ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2011/01/19 21:57
Program Version:    Version 1.3.5.0
Windows Version:    Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8F90B000    Size: 819200    File Visible: No    Signed: -
Status: -

Name: kwtyapod.sys
Image Path: C:\Users\poniat\AppData\Local\Temp\kwtyapod.sys
Address: 0xAC989000    Size: 94848    File Visible: No    Signed: -
Status: -

Name: PCI_PNP6434
Image Path: \Driver\PCI_PNP6434
Address: 0x80696000    Size: 0    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAC9A1000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1065c5f3-240b-11e0-b51d-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{141ee25e-231b-11e0-b773-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{141ee264-231b-11e0-b773-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{141ee26b-231b-11e0-b773-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{141ee271-231b-11e0-b773-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{141ee27a-231b-11e0-b773-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a80be9f3-23f4-11e0-87f4-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\System Volume Information\{b2333775-1cd4-11e0-a2a6-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{be1b0c53-23f2-11e0-9d35-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{be1b0c59-23f2-11e0-9d35-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c127c5f3-1bbe-11e0-b614-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ce3513fd-1f34-11e0-a138-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{de1b636f-2266-11e0-a98e-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3c784b77-23f9-11e0-a8de-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{546a9678-2264-11e0-b94c-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6d24437a-1ffb-11e0-a14f-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{141ee282-231b-11e0-b773-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1452ba74-2090-11e0-b463-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2e3ef974-2258-11e0-a478-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!
Path: C:\System Volume Information\{2e3ef97a-2258-11e0-a478-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{36b10a71-215a-11e0-b318-001e6887b5d5}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_5d1777c2e857a23b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_5926f98ceadc42c2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_bdf22a22ab9e15d5.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b59bae9d65014b98.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.21022.8_none_5ce47260749ddc2c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b81d038aaf540e86.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_516e2e610f48bda6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\989e628160e12c984a435d2bb2a335ad043e006646150c7b1f3bb52dccd842cc.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\d5ecf2ab9387e082648bbcccd6eceb9d67b096939150833d0ae3066b3a1a676e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\3582cf91bea0e0e7b5f4b8a168a2e4bf248a01f764aa3c5d7c4f352ebc681e9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\935df4549e21123a2efb986a707f54475380a037519679510e4b4dfc4bdb5767.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\88b03fe13d2710ad787d5d96cd0e5cbeda3a61c2a0a2bdc0c0984a48365242e2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\6404bc9cb3e4e1c5b38e2b30c572adc4cfa78ac96aea8997b1e713f62b18ca50.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\b080e112e69d2e9c8e71acd39a81f0d469d837625ceb8ed73b5b87da1fd1424c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\ef483ae0673e2975dd4224fe26749623c1c702b8b3fded10161417459e1771a7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\2d3cb7907b1336ea5889a2b731d5e97ad40903a4efd2287c1c117bc30f208f46.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\f8209ee440679adcdab198fe5262dd5ff95c1d654f488816d0f33c8a45d5e8d8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\a951d53950c367acc37622f0dd619a954df5de2c4ec40296e6636605aa33714a.cat
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\Manifests\91ca50cec42075fff02b366323bf3b45d2053b24544bd12b622b65621bd0edd5.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\dd72f7ab2def5f75f58d01b24643b308750c38685daaed50bcddf61c18460dee.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\5effcbd6bfe308cd94c31922a126a132ef26282a495f9fc0963000a8e158d866.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\71503c1b988fb27a41668f3ba35468d268daf07e8e79cf7b82a1ef64a8d213a1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\f7bf65ca621d8ad32ead1500a08827be239d0f49d83dc20dabf57d2eb17adbd7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\8b414e757cb8b153bff77dd00a36556aea3adab25ce15f3e8b184ffbf41ba7a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\70f19edeeb8e3329aad18f744094ea0319d2ecc78dd6a12559a1e765c42418f7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Manifests\bd83dce340498e7c363093c2fc74dfb58e1ec17770453905172c7471fadd9333.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8945d572a01e6a1a\$$DeleteMe.authui.dll.mui.01c85bd62bbf0bd4.00fc
