GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-28 08:20:04
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LB01
Running: o9hxr56p.exe; Driver: C:\DOCUME~1\Piotr\USTAWI~1\Temp\kgdyqpoc.sys

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B8669000-B8678000 (61440 bytes)
.text ...

---- System - GMER 1.0.15 ----

INT 0x73 ? 89B61BF8
INT 0x94 ? 89B61BF8
INT 0xA4 ? 89B61BF8
INT 0xB4 ? 89B61BF8
INT 0x62 ? 8A691BF8
INT 0x63 ? 8A703BF8

SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAllocateVirtualMemory [0x9A3AC6E0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0x9A3AC610]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0x9A3AC980]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0x9A3AA1B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0x9A3ABAB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0x9A3ABBA0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0x9A3AAAB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0x9A3ACFB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwEnumerateKey [0x9A3AAE10]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwEnumerateValueKey [0x9A3AAEF0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwFsControlFile [0x9A3AA0C0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0x9A3AF000]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0x9A3AA9F0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0x9A3AA640]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenKey [0x9A3AAC80]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0x9A3A9EB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0x9A3AC8A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0x9A3AAFD0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0x9A3AC540]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0x9A3AB5B0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0x9A3ACC50]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0x9A3AB340]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0x9A3AB410]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0x9A3ACA70]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0x9A3AD080]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0x9A3AB760]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0x9A3AC2A0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0x9A3AC360]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0x9A3AC150]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0x9A3AB830]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteFile [0x9A3A9FB0]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0x9A3AC7C0]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom0 899E0500
Device \Driver\dmio \Device\DmControl\DmConfig 8A7041F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7041F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7041F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7041F8
Device \Driver\Ftdisk \Device\FtControl 8A6921F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6921F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6921F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9D7C580] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\iaStor0 [B9D7C580] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetbiosSmb 86C1A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{11D107C4-4740-4382-A588-64E971DC6925} 86C1A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{55E4D3B8-ED1D-4629-9266-307BAE57076E} 86C1A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C7CDD6C5-CDCC-4B51-A8F2-D029C708C99F} 86C1A1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86C1A1F8
Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbehci \Device\USBFDO-2 89B5F1F8
Device \Driver\usbehci \Device\USBFDO-6 89B5F1F8
Device \Driver\usbehci \Device\USBPDO-2 89B5F1F8
Device \Driver\usbehci \Device\USBPDO-3 89B5F1F8
Device \Driver\usbuhci \Device\USBFDO-0 89B601F8
Device \Driver\usbuhci \Device\USBFDO-1 89B601F8
Device \Driver\usbuhci \Device\USBFDO-3 89B601F8
Device \Driver\usbuhci \Device\USBFDO-4 89B601F8
Device \Driver\usbuhci \Device\USBFDO-5 89B601F8
Device \Driver\usbuhci \Device\USBPDO-0 89B601F8
Device \Driver\usbuhci \Device\USBPDO-1 89B601F8
Device \Driver\usbuhci \Device\USBPDO-4 89B601F8
Device \Driver\usbuhci \Device\USBPDO-5 89B601F8
Device \Driver\usbuhci \Device\USBPDO-6 89B601F8
Device \FileSystem\Cdfs \Cdfs 85A741F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86BF01F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86BF01F8
Device \FileSystem\Ntfs \Ntfs 8A7021F8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [AA971182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spwi.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AA971182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [AA971182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AA971182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AA971182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AA971182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AA971182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AA971182] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spwi.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spwi.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spwi.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spwi.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spwi.sys
SSDT BA74F6E8 ZwOpenProcess
SSDT BA74F6ED ZwOpenThread
SSDT BA74F6F7 ZwTerminateProcess
SSDT BA74F6FC ZwCreateThread
SSDT BA74F706 ZwCreateKey
SSDT BA74F70B ZwDeleteKey
SSDT BA74F710 ZwSetValueKey
SSDT BA74F715 ZwDeleteValueKey
SSDT BA74F71A ZwLoadKey
SSDT BA74F71F ZwRestoreKey
SSDT BA74F724 ZwReplaceKey
SSDT BA74F747 ZwDuplicateObject
SSDT BA74F74C ZwClose
SSDT BA74F756 ZwCreateSection
SSDT BA74F75B ZwSetContextThread
SSDT BA74F760 ZwRequestWaitReplyPort
SSDT BA74F765 ZwSetSecurityObject
SSDT BA74F76A ZwSystemDebugControl
SSDT BA74F76F ZwQueryValueKey

