GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-29 04:22:39
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LB01
Running: o9hxr56p.exe; Driver: C:\DOCUME~1\Piotr\USTAWI~1\Temp\kgdyqpoc.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAllocateVirtualMemory [0x9BBC46E0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0x9BBC4610]
SSDT BA7E5574 ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0x9BBC4980]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0x9BBC21B0]
SSDT BA7E552E ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0x9BBC3AB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0x9BBC3BA0]
SSDT BA7E557E ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0x9BBC2AB0]
SSDT BA7E5524 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0x9BBC4FB0]
SSDT BA7E5533 ZwDeleteKey
SSDT BA7E553D ZwDeleteValueKey
SSDT BA7E556F ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwEnumerateKey [0x9BBC2E10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwEnumerateValueKey [0x9BBC2EF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwFsControlFile [0x9BBC20C0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0x9BBC7000]
SSDT BA7E5542 ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0x9BBC29F0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0x9BBC2640]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenKey [0x9BBC2C80]
SSDT BA7E5510 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0x9BBC1EB0]
SSDT BA7E5515 ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0x9BBC48A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0x9BBC2FD0]
SSDT BA7E5597 ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0x9BBC4540]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0x9BBC35B0]
SSDT BA7E554C ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0x9BBC4C50]
SSDT BA7E5588 ZwRequestWaitReplyPort
SSDT BA7E5547 ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0x9BBC3340]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0x9BBC3410]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0x9BBC4A70]
SSDT BA7E5583 ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0x9BBC5080]
SSDT BA7E558D ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0x9BBC3760]
SSDT BA7E5538 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0x9BBC42A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0x9BBC4360]
SSDT BA7E5592 ZwSystemDebugControl
SSDT BA7E551F ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0x9BBC4150]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0x9BBC3830]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteFile [0x9BBC1FB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0x9BBC47C0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [A0, 42, BC, 9B, 60, 43, BC, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[180] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[180] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[180] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[180] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[264] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[264] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[264] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[264] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[316] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[316] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[316] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[316] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[360] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[360] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[360] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[360] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe[508] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 00B455F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe[508] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 00B45574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe[508] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 00B455A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe[508] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 00B45624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[516] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[516] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[516] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[516] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\TPSMain.exe[524] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 009E55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\TPSMain.exe[524] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 009E5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\TPSMain.exe[524] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 009E55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\TPSMain.exe[524] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 009E5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Apoint2K\Apoint.exe[556] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Apoint2K\Apoint.exe[556] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Apoint2K\Apoint.exe[556] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Apoint2K\Apoint.exe[556] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe[568] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe[568] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe[568] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe[568] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[700] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[700] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[700] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[700] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\OscarG7\program files\OSCARK3G5\OscarEditor.exe[744] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\OscarG7\program files\OSCARK3G5\OscarEditor.exe[744] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\OscarG7\program files\OSCARK3G5\OscarEditor.exe[744] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\OscarG7\program files\OSCARK3G5\OscarEditor.exe[744] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[760] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[760] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[760] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[760] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\PeerBlock\peerblock.exe[844] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 004314E0 C:\Program Files\PeerBlock\peerblock.exe (PeerBlock/PeerBlock, LLC)
.text C:\Program Files\PeerBlock\peerblock.exe[844] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\PeerBlock\peerblock.exe[844] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\PeerBlock\peerblock.exe[844] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\PeerBlock\peerblock.exe[844] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[872] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 009B55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[872] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 009B5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[872] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 009B55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[872] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 009B5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\ATnotes\ATnotes.exe[880] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\ATnotes\ATnotes.exe[880] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\ATnotes\ATnotes.exe[880] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\ATnotes\ATnotes.exe[880] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1356] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1356] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1356] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1356] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[1708] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[1708] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[1708] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[1708] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1736] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1736] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1736] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1736] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1800] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1800] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1800] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\winlogon.exe[1800] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1844] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1844] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1844] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1844] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\lsass.exe[1856] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\lsass.exe[1856] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\lsass.exe[1856] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\lsass.exe[1856] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Bonjour\mDNSResponder.exe[2180] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Bonjour\mDNSResponder.exe[2180] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Bonjour\mDNSResponder.exe[2180] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Bonjour\mDNSResponder.exe[2180] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[2268] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[2268] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[2268] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\wscntfy.exe[2268] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2312] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 007155F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2312] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 00715574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2312] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 007155A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2312] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 00715624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\alg.exe[2520] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\alg.exe[2520] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\alg.exe[2520] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\alg.exe[2520] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[2572] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[2572] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[2572] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[2572] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[2624] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[2624] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[2624] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[2624] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[2916] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[2916] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[2916] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[2916] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\TPSBattM.exe[3212] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 009955F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\TPSBattM.exe[3212] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 00995574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\TPSBattM.exe[3212] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 009955A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\TPSBattM.exe[3212] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 00995624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3436] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3436] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3436] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3436] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Piotr\Pulpit\wirus\o9hxr56p.exe[3644] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Piotr\Pulpit\wirus\o9hxr56p.exe[3644] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Piotr\Pulpit\wirus\o9hxr56p.exe[3644] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Piotr\Pulpit\wirus\o9hxr56p.exe[3644] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B7D45182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7D45182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7D45182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7D45182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7D45182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7D45182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B7D45182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7D45182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x13 0x33 0x0F 0xFA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE6 0xD6 0x44 0xCF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCF 0x59 0xCC 0x3F ...

---- EOF - GMER 1.0.15 ----