COPIED FROM MY LAST THREAD, a summary of my problem question; the rest was back and forth in the thread.
Kaspersky found and deleted trojan.win32.antavmu.gaz on my desktop computer. My laptop is clean, hard drive replaced and everything, so it's not an issue. The beginning is about an OLD issue, leading up to why I am so paranoid about this thing that was found, because I recognize the term win32 from the last one. But NOTHING found has virut in the name, so I am not sure if it's the same thing or not, which is why I am asking. I want to know if I have to reformat my desktop or not. As of now Kaspersky is finding nothing on my computer; I just want to make sure it really IS clean before I reconnect my net, since I don't want to risk it populating from it. Whatever you need me to do to get more information I can do, unless you know what that term means and can tell me right off if I am screwed or fine.
DDS
Run by Owner at 19:31:25.28 on Mon 12/14/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1527.929 [GMT -6:00]
AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NCH Swift Sound\VRS\vrs.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.neopets.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-qus10.hpwis.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: FCTB00108Pos Class: {b1be275b-78bf-4a33-81ab-380699cff329} - c:\program files\gaia online toolbar\Toolbar.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: &Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\common\ycomp5,1,1,0.dll
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Gaia Online Toolbar: {b3535c18-0e70-4d4b-b36b-bbfe139bb144} - c:\program files\gaia online toolbar\Toolbar.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
TB: {E1BACF55-35E1-4E47-9247-2D48660E5545} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [AEIWLSTA.EXE] AEIWLSTA.EXE START
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\imvu.lnk - c:\documents and settings\owner\application data\imvuclient\IMVUQualityAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Search
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 7.0\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
LSP: SpSubLSP.dll
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} - hxxp://www.tricksteronline.com/control/tricksterActiveX.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - hxxp://www.tricksteronline.com/control/KALogoutComponent.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\adialhk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\68xohs4t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.neopets.com/
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={189BB3EC-69A3-7593-51C7-E6D56A7234DE}&q=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\68xohs4t.default\extensions\piclens@cooliris.com\components\cooliris.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\68xohs4t.default\extensions\flashplugin@idm\platform\winnt\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\68xohs4t.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\68xohs4t.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-4-28 112144]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-6-27 194320]
R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\vmlaunch\BuddyVM.sys [2004-10-5 15872]
R2 AVP;Kaspersky Internet Security 7.0;c:\program files\kaspersky lab\kaspersky internet security 7.0\avp.exe [2007-6-28 218376]
R2 CamthWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CamthWDM.sys [2007-1-10 243584]
R2 cpqdiag;Compaq Diagnostics Driver;c:\windows\system32\drivers\Cpqdiag.sys [2004-12-29 41344]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-15 55152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R2 VRSService;VRS Recording System;c:\program files\nch swift sound\vrs\vrs.exe [2008-2-7 614404]
R3 AEIWL;Actiontec Wireless LAN Driver;c:\windows\system32\drivers\AEIWLNDS.sys [2005-12-12 611328]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-5-13 127496]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\owner\desktop\vcdrom.sys --> c:\documents and settings\owner\desktop\VCdRom.sys [?]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S3 Shrfrarasuk;Shrfrarasuk;c:\windows\system32\drivers\hsfdpsp2.sys [2004-8-3 1041536]
=============== Created Last 30 ================
2009-12-14 02:34:34 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2009-12-14 02:34:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-14 02:34:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-14 02:34:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-14 02:34:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 16:27:56 0 d-----w- c:\docume~1\owner\applic~1\Digsby
2009-12-11 16:16:31 0 ----a-w- C:\install.rdf
2009-12-11 09:05:50 0 d-----w- c:\program files\Fast Browser Search
2009-12-10 08:38:42 0 d-----w- c:\docume~1\owner\applic~1\FooPetsDesktop.E1A59F4315F58433140DC6A108B4F20995854275.1
2009-12-10 08:38:11 0 d-----w- c:\program files\FooPets Desktop
==================== Find3M ====================
2009-12-15 01:31:32 89632 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-15 01:31:18 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-15 01:30:37 3381024 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-15 01:17:46 318992 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2001-04-04 08:54:02 36864 ----a-w- c:\windows\inf\Option.exe
2006-08-27 17:47:41 0 -csha-w- c:\windows\sminst\HPCD.sys
2008-11-22 05:34:36 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-02 12:03:01 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-06-02 12:03:01 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-06-02 12:03:01 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 19:32:42.68 ===============
And here is my RootRepeal log:
==================================================
Scan Start Time: 2009/12/14 20:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dxmorwi.sys
Image Path: dxmorwi.sys
Address: 0xF75F7000 Size: 54016 File Visible: No Signed: -
