GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-19 20:23:37
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000021 WDC_WD10JPCX-24UE4T0 rev.01.01A01 931,51GB
Running: dim59126.exe; Driver: C:\Users\Natalia\AppData\Local\Temp\uxrdqpow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff9600006f100 15 bytes [40, A1, F1, 01, C0, E7, 6B, ...]
.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff9600006f110 11 bytes [00, 22, FC, FF, C0, DC, CA, ...]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [1484:1516] fffff9600081a2d0
Thread C:\Windows\System32\SettingSyncHost.exe [4476:2740] 00007ffca1187090

---- Processes - GMER 2.1 ----

Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca2660000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\VCRUNTIME140.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffcb3930000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\MSVCP140.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca38a0000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-runtime-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffcb3960000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffcb3920000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-heap-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffcb1320000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-stdio-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffcb1310000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-convert-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffcb1300000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-locale-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffcad2b0000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-utility-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca9540000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-time-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca9530000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-filesystem-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca9520000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-math-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca8930000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-multibyte-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca8920000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\api-ms-win-crt-environment-l1-1-0.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca8910000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\ucrtbase.DLL (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca2560000
Library C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll (*** suspicious ***) @ C:\WINDOWS\Explorer.EXE [3900] 00007ffca1a60000
Library C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\libPokki.dll (*** suspicious ***) @ C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe [4760] (Chromium/The Chromium Authors)(2015-10-30 16:20:24) 0000000062480000
Library C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\icudt.dll (*** suspicious ***) @ C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe [4760] (ICU Data DLL/The ICU Project)(2015-04-28 20:15:22) 0000000052880000
Library C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\libPokki.dll (*** suspicious ***) @ C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe [5028] (Chromium/The Chromium Authors)(2015-10-30 16:20:24) 0000000062480000
Library C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\icudt.dll (*** suspicious ***) @ C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe [5028] (ICU Data DLL/The ICU Project)(2015-04-28 20:15:22) 0000000052880000
Library C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\ppGoogleNaClPluginChrome.dll (*** suspicious ***) @ C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe [5028](2015-04-28 20:15:22) 00000000718a0000
Library C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\avcodec-54.dll (*** suspicious ***) @ C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe [5028](2015-04-28 20:15:22) 000000006d270000
Library C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\avutil-51.dll (*** suspicious ***) @ C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe [5028](2015-04-28 20:15:22) 0000000071af0000
Library C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\avformat-54.dll (*** suspicious ***) @ C:\Users\Natalia\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe [5028](2015-04-28 20:15:22) 0000000071ab0000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----