GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-05-01 19:12:00 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD15EARX-00PASB0 rev.51.0AB51 0,00MB Running: rmq2tm48.exe; Driver: C:\Users\Nejcik\AppData\Local\Temp\axdiqpow.sys ---- User code sections - GMER 2.2 ---- .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000753e1401 2 bytes JMP 7542b233 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000753e1419 2 bytes JMP 7542b35e C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000753e1431 2 bytes JMP 754a9149 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000753e144a 2 bytes CALL 75404885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000753e14dd 2 bytes JMP 754a8a42 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000753e14f5 2 bytes JMP 754a8c18 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000753e150d 2 bytes JMP 754a8938 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000753e1525 2 bytes JMP 754a8d02 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000753e153d 2 bytes JMP 7541fcc0 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000753e1555 2 bytes JMP 75426907 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000753e156d 2 bytes JMP 754a9201 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000753e1585 2 bytes JMP 754a8d62 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000753e159d 2 bytes JMP 754a88fc C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000753e15b5 2 bytes JMP 7541fd59 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000753e15cd 2 bytes JMP 7542b2f4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000753e16b2 2 bytes JMP 754a90c4 C:\Windows\syswow64\kernel32.dll .text C:\ProgramData\Hotfresh\Hotfresh.exe[1264] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000753e16bd 2 bytes JMP 754a8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 00000000753e1401 2 bytes JMP 7542b233 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 00000000753e1419 2 bytes JMP 7542b35e C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 00000000753e1431 2 bytes JMP 754a9149 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 00000000753e144a 2 bytes CALL 75404885 C:\Windows\syswow64\KERNEL32.dll .text ... * 9 .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000753e14dd 2 bytes JMP 754a8a42 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000753e14f5 2 bytes JMP 754a8c18 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 00000000753e150d 2 bytes JMP 754a8938 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 00000000753e1525 2 bytes JMP 754a8d02 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 00000000753e153d 2 bytes JMP 7541fcc0 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 00000000753e1555 2 bytes JMP 75426907 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 00000000753e156d 2 bytes JMP 754a9201 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 00000000753e1585 2 bytes JMP 754a8d62 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 00000000753e159d 2 bytes JMP 754a88fc C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000753e15b5 2 bytes JMP 7541fd59 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000753e15cd 2 bytes JMP 7542b2f4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000753e16b2 2 bytes JMP 754a90c4 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\BlueStacks\HD-Agent.exe[2560] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000753e16bd 2 bytes JMP 754a8891 C:\Windows\syswow64\KERNEL32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000753e1401 2 bytes JMP 7542b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000753e1419 2 bytes JMP 7542b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000753e1431 2 bytes JMP 754a9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000753e144a 2 bytes CALL 75404885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753e14dd 2 bytes JMP 754a8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753e14f5 2 bytes JMP 754a8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000753e150d 2 bytes JMP 754a8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000753e1525 2 bytes JMP 754a8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000753e153d 2 bytes JMP 7541fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000753e1555 2 bytes JMP 75426907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000753e156d 2 bytes JMP 754a9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000753e1585 2 bytes JMP 754a8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000753e159d 2 bytes JMP 754a88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753e15b5 2 bytes JMP 7541fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753e15cd 2 bytes JMP 7542b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753e16b2 2 bytes JMP 754a90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Skillbrains\lightshot\5.4.0.1\Lightshot.exe[2936] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753e16bd 2 bytes JMP 754a8891 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[980] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 000000006b1d17fa 2 bytes CALL 754011a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[980] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 000000006b1d1860 2 bytes CALL 754011a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[980] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 000000006b1d1942 2 bytes JMP 75756da1 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[980] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000006b1d194d 2 bytes JMP 7575e8de C:\Windows\syswow64\WS2_32.dll ---- Threads - GMER 2.2 ---- Thread System [4:1284] fffffa800964e058 Thread System [4:1288] fffffa800967c9c8 Thread System [4:1292] fffffa8009685cf8 Thread System [4:1296] fffffa80096845f4 Thread System [4:1272] fffffa800967e13c Thread C:\Windows\Explorer.EXE [2304:1896] 0000000002a8449c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4816:5052] 000007fefb4e2ae8 ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior ---- EOF - GMER 2.2 ----