GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-31 14:00:46
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT 86E754D8 ZwAlertResumeThread
SSDT 86E794B0 ZwAlertThread
SSDT 86F651D8 ZwAllocateVirtualMemory
SSDT 86E188E8 ZwConnectPort
SSDT 86E74D10 ZwCreateMutant
SSDT 86F61AF0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT 86E8E268 ZwFreeVirtualMemory
SSDT 86E729F0 ZwImpersonateAnonymousToken
SSDT 86E751C8 ZwImpersonateThread
SSDT 86F20738 ZwMapViewOfSection
SSDT 86E74B98 ZwOpenEvent
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 86E8E6C8 ZwOpenProcessToken
SSDT 86E8CA70 ZwOpenThreadToken
SSDT 86F71F18 ZwQueryValueKey
SSDT 86E670B8 ZwResumeThread
SSDT 86E7E168 ZwSetContextThread
SSDT 86E8E0B8 ZwSetInformationProcess
SSDT 86E7C8E8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 86E74A20 ZwSuspendProcess
SSDT 86E79588 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 86E7B0B0 ZwTerminateThread
SSDT 86E8E190 ZwUnmapViewOfSection
SSDT 86F64850 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 235C 80501060 8 Bytes [ D8, 54, E7, 86, B0, 94, E7, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2514 80501218 8 Bytes [ AC, 48, CC, F7, C8, E6, E8, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 26BC 805013C0 8 Bytes CALL 6818FC4B
.text ntkrnlpa.exe!ZwCallbackReturn + 2720 80501424 8 Bytes [ 20, 4A, E7, 86, 88, 95, E7, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2730 80501434 8 Bytes [ 12, 48, CC, F7, B0, B0, E7, ... ]

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\SpyCatcher 2006\Protector.exe[2552] USER32.dll!SetScrollInfo 77D49056 7 Bytes JMP 01CFD5F7 C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[2552] USER32.dll!GetScrollInfo 77D517F8 7 Bytes JMP 01CFD57F C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[2552] USER32.dll!ShowScrollBar 77D5F2CA 5 Bytes JMP 01CFD67B C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[2552] USER32.dll!GetScrollPos 77D5F6DC 5 Bytes JMP 01CFD5A7 C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[2552] USER32.dll!SetScrollPos 77D5F728 5 Bytes JMP 01CFD622 C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[2552] USER32.dll!GetScrollRange 77D5F75F 5 Bytes JMP 01CFD5CC C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[2552] USER32.dll!SetScrollRange 77D5F973 5 Bytes JMP 01CFD64D C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[2552] USER32.dll!EnableScrollBar 77D97BC5 7 Bytes JMP 01CFD557 C:\Program Files\SpyCatcher 2006\skin.dll

---- Processes - GMER 1.0.12 ----

Process C:\Program Files\SpyCatcher 2006\Protector.exe (*** hidden *** ) 2552
Process C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe (*** hidden *** ) 2588

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt
File C:\Documents and Settings\Student\Application Data\Mozilla\Firefox\Profiles\cs0zd7c6.matt\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
File C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe
File C:\Program Files\Windows Media Player\wmpnscfg.exe

---- EOF - GMER 1.0.12 ----