GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-04-04 19:47:15 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e WDC_WD10EZRZ-00HTKB0 rev.01.01A01 931,51GB Running: nmh6z2l7.exe; Driver: C:\Users\nathi\AppData\Local\Temp\kfrdipoc.sys ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [704:744] fffff487fab36c20 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:2348] 0000000000ef0d1f Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:2768] 0000000072fee660 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:2772] 0000000072fee660 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:2988] 0000000072fee660 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:2376] 00000000731926c0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:1880] 0000000070bb6800 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:4100] 0000000070bb6800 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:4104] 0000000070b92d70 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:4108] 0000000070bac230 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:4112] 0000000070baa340 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:5032] 000000006b5088f0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:5036] 000000006b5088f0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:5040] 000000006b5088f0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:5044] 000000006b506590 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:5816] 0000000070bb6800 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:5824] 000000006b5088f0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:5836] 0000000070b80ff0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:5840] 0000000070b80e50 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:6760] 000000006b5088f0 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2344:972] 00000000732f8420 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2564:2568] 000000000027e2ea Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2564:3732] 0000000073cab960 Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2564:6304] 000000006aa825a0 Thread C:\WINDOWS\Explorer.EXE [3608:2920] 00007ffeb6c920e0 Thread C:\WINDOWS\Explorer.EXE [3608:2616] 00007ffebb3a20e0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x4D 0x6C 0xB9 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x40 0x60 0xB1 0x30 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x0B 0x31 0xBE 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x1F 0x28 0xB6 0x30 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 10 Reg HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\AIKCertEnroll@ErrorCode 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SAM0D20H4ZH903016_24_07E0_C5^640ABF8224F99A7CF6B763E97E869D30@Timestamp 0x16 0xFE 0xFA 0x95 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 900 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\nathi\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\nathi\AppData\Local\Temp\~nsu.tmp?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 1496973 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -1143342000 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 10 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 500798369 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 10781 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 10783 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID c96c71d4-c05b-403c-b548-1f905ed Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 3 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\acpipagr\Parameters\Wdf@TimeOfLastTelemetryLog 0x81 0x1D 0x73 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\avusbflt\Parameters\Wdf@TimeOfLastTelemetryLog 0xF2 0x86 0xEF 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS\Performance@PerfMMFileName Global\MMF_BITSd487a17f-8551-4ab9-a8c9-b054285b3203 Reg HKLM\SYSTEM\CurrentControlSet\Services\cdrom\Parameters\Wdf@TimeOfLastTelemetryLog 0xEB 0x7F 0x75 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xCF 0xA7 0x5D 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{bbf2f0e1-e35f-4abb-97a0-e53e9e91734b}@LastProbeTime 1491131957 Reg HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters\Wdf@TimeOfLastTelemetryLog 0x81 0x1D 0x73 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\intelpep\Parameters\Wdf@TimeOfLastTelemetryLog 0xE2 0xC3 0x8D 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\intelppm\Parameters\Wdf@TimeOfLastTelemetryLog 0x81 0x1D 0x73 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-12-f5-5e-20-4f@AddressCreationTimestamp 0x3D 0x1E 0xF4 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-12-f5-5e-20-4f@NatDetectionTimestamp 0x3D 0x1E 0xF4 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\c4-12-f5-5e-20-4f@TeredoAddress 2001:0:9d38:90d7:305b:2b22:d156:a06c Reg HKLM\SYSTEM\CurrentControlSet\Services\MEIx64\Parameters\Wdf@TimeOfLastTelemetryLog 0x63 0x26 0x85 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters\Wdf@TimeOfLastTelemetryLog 0x67 0xA3 0xEA 0x88 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters\Wdf@TimeOfLastTelemetryLog 0x16 0xEB 0x94 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf@TimeOfLastTelemetryLog 0xEB 0x7F 0x75 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Diagnostics@ReadyBootTrainingCountSinceLastServicing 5 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?wt.?, ?kwi ?04 ?17, 06:22:29 PM??????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@EffectivePends 30 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 938 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 116 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 9 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer 192.168.8.1 192.168.8.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef400024-3ffd-49fd-a3b3-13c2ace8781f}@LeaseObtainedTime 1491302861 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef400024-3ffd-49fd-a3b3-13c2ace8781f}@T1 1491346061 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef400024-3ffd-49fd-a3b3-13c2ace8781f}@T2 1491378461 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef400024-3ffd-49fd-a3b3-13c2ace8781f}@LeaseTerminatesTime 1491389261 Reg HKLM\SYSTEM\CurrentControlSet\Services\TPM@OsBootCount 10 Reg HKLM\SYSTEM\CurrentControlSet\Services\TPM\Parameters\Wdf@TimeOfLastTelemetryLog 0xD8 0x60 0xAA 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\umbus\Parameters\Wdf@TimeOfLastTelemetryLog 0xCF 0xA7 0x5D 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters\Wdf@TimeOfLastTelemetryLog 0x95 0xB0 0x85 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters\Wdf@TimeOfLastTelemetryLog 0xE2 0x2A 0x70 0x2E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters\Wdf@TimeOfLastTelemetryLog 0xD8 0x60 0xAA 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x67 0xAB 0x75 0x76 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x67 0x13 0x3A 0xD8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x67 0x43 0xB1 0x14 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 10858 10864 10874 10884 10904 10948 10958 10996 11002 11018 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 11024 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 11025 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 10858 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 10859 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@Url wpnidm:http://store-images.s-microsoft.com/image/global.38698.acentoprodimg.f850efbf-1fd6-4402-8a27-5720f5114ab5.23c7c923-e8fb-4a86-a9e3-2e3aa812d217?w=600&foreground=%2300000033 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\499db701.