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Piotr\Pulpit\o9hxr56p.exe[776] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Piotr\Pulpit\o9hxr56p.exe[776] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Piotr\Pulpit\o9hxr56p.exe[776] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Documents and Settings\Piotr\Pulpit\o9hxr56p.exe[776] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Apoint2K\Apoint.exe[708] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Apoint2K\Apoint.exe[708] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Apoint2K\Apoint.exe[708] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Apoint2K\Apoint.exe[708] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\ATnotes\ATnotes.exe[1072] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\ATnotes\ATnotes.exe[1072] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\ATnotes\ATnotes.exe[1072] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\ATnotes\ATnotes.exe[1072] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Bonjour\mDNSResponder.exe[2656] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Bonjour\mDNSResponder.exe[2656] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Bonjour\mDNSResponder.exe[2656] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Bonjour\mDNSResponder.exe[2656] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3144] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3144] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3144] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe[3144] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\OscarG7\program files\OSCARK3G5\OscarEditor.exe[1036] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\OscarG7\program files\OSCARK3G5\OscarEditor.exe[1036] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\OscarG7\program files\OSCARK3G5\OscarEditor.exe[1036] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\OscarG7\program files\OSCARK3G5\OscarEditor.exe[1036] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\PeerBlock\peerblock.exe[1044] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 004314E0 C:\Program Files\PeerBlock\peerblock.exe (PeerBlock/PeerBlock, LLC)
.text C:\Program Files\PeerBlock\peerblock.exe[1044] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\PeerBlock\peerblock.exe[1044] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\PeerBlock\peerblock.exe[1044] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\PeerBlock\peerblock.exe[1044] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3320] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3320] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3320] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[3320] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2800] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 007155F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2800] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 00715624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2800] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 00715574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[2800] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 007155A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe[728] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe[728] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe[728] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe[728] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe[664] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 00B455F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe[664] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 00B45624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe[664] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 00B45574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe[664] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 00B455A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\acs.exe[2604] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 005F5098 C:\PROGRA~1\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\acs.exe[2604] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\acs.exe[2604] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\acs.exe[2604] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\acs.exe[2604] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\op_mon.exe[816] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 006286D8 C:\PROGRA~1\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\op_mon.exe[816] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0062879C C:\PROGRA~1\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\op_mon.exe[816] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 00C855F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\op_mon.exe[816] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 00C85624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\op_mon.exe[816] USER32.dll!EnableWindow 7E379849 5 Bytes JMP 0175B8DC C:\PROGRA~1\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\op_mon.exe[816] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 00C85574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\op_mon.exe[816] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 00C855A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\op_mon.exe[816] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00628744 C:\PROGRA~1\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\PROGRA~1\OUTPOS~1\op_mon.exe[816] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00628770 C:\PROGRA~1\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1904] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1904] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1904] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\Explorer.EXE[1904] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\alg.exe[3564] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\alg.exe[3564] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\alg.exe[3564] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\alg.exe[3564] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[932] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[932] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[932] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\ctfmon.exe[932] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

---- Kernel code sections - GMER 1.0.15 ----

.INIT C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".INIT" section [0xBA1C6322]
? C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\hkcmd.exe[1052] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 009B55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[1052] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 009B5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[1052] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 009B5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\hkcmd.exe[1052] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 009B55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\imapiservice.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [332] 0x3AFD0000

