GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-10 15:43:29
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST964032 rev.0001 596.17GB
Running: 4j7bmynj.exe; Driver: C:\Users\TeamTkac\AppData\Local\Temp\kwlorkoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 594 fffff800035fb092 22 bytes [40, 8A, 7C, 24, 40, F7, 43, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 617 fffff800035fb0a9 27 bytes {CALL 0x39537}

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 768eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 768eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 76968ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 768c48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 769687a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 76968978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 76968698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 76968a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 768dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 768e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 76968f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 76968ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 7696865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 768dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 768eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 76968e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2700] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 769685f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 768eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 768eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 76968ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 768c48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 769687a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 76968978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 76968698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 76968a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 768dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 768e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 76968f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 76968ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 7696865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 768dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 768eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 76968e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe[2876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 769685f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 768eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 768eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 76968ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 768c48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 769687a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 76968978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 76968698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 76968a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 768dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 768e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 76968f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 76968ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 7696865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 768dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 768eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 76968e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[4420] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 769685f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 768eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 768eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 76968ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 768c48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 769687a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 76968978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 76968698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 76968a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 768dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 768e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 76968f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 76968ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 7696865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 768dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 768eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 76968e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Unchecky\bin\unchecky_bg.exe[4916] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 769685f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 768eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 768eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 76968ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 768c48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 769687a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 76968978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 76968698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 76968a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 768dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 768e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 76968f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 76968ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 7696865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 768dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 768eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 76968e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 769685f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[5364] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000768c8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\dl.so!Init_dl + 76 000000006c28ca5c 4 bytes [7C, 84, EF, 62]
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 768eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 768eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 76968ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 768c48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 769687a2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 76968978 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 76968698 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 76968a62 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 768dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 768e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 76968f61 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 76968ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 7696865c C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 768dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 768eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 76968e24 C:\Windows\syswow64\kernel32.dll
.text C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe[5068] C:\Windows\syswow64\psapi.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 769685f1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[6008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076cd3b10 6 bytes {NOP ; JMP 0xffffffff895acc4c}
.text C:\Program Files\Internet Explorer\iexplore.exe[6008] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076cd7ac0 6 bytes {NOP ; JMP 0xffffffff895a88e4}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076ecc4dd 5 bytes JMP 00000001000301f8
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076ed1287 5 bytes JMP 00000001000303fc
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 768eb21b C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 768eb346 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 76968ea9 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 768c48ad C:\Windows\syswow64\KERNEL32.dll
.text ... * 9
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 769687a2 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 76968978 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 76968698 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 76968a62 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 768dfca8 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 768e68ef C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 76968f61 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 76968ac2 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 7696865c C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 768dfd41 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 768eb2dc C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 76968e24 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 769685f1 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076e61401 2 bytes JMP 768eb21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076e61419 2 bytes JMP 768eb346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076e61431 2 bytes JMP 76968ea9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076e6144a 2 bytes CALL 768c48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076e614dd 2 bytes JMP 769687a2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076e614f5 2 bytes JMP 76968978 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076e6150d 2 bytes JMP 76968698 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076e61525 2 bytes JMP 76968a62 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076e6153d 2 bytes JMP 768dfca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076e61555 2 bytes JMP 768e68ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076e6156d 2 bytes JMP 76968f61 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076e61585 2 bytes JMP 76968ac2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076e6159d 2 bytes JMP 7696865c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076e615b5 2 bytes JMP 768dfd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076e615cd 2 bytes JMP 768eb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076e616b2 2 bytes JMP 76968e24 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[4048] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076e616bd 2 bytes JMP 769685f1 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [500:1328] 000007fefa2359a0
Thread C:\Windows\System32\svchost.exe [500:3204] 000007fefc481a70
Thread C:\Windows\System32\svchost.exe [500:3708] 000007fef66720c0
Thread C:\Windows\System32\svchost.exe [500:3956] 000007fef66726a8
Thread C:\Windows\System32\svchost.exe [500:4072] 000007fef66729dc
Thread C:\Windows\System32\svchost.exe [500:5460] 000007fef82344e0
Thread C:\Windows\System32\svchost.exe [500:3476] 000007fef84e89b8
Thread C:\Windows\System32\svchost.exe [500:2460] 000007fee87f3efc
Thread C:\Windows\System32\svchost.exe [500:6424] 000007feed808a4c
Thread C:\Windows\System32\svchost.exe [500:8140] 000007fef824d710
Thread C:\Windows\system32\svchost.exe [1100:1284] 000007fefa948274
Thread C:\Windows\system32\svchost.exe [1100:4100] 000007fefa948274
Thread C:\Windows\System32\spoolsv.exe [1556:3356] 000007fef6c910c8
Thread C:\Windows\System32\spoolsv.exe [1556:3364] 000007fef6c56144
Thread C:\Windows\System32\spoolsv.exe [1556:3368] 000007fef8c15fd0
Thread C:\Windows\System32\spoolsv.exe [1556:3372] 000007fef8153438
Thread C:\Windows\System32\spoolsv.exe [1556:3376] 000007fef8c163ec
Thread C:\Windows\System32\spoolsv.exe [1556:3384] 000007fef6d35e5c
Thread C:\Windows\System32\spoolsv.exe [1556:3388] 000007fef6d45074
Thread C:\Windows\System32\spoolsv.exe [1556:3848] 000007fef6db2288
Thread C:\Windows\System32\spoolsv.exe [1556:3912] 000007fef6ce8760
Thread C:\Windows\system32\svchost.exe [1588:2028] 000007fef93835c0
Thread C:\Windows\system32\svchost.exe [1588:3516] 000007fef9385600
Thread C:\Windows\system32\svchost.exe [1588:3968] 000007fef5e82940
Thread C:\Windows\system32\svchost.exe [1588:3684] 000007fef59e2888
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5368:5800] 000007fefb0f2bf8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5368:6124] 000007fee4f3cf60

