GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-02 12:55:53
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-1b WDC_WD800JB-00JJC0 rev.05.01C05
Running: x3c0j0pj.exe; Driver: C:\DOCUME~1\abcd\USTAWI~1\Temp\ugtdrpow.sys


---- System - GMER 1.0.15 ----

SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwAssignProcessToJobObject [0xB1965C60]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwClose [0xB194AC80]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwConnectPort [0xB1969380]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwCreateFile [0xB1946FF0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwCreateKey [0xB1952290]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwCreateProcess [0xB195E4B0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwCreateProcessEx [0xB195EDB0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwCreateSection [0xB1945DA0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwCreateSymbolicLinkObject [0xB1952040]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwCreateThread [0xB195CF70]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwDebugActiveProcess [0xB196CE10]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwDeleteFile [0xB1950D20]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwDeleteKey [0xB1953B00]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwDeleteValueKey [0xB195A5A0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwLoadDriver [0xB195BDB0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwMakeTemporaryObject [0xB19518B0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwOpenFile [0xB1949CA0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwOpenKey [0xB19531C0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwOpenProcess [0xB1960EA0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwOpenSection [0xB1946610]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwOpenThread [0xB1960260]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwProtectVirtualMemory [0xB1966FA0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwQueryDirectoryFile [0xB194BAA0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwQueryKey [0xB1955950]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwQueryValueKey [0xB19561A0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwQueueApcThread [0xB19650D0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwRenameKey [0xB1959790]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwReplaceKey [0xB1957700]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwRequestPort [0xB196B620]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwRequestWaitReplyPort [0xB196B940]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwRestoreKey [0xB1958F20]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSaveKey [0xB1957E80]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSaveKeyEx [0xB19586D0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSecureConnectPort [0xB1969F60]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSetContextThread [0xB1964640]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSetInformationDebugObject [0xB196D400]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSetInformationFile [0xB194CDF0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSetSystemInformation [0xB195B3C0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSetValueKey [0xB1956A20]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSuspendProcess [0xB1963390]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSuspendThread [0xB1963CC0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwSystemDebugControl [0xB196C650]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwTerminateProcess [0xB1961990]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwTerminateThread [0xB1962820]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwUnloadDriver [0xB195C730]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwWriteVirtualMemory [0xB19664B0]

Code  49955D03  IoReportHalResourceUsage

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!ZwYieldExecution + 46A  804E4CC4 12 Bytes  [90, 33, 96, B1, C0, 3C, 96, ...]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\UltraVNC\WinVNC.exe[336] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\UltraVNC\WinVNC.exe[336] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\UltraVNC\WinVNC.exe[336] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\UltraVNC\WinVNC.exe[336] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[484] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 007845D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[484] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 00784554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[484] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 00784580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[484] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 00784604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\spoolsv.exe[508] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\spoolsv.exe[508] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\spoolsv.exe[508] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\spoolsv.exe[508] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\Explorer.EXE[1068] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\Explorer.EXE[1068] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\Explorer.EXE[1068] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\Explorer.EXE[1068] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe[1228] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe[1228] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe[1228] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe[1228] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\ctfmon.exe[1300] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\ctfmon.exe[1300] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\ctfmon.exe[1300] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\ctfmon.exe[1300] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\winlogon.exe[1428] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\winlogon.exe[1428] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\winlogon.exe[1428] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\winlogon.exe[1428] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\services.exe[1472] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\services.exe[1472] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\services.exe[1472] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\services.exe[1472] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\notepad.exe[2268] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\notepad.exe[2268] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\notepad.exe[2268] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\notepad.exe[2268] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\wscntfy.exe[3332] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\wscntfy.exe[3332] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\wscntfy.exe[3332] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\WINDOWS\system32\wscntfy.exe[3332] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\UltraVNC\WinVNC.exe[3768] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\UltraVNC\WinVNC.exe[3768] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\UltraVNC\WinVNC.exe[3768] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\UltraVNC\WinVNC.exe[3768] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  D:\Wirusy w komputerze WYKRYWANIE 2011\GMER\x3c0j0pj.exe[3832] USER32.dll!ChangeDisplaySettingsExA  7E37384E 5 Bytes  JMP 100A45D8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  D:\Wirusy w komputerze WYKRYWANIE 2011\GMER\x3c0j0pj.exe[3832] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  D:\Wirusy w komputerze WYKRYWANIE 2011\GMER\x3c0j0pj.exe[3832] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  D:\Wirusy w komputerze WYKRYWANIE 2011\GMER\x3c0j0pj.exe[3832] USER32.dll!ChangeDisplaySettingsExW  7E3A95BD 5 Bytes  JMP 100A4604 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9D018D8] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9D018D8] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B9D018D8] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9D018D8] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9D018D8] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9D018D8] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9D018D8] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B195B390] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B19481C0] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  amon.sys (Amon monitor/Eset )
Device  \Driver\Tcpip \Device\Ip  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device  \Driver\Tcpip \Device\Tcp  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device  \Driver\Tcpip \Device\Udp  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device  \Driver\Tcpip \Device\RawIp  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device  \Driver\Tcpip \Device\IPMULTICAST  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice  \FileSystem\Fastfat \Fat  fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat  amon.sys (Amon monitor/Eset )

---- Disk sectors - GMER 1.0.15 ----

Disk  \Device\Harddisk1\DR1  malicious Win32:MBRoot code @ sector 61

---- EOF - GMER 1.0.15 ----
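Reading the log: every SSDT, inline, IAT and device hook it lists is attributed by GMER to a module of an installed product (SandBox.sys, wl_hook.dll and afwcore.sys from Agnitum Outpost; amon.sys from ESET; fltMgr.sys from Microsoft). Three entries carry no module name at all: the 12-byte patch in ntoskrnl.exe at ZwYieldExecution + 46A, the `Code` entry at IoReportHalResourceUsage, and the `Disk` line, which is the only entry GMER itself marks malicious (Win32:MBRoot code at sector 61 of \Device\Harddisk1\DR1). The script below is an added example, not part of this log or of GMER: it parses the entry kinds GMER emits and separates hooks attributed to vendors the analyst trusts from hooks attributed to anyone else, unattributed kernel modifications, and findings GMER flagged. The sample lines are copied from the log above; the trusted-vendor set is an assumption the analyst supplies after confirming what is actually installed.

```python
"""Triage a GMER 1.0.15 rootkit-scan log (added example; not GMER's own code)."""
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the scan log above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwCreateFile [0xB1946FF0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwLoadDriver [0xB195BDB0]
SSDT  \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)  ZwWriteVirtualMemory [0xB19664B0]
Code  49955D03  IoReportHalResourceUsage
.text  ntoskrnl.exe!ZwYieldExecution + 46A  804E4CC4 12 Bytes  [90, 33, 96, B1, C0, 3C, 96, ...]
.text  C:\WINDOWS\system32\winlogon.exe[1428] USER32.dll!SetWindowPos  7E3799F3 5 Bytes  JMP 100A4580 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text  C:\Program Files\UltraVNC\WinVNC.exe[336] USER32.dll!SetForegroundWindow  7E3742ED 5 Bytes  JMP 100A4554 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9D018D8] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B19481C0] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
AttachedDevice  \FileSystem\Ntfs \Ntfs  amon.sys (Amon monitor/Eset )
Device  \Driver\Tcpip \Device\Tcp  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Disk  \Device\Harddisk1\DR1  malicious Win32:MBRoot code @ sector 61
"""

# One regex per entry kind, matched after collapsing GMER's column padding to
# single spaces. Attributed entries end in "<module> (<description>/<vendor>)",
# where the parenthesised text is the file's own version-information strings.
PATTERNS = [
    ("ssdt", re.compile(r"^SSDT (?P<module>\S+) \((?P<attribution>[^)]*)\) (?P<target>Zw\w+) \[0x(?P<addr>[0-9A-F]+)\]$")),
    ("user_hook", re.compile(r"^\.text (?P<process>.+?\[\d+\]) (?P<target>\S+!\S+) (?P<addr>[0-9A-F]{8}) (?P<size>\d+) Bytes JMP (?P<dest>[0-9A-F]{8}) (?P<module>\S+) \((?P<attribution>[^)]*)\)$")),
    ("kernel_patch", re.compile(r"^\.text (?P<target>\S+!\S+(?: \+ [0-9A-F]+)?) (?P<addr>[0-9A-F]{8}) (?P<size>\d+) Bytes \[(?P<bytes>[^\]]*)\]$")),
    ("iat", re.compile(r"^IAT (?P<process>\S+)\[(?P<target>[^\]]+)\] \[(?P<dest>[0-9A-F]+)\] (?P<module>\S+) \((?P<attribution>[^)]*)\)$")),
    ("device", re.compile(r"^(?:AttachedDevice|Device) (?P<target>\S+ \S+) (?P<module>\S+) \((?P<attribution>[^)]*)\)$")),
    ("code", re.compile(r"^Code (?P<addr>[0-9A-F]{8}) (?P<target>\S+)$")),
    ("disk", re.compile(r"^Disk (?P<target>\S+) (?P<detail>.+)$")),
]


def parse_gmer(text):
    """Return one dict per entry; section headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("----"):
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                entry = {"kind": kind, "raw": line, **m.groupdict()}
                if entry.get("attribution") is not None:
                    # Normalise to a bare file name and the vendor half of "desc/vendor".
                    entry["module"] = entry["module"].rsplit("\\", 1)[-1].lower()
                    entry["vendor"] = entry["attribution"].rsplit("/", 1)[-1].strip()
                if kind == "disk":
                    sec = re.search(r"@ sector (\d+)", entry["detail"])
                    entry["sector"] = int(sec.group(1)) if sec else None
                entries.append(entry)
                break
        else:
            entries.append({"kind": "unparsed", "raw": line})
    return entries


def triage(entries, trusted_vendors):
    """Bucket entries: trusted-vendor hooks (counted per module), hooks attributed
    to any other vendor, unattributed kernel modifications, and GMER's own
    'malicious' findings. Vendor strings come from version info, not signatures,
    so 'trusted' means 'the analyst confirmed this product is installed'."""
    report = {"trusted": Counter(), "untrusted": [], "unattributed": [], "flagged": []}
    for e in entries:
        if e["kind"] == "disk" and "malicious" in e["detail"].lower():
            report["flagged"].append(e)
        elif e.get("vendor") in trusted_vendors:
            report["trusted"][(e["module"], e["vendor"])] += 1
        elif e.get("vendor"):
            report["untrusted"].append(e)
        else:
            report["unattributed"].append(e)
    return report


if __name__ == "__main__":
    # Assumed trusted set for this host: Outpost (Agnitum) and ESET are visibly installed.
    rep = triage(parse_gmer(SAMPLE_LOG), {"Agnitum Ltd.", "Eset", "Microsoft Corporation"})
    for (module, vendor), n in sorted(rep["trusted"].items()):
        print(f"trusted    {n:3d} hook(s)  {module} ({vendor})")
    for e in rep["untrusted"] + rep["unattributed"]:
        print(f"REVIEW     {e['kind']:13s} {e['raw']}")
    for e in rep["flagged"]:
        print(f"FLAGGED    {e['target']} sector {e['sector']}: {e['detail']}")
```

The point of the split is that a long hook list from a HIPS/firewall is noise until something is not accounted for; here the unaccounted-for items are exactly the kernel patch, the `Code` entry and the MBR finding. The description/vendor text GMER prints is read from the file's version resources, which any file can carry, so an attributed hook is only as trustworthy as the file it names; the log records no signature check, and that verification (hash or Authenticode) is a separate step.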