0x61 0x99 0x4A 0xE2 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter  8182
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter  301
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime  0x61 0x99 0x4A 0xE2 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@CloudUsertileDirtyMarks  1
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken  LM%3d63613599742960%3bID%3d4B0F291EF1543EE6!109%3bLR%3d63613705945723%3bEP%3d13%3bSI%3d21%3bTD%3dTrue%3bSO%3d0%3bPI%3d49
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime  0xFC 0xBF 0x51 0xE2 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\23e34802
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\23e34802@FileExtension  jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\23e34802@Url  wpnidm:http://img.stb.s-msn.com/usappex/tenant/amp/entityid/AAjK3Ce.jpg?h=150&w=150&m=6
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\23e34802@FileName  C:\Users\Robert\AppData\Local\Microsoft\Windows\Notifications\wpnidm\23e34802.jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\4929c482
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\4929c482@FileExtension  jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\4929c482@Url  wpnidm:http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/30.jpg?a
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\4929c482@FileName  C:\Users\Robert\AppData\Local\Microsoft\Windows\Notifications\wpnidm\4929c482.jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba07f029
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba07f029@FileExtension  jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba07f029@Url  wpnidm:http://images-eds.xboxlive.com/image?url=z951ykn43p4FqWbbFvR2Ec.8vbDhj8G2Xe7JngaTToBrrCmIEEXHC9UNrdJ6P7KIoIeJ1sl4QgwrJRGcdRHOCj5eLmw8RcR_PrRIdLBkQlUyEVxmmKtLAqCcs7lEm0ow&w=320&h=320&format=jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba07f029@FileName  C:\Users\Robert\AppData\Local\Microsoft\Windows\Notifications\wpnidm\ba07f029.jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ff6e0ef4
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ff6e0ef4@FileExtension  jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ff6e0ef4@Url  wpnidm:http://img.s-msn.com//tenant/amp/entityid/AAd141G_h150_w150_m7.jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ff6e0ef4@FileName  C:\Users\Robert\AppData\Local\Microsoft\Windows\Notifications\wpnidm\ff6e0ef4.jpg
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds  Chrome.UserData.ChromeDefaultData?E7CF176E110C211B?
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome.UserData.ChromeDefaultData  0xA2 0x1C 0x06 0x43 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@E7CF176E110C211B  0xD2 0x84 0x52 0xC5 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{721062F6-285B-4295-82AC-D5D310C73478}@LastAccessedTime  0x80 0xF0 0xD3 0x6F ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{721062F6-285B-4295-82AC-D5D310C73478}@LaunchCount  4
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}@LastAccessedTime  0xC0 0xF7 0xEF 0x4D ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{C3A67596-11DD-43E2-AC47-912C7062CF51}@LaunchCount  5
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D703E41D-26E7-46A4-B240-F877DD8E08BD}@LastAccessedTime  0xD0 0xC4 0x0A 0xF9 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{D703E41D-26E7-46A4-B240-F877DD8E08BD}@LaunchCount  11
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime  0x35 0xA1 0x7C 0x82 ...
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations  104
Reg  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\browsersettings\wininet-internet-explorer@IsLocalReplicaDirty  1

---- Disk sectors - GMER 2.2 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.2 ----