GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-05-27 16:52:54
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000023 TOSHIBA_MQ01ABD100 rev.AX1P4M 931,51GB
Running: sv75ns5c.exe; Driver: C:\Users\Irek\AppData\Local\Temp\uxldrpow.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\system32\apphelp.dll [8048] entry point in ".rdata" section 000000006e1a0380

---- User IAT/EAT - GMER 2.2 ----

IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_wfopen] [3e006f0066]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!fclose] [7300650053003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_stricmp] [6e006f00690073]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_vsnprintf] [3e00790065004b]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!fprintf] [0]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcstol] [650053002f003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!tolower] [6f006900730073]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!srand] [790065004b006e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_strcmpi] [3e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_wcsnicmp] [7300650053003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_wtol] [6e006f00690073]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_wtoi] [5400790065004b]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_ui64tow_s] [3e006500700079]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_get_errno] [0]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!iswspace] [7000790054003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!mbstowcs_s] [3e0065]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcschr] [790054002f003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_set_errno] [3e00650070]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_errno] [6300690054003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!strncpy_s] [3e00740065006b]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_wcstoui64] [0]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!rand] [690054002f003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcstod] [740065006b0063]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_ultow_s] [3e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!qsort] [7200650043003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!memcpy_s] [66006e00490074]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!sprintf_s] [3e006f]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcstoul] [650043002f003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_vsnwprintf] [6e004900740072]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!memmove] [3e006f0066]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_purecall] [790065004b003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcstombs] [72006900610070]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcsstr] [3e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_itow_s] [65004b002f003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcsncmp] [69006100700079]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!iswalnum] [3e0072]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!iswdigit] [7200650043003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcsrchr] [3e0074]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_wtoi64] [650043002f003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!swprintf_s] [3e00740072]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!memcmp] [790065004b003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!memcpy] [46006e00650047]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!memset] [7300670061006c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_onexit] [3e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!__dllonexit] [65004b002f003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!bsearch] [6e006500470079]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!__CxxFrameHandler3] [670061006c0046]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_unlock] [3e0073]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_lock] [53004800580043]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_initterm] [7300700055006e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_callnewh] [6c006c0065]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!malloc] [53004800580043]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_XcptFilter] [49006e00670069]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcstok_s] [6e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!free] [54004800580043]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_strnicmp] [73006e00610072]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_amsg_exit] [74006e00650069]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!_wcsicmp] [6e006700690053]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[msvcrt.dll!wcscmp] [6e0049]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!TpReleaseAlpcCompletion] [74007500410065]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!ZwAlpcQueryInformation] [68]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!AlpcInitializeMessageAttribute] [69007600650044]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!vDbgPrintEx] [65005300650063]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!ZwAlpcDisconnectPort] [6f006900730073]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!TpWaitForAlpcCompletion] [790065004b006e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlWakeAddressAll] [0]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!AlpcGetMessageAttribute] [3a00730070003c]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlInitUnicodeString] [65007300730041]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!TpAllocAlpcCompletion] [6f006900740072]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlWaitOnAddress] [72006f0046006e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!ZwAlpcConnectPort] [2000740061006d]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!ZwAlpcSendWaitReceivePort] [6e006c006d0078]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!ZwAlpcCancelMessage] [730070003a0073]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlAllocateHeap] [7400680022003d]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlFreeHeap] [2f003a00700074]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!NtSetInformationThread] [6800630073002f]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlUnsubscribeWnfStateChangeNotification] [730061006d0065]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!VerSetConditionMask] [630069006d002e]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!NtQueryWnfStateData] [6f0073006f0072]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!WinSqmIncrementDWORD] [63002e00740066]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlPublishWnfStateData] [50002f006d006f]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!WinSqmSetDWORD] [70007300730061]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlQueryWnfStateData] [2f00740072006f]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlUnsubscribeWnfNotificationWaitForCompletion] [700061006f0053]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlSubscribeWnfStateChangeNotification] [76007200650053]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlNtStatusToDosError] [73006500630069]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlVirtualUnwind] [4300500050002f]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlLookupFunctionEntry] [3e0022004c0052]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!RtlCaptureContext] [3c006400490045]
IAT C:\WINDOWS\system32\svchost.exe[388] @ c:\windows\system32\wuaueng.dll[ntdll.dll!ZwClose] [3a00730070002f]

