GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-09 23:17:08 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST3320418AS rev.CC46 298,09GB Running: medwwus9.exe; Driver: C:\Users\Kamilos\AppData\Local\Temp\pxtdafog.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\iertutil.dll [2624] entry point in ".rdata" section 0000000073011590 .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff8ba4b132f 8 bytes [A0, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff8ba4b1421 8 bytes [90, 6B, F8, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8ba4b16b0 8 bytes [70, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff8ba4b1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff8ba4b230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8ba554ff0 8 bytes {JMP QWORD [RIP-0xa3946]} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8ba5552f0 8 bytes {JMP QWORD [RIP-0xa3a62]} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8ba555350 8 bytes {JMP QWORD [RIP-0xa4027]} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8ba555590 8 bytes {JMP QWORD [RIP-0xa4066]} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8ba5556f0 8 bytes {JMP QWORD [RIP-0xa42d5]} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8ba556500 8 bytes {JMP QWORD [RIP-0xa41f7]} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8ba556b00 8 bytes {JMP QWORD [RIP-0xa513f]} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8ba557d40 8 bytes {JMP QWORD [RIP-0xa6412]} .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006d581462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006d5816b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006d5817eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006d58181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files\VIA XHCI UASP Utility\usb3Monitor.exe[6728] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006d581857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [6756] entry point in ".rdata" section 00000000691cf7c0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff8ba4b132f 8 bytes [A0, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff8ba4b1421 8 bytes [90, 6B, F8, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8ba4b16b0 8 bytes [70, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff8ba4b1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff8ba4b230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8ba554ff0 8 bytes {JMP QWORD [RIP-0xa3946]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8ba5552f0 8 bytes {JMP QWORD [RIP-0xa3a62]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8ba555350 8 bytes {JMP QWORD [RIP-0xa4027]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8ba555590 8 bytes {JMP QWORD [RIP-0xa4066]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8ba5556f0 8 bytes {JMP QWORD [RIP-0xa42d5]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8ba556500 8 bytes {JMP QWORD [RIP-0xa41f7]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8ba556b00 8 bytes {JMP QWORD [RIP-0xa513f]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8ba557d40 8 bytes {JMP QWORD [RIP-0xa6412]} .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006d581462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006d5816b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006d5817eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006d58181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3644] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006d581857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff8ba4b132f 8 bytes [A0, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff8ba4b1421 8 bytes [90, 6B, F8, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8ba4b16b0 8 bytes [70, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff8ba4b1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff8ba4b230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8ba554ff0 8 bytes {JMP QWORD [RIP-0xa3946]} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8ba5552f0 8 bytes {JMP QWORD [RIP-0xa3a62]} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8ba555350 8 bytes {JMP QWORD [RIP-0xa4027]} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8ba555590 8 bytes {JMP QWORD [RIP-0xa4066]} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8ba5556f0 8 bytes {JMP QWORD [RIP-0xa42d5]} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8ba556500 8 bytes {JMP QWORD [RIP-0xa41f7]} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8ba556b00 8 bytes {JMP QWORD [RIP-0xa513f]} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8ba557d40 8 bytes {JMP QWORD [RIP-0xa6412]} .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006d581462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006d5816b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006d5817eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006d58181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[5652] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006d581857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff8ba4b132f 8 bytes [A0, 6B, AE, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff8ba4b1421 8 bytes [90, 6B, AE, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8ba4b16b0 8 bytes [70, 6B, AE, 7F, 00, 00, 00, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff8ba4b1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff8ba4b230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8ba554ff0 8 bytes {JMP QWORD [RIP-0xa3946]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8ba5552f0 8 bytes {JMP QWORD [RIP-0xa3a62]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8ba555350 8 bytes {JMP QWORD [RIP-0xa4027]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8ba555590 8 bytes {JMP QWORD [RIP-0xa4066]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8ba5556f0 8 bytes {JMP QWORD [RIP-0xa42d5]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8ba556500 8 bytes {JMP QWORD [RIP-0xa41f7]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8ba556b00 8 bytes {JMP QWORD [RIP-0xa513f]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8ba557d40 8 bytes {JMP QWORD [RIP-0xa6412]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006d581462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006d5816b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006d5817eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006d58181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4640] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006d581857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 207 00007ff8ba4b132f 8 bytes [A0, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLargeIntegerToChar + 449 00007ff8ba4b1421 8 bytes [90, 6B, F8, 7F, 00, 00, 00, ...] .text ... * 2 .