Status: -
Name: PCI_PNP1146
Image Path: \Driver\PCI_PNP1146
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAF89D000 Size: 49152 File Visible: No Signed: -
Status: -
Name: spis.sys
Image Path: spis.sys
Address: 0xF7436000 Size: 1048576 File Visible: No Signed: -
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: c:\windows\system32\drivers\fidbox.dat
Status: Size mismatch (API: 10660640, Raw: 10658848)
Path: c:\documents and settings\all users\application data\kaspersky lab\avp7\report\4eb5_file_monitoring_eventlog.rpt
Status: Size mismatch (API: 51247827, Raw: 51148396)
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\60\125-{D5224450-DF60-41C4-9338-051809515C30}-v160-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v125-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\61\126-{D5224450-DF60-41C4-9338-051809515C30}-v161-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v126-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\62\27-{D5224450-DF60-41C4-9338-051809515C30}-v62-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v27-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\63\28-{D5224450-DF60-41C4-9338-051809515C30}-v63-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v28-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\64\130-{D5224450-DF60-41C4-9338-051809515C30}-v164-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v130-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\65\31-{D5224450-DF60-41C4-9338-051809515C30}-v65-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v31-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\66\132-{D5224450-DF60-41C4-9338-051809515C30}-v166-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v132-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\67\133-{D5224450-DF60-41C4-9338-051809515C30}-v167-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v133-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\69\135-{D5224450-DF60-41C4-9338-051809515C30}-v169-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v135-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\70\136-{D5224450-DF60-41C4-9338-051809515C30}-v170-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v136-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\70\36-{D5224450-DF60-41C4-9338-051809515C30}-v70-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v36-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\71\137-{D5224450-DF60-41C4-9338-051809515C30}-v171-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v137-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\73\139-{D5224450-DF60-41C4-9338-051809515C30}-v173-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v139-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\74\140-{D5224450-DF60-41C4-9338-051809515C30}-v174-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v140-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\75\41-{D5224450-DF60-41C4-9338-051809515C30}-v75-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v41-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\76\142-{D5224450-DF60-41C4-9338-051809515C30}-v176-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v142-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\77\43-{D5224450-DF60-41C4-9338-051809515C30}-v77-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v43-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\79\145-{D5224450-DF60-41C4-9338-051809515C30}-v179-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v145-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\81\147-{D5224450-DF60-41C4-9338-051809515C30}-v181-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v147-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\83\149-{D5224450-DF60-41C4-9338-051809515C30}-v183-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v149-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\84\150-{D5224450-DF60-41C4-9338-051809515C30}-v184-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v150-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\84\66-{D5224450-DF60-41C4-9338-051809515C30}-v84-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v66-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\85\67-{D5224450-DF60-41C4-9338-051809515C30}-v85-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v67-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\86\152-{D5224450-DF60-41C4-9338-051809515C30}-v186-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v152-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\87\153-{D5224450-DF60-41C4-9338-051809515C30}-v187-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v153-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\87\69-{D5224450-DF60-41C4-9338-051809515C30}-v87-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v69-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\90\156-{D5224450-DF60-41C4-9338-051809515C30}-v190-{896DD5E4-B0F2-4467-BCB5-54C050F70A86}-v156-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\agirl3003@hotmail.com\SharingMetadata\ray_raye07@msn.com\DFSR\Staging\CS{7AD02A17-F3D2-5DFB-631C-3375E25C4DA1}\90\64-{D5224450-DF60-41C4-93
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd51e0
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd32f0
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6750
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd4f10
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd5080
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd5d00
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd57b0
#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd6600
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6860
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc68e0
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd5380
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6990
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6a40
#: 079 Function Name: NtFlushKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6af0
#: 092 Function Name: NtInitializeRegistry
