Help please

Re: Help please

Post by hema » April 21st, 2010, 9:43 am

ComboFix runs and completes all the scans, and then when it says "Deleting files" the blue screen of death appears and the system crashes. Please help :O
hema
Regular Member
Posts: 15
Joined: April 13th, 2010, 7:38 am

Re: Help please

Post by xixo_12 » April 21st, 2010, 9:56 am

Hi,

First,
Discussion
Can you enter normal mode?
If you can't, please proceed with the instructions below.

Next,
LKGC
How to boot into Safe Mode:

Restart your computer and, as soon as it starts booting up again, continuously tap the F8 key. A menu should come up where you will be given the option to enter Safe Mode; do so.

If you have any problems, refer to this tutorial.

In Safe Mode, when the Windows Advanced Options menu appears, use the arrow keys (on the number pad part of the keyboard) to select Last Known Good Configuration (your most recent settings that worked), and then press the Enter/Return key.

Next,
Checklist.
Please post.
  • Post any question/result.
xixo_12
MRU Master Emeritus
Posts: 2340
Joined: October 14th, 2008, 11:40 am
Location: Malaysia

Re: Help please

Post by hema » April 21st, 2010, 10:07 am

If by normal mode you mean standard Windows, then YES.

Re: Help please

Post by xixo_12 » April 21st, 2010, 10:22 am

Hi,
OK, we will try a different approach.

First,
Registry related program.

Next,
Remove programs.
Please click on Start > Control Panel > Add/Remove Programs.
Remove the listed program(s) by clicking Remove:
Spybot - Search & Destroy

If some programs listed above are not present, please do not panic and proceed to the next step.

Next,
Reboot into the usual account.

Next,
Malwarebytes' Anti-Malware - Run
  • Double-click Malwarebytes' Anti-Malware to run the program.
  • Click on Update tab > Check for Updates.
  • Once done, click on Scanner tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    Image
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


Next,
GMER.
Please download from HERE and save to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Next,
Please perform this step. If nothing appears, just skip it.
Content of the log.
  • Copy the path below by highlighting it > right-click > Copy:
    C:\ComboFix.txt
  • Click on Start > Run...
  • Paste the path into the box and click OK.
  • The file will open. Copy and paste the content in your next reply.


Next,
Checklist.
Please post.
  • Content of MBAM log
  • Content of GMER.txt
  • Content of ComboFix.txt (If available)

Re: Help please

Post by hema » April 22nd, 2010, 10:04 am

I had actually used the malware removal scan a few days ago and it had the following log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/16/2010 6:01:50 PM
mbam-log-2010-04-16 (18-01-50).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 272881
Time elapsed: 1 hour(s), 15 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 50
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{a043783e-4380-4270-b770-3b457c7d4cdf} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{616ee024-f676-45e5-8933-5be48fa9a60e} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{99806add-c5ef-4632-a3d0-3e778b051f94} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99806add-c5ef-4632-a3d0-3e778b051f94} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e7c28ebf-91a9-411a-9293-ce9deb0fd816} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b792a203-fb64-4909-aefe-a9efb2697e55} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{067b5d39-578c-4d25-a119-a475e24d5f95} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{039b7df6-3103-48f0-bd6f-24291bc7e637} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1bd69f2f-96b4-41b3-accf-c46ed55e3a58} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2194682f-acb0-45ce-b900-3fcd2d13bfb5} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{24d4e9fc-5097-483b-b0fe-6e3ef28bff4a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{382be372-d636-451d-8fa8-54c51569ad88} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3a60359d-0eb2-4437-ad15-a08bee794c14} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{46902815-1008-40c8-ba07-4f3d2276e6d2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{777421f7-878b-426e-b7f7-593cbe6b543d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{777421f7-878b-426e-b7f7-593cbe6b543f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7876dc2b-dd2e-48d3-b182-6e261698aadb} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9b7984e0-1b06-434d-a233-5323ab08f05f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a0f36689-35ea-4b9b-8b16-2236b0581557} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1ce34ce-dfa2-4a5e-a99a-5fdef5021994} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ce9cc21b-4f0c-4da5-9a2b-cb4d6a631228} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0778c77-10e3-4ab3-9077-fe845de401b4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e5b630a9-c1e3-42f3-b58b-9afa3662c010} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{02aab237-8e24-46ce-bd71-ab4f4df52e3c} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0d37433c-8c73-458e-a7d6-15de1cec0f91} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{11921be2-a0a6-4532-b708-76537c9bb86d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{37f08bce-c7b2-48e8-88b0-666bc1c58c36} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b2f6a77-8a7e-4aa7-b6d7-fac7657f58bd} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e395ec3-30f4-4a0e-a7f6-8878c60e8eb1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6126a5f4-a096-4f8a-a272-c54fd7f63c17} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69f34ba8-7ed4-4911-97f4-4b88adf25441} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7aa18156-1945-45af-9ac6-f1a9787ace06} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{841643d5-d102-4b24-917c-0caf6d9dfbf1} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b359b6ea-e892-4018-8cd2-4ecc9bd477a2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cbabf241-9875-46c8-bb0b-6f90cc8d12fe} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e8cd244f-1836-4ffe-af58-1776580d1622} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f39659cf-699b-47ef-bb19-c15a84bbb143} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fa150b05-7510-471d-9afb-467b94462fde} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{b3774019-f8c2-4a55-b075-ff0529b79c31} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b373722b-f571-43a6-b51d-15766456ca91} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ba79865a-c1ef-402f-9706-609eb2fb2360} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bae10fb0-a2ac-4c36-92ce-14bd30be0bb6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f251bed0-0544-42c7-abbc-93556e513238} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f1aa2cad-0e89-4239-85e5-a91b69c5862d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f92ace0c-4692-4793-bc37-eabc55da988a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9458b32-119c-4301-b86d-53a845894d5b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f4a40134-ed3b-4069-bc86-ed9733bd3217} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9a9f058-a535-45d3-8414-e80cafd6d31f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ff7bcf7c-1d4b-4717-a39a-0db1a107b62b} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f817f096-9e9d-45fc-be44-11cef283faea} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\System32 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\System32\cis-2.4.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\issacapi_bs-2.3.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\issacapi_pe-2.3.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\issacapi_se-2.3.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MACXMLProto.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MaDRM.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MaJGUILib.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MAMACExtract.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MASetupCaller.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MASetupCleaner.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MaXMLProto.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MK_Lyric.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MSCLib.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MSFLib.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MSLUR71.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\msvcp60.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MTTELECHIP.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\MTXSYNCICON.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\muzaf1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\muzapp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\muzapp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\muzdecode.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\muzeffect.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\muzmp4sp.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\muzmpgsp.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\muzoggsp.ax (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\muzwmts.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\System32\psapi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HEMA\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

This is the latest one; it found 2 malware items:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4020

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/22/2010 2:36:26 PM
mbam-log-2010-04-22 (14-36-26).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 251664
Time elapsed: 38 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\NetworkService\Application Data\mvhgkr.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\mvhgkr.dat (Malware.Trace) -> Quarantined and deleted successfully.

The PC crashes to the blue screen of death as soon as GMER is executed.
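The two Malwarebytes logs above share one fixed layout: declared counts first, then one entry per line under each "... Infected:" section. As an added example that is not part of the thread, the following Python parser reads that layout from a constructed excerpt (a handful of the posted entries), checks that every declared count matches the entries actually listed, tallies detection families, and flags paths containing a look-alike nested directory such as system32\System32, which the first log shows. The excerpt and the function names are my own.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware logs posted
# in the thread (a few of the posted entries, not the full log).
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 272881

Memory Processes Infected: 0
Registry Keys Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{a043783e-4380-4270-b770-3b457c7d4cdf} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99806add-c5ef-4632-a3d0-3e778b051f94} (Trojan.Agent) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\System32 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\System32\psapi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HEMA\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 50"  -> declared count in the summary block
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"     -> header that opens the listing of that section
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Split an MBAM log into declared summary counts and the entries listed per section."""
    summary, detections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("section")
            detections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current:                     # "(No malicious items detected)" never matches
            detections[current].append(m.groupdict())
    return {"summary": summary, "detections": detections}


def check_counts(parsed):
    """Sections whose declared count disagrees with the entries actually listed."""
    mismatches = {}
    for section, declared in parsed["summary"].items():
        listed = len(parsed["detections"].get(section, []))
        if declared != listed:
            mismatches[section] = (declared, listed)
    return mismatches


def family_counts(parsed):
    """How many entries each detection family (Trojan.Agent, Malware.Trace, ...) accounts for."""
    return Counter(e["family"] for entries in parsed["detections"].values() for e in entries)


def lookalike_dirs(parsed):
    """Folder/file paths with a directory whose name repeats its parent's (system32\\System32)."""
    hits = []
    for section in ("Folders Infected", "Files Infected"):
        for e in parsed["detections"].get(section, []):
            parts = e["item"].split("\\")
            if any(a.lower() == b.lower() for a, b in zip(parts, parts[1:])):
                hits.append(e["item"])
    return hits


if __name__ == "__main__":
    parsed = parse_mbam_log(MBAM_LOG)
    print("count mismatches:", check_counts(parsed))
    print("families:", dict(family_counts(parsed)))
    print("look-alike directories:", lookalike_dirs(parsed))
```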

Re: Help please

Post by xixo_12 » April 22nd, 2010, 10:39 am

Hi,
Try this one.

First,
DeFogger - Disable
Please download from HERE and save to the desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next,
GMER.
Please run it again in normal mode; if that doesn't work, proceed with safe mode. Do let me know if anything occurs.
Please download from HERE and save to the desktop.
  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.


Next,
Checklist.
Please post.
  • Content of GMER.txt

Re: Help please

Post by hema » April 22nd, 2010, 11:02 am

DeFogger went well.
GMER crashes in both normal and safe mode :S

Re: Help please

Post by xixo_12 » April 22nd, 2010, 11:14 am

Hi,
OK, we will try a different approach.

First,
SysProt AntiRootkit© by swatkat
  • Please download from HERE by swatkat and save to the desktop.
  • Unzip it into a folder on your desktop and enter it, then double click on SysProt.exe to start the program.
  • Go to the Log tab and check (tick) all items listed in the Write to log box.
  • Check Hidden Objects Only at the bottom of the window too.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear. Select Scan root drive only and click Start.
  • When completed, you will be prompted showing the location of SysProtLog.txt, which is the same folder SysProt.exe was extracted to.
  • Post the contents of the log in your reply.

Next,
Reboot into the usual account.

Next,
CCleaner - Clear temp.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the Windows tab, under Internet Explorer, uncheck Cookies if you do not want them deleted.
    (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.
  • Click on the Options icon at the left side of the window, then click on Advanced. Untick Only delete files in Windows Temp folders older than 48 hours.
  • Click on the Cleaner icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the Issues feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.

Next,
Kaspersky Online AV Scan
Note: Internet Explorer should be used.
Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

Next,
Checklist.
Please post.
  • Content of SysProtLog.txt
  • Content of Kaspersky scan log

Re: Help please

Post by hema » April 22nd, 2010, 11:52 pm

OK, I have done what you want.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\HEMA\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B428B000
Module End: B4296000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: PsTerminateSystemThread
At Address: 805807C3
Jump To: 80574F6C
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWaitForKeyedEvent
At Address: 8065147D
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwReleaseKeyedEvent
At Address: 80651212
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwOpenKeyedEvent
At Address: 8058BA26
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwCreateKeyedEvent
At Address: 805C2921
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwYieldExecution
At Address: 80515AAA
Jump To: 804DC243
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWriteVirtualMemory
At Address: 805885CB
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWriteRequestData
At Address: 805E05AB
Jump To: 805E01B9
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWriteFileGather
At Address: 805CC82B
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWriteFile
At Address: 8057F76C
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWaitLowEventPair
At Address: 806503F6
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWaitHighEventPair
At Address: 80650462
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWaitForSingleObject
At Address: 8056DF69
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWaitForMultipleObjects
At Address: 8056EC57
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwWaitForDebugEvent
At Address: 80661CBC
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwVdmControl
At Address: 805AD70D
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwUnmapViewOfSection
At Address: 8057DF2E
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwUnlockVirtualMemory
At Address: 8062ED1C
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwUnlockFile
At Address: 805DD1BF
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwUnloadKeyEx
At Address: 80654FE2
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwUnloadKey
At Address: 80654DB9
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwUnloadDriver
At Address: 8062478A
Jump To: 8050841B
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwTranslateFilePath
At Address: 8064FBDE
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwTraceEvent
At Address: 805499A7
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwTestAlert
At Address: 80586DB2
Jump To: 804E74B6
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwTerminateThread
At Address: 8058392A
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwTerminateProcess
At Address: 8058E6D9
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwTerminateJobObject
At Address: 80638039
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSystemDebugControl
At Address: 80650D9E
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSuspendThread
At Address: 80637602
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSuspendProcess
At Address: 8063770C
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwStopProfile
At Address: 80650C63
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwStartProfile
At Address: 80650A85
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSignalAndWaitForSingleObject
At Address: 8051C370
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwShutdownSystem
At Address: 8064E5C4
Jump To: 8066F0E7
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetVolumeInformationFile
At Address: 806220D4
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetValueKey
At Address: 80582293
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetUuidSeed
At Address: 805CDACD
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetTimerResolution
At Address: 805EB385
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetTimer
At Address: 804E7A3C
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetThreadExecutionState
At Address: 805EB0BE
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetSystemTime
At Address: 8064EE50
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetSystemPowerState
At Address: 8066F0F1
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetSystemInformation
At Address: 805AABD2
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetSystemEnvironmentValue
At Address: 8064FE7B
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetSecurityObject
At Address: 805D9CC7
Jump To: 805D9C78
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetQuotaInformationFile
At Address: 80621BA2
Jump To: 80624120
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetLowWaitHighEventPair
At Address: 806504CD
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetLowEventPair
At Address: 806505B4
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetLdtEntries
At Address: 80636659
Jump To: 806363B1
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetIoCompletion
At Address: 80575FC8
Jump To: 8056C559
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetIntervalProfile
At Address: 8065081E
Jump To: 8054D612
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetInformationToken
At Address: 805A617B
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetInformationThread
At Address: 80578FA9
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetInformationProcess
At Address: 8057CFCA
Jump To: 804E2E83
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ZwSetInformationObject
At Address: 80589B40
Jump To: 804E2E83

Hooked Function: IoQueueThreadIrp
At Address: 804FEB6F
Jump To: 805511E6
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoQueryVolumeInformation
At Address: 805B5368
Jump To: 8058A133
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoQueryFileInformation
At Address: 8058A262
Jump To: 8058A133
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoQueryFileDosDeviceName
At Address: 80620BE4
Jump To: 8058AA05
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoQueryDeviceDescription
At Address: 805AE48A
Jump To: 80551005
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoOpenDeviceRegistryKey
At Address: 80597270
Jump To: 80551005
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoOpenDeviceInterfaceRegistryKey
At Address: 8059A85A
Jump To: 804DA3A4
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoIsSystemThread
At Address: 80514E53
Jump To: 80528FEC
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoGetDiskDeviceObject
At Address: 8050A2F3
Jump To: 80505890
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoGetDeviceObjectPointer
At Address: 805E1F53
Jump To: 804E3B92
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoGetDeviceInterfaces
At Address: 805976AC
Jump To: 805964F5
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoGetDeviceInterfaceAlias
At Address: 805D2887
Jump To: 80596BE5
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoGetConfigurationInformation
At Address: 805D12D3
Jump To: 804E3692
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoGetAttachedDeviceReference
At Address: 8051524C
Jump To: 804E8457
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoFreeMdl
At Address: 804EDE8D
Jump To: 804E1331
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoFreeIrp
At Address: 804EAF74
Jump To: 804E2089
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoDetachDevice
At Address: 80507FD6
Jump To: 80505691
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoDeleteSymbolicLink
At Address: 805D2009
Jump To: 804E3C6E
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoDeleteDriver
At Address: 8058E070
Jump To: 804E1910
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoDeleteDevice
At Address: 80505754
Jump To: 805E6A62
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoCreateSynchronizationEvent
At Address: 805C0B2A
Jump To: 804E353E
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoCreateSymbolicLink
At Address: 805CD18F
Jump To: 804E3692
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoCreateStreamFileObjectEx
At Address: 8050A4DE
Jump To: 804F2EF5
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoCreateStreamFileObject
At Address: 805CCF61
Jump To: 8050A4BD
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoCreateFileSpecifyDeviceObjectHint
At Address: 80584CC3
Jump To: 8057C07C
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoCreateFile
At Address: 8057C310
Jump To: 8057C07C
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoCancelIrp
At Address: 80518494
Jump To: 804E81B7
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoAttachDeviceByPointer
At Address: 80532C9B
Jump To: 80506BB6
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ExFreeToPagedLookasideList
At Address: 804E9209
Jump To: 804E1331
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ExFreePool
At Address: 805513DE
Jump To: 805511E6
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ExEnumHandleTable
At Address: 805E7A71
Jump To: 8056C4C9
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ExAllocatePoolWithTagPriority
At Address: 804F3C84
Jump To: 804F3BE4
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ExAllocatePoolWithQuotaTag
At Address: 804E87A5
Jump To: 80551005
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ExAllocatePoolWithQuota
At Address: 8054A94B
Jump To: 804E8762
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ExAllocatePool
At Address: 8050D542
Jump To: 80551005
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: Kei386EoiHelper
At Address: 804DE25E
Jump To: 804DCE01
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: ObfDereferenceObject
At Address: 804E1952
Jump To: 8056D6D2
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoReadPartitionTable
At Address: 805B8C7B
Jump To: 80551005
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: IoAssignDriveLetters
At Address: 805BAA2E
Jump To: 805D128F
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: Sysenter
At Address: ---
Jump To: 804DD89F
Module Name: \WINDOWS\system32\TUKERNEL.EXE

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: HARISH:3196
Remote Address: ZTE:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:3193
Remote Address: ZTE:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2679
Remote Address: ZTE:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2451
Remote Address: CHANNEL:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2448
Remote Address: CHANNEL:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2445
Remote Address: CHANNEL:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2442
Remote Address: CHANNEL:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2427
Remote Address: ZTE:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2424
Remote Address: ZTE:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2423
Remote Address: ZTE:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2406
Remote Address: WWW:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2405
Remote Address: WWW:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:2404
Remote Address: WWW:80
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:139
Remote Address: 0.0.0.0:0
Type: TCP
Process: SYSTEM
State: LISTENING

Local Address: HARISH:12143
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: HARISH:12119
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: HARISH:12110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: HARISH:12080
Remote Address: LOCALHOST:3195
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:3192
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2678
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2450
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2447
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2444
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2441
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2426
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2422
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2421
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2403
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2402
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: LOCALHOST:2400
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: ESTABLISHED

Local Address: HARISH:12080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LISTENING

Local Address: HARISH:12025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
State: LISTENING

Local Address: HARISH:5152
Remote Address: LOCALHOST:1047
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: HARISH:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: HARISH:3216
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3215
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3213
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3212
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3210
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3209
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3207
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3206
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3204
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3203
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3201
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3200
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3198
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3197
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3195
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:3194
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:3192
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:3191
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:3189
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3188
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3186
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3185
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3183
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3182
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3180
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3179
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3177
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3176
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3174
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3173
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3171
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3170
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3168
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3167
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3165
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3164
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3161
Remote Address: LOCALHOST:12080
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:3160
Remote Address: LOCALHOST:1083
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: HARISH:2678
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2677
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2450
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2449
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2447
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2446
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2444
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2443
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2441
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2440
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2426
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2425
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2422
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2421
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2420
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2419
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2403
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2402
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2401
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2400
Remote Address: LOCALHOST:12080
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2399
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:2398
Remote Address: LOCALHOST:1083
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:3194
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:3191
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2677
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2449
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2446
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2443
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2440
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2425
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2420
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2419
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2401
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2399
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1083
Remote Address: LOCALHOST:2398
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1049
Remote Address: LOCALHOST:1048
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1048
Remote Address: LOCALHOST:1049
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1046
Remote Address: LOCALHOST:1045
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1045
Remote Address: LOCALHOST:1046
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: HARISH:1029
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: HARISH:1083
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: LISTENING

Local Address: HARISH:445
Remote Address: 0.0.0.0:0
Type: TCP
Process: SYSTEM
State: LISTENING

Local Address: HARISH:135
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: HARISH:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HARISH:138
Remote Address: NA
Type: UDP
Process: SYSTEM
State: NA

Local Address: HARISH:137
Remote Address: NA
Type: UDP
Process: SYSTEM
State: NA

Local Address: HARISH:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HARISH:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HARISH:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: HARISH:445
Remote Address: NA
Type: UDP
Process: SYSTEM
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\HEMA\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Documents and Settings\HEMA\Application Data\SecuROM\UserData\???????????p?????????
Status: Hidden

Object: C:\Program Files\IObit\IObit SmartDefrag\language\Lietuviu.lng
Status: Hidden



Did CCleaner and Kaspersky scan; did not find any virus.
hema
Regular Member
 

Re: Help please

Unread postby xixo_12 » April 23rd, 2010, 6:39 am

Hi,

TuneUp Utilities 2009

This is another program equipped with a registry optimizer. I would like to recommend to you once again that a reformat and reinstall is the best option. It's not because of a malware infection, but it seems your system has been damaged by this type of application.
The returned logs appear to be clean of any malware, and the remaining problem (BSOD) could be one of the effects of registry-related programs.
Please let me know if you have any questions.

Next,
Uninstall Combofix
  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall into the Run box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

Next,
DeFogger - Enable
  • double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Information.
We have done all we can do to help here. If you need further assistance, I would refer you to one of the Systems/Hardware forums here:

Good System/Hardware Help Forums

You may need to register (it's free) in order to post at their forum ;)
Good luck!
xixo_12
MRU Master Emeritus
 
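The log posted above, and xixo_12's reading of it (every "hooked" kernel function is owned by one module, TUKERNEL.EXE, the boot-screen kernel copy TuneUp Utilities installs, rather than by a third-party driver), can be checked mechanically. The script below is an added example, not code from the thread, from MalwareRemoval.com or from any tool mentioned in it: it parses the log's "Key: Value" record format, groups kernel hooks by owning module, collects listening TCP ports per process and the reported hidden objects, and applies two labelled heuristics to each hook owner. SAMPLE_LOG is a constructed excerpt in the posted format; the NtCreateFile/example.sys record is invented to show the contrasting case of a jump target outside the kernel image, and STOCK_KERNELS and KERNEL_WINDOW are the example's own assumptions.

```python
"""Triage of the anti-rootkit log posted above (added example, not the thread's own code).
The log is blank-line-separated records of "Key: Value" lines.  This script parses them and
applies mechanically the judgement the helper made by eye: who owns the kernel hooks, which
processes hold listening sockets, which objects were reported hidden.  SAMPLE_LOG is a
constructed excerpt in the posted format; the example.sys record is constructed to show
the contrasting case of a jump target outside the kernel image."""
import re
from collections import defaultdict

# Kernel image names Windows XP ships (assumption).  An owner outside this set, such as
# TUKERNEL.EXE, the boot-screen kernel copy TuneUp Utilities installs, is a third-party image.
STOCK_KERNELS = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}
KERNEL_WINDOW = 0x400000  # 4 MB: generous upper bound on the XP kernel image size (assumption)

SAMPLE_LOG = r"""
Hooked Function: ObReferenceObjectByHandle
At Address: 8056C593
Jump To: 8056C508
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: Sysenter
At Address: ---
Jump To: 804DD89F
Module Name: \WINDOWS\system32\TUKERNEL.EXE

Hooked Function: NtCreateFile
At Address: 80579A0C
Jump To: F7A3C1E0
Module Name: \WINDOWS\system32\drivers\example.sys

******************************************************************************************
No IRP Hooks found

Ports:
Local Address: HARISH:12080
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
State: LISTENING

Hidden files/folders:
Object: C:\Program Files\IObit\IObit SmartDefrag\language\Lietuviu.lng
Status: Hidden
"""

# "Key: Value" with a non-empty value; bare section headers such as "Ports:" do not match.
RECORD_LINE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(\S.*)$")

def parse_records(text):
    """One dict per blank-line-separated block; separator, notice and header lines drop out."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = RECORD_LINE.match(line.strip())
            if m:
                rec[m.group(1)] = m.group(2)
        if rec:
            records.append(rec)
    return records

def to_int(field):
    """Hex address field -> int; '---' (the Sysenter entry carries no address) -> None."""
    return int(field, 16) if re.fullmatch(r"[0-9A-Fa-f]+", field) else None

def summarise(records):
    """Bucket records: hooks by owning module, listening TCP ports by process, hidden objects."""
    hooks, listening, hidden = defaultdict(list), defaultdict(list), []
    for rec in records:
        if "Hooked Function" in rec:
            hooks[rec["Module Name"]].append(
                (rec["Hooked Function"], to_int(rec["At Address"]), to_int(rec["Jump To"])))
        elif rec.get("State") == "LISTENING":
            listening[rec["Process"]].append(int(rec["Local Address"].rsplit(":", 1)[1]))
        elif rec.get("Status") == "Hidden":
            hidden.append(rec["Object"])
    return hooks, listening, hidden

def classify_hooks(hooks):
    """Heuristic verdict per hook owner: its file name, plus whether every jump target stays
    within one image-sized window of the hooked addresses.  A replaced kernel keeps the jumps
    inside the kernel image; a driver that patches the kernel jumps out to its own .sys."""
    verdicts = {}
    for module, entries in hooks.items():
        name = module.rsplit("\\", 1)[-1].lower()
        ats = [a for _, a, _ in entries if a is not None]
        jumps = [j for _, _, j in entries if j is not None]
        in_window = bool(ats) and all(abs(j - min(ats)) < KERNEL_WINDOW for j in jumps)
        if name in STOCK_KERNELS and in_window:
            verdicts[module] = "stock kernel, jumps stay in image: compare with the on-disk kernel"
        elif name.endswith(".exe") and in_window:
            verdicts[module] = "non-stock kernel image, jumps stay in image: find the product that installed it"
        else:
            verdicts[module] = "jump targets leave the kernel image: inspect this module"
    return verdicts

def report(text):
    """Full triage: returns the printable summary and the per-module verdicts."""
    hooks, listening, hidden = summarise(parse_records(text))
    verdicts = classify_hooks(hooks)
    lines = [f"{len(e):3d} hooks  {m}  -> {verdicts[m]}" for m, e in hooks.items()]
    lines += [f"LISTEN {sorted(ports)}  {proc}" for proc, ports in listening.items()]
    lines += [f"HIDDEN {obj}" for obj in hidden]
    return "\n".join(lines), verdicts

if __name__ == "__main__":
    print(report(SAMPLE_LOG)[0])
```

Run against the full posted log (paste it into SAMPLE_LOG or read it from a file) the TUKERNEL.EXE owner collects every hook and the listening ports resolve to Avast, Java Quick Starter, Firefox, alg.exe, svchost.exe and SYSTEM. The verdict strings are triage prompts, not proof: a non-stock kernel image still has to be tied to the product that installed it, which is the step xixo_12 did by hand.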

Re: Help please

Unread postby hema » April 23rd, 2010, 10:18 am

Well, so I believe I was clean in the beginning, so I believe I am safe :D Well, I didn't have any problems with my PC, so I believe my defence did well, so I gotta install Spybot again.
Anyway, do you know why GMER crashed every time? That was weird, because I believe I had used the program successfully a few months ago.
hema
Regular Member
 

Re: Help please

Unread postby xixo_12 » April 23rd, 2010, 11:15 am

I explained about the registry optimizer in my previous post. That could be one of the reasons.

Anyway, I will ask for this topic to be closed soon. Safe surfing!
xixo_12
MRU Master Emeritus
 

Re: Help please

Unread postby hema » April 23rd, 2010, 11:35 am

tyvm mate, good thing I didn't reformat ;p
hema
Regular Member
 

Re: Help please

Unread postby Dakeyras » April 23rd, 2010, 6:11 pm

As this topic is resolved, it is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Dakeyras
MRU Honors Graduate
 