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6000.16386_en-us_1652b637b3e9dec3\$$DeleteMe.advapi32.dll.mui.01c85bd62f1a5c34.0106
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.0.6000.16609_none_75246f2a2fbd4c23\$$DeleteMe.umpnpmgr.dll.01c85bd6147698d4.00d2
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-deltapackageexpander_31bf3856ad364e35_6.0.6000.16609_none_68015a2337d92e69\$$DeleteMe.dpx.dll.01c85bd609be0774.008c
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.0.6000.16386_de-de_9bfa581972f74c63\$$DeleteMe.msimsg.dll.mui.01cb2bedd414979c.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.0.6000.16386_en-us_44eb2e1261d55828\$$DeleteMe.msimsg.dll.mui.01cb2bedd3fa687c.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_443379f2cfffc1e3\$$DeleteMe.msimsg.dll.mui.01cb2bedd441d1bc.0005
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-installer-engine_31bf3856ad364e35_6.0.6001.18000_none_037a7e2bb384bf01\$$DeleteMe.msi.dll.01cb2bedd3e4fc1c.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-installer-engine_31bf3856ad364e35_6.0.6001.18000_none_037a7e2bb384bf01\$$DeleteMe.msimsg.dll.01cb2bedd3ee819c.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-installer-executable_31bf3856ad364e35_6.0.6001.18000_none_498174cc8619e2a5\$$DeleteMe.msiexec.exe.01cb2bedd3f0e2fc.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-kernel32.resources_31bf3856ad364e35_6.0.6000.16386_en-us_3ae40182285968c3\$$DeleteMe.kernel32.dll.mui.01c85bd62e22cd34.0104
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8471125599b04653\$$DeleteMe.lsasrv.dll.mui.01c85bd62e0d60d4.0103
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-security.resources_31bf3856ad364e35_6.0.6000.16386_en-us_4bff07e547a87678\$$DeleteMe.bfe.dll.mui.01c85bd62a19b874.00f9
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-ole-automation_31bf3856ad364e35_6.0.6000.16609_none_bb22ee81fe4b8646\$$DeleteMe.oleaut32.dll.01c85bd5fae49394.004a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..-localspl.resources_31bf3856ad364e35_6.0.6000.16386_en-us_6550c2bd9d5506b8\$$DeleteMe.localspl.dll.mui.01c85bd62cce6894.00ff
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasdlg.resources_31bf3856ad364e35_6.0.6000.16386_en-us_b3d770224b17bcea\$$DeleteMe.rasdlg.dll.mui.01c85bd62d21b8b4.0100
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..nsing-slc.resources_31bf3856ad364e35_6.0.6000.16386_en-us_cc9601aaa8e38997\$$DeleteMe.SLsvc.exe.mui.01c85bd62a01eab4.00f8
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..stack-msg.resources_31bf3856ad364e35_6.0.6000.16603_en-us_606250c3962a1d2f\$$DeleteMe.CbsMsg.dll.mui.01c85bd2d0dd91d4.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..stack-msg.resources_31bf3856ad364e35_6.0.6000.16609_en-us_6068527f9624b539\$$DeleteMe.CbsMsg.dll.mui.01c85bd63d2e3df4.010b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-servicingstack-msg_31bf3856ad364e35_6.0.6000.16603_none_3cbc2c2b2dde229a\$$DeleteMe.CbsMsg.dll.01c85bd2d0d8cf14.0006
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-servicingstack-msg_31bf3856ad364e35_6.0.6000.16609_none_3cc22de72dd8baa4\$$DeleteMe.CbsMsg.dll.01c85bd63d167034.0108
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.0.6000.16609_en-us_688391467a338aaa\$$DeleteMe.setupapi.dll.mui.01c85bd62cad1554.00fe
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-setupapi_31bf3856ad364e35_6.0.6000.16609_none_33181da4c90f2d73\$$DeleteMe.setupapi.dll.01c85bd60e029e94.00a7
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..installer.resources_31bf3856ad364e35_6.0.6000.16386_en-us_64f3d4fcc5c084a0\$$DeleteMe.TrustedInstaller.exe.mui.01c85bd63d2719d4.010a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.0.6000.16386_en-us_da5b0bda3feb82a8\$$DeleteMe.lsm.exe.mui.01c85bd62df59314.0101
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-t..r-service.resources_31bf3856ad364e35_6.0.6000.16386_en-us_bd2d20fd727b8e51\$$DeleteMe.schedsvc.dll.mui.01c85bd62ec24954.0105
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-service_31bf3856ad364e35_6.0.6000.16609_none_2d23e28599d3cbd6\$$DeleteMe.schedsvc.dll.01c85bd5ffba5e94.0061
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6000.16609_none_8f2ff7784ff80919\$$DeleteMe.TrustedInstaller.exe.01c85bd63d0a8954.0107
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-user32.resources_31bf3856ad364e35_6.0.6000.16386_en-us_3bc735ce2e322939\$$DeleteMe.user32.dll.mui.01c85bd629b82014.00f7
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e35953a4d64965cf\$$DeleteMe.vsstrace.dll.mui.01c85bd62a9ca414.00fb
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-w..ient-core.resources_31bf3856ad364e35_6.0.6000.16386_en-us_02200873e1481824\$$DeleteMe.wuaueng.dll.mui.01c85bd62c314dd4.00fd
