GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-28 10:44:20 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKS-75A7B2 rev.01.03B01 465.76GB Running: 59qntdqr.exe; Driver: C:\Users\tim\AppData\Local\Temp\pwldipow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80002e09000 45 bytes [3B, C6, 0F, 85, 7A, D5, 02, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff80002e0902f 1 byte [44] ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fc90 5 bytes JMP 00000001006a091c .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fdf4 5 bytes JMP 00000001006a0048 .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007771fe88 5 bytes JMP 00000001006a02ee .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007771ffe4 5 bytes JMP 00000001006a04b2 .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077720018 5 bytes JMP 00000001006a09fe .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077720048 5 bytes JMP 00000001006a0ae0 .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077720064 5 bytes JMP 000000010054004c .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007772077c 5 bytes JMP 00000001006a012a .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007772086c 5 bytes JMP 00000001006a0758 .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077720884 5 bytes JMP 00000001006a0676 .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720dd4 5 bytes JMP 00000001006a03d0 .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721900 5 bytes JMP 00000001006a0594 .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721bc4 5 bytes JMP 00000001006a083a .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1664] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d50 5 bytes JMP 00000001006a020c .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fc90 5 bytes JMP 00000001005f091c .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fdf4 5 bytes JMP 00000001005f0048 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007771fe88 5 bytes JMP 00000001005f02ee .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007771ffe4 5 bytes JMP 00000001005f04b2 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077720018 5 bytes JMP 00000001005f09fe .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077720048 5 bytes JMP 00000001005f0ae0 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077720064 5 bytes JMP 00000001005d004c .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007772077c 5 bytes JMP 00000001005f012a .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007772086c 5 bytes JMP 00000001005f0758 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077720884 5 bytes JMP 00000001005f0676 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720dd4 5 bytes JMP 00000001005f03d0 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721900 5 bytes JMP 00000001005f0594 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721bc4 5 bytes JMP 00000001005f083a .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\STService.exe[3364] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d50 5 bytes JMP 00000001005f020c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007771fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007771ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077720018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077720048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077720064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007772077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007772086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077720884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fc90 5 bytes JMP 000000010022091c .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fdf4 5 bytes JMP 0000000100220048 .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007771fe88 5 bytes JMP 00000001002202ee .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007771ffe4 5 bytes JMP 00000001002204b2 .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077720018 5 bytes JMP 00000001002209fe .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077720048 5 bytes JMP 0000000100220ae0 .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077720064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007772077c 5 bytes JMP 000000010022012a .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007772086c 5 bytes JMP 0000000100220758 .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077720884 5 bytes JMP 0000000100220676 .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720dd4 5 bytes JMP 00000001002203d0 .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721900 5 bytes JMP 0000000100220594 .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721bc4 5 bytes JMP 000000010022083a .text C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe[3944] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d50 5 bytes JMP 000000010022020c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fc90 5 bytes JMP 00000001001d091c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fdf4 5 bytes JMP 00000001001d0048 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007771fe88 5 bytes JMP 00000001001d02ee .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007771ffe4 5 bytes JMP 00000001001d04b2 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077720018 5 bytes JMP 00000001001d09fe .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077720048 5 bytes JMP 00000001001d0ae0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077720064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007772077c 5 bytes JMP 00000001001d012a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007772086c 5 bytes JMP 00000001001d0758 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077720884 5 bytes JMP 00000001001d0676 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720dd4 5 bytes JMP 00000001001d03d0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721900 5 bytes JMP 00000001001d0594 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721bc4 5 bytes JMP 00000001001d083a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe[4660] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d50 5 bytes JMP 00000001001d020c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007771fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007771ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077720018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077720048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077720064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007772077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007772086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077720884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe[4712] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d50 5 bytes JMP 000000010028020c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fc90 5 bytes JMP 000000010028091c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fdf4 5 bytes JMP 0000000100280048 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007771fe88 5 bytes JMP 00000001002802ee .