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 368 00007ff8ba4b16b0 8 bytes [70, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrSetDllDirectory + 852 00007ff8ba4b1894 8 bytes {JMP 0xffffffffffffffa0} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!RtlLockCurrentThread + 175 00007ff8ba4b230f 8 bytes {JMP 0xffffffffffffffec} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff8ba554ff0 8 bytes {JMP QWORD [RIP-0xa3946]} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff8ba5552f0 8 bytes {JMP QWORD [RIP-0xa3a62]} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff8ba555350 8 bytes {JMP QWORD [RIP-0xa4027]} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff8ba555590 8 bytes {JMP QWORD [RIP-0xa4066]} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff8ba5556f0 8 bytes {JMP QWORD [RIP-0xa42d5]} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff8ba556500 8 bytes {JMP QWORD [RIP-0xa41f7]} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff8ba556b00 8 bytes {JMP QWORD [RIP-0xa513f]} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff8ba557d40 8 bytes {JMP QWORD [RIP-0xa6412]} .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\System32\wow64cpu.dll!BTCpuProcessInit + 210 000000006d581462 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 564 000000006d5816b4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\System32\wow64cpu.dll!BTCpuIsProcessorFeaturePresent + 875 000000006d5817eb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 30 000000006d58181e 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Kamilos\Desktop\Nowy folder\medwwus9.exe[7932] C:\WINDOWS\System32\wow64cpu.dll!BTCpuResetToConsistentState + 87 000000006d581857 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ? C:\WINDOWS\system32\apphelp.dll [7932] entry point in ".rdata" section 00000000691cf7c0 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\Explorer.EXE[4516] @ C:\WINDOWS\Explorer.EXE[USER32.dll!SetWindowCompositionAttribute] [5ef0080] IAT C:\WINDOWS\Explorer.EXE[4516] @ C:\WINDOWS\Explorer.EXE[GDI32.dll!StretchDIBits] [5ef0020] IAT C:\WINDOWS\Explorer.EXE[4516] @ C:\WINDOWS\Explorer.EXE[UxTheme.dll!DrawThemeTextEx] [5ef0040] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\system32\AUDIODG.EXE[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [7ff8ba690000] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\KERNEL32.DLL[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\KERNELBASE.dll[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [7ff8ba690000] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\RPCRT4.dll[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\sechost.dll[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\bcryptPrimitives.dll[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\kernel.appcore.dll[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\user32.dll[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\gdi32full.dll[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [7ff8ba690000] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\powrprof.dll[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\audioeng.dll[ntdll.dll!NtClose] [7ff8ba690010] IAT C:\WINDOWS\system32\AUDIODG.EXE[3544] @ C:\WINDOWS\System32\AVRT.dll[ntdll.dll!NtClose] [7ff8ba690010] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [732:780] ffffba5e5e536c20 Thread C:\WINDOWS\System32\svchost.exe [1596:1632] 00007ff8af323bc0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x2D 0x8B 0xEE 0xD4 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x87 0x77 0x59 0x97 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x41 0xB3 0x31 0x3B ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 8 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\IVM560D1100192351317_17_07D9_69^27EAE7E352D21955EFEE59B0322FC777@Timestamp 0x6B 0x43 0xFA 0xA3 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 888 Reg HKLM\SYSTEM\CurrentControlSet\Control\PnP@DisableLKG 1 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_11012_13480\old_chrome.exe??\??\C:\Program Files (x86)\Google\Chrome\Temp\scoped_dir_11012_13480??\??\C:\Program Files (x86)\Google\Chrome\Temp??\??\C:\Users\Kamilos\AppData\Local\Temp\_iu14D2N.tmp??\??\C:\Users\Kamilos\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\Kamilos\AppData\Local\Temp\~nsu.tmp??\??\C:\Users\Kamilos\AppData\Local\Temp\nsj2286.tmp\??\??\C:\Users\Kamilos\AppData\Local\Temp\nsj2286.tmp\Lang\ENU.dll?