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_microsoft-windows-w..owsupdateclient-aux_31bf3856ad364e35_6.0.6000.16386_none_92bcd538c06ec160\$$DeleteMe.wuapi.dll.01c85bd5ef74b854.0016
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_6.0.6000.16386_none_acab9aecacae685d\$$DeleteMe.wuaueng.dll.01c85bd5f157ef74.0023
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft.windows.winhttp_31bf3856ad364e35_5.1.6000.16386_none_22973772c5385326\$$DeleteMe.winhttp.dll.01c85bd5f8454fd4.003a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6000.20883_none_8469d28baa199a7e\GROUPE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_appdata_b03f5f7f11d50a3a_6.0.6000.16720_none_9b31bbe79077558b\GROUPE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.16720_none_04c87b54ba4ac535\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.20883_none_ee0091f8d3ed0a28\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.18111_none_04a3600aba9cd1d6\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.22230_none_edd7d0a6d4424ae9\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\MANAGE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\CHOOSE~1.ASP
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_b03f5f7f11d50a3a_6.0.6001.18111_none_75c874a9a137a5f0\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6001.22230_none_9a1350e27965368d\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.18111_none_a335242e0936a3fd\INSTAL~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.18111_none_a335242e0936a3fd\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.16720_none_c39efe8a3f927437\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.20883_none_acd7152e5934b92a\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.18111_none_c379e3403fe480d8\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.22230_none_acae53dc5989f9eb\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6000.16720_none_b103fb905f6db0d9\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6000.20883_none_9a3c1234790ff5cc\MANAGE~1.RES
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6001.18111_none_b0dee0465fbfbd7a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_e2c358ab062e054b\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_cbfb6f4f1fd04a3e\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_e29e3d61068011ec\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_cbd2adfd20258aff\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6000.16720_none_c2e2272db9e7b99c\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6000.20883_none_c32de54ed3334d11\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6001.18111_none_c4d43609b70547f3\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-installutil_exe_config_rtm_31bf3856ad364e35_6.0.6001.22230_none_c54732b2d0340648\INSTAL~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-mscoree_dll_31bf3856ad364e35_6.0.6001.18000_none_b55ffc255629a804\$$DeleteMe.mscoree.dll.01cb2b84455cf2e9.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-mscorsvw_exe_b03f5f7f11d50a3a_6.0.6001.18000_none_1ff6260de878daa7\$$DeleteMe.mscorsvw.exe.01cb2b84474c10e9.0002
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8531f236918d1acc\$$DeleteMe.FirewallAPI.dll.mui.01c85bd62e03db54.0102
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6001.18096_none_33db43850c7307a2\_SMSVC~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.0.6001.22208_none_34c832162545dbc8\_SMSVC~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_reg_31bf3856ad364e35_6.0.6000.16708_none_2e6f68d711833115\_SMSVC~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_reg_31bf3856ad364e35_6.0.6000.20864_none_2eb424f22ad51329\_SMSVC~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_reg_31bf3856ad364e35_6.0.6001.18096_none_2ff255b70ef48daa\_SMSVC~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_smsvchost_perf_c_reg_31bf3856ad364e35_6.0.6001.22208_none_30df444827c761d0\_SMSVC~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_windowssearchengine.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8cee37712b17ca53\$$DeleteMe.tquery.dll.mui.01c85bd62a8737b4.00fa
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wpf-presentationfontcache_31bf3856ad364e35_6.0.6001.18000_none_059996cf122e11ba\$$DeleteMe.PresentationFontCache.exe.01cb2b844a4f4e69.0006
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.22230_none_8c6994ca22dc1d10\INSTAL~1.SQL
Status: Locked to the Windows API!
Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.22230_none_8c6994ca22dc1d10\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_2c88b9b71ca44e71\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_15c0d05b36469364\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_2c639e6d1cf65b12\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_15980f09369bd425\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Wind