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6b70
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd2e50
#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc7590
#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6b90
#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6c70
#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xbae28030
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6d50
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd4d00
#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd5b20
#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6e30
#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6ee0
#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd62b0
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc6f90
#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc7070
#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd3900
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc7100
#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd65b0
#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc7300
#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd6940
#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd6f60
#: 226 Function Name: NtSetInformationKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc7390
#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd1a10
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd59a0
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc7430
#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd6560
#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd31b0
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd6150
#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffc7550
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd5240
Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x89edad80, TID: 1500]
Process: avp.exe (PID: 1496) Address: 0x0041ee88 Size: -
Object: Hidden Thread [ETHREAD: 0x89664020, TID: 1504]
Process: avp.exe (PID: 1496) Address: 0x77dede99 Size: -
Object: Hidden Thread [ETHREAD: 0x89898aa0, TID: 1680]
Process: avp.exe (PID: 1496) Address: 0x10002490 Size: -
Object: Hidden Thread [ETHREAD: 0x89912508, TID: 1828]
Process: avp.exe (PID: 1496) Address: 0x02e13272 Size: -
Object: Hidden Thread [ETHREAD: 0x8980f6a0, TID: 1836]
Process: avp.exe (PID: 1496) Address: 0x68101131 Size: -
Object: Hidden Thread [ETHREAD: 0x89b1c720, TID: 252]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x898ed020, TID: 540]
Process: avp.exe (PID: 1496) Address: 0x038120de Size: -
Object: Hidden Thread [ETHREAD: 0x89ee0da8, TID: 1436]
Process: avp.exe (PID: 1496) Address: 0x77e76bf9 Size: -
Object: Hidden Thread [ETHREAD: 0x898675b0, TID: 1512]
Process: avp.exe (PID: 1496) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x8988a968, TID: 1536]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x89bfdb70, TID: 1648]
Process: avp.exe (PID: 1496) Address: 0x05a56554 Size: -
Object: Hidden Thread [ETHREAD: 0x8974d5d8, TID: 1652]
Process: avp.exe (PID: 1496) Address: 0x302f6ab0 Size: -
Object: Hidden Thread [ETHREAD: 0x89bb5728, TID: 1668]
Process: avp.exe (PID: 1496) Address: 0x6a104ad0 Size: -
Object: Hidden Thread [ETHREAD: 0x898958e0, TID: 1712]
Process: avp.exe (PID: 1496) Address: 0x6a104590 Size: -
Object: Hidden Thread [ETHREAD: 0x89787588, TID: 2056]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x89651da8, TID: 2064]
Process: avp.exe (PID: 1496) Address: 0x61f0baac Size: -
Object: Hidden Thread [ETHREAD: 0x89c9f5e8, TID: 2068]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x8997fda8, TID: 2104]
Process: avp.exe (PID: 1496) Address: 0x6a104ad0 Size: -
Object: Hidden Thread [ETHREAD: 0x89b19980, TID: 2108]
Process: avp.exe (PID: 1496) Address: 0x6a104590 Size: -
Object: Hidden Thread [ETHREAD: 0x89823da8, TID: 2112]
Process: avp.exe (PID: 1496) Address: 0x6a104ad0 Size: -
Object: Hidden Thread [ETHREAD: 0x896ef358, TID: 2120]
Process: avp.exe (PID: 1496) Address: 0x6a104590 Size: -
Object: Hidden Thread [ETHREAD: 0x898865b0, TID: 2124]
Process: avp.exe (PID: 1496) Address: 0x06bd2560 Size: -
Object: Hidden Thread [ETHREAD: 0x898bbda8, TID: 2128]
Process: avp.exe (PID: 1496) Address: 0x06bd2560 Size: -
Object: Hidden Thread [ETHREAD: 0x89846020, TID: 2168]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x89745868, TID: 2172]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x898d0468, TID: 2176]
Process: avp.exe (PID: 1496) Address: 0x05fc1990 Size: -
Object: Hidden Thread [ETHREAD: 0x89b4c020, TID: 2340]
Process: avp.exe (PID: 1496) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x89682770, TID: 3224]
Process: avp.exe (PID: 1496) Address: 0x7c927125 Size: -
Object: Hidden Thread [ETHREAD: 0x896dd768, TID: 3232]
Process: avp.exe (PID: 1496) Address: 0x7c928c87 Size: -
Object: Hidden Thread [ETHREAD: 0x897849d8, TID: 3260]
Process: avp.exe (PID: 1496) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x89be2810, TID: 3508]
Process: avp.exe (PID: 1496) Address: 0x769c8831 Size: -
Object: Hidden Thread [ETHREAD: 0x89f563e0, TID: 816]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x8925b548, TID: 3968]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x892531b0, TID: 4076]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x874d1020, TID: 532]
Process: avp.exe (PID: 1496) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x896bcda8, TID: 2856]
Process: avp.exe (PID: 2852) Address: 0x0041ee88 Size: -
Object: Hidden Thread [ETHREAD: 0x89b36540, TID: 3076]
Process: avp.exe (PID: 2852) Address: 0x10002490 Size: -
Object: Hidden Thread [ETHREAD: 0x89753438, TID: 3156]
Process: avp.exe (PID: 2852) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x89b32448, TID: 3196]
Process: avp.exe (PID: 2852) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x8965ea90, TID: 3236]
Process: avp.exe (PID: 2852) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x89743888, TID: 3240]
Process: avp.exe (PID: 2852) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x89999560, TID: 3388]
