GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-09-22 14:50:23
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-9YN162 rev.CC4B 931,51GB
Running: qzj3rp04.exe; Driver: C:\Users\user\AppData\Local\Temp\ugddqpog.sys


---- User code sections - GMER 2.2 ----

.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection                        000000007779fc90 5 bytes JMP 000000000029038e
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                          000000007779fcc0 5 bytes JMP 00000000002a0070
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                        000000007779fe24 5 bytes JMP 0000000000290284
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtReadVirtualMemory                         000000007779fea0 5 bytes JMP 00000000002a038e
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent                                 000000007779feb8 5 bytes JMP 00000000002908c0
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThread                            000000007779ff34 5 bytes JMP 00000000002a0498
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread                              00000000777a0014 5 bytes JMP 0000000000290ad4
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                      00000000777a0048 5 bytes JMP 00000000002a017a
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread                              00000000777a0078 5 bytes JMP 00000000002a0284
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread                           00000000777a0094 5 bytes JMP 0000000000030050
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtAlertResumeThread                         00000000777a02f8 5 bytes JMP 0000000000290498
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant                              00000000777a07ac 5 bytes JMP 00000000002906ac
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject                  00000000777a089c 5 bytes JMP 0000000000290df2
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx                            00000000777a08b4 5 bytes JMP 0000000000290ce8
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver                                00000000777a0e04 5 bytes JMP 00000000002909ca
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtQueueApcThreadEx                          00000000777a15e4 5 bytes JMP 00000000002905a2
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                          00000000777a1930 5 bytes JMP 0000000000290bde
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation                      00000000777a1bf4 5 bytes JMP 0000000000290efc
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread                             00000000777a1d80 5 bytes JMP 00000000002907b6
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206            00000000751c524f 7 bytes JMP 00000000002a09d2
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380                00000000751c53d0 7 bytes JMP 00000000002a0cf6
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149               00000000751c5677 7 bytes JMP 00000000002a0ade
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542                      00000000751c589a 7 bytes JMP 00000000002a06ae
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382                      00000000751c5a1d 7 bytes JMP 00000000002a0f0e
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370                 00000000751c5c9b 7 bytes JMP 00000000002a0bea
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231                   00000000751c5d87 7 bytes JMP 00000000002a0e02
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123  00000000751c7240 7 bytes JMP 00000000002a08c6
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882                 0000000076141566 7 bytes JMP 00000000003f017a
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\syswow64\ADVAPI32.dll!LogonUserExA + 366                       0000000076882aa3 7 bytes JMP 0000000000290070
.text  C:\gmer\qzj3rp04.exe[1116] C:\Windows\syswow64\ADVAPI32.dll!EncryptFileW + 74                        0000000076882af2 7 bytes JMP 000000000029017a

---- EOF - GMER 2.2 ----