Processes
-------------------
Path: System
PID: 4    Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1308    Status: Locked to the Windows API!

SSDT
-------------------
#: 012    Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f647bd0

#: 021    Function Name: NtAlpcConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64952c

#: 022    Function Name: NtAlpcCreatePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f649782

#: 038    Function Name: NtAlpcSendWaitReceivePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f6499fc

#: 048    Function Name: NtClose
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f648450

#: 054    Function Name: NtConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f648b32

#: 058    Function Name: NtCreateEvent
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f648f3c

#: 060    Function Name: NtCreateFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f6485f8

#: 067    Function Name: NtCreateMutant
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f648e14

#: 068    Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f6477d6

#: 071    Function Name: NtCreatePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f648cd0

#: 075    Function Name: NtCreateSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f647992

#: 076    Function Name: NtCreateSemaphore
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64906e

#: 077    Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64acb0

#: 078    Function Name: NtCreateThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f6480ee

#: 115    Function Name: NtCreateWaitablePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f648d72

#: 116    Function Name: NtDebugActiveProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64a6a2

#: 129    Function Name: NtDuplicateObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64b672

#: 150    Function Name: NtFsControlFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f648752

#: 165    Function Name: NtLoadDriver
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64a734

#: 177    Function Name: NtMapViewOfSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64ad64

#: 184    Function Name: NtOpenEvent
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f648fde

#: 186    Function Name: NtOpenFile
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f6484d2

#: 191    Function Name: NtOpenMutant
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f648eac

#: 194    Function Name: NtOpenProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f647dd6

#: 197    Function Name: NtOpenSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64acda

#: 198    Function Name: NtOpenSemaphore
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f649110

#: 201    Function Name: NtOpenThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f647cfa

#: 219    Function Name: NtQueryDirectoryObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f649c3e

#: 242    Function Name: NtQuerySection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64b07c

#: 255    Function Name: NtQueueApcThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64a9ca

#: 270    Function Name: NtReplyPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64949a

#: 271    Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f649360

#: 276    Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64a442

#: 282    Function Name: NtResumeThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64b554

#: 286    Function Name: NtSecureConnectPort
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64886c

#: 289    Function Name: NtSetContextThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64830c

#: 307    Function Name: NtSetInformationToken
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f649cf2

#: 314    Function Name: NtSetSecurityObject
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64a82e

#: 317    Function Name: NtSetSystemInformation
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64b1bc

#: 330    Function Name: NtSuspendProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64b2a0

#: 331    Function Name: NtSuspendThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64b3c8

#: 332    Function Name: NtSystemDebugControl
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64a5ce

#: 334    Function Name: NtTerminateProcess
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f647f4e

#: 335    Function Name: NtTerminateThread
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f647ea4

#: 348    Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64af32

#: 358    Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f64802e

#: 382    Function Name: NtCreateThreadEx
Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f6481ee