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\lsass.exe[1876] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\lsass.exe[1876] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\lsass.exe[1876] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\lsass.exe[1876] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1864] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1864] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1864] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\services.exe[1864] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1432] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1432] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1432] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\spoolsv.exe[1432] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[1776] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[1776] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[1776] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[1776] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[200] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[200] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[200] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[200] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[208] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[208] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[208] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[208] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[300] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[300] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[300] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[300] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[3084] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[3084] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[3084] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[3084] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[3264] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[3264] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[3264] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[3264] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[332] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[332] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[332] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\System32\svchost.exe[332] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[412] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[412] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[412] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[412] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[532] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[532] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[532] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[532] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[860] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[860] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[860] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
.text C:\WINDOWS\system32\svchost.exe[860] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\TPSBattM.exe[3820] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 009955F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\TPSBattM.exe[3820] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 00995624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\TPSBattM.exe[3820] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 00995574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\TPSBattM.exe[3820] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 009955A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\TPSMain.exe[672] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 009E55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\TPSMain.exe[672] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 009E5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\TPSMain.exe[672] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 009E5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\TPSMain.exe[672] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 009E55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\winlogon.exe[1820] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\winlogon.exe[1820] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) 
.text C:\WINDOWS\system32\winlogon.exe[1820] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\winlogon.exe[1820] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\wscntfy.exe[168] USER32.dll!ChangeDisplaySettingsExA 7E37384E 5 Bytes JMP 100A55F8 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\wscntfy.exe[168] USER32.dll!ChangeDisplaySettingsExW 7E3A95BD 5 Bytes JMP 100A5624 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\wscntfy.exe[168] USER32.dll!SetForegroundWindow 7E3742ED 5 Bytes JMP 100A5574 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) .text C:\WINDOWS\system32\wscntfy.exe[168] USER32.dll!SetWindowPos 7E3799F3 5 Bytes JMP 100A55A0 c:\PROGRA~1\OUTPOS~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x13 0x33 0x0F 0xFA ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE6 0xD6 0x44 0xCF ... 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCF 0x59 0xCC 0x3F ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x31 0x15 0x68 0x2A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x31 0x15 0x68 0x2A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2DCC 80504668 4 Bytes CALL D50ABB63 .text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [A0, C2, 3A, 9A, 60, C3, 3A, ...] {MOV AL, [0x609a3ac2]; RET ; CMP BL, [EDX-0x458b0896]} .text redbook.sys BA1B8300 343 Bytes [2E, 72, 65, 6C, 6F, 63, 00, ...] .text redbook.sys BA1B8458 290 Bytes [F8, 52, 8B, 45, 0C, 50, 68, ...] .text redbook.sys BA1B857B 5 Bytes [45, 10, 89, 42, 14] .text redbook.sys BA1B8581 246 Bytes [4D, F0, 8B, 55, FC, 89, 51, ...] .text redbook.sys BA1B8678 594 Bytes [A3, 1B, BA, EB, 06, 8B, 4D, ...] ---- Threads - GMER 1.0.15 ---- Thread services.exe [1864:612] 00FCEE96 ---- Kernel code sections - GMER 1.0.15 ---- ? 
spwi.sys Nie można odnaleźć określonego pliku. ! ---- Threads - GMER 1.0.15 ---- Thread System [4:176] 899C6540 Thread System [4:180] 899C6540 ---- Kernel code sections - GMER 1.0.15 ---- .text USBPORT.SYS!DllUnload B7FBC8AC 5 Bytes JMP 89B611D8 ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\$NtUninstallKB54984$\2185455058 0 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726 0 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\@ 2048 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\L 0 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\L\jfihdmcb 58880 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\loader.tlb 2632 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\U 0 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\U\@00000001 45968 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\U\@000000c0 2560 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\U\@000000cb 704 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\U\@000000cf 1536 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\U\@80000000 73728 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\U\@800000c0 43008 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\U\@800000cb 25600 bytes File C:\WINDOWS\$NtUninstallKB54984$\904469726\U\@800000cf 31232 bytes ---- EOF - GMER 1.0.15 ----