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007771ffe4 5 bytes JMP 00000001002804b2 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077720018 5 bytes JMP 00000001002809fe .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077720048 5 bytes JMP 0000000100280ae0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077720064 5 bytes JMP 000000010002004c .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007772077c 5 bytes JMP 000000010028012a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007772086c 5 bytes JMP 0000000100280758 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077720884 5 bytes JMP 0000000100280676 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720dd4 5 bytes JMP 00000001002803d0 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721900 5 bytes JMP 0000000100280594 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721bc4 5 bytes JMP 000000010028083a .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe[4748] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d50 5 bytes JMP 000000010028020c .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007771fc90 5 bytes JMP 000000010028091c .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 000000007771fdf4 5 bytes JMP 0000000100280048 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 000000007771fe88 5 bytes JMP 00000001002802ee .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 000000007771ffe4 5 bytes JMP 00000001002804b2 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077720018 5 bytes JMP 00000001002809fe .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077720048 5 bytes JMP 0000000100280ae0 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077720064 5 bytes JMP 000000010002004c .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 000000007772077c 5 bytes JMP 000000010028012a .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 000000007772086c 5 bytes JMP 0000000100280758 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077720884 5 bytes JMP 0000000100280676 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077720dd4 5 bytes JMP 00000001002803d0 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077721900 5 bytes JMP 0000000100280594 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077721bc4 5 bytes JMP 000000010028083a .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077721d50 5 bytes JMP 000000010028020c .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 0000000076e9524f 7 bytes JMP 0000000100280f52 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 0000000076e953d0 7 bytes JMP 0000000100290210 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000076e95677 1 byte JMP 0000000100290048 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000076e95679 5 bytes {JMP 0xffffffff893fa9d1} .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 0000000076e9589a 7 bytes JMP 0000000100280ca6 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000076e95a1d 7 bytes JMP 00000001002903d8 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000076e95c9b 7 bytes JMP 000000010029012c .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000076e95d87 7 bytes JMP 00000001002902f4 .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000076e97240 7 bytes JMP 0000000100280e6e .text C:\Users\tim\Downloads\59qntdqr.exe[3812] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 00000000754a1492 7 bytes JMP 00000001002904bc ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [900:420] 000007fefbbaf2f4 Thread C:\Windows\System32\svchost.exe [900:456] 000007fefbb26204 Thread C:\Windows\System32\svchost.exe [900:1060] 000007fefad42070 Thread C:\Windows\System32\svchost.exe [900:1076] 000007fefac45428 Thread C:\Windows\System32\svchost.exe [900:2388] 000007fef89e5fd0 Thread C:\Windows\System32\svchost.exe [900:4116] 000007fefdf6c608 Thread C:\Windows\System32\svchost.exe [900:1792] 000007fef73d6b8c Thread C:\Windows\System32\svchost.exe [900:1268] 000007fef73d1d88 Thread C:\Windows\System32\svchost.exe [944:2704] 000007fef79420c0 Thread C:\Windows\System32\svchost.exe [944:2720] 000007fef79426a8 Thread C:\Windows\System32\svchost.exe [944:2780] 000007fef77c14a0 Thread C:\Windows\System32\svchost.exe [944:2784] 000007fef79429dc Thread C:\Windows\System32\svchost.exe [944:3084] 000007fef6f4a2b0 Thread C:\Windows\System32\svchost.exe [944:3380] 000007fefa1588f8 Thread C:\Windows\System32\svchost.exe [944:4556] 000007fef9e444e0 Thread C:\Windows\System32\svchost.exe [944:1884] 000007feed448a4c Thread C:\Windows\system32\svchost.exe [984:2712] 000007fef96a0ea8 Thread C:\Windows\system32\svchost.exe [984:2740] 000007fef9699db0 Thread C:\Windows\system32\svchost.exe [984:2880] 000007fef969aa10 Thread C:\Windows\system32\svchost.exe [984:2888] 000007fef96a1c94 Thread C:\Windows\system32\svchost.exe [984:3904] 000007fef65cd3c8 Thread C:\Windows\system32\svchost.exe [984:3900] 000007fef65cd3c8 Thread C:\Windows\system32\svchost.exe [984:3888] 000007fef65cd3c8 Thread C:\Windows\system32\svchost.exe [984:3668] 000007fef65cd3c8 Thread C:\Windows\system32\svchost.exe [120:4336] 000007fef9fd5124 Thread C:\Windows\system32\svchost.exe [120:212] 000007fefaf7506c Thread C:\Windows\system32\svchost.exe [120:4876] 000007fef7be1c20 Thread C:\Windows\system32\svchost.exe [120:4860] 000007fef7be1c20 Thread C:\Windows\system32\svchost.exe [120:4656] 000007fefad71ab0 Thread C:\Windows\system32\svchost.exe [120:3260] 000007fef95417f8 Thread C:\Windows\system32\svchost.exe [120:1596] 000007fef95417f8 Thread C:\Windows\system32\svchost.exe [1064:1108] 000007fefac1341c Thread C:\Windows\system32\svchost.exe [1064:1116] 000007fefac13a2c Thread C:\Windows\system32\svchost.exe [1064:1120] 000007fefac13768 Thread C:\Windows\system32\svchost.exe [1064:1124] 000007fefac15c20 Thread C:\Windows\system32\svchost.exe [1064:1640] 000007fefa19bd88 Thread C:\Windows\system32\svchost.exe [1064:1812] 000007fef9cd00cc Thread C:\Windows\system32\svchost.exe [1064:3428] 000007fef9fd5124 Thread C:\Windows\system32\svchost.exe [1064:5084] 000007fefac13900 Thread C:\Windows\System32\spoolsv.exe [1212:2064] 000007fef8c310c8 Thread C:\Windows\System32\spoolsv.exe [1212:2088] 000007fef8bf6144 Thread C:\Windows\System32\spoolsv.exe [1212:2092] 000007fef89e5fd0 Thread C:\Windows\System32\spoolsv.exe [1212:2096] 000007fef89d3438 Thread C:\Windows\System32\spoolsv.exe [1212:2100] 000007fef89e63ec Thread C:\Windows\System32\spoolsv.exe [1212:2528] 000007fef8ec5e5c Thread C:\Windows\System32\spoolsv.exe [1212:2572] 000007fef8f75074 Thread C:\Windows\SysWOW64\svchost.exe [1420:4640] 000000006f3317a4 Thread C:\Windows\Explorer.EXE [2148:4436] 000007feed772118 Thread C:\Windows\system32\svchost.exe [3360:1328] 000007fefadf8470 Thread C:\Windows\system32\svchost.exe [3360:3268] 000007fefae02418 Thread C:\Windows\system32\svchost.exe [3360:3012] 000007fef89e5fd0 Thread C:\Windows\system32\svchost.exe [3360:3016] 000007fef89e63ec Thread C:\Windows\system32\svchost.exe [3360:4584] 000007feeceef130 Thread C:\Windows\system32\svchost.exe [3360:4804] 000007feecee4734 Thread C:\Windows\system32\svchost.exe [3360:2432] 000007feecee4734 Thread C:\Windows\System32\svchost.exe [4160:4844] 000007fef9085170 ---- EOF - GMER 2.1 ----