Process: avp.exe (PID: 2852) Address: 0x68001a50 Size: -
Object: Hidden Thread [ETHREAD: 0x896e6cb0, TID: 3392]
Process: avp.exe (PID: 2852) Address: 0x6bc04e5c Size: -
Object: Hidden Thread [ETHREAD: 0x896b1790, TID: 3404]
Process: avp.exe (PID: 2852) Address: 0x72d230e8 Size: -
Object: Hidden Thread [ETHREAD: 0x89b359c0, TID: 3408]
Process: avp.exe (PID: 2852) Address: 0x76b44dd6 Size: -
Object: Hidden Thread [ETHREAD: 0x8999a388, TID: 3616]
Process: avp.exe (PID: 2852) Address: 0x00012768 Size: -
Object: Hidden Thread [ETHREAD: 0x87f68750, TID: 260]
Process: avp.exe (PID: 2852) Address: 0x00000000 Size: -
Object: Hidden Thread [ETHREAD: 0x86dc62d0, TID: 640]
Process: avp.exe (PID: 2852) Address: 0x00000000 Size: -
Object: Hidden Code [ETHREAD: 0x89bf6a08]
Process: System Address: 0x895f5020 Size: 1584
Object: Hidden Code [ETHREAD: 0x89bf15a0]
Process: System Address: 0x895eb000 Size: 87
Object: Hidden Code [ETHREAD: 0x89be41f0]
Process: System Address: 0x895e0770 Size: 887
Object: Hidden Code [ETHREAD: 0x89be5678]
Process: System Address: 0x895eb000 Size: 87
Object: Hidden Code [ETHREAD: 0x899584e8]
Process: System Address: 0x895b87e0 Size: 87
Object: Hidden Code [ETHREAD: 0x8996bda8]
Process: System Address: 0x895b87e0 Size: 87
Object: Hidden Code [ETHREAD: 0x8963bda8]
Process: System Address: 0x895ba7d0 Size: 2097
Object: Hidden Code [ETHREAD: 0x899b0da8]
Process: System Address: 0x895ba7d0 Size: 2097
Object: Hidden Code [ETHREAD: 0x89794da8]
Process: System Address: 0x895ba7d0 Size: 2097
Object: Hidden Code [ETHREAD: 0x8997e448]
Process: System Address: 0x895b87e0 Size: 87
Object: Hidden Code [ETHREAD: 0x898b4020]
Process: System Address: 0x8941c190 Size: 87
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a0c31f8 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x89720500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89e6e500 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a0541f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a0541f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0541f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0541f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a0541f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0541f8 Size: 121
Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a0541f8 Size: 121
Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x89944500 Size: 121
Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x89944500 Size: 121
Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x89944500 Size: 121
Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x89944500 Size: 121
Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89944500 Size: 121
Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89944500 Size: 121
Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x89944500 Size: 121
Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89944500 Size: 121
Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x89944500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89ec6500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89ec6500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ec6500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89ec6500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89ec6500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89ec6500 Size: 121
Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89ec6500 Size: 121
Object: Hidden Code [Driver: Documents a, IRP_MJ_CREATE]
Process: System Address: 0x89da9500 Size: 121
Object: Hidden Code [Driver: Documents a, IRP_MJ_CLOSE]
Process: System Address: 0x89da9500 Size: 121
Object: Hidden Code [Driver: Documents a, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89da9500 Size: 121
Object: Hidden Code [Driver: Documents a, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89da9500 Size: 121
Object: Hidden Code [Driver: Documents a, IRP_MJ_POWER]
Process: System Address: 0x89da9500 Size: 121
Object: Hidden Code [Driver: Documents a, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89da9500 Size: 121
Object: Hidden Code [Driver: Documents a, IRP_MJ_PNP]
Process: System Address: 0x89da9500 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a0c51f8 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89644368 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89644368 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89644368 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89644368 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89644368 Size: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89644368 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89e7e1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89e7e1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e7e1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e7e1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89e7e1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e7e1f8 Size: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89e7e1f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x89684500 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_READ]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_CLEANUP]
Process: System Address: 0x89b6e1f8 Size: 121
Object: Hidden Code [Driver: Cdfsࠅః瑎て, IRP_MJ_PNP]
Process: System Address: 0x89b6e1f8 Size: 121
Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd3080
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd39e0
#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd2a20
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd1920
#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd19a0
#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd1960
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd2920
#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd6d40
#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd29d0
#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd1e90
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd6b30
#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xaffd6d90
==EOF==