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x863531e8    Size: 121

Object: Hidden Code
[Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP] Process: System Address: 0x863531e8 Size: 121 Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE] Process: System Address: 0x863511e8 Size: 121 Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE] Process: System Address: 0x863511e8 Size: 121 Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x863511e8 Size: 121 Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x863511e8 Size: 121 Object: Hidden Code [Driver: atapi, IRP_MJ_POWER] Process: System Address: 0x863511e8 Size: 121 Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x863511e8 Size: 121 Object: Hidden Code [Driver: atapi, IRP_MJ_PNP] Process: System Address: 0x863511e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_CREATE] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_CLOSE] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_READ] Process: System Address: 0x887301e8 Size: 121 Object: 
Hidden Code [Driver: cdromS, IRP_MJ_WRITE] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_SHUTDOWN] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_POWER] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: cdromS, IRP_MJ_PNP] Process: System Address: 0x887301e8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: System Address: 0x886a71e8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE] Process: System Address: 0x886a71e8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x886a71e8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x886a71e8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER] Process: System Address: 0x886a71e8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x886a71e8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP] Process: System Address: 0x886a71e8 Size: 121 Object: Hidden Code [Driver: Smb, IRP_MJ_CREATE] Process: System Address: 0x8b5c91e8 Size: 121 Object: Hidden Code [Driver: Smb, IRP_MJ_CLOSE] Process: System Address: 0x8b5c91e8 Size: 121 Object: Hidden Code [Driver: Smb, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8b5c91e8 Size: 121 Object: Hidden Code [Driver: Smb, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8b5c91e8 Size: 121 Object: Hidden Code [Driver: Smb, IRP_MJ_CLEANUP] Process: 
System Address: 0x8b5c91e8 Size: 121 Object: Hidden Code [Driver: Smb, IRP_MJ_PNP] Process: System Address: 0x8b5c91e8 Size: 121 Object: Hidden Code [Driver: netbt, IRP_MJ_CREATE] Process: System Address: 0x8b4b01e8 Size: 121 Object: Hidden Code [Driver: netbt, IRP_MJ_CLOSE] Process: System Address: 0x8b4b01e8 Size: 121 Object: Hidden Code [Driver: netbt, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8b4b01e8 Size: 121 Object: Hidden Code [Driver: netbt, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8b4b01e8 Size: 121 Object: Hidden Code [Driver: netbt, IRP_MJ_CLEANUP] Process: System Address: 0x8b4b01e8 Size: 121 Object: Hidden Code [Driver: netbt, IRP_MJ_PNP] Process: System Address: 0x8b4b01e8 Size: 121 Object: Hidden Code [Driver: iScsiPrtП牄夨菦㱐跊, IRP_MJ_CREATE] Process: System Address: 0x8873c1e8 Size: 121 Object: Hidden Code [Driver: iScsiPrtП牄夨菦㱐跊, IRP_MJ_CLOSE] Process: System Address: 0x8873c1e8 Size: 121 Object: Hidden Code [Driver: iScsiPrtП牄夨菦㱐跊, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x8873c1e8 Size: 121 Object: Hidden Code [Driver: iScsiPrtП牄夨菦㱐跊, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x8873c1e8 Size: 121 Object: Hidden Code [Driver: iScsiPrtП牄夨菦㱐跊, IRP_MJ_POWER] Process: System Address: 0x8873c1e8 Size: 121 Object: Hidden Code [Driver: iScsiPrtП牄夨菦㱐跊, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x8873c1e8 Size: 121 Object: Hidden Code [Driver: iScsiPrtП牄夨菦㱐跊, IRP_MJ_PNP] Process: System Address: 0x8873c1e8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x886f31e8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x886f31e8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x886f31e8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x886f31e8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System 
Address: 0x886f31e8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x886f31e8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x886f31e8 Size: 121 Object: Hidden Code [Driver: msahci, IRP_MJ_POWER] Process: System Address: 0x863521e8 Size: 121 Object: Hidden Code [Driver: msahci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x863521e8 Size: 121 Object: Hidden Code [Driver: msahci, IRP_MJ_PNP] Process: System Address: 0x863521e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_CREATE] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_CLOSE] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_READ] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_WRITE] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_SET_INFORMATION] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_QUERY_EA] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_SET_EA] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code 
[Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_SHUTDOWN] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_CLEANUP] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_SET_SECURITY] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_POWER] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_SET_QUOTA] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: mrxsmb❰胟І瑎湦܇$, IRP_MJ_PNP] Process: System Address: 0x886c91e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_CREATE] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_CLOSE] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_READ] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_WRITE] Process: 
System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_SET_INFORMATION] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_SHUTDOWN] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_CLEANUP] Process: System Address: 0x868271e8 Size: 121 Object: Hidden Code [Driver: cdfsЍ䱋捳, IRP_MJ_PNP] Process: System Address: 0x868271e8 Size: 121 Shadow SSDT ------------------- #: 013 Function Name: NtGdiBitBlt Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658d1c #: 235 Function Name: NtGdiMaskBlt Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658de6 #: 245 Function Name: NtGdiPlgBlt Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658e50 #: 301 Function Name: NtGdiStretchBlt Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658d80 #: 317 Function Name: NtUserAttachThreadInput Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658930 #: 333 Function Name: NtUserCallOneParam Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658ce8 #: 391 Function Name: NtUserFindWindowEx Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658b1e #: 397 Function Name: 
NtUserGetAsyncKeyState Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658898 #: 428 Function Name: NtUserGetKeyboardState Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658c20 #: 430 Function Name: NtUserGetKeyState Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f6588e4 #: 479 Function Name: NtUserMessageCall Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658a70 #: 497 Function Name: NtUserPostMessage Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f6589c6 #: 498 Function Name: NtUserPostThreadMessage Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658a1a #: 513 Function Name: NtUserRegisterRawInputDevices Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658bb0 #: 525 Function Name: NtUserSendInput Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f658ad0 #: 573 Function Name: NtUserSetWindowsHookEx Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f6587e8 #: 576 Function Name: NtUserSetWinEventHook Status: Hooked by "C:\Windows\system32\DRIVERS\klif.sys" at address 0x8f65883e ==EOF==