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [6440:7276] fffff9609dda4060

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\LGD045C0_00_07DE_B9^AED12737F5B52F5A5073DB61F714F062@Timestamp 0x3C 0x22 0x90 0x14 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 1455895678
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 3529
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 3534
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 15114
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeBootMgrTime 395
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 1843
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 3940
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime 428
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 1166
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 4475
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 874
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 313
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAllocateTime 9
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 5784
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 5833
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 13131
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 5824
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 15103
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 6540
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 287
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 20352
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 5918
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 579
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelAnimationTime 75
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 458166
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0xCE 0x84 0x02 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 29840
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0x68 0x3B 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberWriteRate 113
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate 105
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressRate 76
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumTime 267
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumIoTime 106
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 4586
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 544
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x3F 0xA5 0x0E 0x15 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime 7378
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 6
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\ace010d70e1f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg HKLM\SYSTEM\CurrentControlSet\Services\IDSVia64@ImagePath \??\C:\Program Files (x86)\Norton Security\NortonData\22.6.0.142\Definitions\IPSDefs\20160525.001\IDSvia64.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\IDSVia64
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\74-44-01-40-9f-3e@ClientLocalPort 57384
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\74-44-01-40-9f-3e@AddressCreationTimestamp 0xC0 0xC5 0x57 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\74-44-01-40-9f-3e@TeredoAddress 2001:0:5ef5:79fb:28f0:1fd7:a3fa:4200
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731@DisplayName MessagingService_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731@DisplayName Sync Host_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731@DisplayName Contact Data_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 8107
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1881
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{581969BB-98A5-4F9C-93DE-F7BFCEC95B78} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|Desc=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|LUOwn=S-1-5-21-2779230792-305716697-1430175923-1001|AppPkgId=S-1-15-2-3995430443-3719053022-3339397951-2895237338-2437516106-1575886070-2755610054|EmbedCtxt=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|Platform=2:6:2|Platform2=GTEQ|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{6FA0B974-4053-4684-9BC0-C974721267F7} v2.25|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|Desc=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|LUOwn=S-1-5-21-2779230792-305716697-1430175923-1001|AppPkgId=S-1-15-2-3995430443-3719053022-3339397951-2895237338-2437516106-1575886070-2755610054|EmbedCtxt=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{BFD54547-358E-49CA-9FD6-68592C1E1595} v2.25|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|Desc=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|LUOwn=S-1-5-21-2779230792-305716697-1430175923-1001|AppPkgId=S-1-15-2-3995430443-3719053022-3339397951-2895237338-2437516106-1575886070-2755610054|EmbedCtxt=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System@{418DE7FD-5DAB-486F-A9AF-B980CB272F56} v2.25|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|Desc=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-2779230792-305716697-1430175923-1001|AppPkgId=S-1-15-2-3995430443-3719053022-3339397951-2895237338-2437516106-1575886070-2755610054|EmbedCtxt=@{Microsoft.3DBuilder_11.1.7.0_x64__8wekyb3d8bbwe?ms-resource://Microsoft.3DBuilder/resources/AppStoreName}|
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 1006
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{049906de-064e-4558-a5b2-5f3ab726aa67}@LeaseObtainedTime 1464284377
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{049906de-064e-4558-a5b2-5f3ab726aa67}@T1 1464327577
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{049906de-064e-4558-a5b2-5f3ab726aa67}@T2 1464359977
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{049906de-064e-4558-a5b2-5f3ab726aa67}@LeaseTerminatesTime 1464370777
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731@ImagePath C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731@DisplayName User Data Storage_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731@DisplayName User Data Access_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_e1c731
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeConfidence 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x10 0xF9 0x72 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x10 0x61 0x37 0xBA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x10 0x91 0xAE 0xF6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x37 0xFE 0xB7 0x15 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters\Wdf@TimeOfLastTelemetryLog 0x06 0xA6 0xF3 0xDC ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:D15B7CD0-0153-4FCD-8472-6636C0333690\Interfaces\{d0875fb4-2196-4c7a-a63d-e416addd60a1}\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x04 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\Pnp\CurrentControlSet\Control\DeviceMigration\Devices\SWD\DAFUPNPPROVIDER\UUID:D15B7CD0-0153-4FCD-8472-6636C0333690\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000E@ 0x64 0x62 0x04 0x00 ...

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----