GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-15 18:53:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000069 WDC_WD10 rev.01.0 931,51GB Running: znmstsse.exe; Driver: C:\Users\Marcia\AppData\Local\Temp\pwdiypog.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000d5b00 7 bytes [40, 4D, F3, FF, C1, 5A, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000d5b08 3 bytes [C0, 06, 02] ---- User code sections - GMER 2.2 ---- .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\SysWOW64\ntdll.dll!KiUserCallbackDispatcher 00000000778100ec 7 bytes JMP 00000000745a2fed .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\SysWOW64\ntdll.dll!RtlProcessFlsData 00000000778393db 5 bytes JMP 00000000748a3e01 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\SysWOW64\ntdll.dll!RtlPcToFileHeader 00000000778408b3 7 bytes JMP 00000000748a3e3b .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\SysWOW64\ntdll.dll!LdrShutdownThread 0000000077856d07 7 bytes JMP 00000000748a3f48 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\SysWOW64\ntdll.dll!RtlExitUserProcess 00000000778589c2 5 bytes JMP 00000000748a3da0 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\SysWOW64\ntdll.dll!LdrShutdownProcess 0000000077858a53 7 bytes JMP 00000000748a3ed0 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000760f48fd 5 bytes JMP 00000000748a3d51 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760f8769 5 bytes [33, C0, C2, 04, 00] .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\WS2_32.dll!gethostbyname 000000007667771b 5 bytes JMP 0000000071e31257 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075161401 2 bytes JMP 7611b233 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075161419 2 bytes JMP 7611b35e C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075161431 2 bytes JMP 76199149 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007516144a 2 bytes CALL 760f4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751614dd 2 bytes JMP 76198a42 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751614f5 2 bytes JMP 76198c18 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007516150d 2 bytes JMP 76198938 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075161525 2 bytes JMP 76198d02 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007516153d 2 bytes JMP 7610fcc0 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075161555 2 bytes JMP 76116907 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007516156d 2 bytes JMP 76199201 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075161585 2 bytes JMP 76198d62 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007516159d 2 bytes JMP 761988fc C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751615b5 2 bytes JMP 7610fd59 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751615cd 2 bytes JMP 7611b2f4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751616b2 2 bytes JMP 761990c4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751616bd 2 bytes JMP 76198891 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCRTP.EXE[972] C:\Windows\syswow64\ole32.dll!CoUninitialize 00000000766e8683 5 bytes JMP 00000000748a3e78 .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075161401 2 bytes JMP 7611b233 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075161419 2 bytes JMP 7611b35e C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075161431 2 bytes JMP 76199149 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007516144a 2 bytes CALL 760f4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751614dd 2 bytes JMP 76198a42 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751614f5 2 bytes JMP 76198c18 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007516150d 2 bytes JMP 76198938 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075161525 2 bytes JMP 76198d02 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007516153d 2 bytes JMP 7610fcc0 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075161555 2 bytes JMP 76116907 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007516156d 2 bytes JMP 76199201 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075161585 2 bytes JMP 76198d62 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007516159d 2 bytes JMP 761988fc C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751615b5 2 bytes JMP 7610fd59 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751615cd 2 bytes JMP 7611b2f4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751616b2 2 bytes JMP 761990c4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\WINSTEP\WSXSERVICE.EXE[2784] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751616bd 2 bytes JMP 76198891 C:\Windows\syswow64\kernel32.dll .text C:\WINDOWS\EXPLORER.EXE[4016] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx 0000000077654f50 15 bytes JMP 000000006fff0158 .text C:\WINDOWS\EXPLORER.EXE[4016] C:\Windows\SYSTEM32\ntdll.dll!NtQueryValueKey 000000007766bca0 8 bytes JMP 000000006fff01b0 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\SysWOW64\ntdll.dll!KiUserCallbackDispatcher 00000000778100ec 7 bytes JMP 00000000745a2fed .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\SysWOW64\ntdll.dll!RtlProcessFlsData 00000000778393db 5 bytes JMP 00000000748a3e01 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\SysWOW64\ntdll.dll!RtlPcToFileHeader 00000000778408b3 7 bytes JMP 00000000748a3e3b .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\SysWOW64\ntdll.dll!LdrShutdownThread 0000000077856d07 7 bytes JMP 00000000748a3f48 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\SysWOW64\ntdll.dll!RtlExitUserProcess 00000000778589c2 5 bytes JMP 00000000748a3da0 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\SysWOW64\ntdll.dll!LdrShutdownProcess 0000000077858a53 7 bytes JMP 00000000748a3ed0 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\kernel32.dll!FreeLibrary 00000000760f3468 5 bytes JMP 0000000030003471 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000760f48fd 5 bytes JMP 00000000748a3d51 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\kernel32.dll!DeleteFileA 00000000760f53e4 5 bytes JMP 0000000030076935 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760f8769 5 bytes [33, C0, C2, 04, 00] .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\kernel32.dll!DeleteFileW 00000000760f8953 5 bytes JMP 000000003007685b .