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 3900134 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1928811931 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 8 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 488363371 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 12751 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 1936fdf6-20b7-4032-be15-41a40f4 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 9 Reg HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events CreateSession Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{3aa52b8b-6357-4c18-a92e-b53fb177853b}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{6d8a3a60-40af-445a-98ca-99359e500146}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{7d29d58a-931a-40ac-8743-48c733045548}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{85a62a0d-7e17-485f-9d4f-749a287193a6}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{b059b83f-d946-4b13-87ca-4292839dc2f2}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{bff15e13-81bf-45ee-8b16-7cfead00da86}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{e7558269-3fa5-46ed-9f4d-3c6e282dde55}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{f1ef270a-0d32-4352-ba52-dbab41e1d859}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{0bf2fb94-7b60-4b4d-9766-e82f658df540}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{15ca44ff-4d7a-4baa-bba5-0998955e531e}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{2ff3e6b7-cb90-4700-9621-443f389734ed}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{85a62a0d-7e17-485f-9d4f-749a287193a6}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{a68ca8b7-004f-d7b6-a698-07e2de0f1f5d}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{a6ad76e3-867a-4635-91b3-4904ba6374d7}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{a8a1f2f6-a13a-45e9-b1fe-3419569e5ef2}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{abf1f586-2e50-4ba8-928d-49044e6f0db7}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{b675ec37-bdb6-4648-bc92-f3fdc74d3ca2}@Status 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 2 Reg HKLM\SYSTEM\CurrentControlSet\Services@TransactedServices ACPI?vhdmp? Reg HKLM\SYSTEM\CurrentControlSet\Services\AmdPPM\Parameters\Wdf@TimeOfLastTelemetryLog 0x33 0x00 0x79 0xD1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0x71 0xA4 0x36 0xD1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x96 0xC4 0x13 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\DeviceInstall\Parameters@DeviceInstallDisabled 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{7e96c1a1-adda-4dd9-b8bb-1e275b16676c}@LastProbeTime 1478394916 Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x6D 0xD7 0x26 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0x0C 0x3B 0x51 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0x0E 0xF5 0xF5 0xCB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x2D 0xF4 0x87 0xD1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?pon.?, ?lis ?07 ?16, 11:53:02????????????????????????=???????? Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 504 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2519 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 308 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{AA4D0CF0-49B6-4E71-98FE-649CCB8C499A} v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-235085378-2933528215-4077111654-1000|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{674BA3E0-EC51-4EFB-8028-A49FC7114D2C} v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-235085378-2933528215-4077111654-1000|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{D4B6EC6B-C2BE-47B1-8984-B579014EFFD9} v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-235085378-2933528215-4077111654-1000|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{8419AC23-71CC-45E9-9B30-24393B6FC9CE} v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-235085378-2933528215-4077111654-1000|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{A2090A74-0A5A-45EF-9A86-8D8E790AEBF0} v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-235085378-2933528215-4077111654-1000|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.206_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{CDDA4DE2-BE01-4168-AA8E-0C3DCC0402A0} v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-235085378-2933528215-4077111654-1000|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{F6A5C7C6-482E-4B3B-8655-00A6611B44BF} v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-235085378-2933528215-4077111654-1000|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{9DFCB176-D53D-48CB-A7BD-FC3726A9EA2F} v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-235085378-2933528215-4077111654-1000|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.206_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 7 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4486c0a2-0b46-40b2-95f6-5036fae71629}@LeaseObtainedTime 1478712190 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4486c0a2-0b46-40b2-95f6-5036fae71629}@T1 1478755390 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4486c0a2-0b46-40b2-95f6-5036fae71629}@T2 1478787790 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4486c0a2-0b46-40b2-95f6-5036fae71629}@LeaseTerminatesTime 1478798590 Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0x96 0xC4 0x13 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0x0A 0xCE 0xA5 0xD1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0x0F 0xF3 0x25 0xD1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0xBE 0x08 0x09 0xCC ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xED 0xFF 0x4E 0x6E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xED 0x67 0x13 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xED 0x97 0x8A 0x0C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 10018 10024 10034 10044 10064 10108 10118 10156 10162 10178 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 10184 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 10185 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 10018 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 10019 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 201 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Lock Screen\Creative@LockImageFlags 3 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds 308046B0AF4A39CB? Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@308046B0AF4A39CB 0xD5 0x68 0x8C 0x11 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{19185254-6929-4C9B-BA38-255A3EEAAC7B}@LastAccessedTime 0x90 0xE4 0xFC 0x5A ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{19185254-6929-4C9B-BA38-255A3EEAAC7B}@LaunchCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0xED 0xBB 0xCD 0x53 ... ---- EOF - GMER 2.2 ----