GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-09 09:44:44
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST500DM0 rev.KC48 465,76GB
Running: h3uc85rx.exe; Driver: C:\Users\teresa14\AppData\Local\Temp\pgddqpob.sys


---- User code sections - GMER 2.1 ----

.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17      0000000076541401 2 bytes JMP 7659b21b C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17        0000000076541419 2 bytes JMP 7659b346 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17      0000000076541431 2 bytes JMP 76618ea9 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42      000000007654144a 2 bytes CALL 765748ad C:\Windows\syswow64\kernel32.dll
.text   ...                                                                                                                              * 9
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17         00000000765414dd 2 bytes JMP 766187a2 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000765414f5 2 bytes JMP 76618978 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17         000000007654150d 2 bytes JMP 76618698 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000076541525 2 bytes JMP 76618a62 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17        000000007654153d 2 bytes JMP 7658fca8 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17             0000000076541555 2 bytes JMP 765968ef C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17      000000007654156d 2 bytes JMP 76618f61 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17        0000000076541585 2 bytes JMP 76618ac2 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17           000000007654159d 2 bytes JMP 7661865c C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17        00000000765415b5 2 bytes JMP 7658fd41 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17      00000000765415cd 2 bytes JMP 7659b2dc C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000765416b2 2 bytes JMP 76618e24 C:\Windows\syswow64\kernel32.dll
.text   C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe[1272] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000765416bd 2 bytes JMP 766185f1 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[2760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                           0000000077751650 5 bytes JMP 00000000778b0018
.text   C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                          0000000077751650 5 bytes JMP 00000000778b0018
.text   C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[2836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory       0000000077751650 5 bytes JMP 00000000778b0018
.text   C:\Windows\System32\mobsync.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                         0000000077751650 5 bytes JMP 00000000778b0018
.text   C:\Windows\system32\svchost.exe[2636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                         0000000077751650 5 bytes JMP 00000000778b0018
.text   C:\Windows\System32\svchost.exe[3524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                         0000000077751650 5 bytes JMP 00000000778b0018
.text   C:\Program Files (x86)\AVG\AVG2015\avgui.exe[3780] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                            00000000778ffe14 5 bytes JMP 0000000174f61000
.text   E:\WEBSHO~1\Webshots.scr[3792] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                00000000778ffe14 5 bytes JMP 0000000174f61000
.text   C:\Windows\SysWOW64\ctfmon.exe[3912] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                          00000000778ffe14 5 bytes JMP 0000000174f61000
.text   C:\Windows\system32\svchost.exe[2388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                         0000000077751650 5 bytes JMP 00000000778b0018
.text   C:\Windows\system32\taskhost.exe[6036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                        0000000077751650 5 bytes JMP 00000000778b0018
.text   C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[4040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory     0000000077751650 5 bytes JMP 00000000778b0018
.text   E:\pobierak\h3uc85rx.exe[3676] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory                                                00000000778ffe14 5 bytes JMP 0000000174f61000

---- User IAT/EAT - GMER 2.1 ----

IAT     C:\Windows\system32\winlogon.exe[676] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]                        [7fefb2a2840] c:\windows\system32\uxtuneup.dll
IAT     C:\Windows\system32\winlogon.exe[676] @ C:\Windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]                              [7fefb2a2720] c:\windows\system32\uxtuneup.dll
IAT     C:\Windows\system32\svchost.exe[588] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!GetProcAddress]                         [7fefb2a2840] c:\windows\system32\uxtuneup.dll
IAT     C:\Windows\system32\svchost.exe[588] @ c:\windows\system32\themeservice.dll[KERNEL32.dll!ReadFile]                               [7fefb2a2720] c:\windows\system32\uxtuneup.dll
IAT     C:\Windows\system32\svchost.exe[588] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress]                              [7fefb2a2840] c:\windows\system32\uxtuneup.dll
IAT     C:\Windows\system32\svchost.exe[588] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!ReadFile]                                    [7fefb2a2720] c:\windows\system32\uxtuneup.dll

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [1004:2240]                                                                   000007fefb6f2bf8

---- EOF - GMER 2.1 ----