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\GDI32.dll!CreateFontIndirectW 0000000075f25c18 5 bytes JMP 0000000030866b61 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\GDI32.dll!CreateFontW 0000000075f2b334 5 bytes JMP 0000000030866b48 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000077318332 5 bytes JMP 00000000308f20c9 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000077318a29 5 bytes JMP 00000000308f211c .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!SetWindowPos 0000000077318e4e 5 bytes JMP 00000000308f206a .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!DestroyWindow 0000000077319a55 5 bytes JMP 00000000308f2ea9 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!ShowWindow 0000000077320e13 5 bytes JMP 00000000308f201a .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!BeginPaint 0000000077321379 5 bytes JMP 00000000308f2e4d .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!InvalidateRect 0000000077321399 5 bytes JMP 00000000308f30c7 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!SetParent 00000000773245cc 5 bytes JMP 00000000308f2165 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!InvalidateRgn 00000000773276d4 5 bytes JMP 00000000308f30f6 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!ValidateRect 000000007732843b 5 bytes JMP 00000000308f238f .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!ValidateRgn 0000000077329e32 5 bytes JMP 00000000308f2398 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\USER32.dll!GetUpdateRect 000000007733e4df 5 bytes JMP 00000000308f2e02 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExW 00000000760445dd 5 bytes JMP 00000000308aa393 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA 000000007604485b 5 bytes JMP 00000000308aa328 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075161401 2 bytes JMP 7611b233 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075161419 2 bytes JMP 7611b35e C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075161431 2 bytes JMP 76199149 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007516144a 2 bytes CALL 760f4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751614dd 2 bytes JMP 76198a42 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751614f5 2 bytes JMP 76198c18 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007516150d 2 bytes JMP 76198938 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075161525 2 bytes JMP 76198d02 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007516153d 2 bytes JMP 7610fcc0 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075161555 2 bytes JMP 76116907 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007516156d 2 bytes JMP 76199201 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075161585 2 bytes JMP 76198d62 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007516159d 2 bytes JMP 761988fc C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751615b5 2 bytes JMP 7610fd59 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751615cd 2 bytes JMP 7611b2f4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751616b2 2 bytes JMP 761990c4 C:\Windows\syswow64\kernel32.dll .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCTRAY.EXE[4724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751616bd 2 bytes JMP 76198891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Tencent\QQPCMgr\11.7.17744.210\plugins\QMNetMon\QQPCNetFlow.exe[5172] C:\Windows\syswow64\kernel32.dll!FreeLibrary 00000000760f3468 5 bytes JMP 0000000030003471 .text C:\Program Files (x86)\Tencent\QQPCMgr\11.7.17744.210\plugins\QMNetMon\QQPCNetFlow.exe[5172] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000760f48fd 5 bytes JMP 00000000748a3d51 .text C:\Program Files (x86)\Tencent\QQPCMgr\11.7.17744.210\plugins\QMNetMon\QQPCNetFlow.exe[5172] C:\Windows\syswow64\kernel32.dll!DeleteFileA 00000000760f53e4 5 bytes JMP 0000000030076935 .text C:\Program Files (x86)\Tencent\QQPCMgr\11.7.17744.210\plugins\QMNetMon\QQPCNetFlow.exe[5172] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760f8769 5 bytes [33, C0, C2, 04, 00] .text C:\Program Files (x86)\Tencent\QQPCMgr\11.7.17744.210\plugins\QMNetMon\QQPCNetFlow.exe[5172] C:\Windows\syswow64\kernel32.dll!DeleteFileW 00000000760f8953 5 bytes JMP 000000003007685b .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\SysWOW64\ntdll.dll!KiUserCallbackDispatcher 00000000778100ec 7 bytes JMP 00000000745a2fed .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\SysWOW64\ntdll.dll!RtlProcessFlsData 00000000778393db 5 bytes JMP 00000000748a3e01 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\SysWOW64\ntdll.dll!RtlPcToFileHeader 00000000778408b3 7 bytes JMP 00000000748a3e3b .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\SysWOW64\ntdll.dll!LdrShutdownThread 0000000077856d07 7 bytes JMP 00000000748a3f48 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\SysWOW64\ntdll.dll!RtlExitUserProcess 00000000778589c2 5 bytes JMP 00000000748a3da0 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\SysWOW64\ntdll.dll!LdrShutdownProcess 0000000077858a53 7 bytes JMP 00000000748a3ed0 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\syswow64\kernel32.dll!FreeLibrary 00000000760f3468 5 bytes JMP 0000000030003471 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\syswow64\kernel32.dll!LoadLibraryExW 00000000760f48fd 5 bytes JMP 00000000748a3d51 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\syswow64\kernel32.dll!DeleteFileA 00000000760f53e4 5 bytes JMP 0000000030076935 .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760f8769 5 bytes [33, C0, C2, 04, 00] .text C:\PROGRAM FILES (X86)\TENCENT\QQPCMGR\11.7.17744.210\QQPCREALTIMESPEEDUP.EXE[5288] C:\Windows\syswow64\kernel32.dll!DeleteFileW 00000000760f8953 5 bytes JMP 000000003007685b .text C:\PROGRAM FILES (X86)\COMMON FILES\TENCENT\QQDOWNLOAD\130\TENCENTDL.EXE[5700] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000760f8769 5 bytes [33, C0, C2, 04, 00] ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\EXPLORER.EXE [4016:4316] 000007fef412dc50 Thread C:\WINDOWS\EXPLORER.EXE [4016:4324] 000007fef412dc50 Thread C:\WINDOWS\EXPLORER.EXE [4016:4328] 000007fef412dc50 Thread C:\WINDOWS\EXPLORER.EXE [4016:4332] 000007fef41663f0 Thread C:\WINDOWS\EXPLORER.EXE [4016:4336] 000007fef4108a40 Thread C:\WINDOWS\EXPLORER.EXE [4016:4340] 000007fef40f3390 Thread C:\WINDOWS\EXPLORER.EXE [4016:4556] 000000000253cf14 Thread C:\WINDOWS\EXPLORER.EXE [4016:4616] 000007fefcb3d500 Thread C:\WINDOWS\EXPLORER.EXE [4016:4396] 000007fefadf2154 Thread C:\WINDOWS\EXPLORER.EXE [4016:4448] 000007fefbac6204 Thread C:\WINDOWS\EXPLORER.EXE [4016:5612] 000007fef0ab2118 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.2 ----