---- Processes - GMER 2.1 ----

Process C:\Users\TeamTkac\AppData\Local\Temp\ocrAC16.tmp\bin\rubyw.exe (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrAC16.tmp\bin\rubyw.exe [7088] (Ruby interpreter (GUI) 1.9.3p448 [i386-mingw32]/http://www.ruby-lang.org/)(2015-02-10 20:24:51) 0000000000400000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrAC16.tmp\bin\msvcrt-ruby191.dll (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrAC16.tmp\bin\rubyw.exe [7088] (Ruby interpreter (DLL) 1.9.3p448 [i386-mingw32]/http://www.ruby-lang.org/)(2015-02-10 20:24:51) 0000000062d00000
Process C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068] (Ruby interpreter (GUI) 1.9.3p448 [i386-mingw32]/http://www.ruby-lang.org/)(2015-02-10 20:24:54) 0000000000400000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\msvcrt-ruby191.dll (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068] (Ruby interpreter (DLL) 1.9.3p448 [i386-mingw32]/http://www.ruby-lang.org/)(2015-02-10 20:24:54) 0000000062d00000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\enc\encdb.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000071280000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\enc\iso_8859_1.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000070600000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\transdb.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006dd40000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\src\rgloader\rgloader193.mswin.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:54) 0000000010000000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\site_ruby\1.9.1\rgloader\rgloader193.mswin.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000000840000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\socket.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006e600000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\zlib.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006a400000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\zlib1.dll (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:54) 0000000000960000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\stringio.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000065080000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\openssl.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 00000000671c0000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\LIBEAY32.dll (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068] (OpenSSL shared library/The OpenSSL Project, http://www.openssl.org/)(2015-02-10 20:24:54) 0000000063000000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\SSLEAY32.dll (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068] (OpenSSL shared library/The OpenSSL Project, http://www.openssl.org/)(2015-02-10 20:24:55) 000000006e400000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\digest.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000068000000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\fcntl.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006a1c0000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\etc.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000065000000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\json\ext\parser.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006fac0000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_16be.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000070f40000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_16le.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000065480000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_32be.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006ffc0000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_32le.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006d100000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\json\ext\generator.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006adc0000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\win32ole.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006ab80000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\dl.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006c280000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\fiddle.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000070a40000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\libffi-6.dll (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006b740000
Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\utf_16_32.so (*** suspicious ***) @
C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 000000006d400000 Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\single_byte.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 00000000628c0000 Library C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\lib\ruby\gems\1.9.1\gems\win32-api-1.5.0-universal-mingw32\lib\win32\ruby19\win32\api.so (*** suspicious ***) @ C:\Users\TeamTkac\AppData\Local\Temp\ocrB846.tmp\bin\rubyw.exe [5068](2015-02-10 20:24:55) 0000000066940000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819433475 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters@DhcpNameServer 209.222.18.222 209.222.18.218 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819433475 (not active ControlSet) ---- EOF - GMER 2.1 ----