GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-05 18:47:19
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 TOSHIBA_MQ01ABD075 rev.AX0A4M 698,64GB
Running: rmq2tm48.exe; Driver: C:\Users\PAWE~1\AppData\Local\Temp\fglcqpob.sys

---- User code sections - GMER 2.2 ----

? C:\WINDOWS\SYSTEM32\NTASN1.dll [584] entry point in ".rdata" section 00000000745ca020
? C:\WINDOWS\system32\ncryptsslp.dll [584] entry point in ".rdata" section 00000000745a04f0
? C:\WINDOWS\SYSTEM32\iertutil.dll [4864] entry point in ".rdata" section 0000000073131150
? C:\WINDOWS\SYSTEM32\dbgcore.DLL [4864] entry point in ".rdata" section 000000007210c940
? C:\WINDOWS\SYSTEM32\NTASN1.dll [4864] entry point in ".rdata" section 00000000745ca020
? C:\Windows\System32\OneCoreUAPCommonProxyStub.dll [4864] entry point in ".rdata" section 000000006c727ec0
? C:\WINDOWS\system32\apphelp.dll [7672] entry point in ".rdata" section 0000000070daf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [7672] entry point in ".rdata" section 0000000073131150
? C:\Windows\System32\ieproxy.dll [7672] entry point in ".rdata" section 0000000070109520
? C:\WINDOWS\SYSTEM32\NTASN1.dll [7672] entry point in ".rdata" section 00000000745ca020
? C:\Windows\System32\OneCoreCommonProxyStub.dll [7672] entry point in ".rdata" section 000000006f5dda90
? C:\WINDOWS\system32\ncryptsslp.dll [7672] entry point in ".rdata" section 00000000745a04f0
? C:\WINDOWS\SYSTEM32\srpapi.dll [7672] entry point in ".rdata" section 000000006d0d6100
? C:\Windows\System32\ActXPrxy.dll [7672] entry point in ".rdata" section 000000006c4a9b80
? C:\WINDOWS\system32\apphelp.dll [5920] entry point in ".rdata" section 0000000070daf7c0
? C:\WINDOWS\SYSTEM32\iertutil.dll [5920] entry point in ".rdata" section 0000000073131150
? C:\Windows\System32\ieproxy.dll [5920] entry point in ".rdata" section 0000000070109520
? C:\WINDOWS\SYSTEM32\NTASN1.dll [5920] entry point in ".rdata" section 00000000745ca020
? C:\Windows\System32\OneCoreCommonProxyStub.dll [5920] entry point in ".rdata" section 000000006f5dda90
? C:\WINDOWS\SYSTEM32\srpapi.dll [5920] entry point in ".rdata" section 000000006d0d6100
? C:\WINDOWS\system32\ncryptsslp.dll [5920] entry point in ".rdata" section 00000000745a04f0
? C:\Windows\System32\ActXPrxy.dll [5920] entry point in ".rdata" section 000000006c4a9b80
? C:\WINDOWS\system32\apphelp.dll [3000] entry point in ".rdata" section 0000000070daf7c0

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\svchost.exe [1200:1684] 00007ffd5e9da770
Thread C:\WINDOWS\system32\svchost.exe [1200:7676] 00007ffd60019620
Thread C:\WINDOWS\system32\svchost.exe [1200:7684] 00007ffd60012680
Thread C:\WINDOWS\system32\svchost.exe [1200:4624] 00007ffd44789040
Thread C:\WINDOWS\system32\svchost.exe [1200:8888] 00007ffd56bf99e0
Thread C:\WINDOWS\system32\svchost.exe [1200:10348] 00007ffd5d9a2cf0
Thread C:\WINDOWS\system32\svchost.exe [1200:4116] 00007ffd58141670
Thread C:\WINDOWS\system32\svchost.exe [1200:2140] 00007ffd56d25bc0
Thread C:\WINDOWS\system32\svchost.exe [1836:3736] 00007ffd56765bc0
Thread C:\WINDOWS\system32\svchost.exe [1836:3744] 00007ffd56769b10
Thread C:\WINDOWS\System32\spoolsv.exe [2064:4900] 00007ffd56d25bc0
Thread C:\WINDOWS\System32\spoolsv.exe [2064:4896] 00007ffd56ce2740
Thread C:\WINDOWS\system32\csrss.exe [4072:10136] ffffaec4b9c56c20

---- Services - GMER 2.2 ----

Service C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys (*** hidden *** ) [SYSTEM] ISODrive <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\mbam.sys (*** hidden *** ) [MANUAL] MBAMProtector <-- ROOTKIT !!!
Service C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe (*** hidden *** ) [AUTO] MBAMService <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\mwac.sys (*** hidden *** ) [MANUAL] MBAMWebAccessControl <-- ROOTKIT !!!

