GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-23 22:24:06
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000034 Hitachi_HTS547575A9E384 rev.JE4OA50A 698.64GB
Running: ufc5mom1.exe; Driver: C:\Users\Kim\AppData\Local\Temp\ufdyafow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000171a00 15 bytes [00, 2E, F4, 01, 80, A0, 6E, ...]
.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 17 fffff96000171a11 10 bytes [5E, FC, FF, 00, BB, C7, 00, ...]

---- User code sections - GMER 2.1 ----

? C:\Windows\SYSTEM32\BsHelpCSps.dll [2936] entry point in ".data" section 0000000002f25055
.text C:\Program Files (x86)\KeyScrambler\x64\KeyScrambler.exe[3168] C:\WINDOWS\system32\IMM32.DLL!ImmProcessKey 00007ffc34355060 14 bytes {JMP QWORD [RIP+0x0]}

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [872:896] fffff960009222d0
Thread C:\WINDOWS\Explorer.EXE [3500:3560] 00007ffc29329970
Thread C:\WINDOWS\Explorer.EXE [3500:3140] 0000000066018d2c
Thread C:\WINDOWS\Explorer.EXE [3500:4424] 00007ffc2932e630
Thread C:\WINDOWS\Explorer.EXE [3500:908] 0000000065509300
Thread C:\WINDOWS\Explorer.EXE [3500:6916] 00007ffc26391120
Thread C:\WINDOWS\Explorer.EXE [3500:6312] 00007ffc29e5ab50
Thread C:\WINDOWS\Explorer.EXE [3500:3352] 00007ffc2970cb00
Thread C:\Windows\System32\SettingSyncHost.exe [5552:6572] 00007ffc24937090

---- Processes - GMER 2.1 ----

Process C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044] (Ruby interpreter (GUI) 1.9.3p448 [i386-mingw32]/http://www.ruby-lang.org/)(2015-04-23 21:53:33) 0000000000400000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\msvcrt-ruby191.dll (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044] (Ruby interpreter (DLL) 1.9.3p448 [i386-mingw32]/http://www.ruby-lang.org/)(2015-04-23 21:53:40) 0000000062d00000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\enc\encdb.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:01) 0000000071280000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\enc\iso_8859_1.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:01) 0000000070600000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\transdb.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:01) 000000006dd40000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\src\rgloader\rgloader193.mswin.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:53:30) 0000000010000000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\etc.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:11) 0000000065000000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\site_ruby\1.9.1\rgloader\rgloader193.mswin.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:06) 00000000005b0000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\win32ole.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:12) 000000006ab80000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\dl.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:12) 000000006c280000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\fiddle.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:12) 0000000070a40000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\libffi-6.dll (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:54:34) 000000006b740000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_16le.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:06) 0000000065480000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\utf_16_32.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:06) 000000006d400000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\single_byte.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:06) 00000000628c0000
Library C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\lib\ruby\gems\1.9.1\gems\win32-api-1.5.0-universal-mingw32\lib\win32\ruby19\win32\api.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr3DA0.tmp\bin\rubyw.exe [4044](2015-04-23 21:55:17) 0000000066940000
Process C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844] (Ruby interpreter (GUI) 1.9.3p448 [i386-mingw32]/http://www.ruby-lang.org/)(2015-04-23 21:55:26) 0000000000400000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\msvcrt-ruby191.dll (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844] (Ruby interpreter (DLL) 1.9.3p448 [i386-mingw32]/http://www.ruby-lang.org/)(2015-04-23 21:55:26) 0000000062d00000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\enc\encdb.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:27) 0000000071280000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\enc\iso_8859_1.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:27) 0000000070600000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\transdb.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:27) 000000006dd40000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\src\rgloader\rgloader193.mswin.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:26) 0000000010000000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\site_ruby\1.9.1\rgloader\rgloader193.mswin.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:28) 00000000003d0000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\socket.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:28) 000000006e600000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\zlib.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:29) 000000006a400000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\zlib1.dll (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:26) 00000000025f0000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\stringio.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:29) 0000000065080000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\openssl.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:29) 00000000671c0000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\LIBEAY32.dll (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844] (OpenSSL shared library/The OpenSSL Project, http://www.openssl.org/)(2015-04-23 21:55:26) 0000000063000000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\SSLEAY32.dll (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844] (OpenSSL shared library/The OpenSSL Project, http://www.openssl.org/)(2015-04-23 21:55:27) 000000006e400000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\digest.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:29) 0000000068000000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\fcntl.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:29) 000000006a1c0000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\etc.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 0000000065000000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\json\ext\parser.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 000000006fac0000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_16be.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 0000000070f40000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_16le.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:28) 0000000065480000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_32be.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 000000006ffc0000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_32le.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 000000006d100000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\json\ext\generator.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 000000006adc0000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\win32ole.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 000000006ab80000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\dl.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 000000006c280000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\fiddle.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 0000000070a40000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\libffi-6.dll (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:27) 000000006b740000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\utf_16_32.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:28) 000000006d400000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\single_byte.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:28) 00000000628c0000
Library C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\lib\ruby\gems\1.9.1\gems\win32-api-1.5.0-universal-mingw32\lib\win32\ruby19\win32\api.so (*** suspicious ***) @ C:\Users\Kim\AppData\Local\Temp\ocr1907.tmp\bin\rubyw.exe [1844](2015-04-23 21:55:31) 0000000066940000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----