GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-27 22:20:31
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC38 465.76GB
Running: jc73rh8u.exe; Driver: C:\Users\CORTEZ\AppData\Local\Temp\uwdirpow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 448 fffff80003004000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 495 fffff8000300402f 18 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[6468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074be1465 2 bytes [BE, 74]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[6468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074be14bb 2 bytes [BE, 74]
.text ... * 2

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\spoolsv.exe [1840:1836] 000007fef79c10c8
Thread C:\Windows\System32\spoolsv.exe [1840:1904] 000007fef7986144
Thread C:\Windows\System32\spoolsv.exe [1840:1956] 000007fef7775fd0
Thread C:\Windows\System32\spoolsv.exe [1840:1940] 000007fef7763438
Thread C:\Windows\System32\spoolsv.exe [1840:2032] 000007fef77763ec
Thread C:\Windows\System32\spoolsv.exe [1840:1368] 000007fef7c75e5c
Thread C:\Windows\System32\spoolsv.exe [1840:2052] 000007fef7ca5074
Thread C:\Windows\system32\svchost.exe [1868:2416] 000007fef6bd35c0
Thread C:\Windows\system32\svchost.exe [1868:3320] 000007fef6bd5600
Thread C:\Windows\system32\svchost.exe [1868:3612] 000007fef1842888
Thread C:\Windows\system32\svchost.exe [1868:3624] 000007fef1832940
Thread C:\Windows\system32\svchost.exe [1868:6100] 000007fef1842a40

---- Processes - GMER 2.1 ----

Process C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2014- 0000000000400000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\python27.dll (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024] (Python Core/Python Software Foundation)(2015-01-27 14:56:15) 000000001e000000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\_hashlib.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 0000000010000000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\win32api.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 000000001e8c0000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\pywintypes27.dll (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:16) 000000001e7a0000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\pythoncom27.dll (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 0000000001cd0000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\win32com.shell.shell.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 000000001e800000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\_socket.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 0000000000610000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\_ssl.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 0000000002b30000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\_ctypes.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 000000001d1a0000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\win32file.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 000000001ea10000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\_multiprocessing.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 0000000001d50000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\msgpack._packer.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:16) 0000000001d60000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\msgpack._unpacker.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 0000000001de0000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\pyHook._cpyHook.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:16) 0000000069dc0000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\win32gui.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 000000001ea40000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\select.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 000000001d110000
Library C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\_psutil_windows.pyd (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Roaming\pwo7\svchost.exe [3024](2015-01-27 14:56:15) 0000000001d70000
Process C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\bin\winlogon.exe (*** suspicious ***) @ C:\Users\CORTEZ\AppData\Local\Temp\_MEI28922\bin\winlogon.exe [3868](2015-01-27 14:56:16) 0000000000400000

---- EOF - GMER 2.1 ----