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SDC43470_00_07DC_50^81B129762E66C42A036CA68B3AB522BF@Timestamp 0xCE 0xBA 0x39 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -752459317
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 4093
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@FwPOSTTime 4040
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalResumeTime 13765
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppTime 1515
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAppStartTimestamp 4939
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeInitTime 543
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeHiberFileTime 444
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeRestoreImageStartTimestamp 5960
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeIoTime 394
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeDecompressTime 131
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeAllocateTime 3
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeKernelSwitchTimestamp 6455
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnFromHandlerTimestamp 6487
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@SleeperThreadEndTimestamp 11800
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TimeStampCounterAtSwitchTime 6476
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelReturnSystemPowerState 13758
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberHiberFileTime 4673
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberInitTime 64
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@TotalHibernateTime 12261
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeHiberFileTime 4374
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@DeviceResumeTime 1938
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesProcessed 288988
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelPagesWritten 0xD4 0x86 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesProcessed 21070
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@BootPagesWritten 0x36 0x1E 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeReadRate 89
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumTime 93
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberChecksumIoTime 17
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelChecksumTime 80
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@KernelResumeIoCpuTime 3421
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HiberIoCpuTime 541
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@HybridBootAnimationTime 5332
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@ResumeCompleteTimestamp 0x69 0x11 0x1E 0x08 ...
Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\BITS
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\645a04c3cd41
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564@DisplayName CDPUserSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564@Description @%SystemRoot%\system32\cdpusersvc.dll,-101
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@DisplayName ISO DVD/CD-ROM Device Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive@ImagePath \??\C:\Program Files (x86)\UltraISO\drivers\ISODrv64.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive\Parameters@AutoMount 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive\Parameters@ExcludeDrives CD
Reg HKLM\SYSTEM\CurrentControlSet\Services\ISODrive
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector@ImagePath \??\C:\Windows\system32\drivers\mbam.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector@DisplayName MBAMProtector
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector@Group FSFilter Anti-Virus
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector@DependOnService FltMgr?
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances@DefaultInstance MBAMProtector Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances\MBAMProtector Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances\MBAMProtector Instance@Altitude 328800
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector\Instances\MBAMProtector Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector\Parameters@PassThruFile mbampt.exe
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector\Parameters@ProductPath C:\Program Files (x86)\Malwarebytes Anti-Malware
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMProtector
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@Description Malwarebytes Anti-Malware service
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@DelayedAutostart 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@ImagePath "C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe"
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@DisplayName MBAMService
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@DependOnService MBAMProtector?
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMService
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebAccessControl
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebAccessControl@WOW64 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebAccessControl@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebAccessControl@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebAccessControl@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebAccessControl@ImagePath \??\C:\Windows\system32\drivers\mwac.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebAccessControl@DisplayName MBAMWebAccessControl
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebAccessControl@DependOnService BFE?
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMWebAccessControl
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564@DisplayName Us?uga wiadomo?ci_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564@Description @%SystemRoot%\system32\MessagingService.dll,-101
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564\TriggerInfo
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564\TriggerInfo\0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564\TriggerInfo\0@Type 7
