select * from registry where key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\KernelSEHOPEnabled'

select * from kernel_extensions;

select * from keychain_items;

select * from file where path in ('/proc/knark', '/dev/.pizda', '/dev/.pula', '/dev/.pula');

select * from last;

select * from launchd;

select * from file where path in ('/dev/.kork', '/bin/.login', '/bin/.ps');

select * from launchd where path like '%UserEvent.System.plist';

select * from file where path = '/Users/Shared/UserEvent.app';

select * from launchd where name = 'com.GetFlashPlayer.plist';