GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-01-27 20:41:00 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 ST3500320AS rev.SD15 Running: tceghdub.exe; Driver: C:\Users\dom\AppData\Local\Temp\uxriqpow.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwAlpcConnectPort [0x90462B60] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwAlpcSendWaitReceivePort [0x904643D0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwAssignProcessToJobObject [0x9045DC60] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwClose [0x90442C80] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwConnectPort [0x90461380] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwCreateFile [0x9043EFF0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwCreateKey [0x9044A290] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwCreateProcess [0x904564B0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwCreateProcessEx [0x90456DB0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwCreateSection [0x9043DDA0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwCreateSymbolicLinkObject [0x9044A040] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwCreateThread [0x90454F70] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwCreateThreadEx [0x904559F0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwCreateUserProcess [0x904576C0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwDebugActiveProcess [0x90464E10] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwDeleteFile [0x90448D20] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwDeleteKey [0x9044BB00] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwDeleteValueKey [0x904525A0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwLoadDriver [0x90453DB0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwMakeTemporaryObject [0x904498B0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwOpenFile [0x90441CA0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwOpenKey [0x9044B1C0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwOpenProcess [0x90458EA0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwOpenSection [0x9043E610] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwOpenThread [0x90458260] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwProtectVirtualMemory [0x9045EFA0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwQueryDirectoryFile [0x90443AA0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwQueryKey [0x9044D950] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwQueryValueKey [0x9044E1A0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwQueueApcThread [0x9045D0D0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwRenameKey [0x90451790] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwReplaceKey [0x9044F700] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwRequestPort [0x90463620] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwRequestWaitReplyPort [0x90463940] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwRestoreKey [0x90450F20] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSaveKey [0x9044FE80] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSaveKeyEx [0x904506D0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSecureConnectPort [0x90461F60] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSetContextThread [0x9045C640] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSetInformationDebugObject [0x90465400] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSetInformationFile [0x90444DF0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSetSystemInformation [0x904533C0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSetValueKey [0x9044EA20] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSuspendProcess [0x9045B390] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSuspendThread [0x9045BCC0] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwSystemDebugControl [0x90464650] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwTerminateProcess [0x90459990] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwTerminateThread [0x9045A820] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwUnloadDriver [0x90454730] SSDT \??\C:\Windows\system32\drivers\SandBox.sys ZwWriteVirtualMemory [0x9045E4B0] ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!ZwSaveKey + 13CD 830759A9 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 830954E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 13C7 8309C784 4 Bytes [60, 2B, 46, 90] {PUSHA ; SUB EAX, [ESI-0x70]} .text ntoskrnl.exe!KeRemoveQueueEx + 140B 8309C7C8 4 Bytes [D0, 43, 46, 90] {ROL BYTE [EBX+0x46], 0x1; NOP } .text ntoskrnl.exe!KeRemoveQueueEx + 141B 8309C7D8 4 Bytes [60, DC, 45, 90] {PUSHA ; FADD QWORD [EBP-0x70]} .text ntoskrnl.exe!KeRemoveQueueEx + 1437 8309C7F4 4 Bytes [80, 2C, 44, 90] {SUB BYTE [ESP+EAX*2], 0x90} .text ntoskrnl.exe!KeRemoveQueueEx + 145B 8309C818 4 Bytes [80, 13, 46, 90] {ADC BYTE [EBX], 0x46; NOP } .text ... PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A8845000 68 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 4FD5 A8845045 203 Bytes [8B, C6, F0, 0F, BA, 28, 00, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50A1 A8845111 17 Bytes [87, 01, 6A, 00, 6A, 20, A3, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A8845123 629 Bytes [05, 84, A8, FE, 05, 34, 05, ...] PAGE spsys.sys!?SPRevision@@3PADA + 5329 A8845399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...] PAGE ... .text user32.dll!SetForegroundWindow 77ABB225 5 Bytes [E9, 2A, 93, 5E, 98] {JMP 0xffffffff985e932f} .text user32.dll!SetWindowPos 77AC1BC4 5 Bytes [E9, B7, 29, 5E, 98] {JMP 0xffffffff985e29bc} .text user32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes [E9, 59, E3, 5C, 98] {JMP 0xffffffff985ce35e} .text user32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes [E9, C6, 4B, 5A, 98] {JMP 0xffffffff985a4bcb} ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\PnkBstrA.exe[320] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\PnkBstrA.exe[320] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\PnkBstrA.exe[320] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\PnkBstrA.exe[320] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\services.exe[484] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\services.exe[484] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\services.exe[484] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\services.exe[484] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Users\dom\Desktop\tceghdub.exe[680] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Users\dom\Desktop\tceghdub.exe[680] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Users\dom\Desktop\tceghdub.exe[680] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Users\dom\Desktop\tceghdub.exe[680] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\nvvsvc.exe[712] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\nvvsvc.exe[712] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\nvvsvc.exe[712] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\nvvsvc.exe[712] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[736] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[736] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[736] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[736] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[800] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[800] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[800] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[800] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1224] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\nvvsvc.exe[1236] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\nvvsvc.exe[1236] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\nvvsvc.exe[1236] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\nvvsvc.exe[1236] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1348] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1348] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1348] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1348] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\System32\spoolsv.exe[1568] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\System32\spoolsv.exe[1568] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\System32\spoolsv.exe[1568] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\System32\spoolsv.exe[1568] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\taskhost.exe[1700] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\taskhost.exe[1700] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\taskhost.exe[1700] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\taskhost.exe[1700] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\Explorer.EXE[1756] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\Explorer.EXE[1756] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\Explorer.EXE[1756] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\Explorer.EXE[1756] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1980] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1980] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1980] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Creative\Shared Files\CTDevSrv.exe[1980] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2024] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2024] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2024] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe[2024] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2036] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2036] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2036] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2036] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\SearchIndexer.exe[2056] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\SearchIndexer.exe[2056] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\SearchIndexer.exe[2056] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\SearchIndexer.exe[2056] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2364] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2364] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2364] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2364] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\WindowsMobile\wmdc.exe[2468] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\WindowsMobile\wmdc.exe[2468] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\WindowsMobile\wmdc.exe[2468] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\WindowsMobile\wmdc.exe[2468] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2680] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2680] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2680] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2680] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Creative\Software Update 3\SoftAuto.exe[2696] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 002E4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Creative\Software Update 3\SoftAuto.exe[2696] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 002E4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Creative\Software Update 3\SoftAuto.exe[2696] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 002E45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Creative\Software Update 3\SoftAuto.exe[2696] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 002E4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\RALINK\Common\RaUI.exe[2716] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\RALINK\Common\RaUI.exe[2716] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\RALINK\Common\RaUI.exe[2716] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\RALINK\Common\RaUI.exe[2716] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\wbem\wmiprvse.exe[3164] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\wbem\wmiprvse.exe[3164] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\wbem\wmiprvse.exe[3164] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Windows\system32\wbem\wmiprvse.exe[3164] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3320] USER32.dll!SetForegroundWindow 77ABB225 5 Bytes JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3320] USER32.dll!SetWindowPos 77AC1BC4 5 Bytes JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3320] USER32.dll!ChangeDisplaySettingsExA 77AD627A 5 Bytes JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3320] USER32.dll!ChangeDisplaySettingsExW 77AFFA39 5 Bytes JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [89B8D0C2] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.) IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [89B8D0C2] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.) IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [89B8D0C2] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.) IAT \SystemRoot\System32\DRIVERS\srv2.sys[ntoskrnl.exe!IoCreateFileEx] [90440F10] \??\C:\Windows\system32\drivers\SandBox.sys IAT \SystemRoot\System32\DRIVERS\srv2.sys[ntoskrnl.exe!IoCreateFile] [904401C0] \??\C:\Windows\system32\drivers\SandBox.sys IAT \SystemRoot\System32\DRIVERS\srv2.sys[ntoskrnl.exe!NtSetInformationFile] [90453390] \??\C:\Windows\system32\drivers\SandBox.sys IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [904401C0] \??\C:\Windows\system32\drivers\SandBox.sys IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [90453390] \??\C:\Windows\system32\drivers\SandBox.sys ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\nsiproxy \Device\Nsi afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB3 0x32 0x3C 0x1A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB3 0x32 0x3C 0x1A ... ---- EOF - GMER 1.0.15 ----