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564\TriggerInfo\0@Action 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564\TriggerInfo\0@Guid 0x16 0x28 0x7A 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564\TriggerInfo\0@Data0 0x75 0x18 0xBC 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564\TriggerInfo\0@DataType0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MessagingService_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564@DisplayName Synchronizuj hosta_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564@Description @%SystemRoot%\system32\APHostRes.dll,-10001
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564@DisplayName Dane kontaktowe_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-15000
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1240
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 41
Reg HKLM\SYSTEM\CurrentControlSet\Services\SynTP\Parameters@DetectTimeMS 439
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d65198db-e7af-454a-b476-87d06f2af689}@LeaseObtainedTime 1475662847
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d65198db-e7af-454a-b476-87d06f2af689}@T1 1475706047
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d65198db-e7af-454a-b476-87d06f2af689}@T2 1475738447
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d65198db-e7af-454a-b476-87d06f2af689}@LeaseTerminatesTime 1475749247
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564@ImagePath C:\WINDOWS\System32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564@DisplayName Magazyn danych u?ytkownika_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564@DisplayName Dost?p do danych u?ytkownika_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564@Description @%SystemRoot%\system32\UserDataAccessRes.dll,-14000
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xA2 0x5D 0xF0 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xA2 0xC5 0xB4 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xA2 0xF5 0x2B 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564@Type 224
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564@ImagePath C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564@DisplayName Us?uga u?ytkownika powiadomie? WNS_30f564
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564@FailureActions 0x80 0x51 0x01 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564@Description @%SystemRoot%\system32\WpnUserService.dll,-2
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564\Security@Security 0x01 0x00 0x04 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_30f564
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ForegroundColorInactive -6710887
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonBackgroundColor -2656256
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonForegroundColor -1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonHoverBackgroundColor -2456295
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonHoverForegroundColor -1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonPressedBackgroundColor -2125005
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonPressedForegroundColor -1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonBackgroundColorInactive -1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationFrame\TitleBar\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge@ButtonForegroundColorInactive -6710887
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@LastAccessed 0xB6 0x37 0x06 0xA5 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@AccelerateCacheRefreshLastDetected 0xC0 0x1A 0x24 0x96 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280810@AccelerateCacheRefreshLastHandled 0xD0 0x24 0xF3 0xA4 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@LastAccessed 0xD0 0x24 0xF3 0xA4 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@AccelerateCacheRefreshLastDetected 0x35 0x43 0x0C 0x96 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\280811@AccelerateCacheRefreshLastHandled 0x2C 0xAE 0xFC 0xA4 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@Count 499
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@Blocked 499
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8856F961-340A-11D0-A96B-00C04FD705A2}\iexplore@Count 399
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\iexplore@Count 498
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\iexplore@Blocked 498
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Count 498
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Blocked 498
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0xDD 0x02 0xA3 0x16 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications@MobileBroadbandLastResetDate 0xCD 0x67 0x73 0x38 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm\c0954515@NotificationsCount 3
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search@JumpListChangedAppIds Microsoft.InternetExplorer.Default?
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData@Microsoft.InternetExplorer.Default 0xA9 0xFD 0x5A 0xB7 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{50E15D1F-9AD8-48C0-8274-0794C1928D37}@LastAccessedTime 0x70 0xA3 0xE0 0x02 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{50E15D1F-9AD8-48C0-8274-0794C1928D37}@LaunchCount 16
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A934AF2F-1E93-4211-9F5A-6CE7DDB443A4}@LastAccessedTime 0x00 0x2A 0x79 0x29 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{A934AF2F-1E93-4211-9F5A-6CE7DDB443A4}@LaunchCount 61
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DDEFC2D4-83D0-4844-858A-70255353A5D6}@LastAccessedTime 0x00 0x37 0x5C 0x7D ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DDEFC2D4-83D0-4844-858A-70255353A5D6}@LaunchCount 65
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F1364FF9-B2A6-4C3C-8C47-2AB63205FF0C}@LastAccessedTime 0x80 0xD9 0x8A 0x94 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{F1364FF9-B2A6-4C3C-8C47-2AB63205FF0C}@LaunchCount 18
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance@MessageTime 0x54 0x80 0x77 0x84 ...
Reg HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate@LastScheduledRetryTime 2016-10-03 17:45:55
Reg HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting@LastRateLimitedDumpGenerationTime 0xDC 0x86 0x0D 0x7A ...
Reg HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_VagScope.exe_e7b6f5d7c24be9d6d2f87bb5091857dfeeb5be_24917191_cab_27251536

---- Disk sectors - GMER 2.2 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----