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@FileSize 53291 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\499db701.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\499db701@Notifications 0xFD 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@Url wpnidm:http://store-images.s-microsoft.com/image/global.34634.acentoprodimg.26b07656-a19e-4c79-8d84-98f1da9db086.31152ad0-ae01-4c2a-a351-2b41115ff91c?w=600&foreground=%2300000033 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\6aba7859.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@FileSize 55960 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\6aba7859.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\6aba7859@Notifications 0xFF 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@Url wpnidm:http://store-images.s-microsoft.com/image/global.62271.acentoprodimg.222fb11b-f225-45a5-a63b-7ab7ab6169fd.89e0951e-8844-45a1-bbc8-0703b324e250?w=600&foreground=%2300000033 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\9c58aee9.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@FileSize 50172 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\9c58aee9.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9c58aee9@Notifications 0xFC 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@Url wpnidm:http://store-images.s-microsoft.com/image/apps.56486.14301808469964752.5399e4c2-d371-40b1-9021-bf1c4e14a47c.1bdbdf1c-0b33-467d-9ace-218a5a7de37c?background=%23000000&foreground=%2300000033&mode=letterbox&w=150&h=150 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\9f284009.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@FileSize 23684 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\9f284009.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\9f284009@Notifications 0xFD 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@Url wpnidm:http://store-images.s-microsoft.com/image/apps.57899.13510798887339475.f2d53261-974f-4d6d-8a05-40410431508f.01b1d6fe-b773-42be-aed8-5de6aeaf904d?background=%23336699&foreground=%2300000033&mode=letterbox&w=150&h=150 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\b949a74b.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@FileSize 22306 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\b949a74b.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\b949a74b@Notifications 0xFF 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@Url wpnidm:http://store-images.s-microsoft.com/image/apps.52334.9007199266538018.3bb60836-7261-47b8-a084-51423f3fd123.3f4618e5-9b36-47d5-b2d5-db3b90741718?background=transparent&foreground=%2300000033&mode=letterbox&w=150&h=150 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\ba2f12e.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@FileSize 2114 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\ba2f12e.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ba2f12e@Notifications 0xFE 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@Url wpnidm:http://store-images.s-microsoft.com/image/global.9357.acentoprodimg.54d3811a-bd61-4ac6-80cb-fad0c9616d7b.05aa97a8-8d99-452d-98a2-21309f0bd9a6?w=600&foreground=%2300000033 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\cd8966b5.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@FileSize 25000 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\cd8966b5.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\cd8966b5@Notifications 0xFE 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@Url wpnidm:http://store-images.s-microsoft.com/image/apps.51513.13510798886208245.6592f3b0-e1e9-4108-8806-5c3592df5fd0.e2e03286-275c-4ba4-a6cd-ad8bcd80ebd2?background=%23000000&foreground=%2300000033&mode=letterbox&w=150&h=150 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\d4379a07.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@FileSize 26646 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\d4379a07.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\d4379a07@Notifications 0xFC 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@Url wpnidm:http://store-images.s-microsoft.com/image/global.4063.acentoprodimg.a87e6194-1ef8-4f0f-b889-7d7e4fbf3a8a.e2d01431-9f18-4f27-8992-6d5727475562?w=600&foreground=%2300000033 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\fb9ee533.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@FileSize 47798 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\fb9ee533.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\fb9ee533@Notifications 0xFB 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@FileExtension jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@Url wpnidm:http://store-images.s-microsoft.com/image/apps.2027.9007199266251727.c99285d0-1dcb-4986-84a0-6b7006fc0aad.4a3254a1-78d9-4e10-b7f5-c83e9c4c2d49?background=%2326222D&foreground=%2300000033&mode=letterbox&w=150&h=150 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@FileName C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\ffbc9b34.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@FileSize 56726 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@Flag 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@LocalPath C:\Users\nathi\AppData\Local\Microsoft\Windows\Notifications\wpnidm\ffbc9b34.jpg Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@Aumid Microsoft.WindowsStore_8wekyb3d8bbwe!App Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@Expiration 0x00 0x00 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@NotificationsCount 1 Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\ffbc9b34@Notifications 0xFB 0x04 0x00 0x00 ... Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds Chrome? Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Chrome 0xC6 0x74 0xB1 0x3D ... ---- EOF - GMER 2.2 ----