
Infected with Antimalware Doctor (Malware.Trace / PWS.LDPinchIE)


14 replies to this topic

#1 Mork345

Posted 20 August 2010 - 01:56 PM

Hi! I have the Antimalware Doctor infection; usually it seems pretty easy to remove, but it turns out to be more complicated than I thought. I tried your removal procedure for this virus: http://www.bleepingcomputer.com/virus-remo...imalware-doctor but rkill doesn't work, so I can't kill the Antimalware Doctor process (I let it run for 8 hours and nothing happened - my laptop wasn't frozen though). I booted in safe mode, in which the rogue anti-spyware doesn't start, and ran MalwareBytes as well as Spybot and tried some other tools (more details after the DDS log).

I have a Dell Latitude D620 Laptop
Microsoft Windows XP Professional
Version 2002 SP3
Model: PP18L

Here is the DDS log:

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Mark at 20:46:13.76 on Wed 08/18/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.811 [GMT -4:00]

AV: PC Tools AntiVirus Free *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Mark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = 10.10.10.10:8080
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
BHO: c:\windows\system32\cy19rny.dll: {c2ba40a2-75f1-51bd-f413-04b15a2c8950} - c:\windows\system32\cy19rny.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Dxiyomorabu] rundll32.exe "c:\windows\BPLALMI.dll",Startup
uRun: [uiha98uiohf873yuiadnhgjesgregas] c:\docume~1\mark\locals~1\temp\aoth8.exe
uRun: [releaseversion70700.exe] c:\documents and settings\mark\application data\c25fc8459ee7d832bc49a0c6382f2d3e\releaseversion70700.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Nqodixeni] rundll32.exe "c:\windows\ajahucucaqi.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes\mbam.exe" /runcleanupscript
mRunOnce: [*upd_debug.exe] "c:\documents and settings\mark\application data\c25fc8459ee7d832bc49a0c6382f2d3e\upd_debug.exe"
dRunOnce: [RunNarrator] Narrator.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.121,93.188.161.211
TCP: {20499F12-351A-4F67-AF61-7C9FA7629B00} = 93.188.162.121,93.188.161.211
TCP: {398088A4-DE37-4362-AC74-DB84158A787F} = 93.188.162.121,93.188.161.211
TCP: {4710355C-13A1-42E5-86F1-544BCA945838} = 93.188.162.121,93.188.161.211
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: wxvault.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\cy19rny.dll: {c2ba40a2-75f1-51bd-f413-04b15a2c8950} - c:\windows\system32\cy19rny.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\jlgrajx2.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.chom.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.ftp - 10.10.10.10
FF - prefs.js: network.proxy.gopher - 10.10.10.10
FF - prefs.js: network.proxy.http - 10.10.10.10
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.10.10.10
FF - prefs.js: network.proxy.ssl - 10.10.10.10
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\pc tools security\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll
FF - plugin: c:\documents and settings\mark\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {540C15E0-B553-4E90-B806-F8E1644CB2C3} - c:\documents and settings\mark\local settings\application data\{540C15E0-B553-4E90-B806-F8E1644CB2C3}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-7-27 218592]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools security\bdt\BDTUpdateService.exe [2010-8-11 198608]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-3-10 47640]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2010-8-11 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2010-8-11 1142224]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================


==================== Find3M ====================

2010-01-12 18:17:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010010420100111\index.dat
2010-01-12 18:17:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010011220100113\index.dat

============= FINISH: 20:53:46.98 ===============

Other symptoms caused by viruses:
- IE pop-ups of "page not displayed" even if I don't use IE; I use Firefox.
- My laptop is slower than normal.
- Sometimes a random process crashes; for example Dr.Watson Postmortem Debugger has encountered a problem, csrss.exe and some others I don't remember, but I took a screenshot of the csrss.exe one and attached it.
- System restore is disabled.

NOTES: DDS didn't work in normal mode (it says it should take around 3 min and I let it run for 1 - 2 hours... and nothing happened). I rebooted in safe mode and it worked. I had to run GMER 4 - 5 times before it worked (in normal mode). I suppose the viruses that are still present make my laptop very slow, so it stopped responding (frozen, nothing to do - ctrl+alt+del wouldn't work).

Troubleshooting done:
- Ran MalwareBytes; it found some viruses which can easily be removed, except for one called Malware.Trace which keeps reappearing when I reboot (see attached for log).
- Ran Spybot; it finds almost the same viruses, except for the following (see attached for screenshot):

Fraud.AntimalwareDoctor (2 entries Malware)
Microsoft.Window.disableSystemRestore (1 entries SecurityC) (I suppose this is not a virus since my system restore has been disabled)
PWS.LDPinchIE (2 entries Trojans)
Win32.FraudLoad (6 entries MalwareC)

They can easily be removed except for PWS.LDPinchIE, which reappears if I reboot. This Trojan doesn't seem to be detected by MalwareBytes.

I also tried another spyware removal program: Exterminate-it! This one is suspicious; after the scan it showed me a lot of bad viruses which are not detected by MalwareBytes / Spybot (see attached for screenshot), then it asked me to pay if I wanted to have them removed, or otherwise to remove them manually (I verified half of the malware locations and they do exist. Not sure if they really are viruses?). They guarantee to "provide a 14-day money-back guarantee". Does anyone know this program? It is pretty suspicious; they seem to detect a lot of false positives...

For the moment I'm always running in safe mode, since I can't remove those two viruses and I suspect that one of these two is re-installing all the malware on my laptop when I log in in normal mode.

Attached is the attach.txt along with the ark.txt log

Thank you for your help!
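As an added example (not part of the original thread, and not code from the DDS tool), the script below runs a few triage rules over the autorun, DNS and proxy lines of a DDS "Pseudo HJT Report". The sample lines are copied from the log above; the rules and severity labels are my own heuristics, and the AppInit_DLLs / LSA entries are only marked for review because such entries are often legitimate OEM or security-vendor software.

```python
"""Triage rules for DDS 'Pseudo HJT Report' lines (added example, not DDS code).

DDS prefixes: uRun = HKCU Run key, mRun = HKLM Run key, dRun = default-user hive.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending line)

# Constructed sample: a subset of the Pseudo HJT Report lines from the post above.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = 10.10.10.10:8080
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Dxiyomorabu] rundll32.exe "c:\windows\BPLALMI.dll",Startup
uRun: [uiha98uiohf873yuiadnhgjesgregas] c:\docume~1\mark\locals~1\temp\aoth8.exe
uRun: [releaseversion70700.exe] c:\documents and settings\mark\application data\c25fc8459ee7d832bc49a0c6382f2d3e\releaseversion70700.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Nqodixeni] rundll32.exe "c:\windows\ajahucucaqi.dll",Startup
mRunOnce: [*upd_debug.exe] "c:\documents and settings\mark\application data\c25fc8459ee7d832bc49a0c6382f2d3e\upd_debug.exe"
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.162.121,93.188.161.211
TCP: {20499F12-351A-4F67-AF61-7C9FA7629B00} = 93.188.162.121,93.188.161.211
AppInit_DLLs: wxvault.dll
LSA: Authentication Packages = msv1_0 wvauth
"""

# uRun/mRun/dRun(Once): [value name] command line
RUN_RE = re.compile(r'^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$', re.I)
# TCP: NameServer = a,b  or  TCP: {interface GUID} = a,b
DNS_RE = re.compile(r'^TCP:\s*(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(?P<servers>[\d., ]+)$')
# A path component that is exactly 32 hex characters (as used under Application Data here).
HEX32_DIR_RE = re.compile(r'\\[0-9a-f]{32}\\', re.I)
# rundll32 loading a DLL placed directly in the Windows directory (not system32).
RUNDLL_WINROOT_RE = re.compile(r'rundll32\.exe\s+"?[a-z]:\\windows\\[^\\"]+\.dll', re.I)
# Executable living in the user's Temp directory (short or long path form).
TEMP_DIR_RE = re.compile(r'\\(?:locals~1|local settings)\\temp\\', re.I)


def check_autorun(line: str) -> Optional[Finding]:
    """Flag Run/RunOnce entries whose command points at a suspicious location."""
    m = RUN_RE.match(line)
    if not m:
        return None
    cmd = m.group('cmd')
    if TEMP_DIR_RE.search(cmd):
        return ('high', 'autorun launches an executable from a Temp directory', line)
    if HEX32_DIR_RE.search(cmd):
        return ('high', 'autorun launches from a 32-hex-character directory under Application Data', line)
    if RUNDLL_WINROOT_RE.search(cmd):
        return ('high', 'rundll32 loads a DLL placed directly in the Windows directory', line)
    return None


def check_dns(line: str) -> Optional[Finding]:
    """Flag resolvers outside private/loopback ranges; compare them with what the router/ISP hands out."""
    m = DNS_RE.match(line)
    if not m:
        return None
    public = []
    for s in m.group('servers').replace(' ', '').split(','):
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback):
            public.append(s)
    if public:
        return ('high', 'DNS resolver(s) outside private ranges: ' + ', '.join(public), line)
    return None


def check_misc(line: str) -> Optional[Finding]:
    """Proxy settings and system-wide injection points that deserve a manual look."""
    if line.startswith('uInternet Settings,ProxyServer') and '=' in line:
        value = line.split('=', 1)[1].strip()
        if value:
            return ('medium', 'per-user proxy server configured: ' + value, line)
    if line.startswith('AppInit_DLLs:') and line.split(':', 1)[1].strip():
        return ('review', 'AppInit_DLLs is loaded into every GUI process; identify the publisher', line)
    if line.startswith('LSA: Authentication Packages') and '=' in line:
        extra = [p for p in line.split('=', 1)[1].split() if p.lower() != 'msv1_0']
        if extra:
            return ('review', 'extra LSA authentication package(s) loaded into lsass: ' + ' '.join(extra), line)
    return None


CHECKS = (check_autorun, check_dns, check_misc)


def triage(report: str) -> List[Finding]:
    """Run every check over each non-empty line; the first matching check wins."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


if __name__ == '__main__':
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f'[{sev:6}] {reason}\n         {line}')
```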

#2 mpascal

Posted 26 August 2010 - 08:26 PM

Hi Mork345,

Welcome to Bleeping Computer!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to give a few guidelines so that we can fix your problem as quickly and efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

STEP 1 - MBAM

Note: In the event that you already have MBAM installed, you do not need to reinstall it. Simply Updating it and doing a Quickscan is sufficient.

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 2 - GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

STEP 3 - OTL

Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • In the Custom Scans box, copy and paste the following:
    CODE
    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.
STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • GMER Log
  • OTL Log


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#3 Mork345

Mork345
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:06:50 PM

Posted 28 August 2010 - 10:08 AM

Hi mpascal,

I know you guys are very busy helping people, thank you so much for helping me.

The issue is still present, so I haven't done anything so far (haven't touched my laptop since my last post).

STEP 1 - MBAM

I had to change the mbam-setup.exe file name, otherwise MBAM wouldn't start. Performed a Quick Scan which found 9 infections.
MBAM asked me to reboot to terminate the removal process (it took a while to shut down). I have rebooted in normal mode as required, here is the MBAM report:


*****************************************************************************************************
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/27/2010 5:40:49 PM
mbam-log-2010-08-27 (17-40-49).txt

Scan type: Quick scan
Objects scanned: 123733
Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20499f12-351a-4f67-af61-7c9fa7629b00}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{20499f12-351a-4f67-af61-7c9fa7629b00}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{398088a4-de37-4362-ac74-db84158a787f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{398088a4-de37-4362-ac74-db84158a787f}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4710355c-13a1-42e5-86f1-544bca945838}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.121,93.188.161.211 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*****************************************************************************************************


After the reboot, Antimalware Doctor is still present. I suppose there is a hidden malware somewhere that re-installed it again...

STEP 2 - GMER

Closed all running programs / disabled real-time active protection. Since rkill wouldn't work, I ended the Antimalware Doctor process by ending the releaseversion70700.exe process in task manager. Ran GMER, here is the log:


*****************************************************************************************************
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-27 23:44:28
Windows 5.1.2600 Service Pack 3
Running: xcff7ghy.exe; Driver: C:\DOCUME~1\Mark\LOCALS~1\Temp\afxcrkoc.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF72E4112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF72C32D6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF72C34C8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF72E4900]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF72E4BB4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF72E2E12]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF72E5020]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF72E43D2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF72C2F44]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\disk.sys entry point in ".rsrc" section [0xF74F6514]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre6\bin\jqs.exe[184] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[184] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0165000A
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[248] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[336] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe[432] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[864] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[864] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[864] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\Explorer.EXE[864] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[864] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 01B6000A
.text C:\WINDOWS\Explorer.EXE[864] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[864] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[864] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[864] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
.text C:\WINDOWS\Explorer.EXE[864] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\winlogon.exe[960] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\services.exe[1008] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00A1590B C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00A16436 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 00A16DF7 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 00A16EA5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 00A16677 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00A17154 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 00A15BB3 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 00A15B2C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 00A170DC C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 00A16B37 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 00A1639E C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 00A16922 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00A16087 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00A16F53 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 00A16CB5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 00A15DAC C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 00A16D83 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 00A15E9E C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 00A159D5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 00A1705A C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 00A17188 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\bcmwltry.exe[1708] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 00A17139 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0137000A
.text C:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\spoolsv.exe[1760] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\System32\SCardSvr.exe[1816] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0199000A
.text C:\WINDOWS\system32\svchost.exe[1936] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1936] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\svchost.exe[1984] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 00806D20 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 0080720C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 00805B0D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 008072CF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0080719F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 00805A43 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00807335 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 00806BCB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 008058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 0080612C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 00806508 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 00806A3C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 00806291 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 008061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 0080620D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00805F87 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 008065FF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 008069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 0080590B C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00806436 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 00806DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 00806EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 00806677 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 00807154 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 00805BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 00805B2C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 008070DC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 00806B37 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 0080639E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 00806922 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00806087 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 00806F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 00806CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 00805DAC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 00806D83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 00805E9E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 008059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 0080705A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 00807188 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[2008] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 00807139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\System32\alg.exe[2092] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0195000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\System32\svchost.exe[2672] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\System32\wxvault.dll
.text C:\WINDOWS\system32\rundll32.exe[2692] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 001A000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0027000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2700] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\ctfmon.exe[2828] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\ctfmon.exe[2828] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0030000A
.text C:\Program Files\Messenger\msmsgs.exe[2884] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Messenger\msmsgs.exe[2884] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\system32\rundll32.exe[2908] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00B0000A
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006D20 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 1000720C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005B0D C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0027000A
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 100072CF C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000719F C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005A43 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10007335 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006BCB C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 100058B1 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 1000612C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 10006508 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006A3C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 10006291 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 100061B3 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 1000620D C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10005F87 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100065FF C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 100069A6 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 1000590B C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 10006436 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006DF7 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006677 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007154 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005BB3 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005B2C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 100070DC C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006B37 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000639E C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 10006922 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006087 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006CB5 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005DAC C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006D83 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005E9E C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 100059D5 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 1000705A C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007188 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe[3996] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 10007139 C:\WINDOWS\system32\wxvault.dll

---- Devices - GMER 1.0.15 ----

Device \Driver\BTHUSB \Device\00000092 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000092 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000094 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000094 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat 9F137D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86C75EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0021864c593e
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0021864c593e (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\disk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

*****************************************************************************************************

STEP 3 - OTL

I pasted the code in the custom scans to minimal output and did not change any settings. However, the OTL scan wasn't as short as you said; I let it run all night and it is still running right now. I verified my laptop and it isn't frozen; the scan is "Looking for newly modified files" in system32. I don't know what is going on there. If the scan finishes today, I'll post it later; otherwise, I'll try to run it again.

#4 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada
  • Local time:06:50 PM

Posted 28 August 2010 - 04:18 PM

Hi there,

The OTL scan really shouldn't take that long. If it's still going then just skip it for now.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#5 Mork345 (Topic Starter)
Members, 8 posts

Posted 29 August 2010 - 01:12 PM

Hi,

When I double-click ComboFix.exe (which I renamed explorer.exe; otherwise it wouldn't start) I got the following error:
Some files could not be created.
Please close all application, reboot Windows and restart this installation

When I reboot my laptop, I got the following:
Program - C:\32788R22FWJFW\cmd.cfxxe (Windows cannot end this program)

I'll try to run ComboFix in safe mode

#6 mpascal (Math Nerd)
Members, 1,653 posts, Gender: Male, Location: Canada

Posted 29 August 2010 - 01:28 PM

Did you disable all your antivirus software?



#7 Mork345 (Topic Starter)
Members, 8 posts

Posted 29 August 2010 - 02:58 PM

Yes, I have closed and disabled AV software (I only have Spybot and Malwarebytes for the moment), but ComboFix reported that McAfee was still running. I had uninstalled McAfee a little while ago since it had expired. Before starting the ComboFix scan I searched to see if McAfee was still present, but couldn't find anything except a temp file, which I deleted (I verified in Program Files and Add/Remove Programs, and searched files and folders for McAfee). It was still telling me that it was present and active; I don't understand. Anyway, it worked in safe mode:

2 minutes after the scan started, ComboFix detected the presence of a rootkit and needed to reboot. I rebooted again in safe mode. After stage_5, a certain PEV.exe "encountered a problem and needed to close".
Here is the ComboFix log:

ComboFix 10-08-28.02 - Mark 08/29/2010 15:15:44.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.827 [GMT -4:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: PC Tools AntiVirus Free *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mark\Application Data\5fcf3222.exe
c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E
c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\enemies-names.txt
c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\local.ini
c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\lsrslt.ini
c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\releaseversion70700.exe
c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\upd_debug.exe
c:\documents and settings\Mark\Application Data\Sky-Banners
c:\documents and settings\Mark\Application Data\Street-Ads
c:\documents and settings\Mark\Local Settings\Application Data\{540C15E0-B553-4E90-B806-F8E1644CB2C3}
c:\documents and settings\Mark\Local Settings\Application Data\{540C15E0-B553-4E90-B806-F8E1644CB2C3}\chrome.manifest
c:\documents and settings\Mark\Local Settings\Application Data\{540C15E0-B553-4E90-B806-F8E1644CB2C3}\chrome\content\_cfg.js
c:\documents and settings\Mark\Local Settings\Application Data\{540C15E0-B553-4E90-B806-F8E1644CB2C3}\chrome\content\overlay.xul
c:\documents and settings\Mark\Local Settings\Application Data\{540C15E0-B553-4E90-B806-F8E1644CB2C3}\install.rdf
c:\windows\ajahucucaqi.dll
c:\windows\BPLALMI.dll
c:\windows\system32\cy19rny.dll
c:\windows\system32\ernel32.dll
c:\windows\system32\system

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.

2010-08-27 21:12 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-27 21:12 . 2010-08-27 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 21:12 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-18 02:56 . 2010-08-18 02:59 -------- d-----w- c:\windows\system32\NtmsData
2010-08-15 16:54 . 2010-08-15 20:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-12 19:41 . 2010-08-12 19:41 -------- d-----w- c:\documents and settings\Mark\Application Data\Uniblue
2010-08-12 19:25 . 2010-08-12 19:25 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-12 17:20 . 2010-08-16 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-12 17:20 . 2010-08-12 17:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-12 01:24 . 2010-08-12 01:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-11 06:50 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-08-11 06:47 . 2010-08-27 21:47 -------- d-----w- c:\program files\PC Tools Security
2010-08-11 06:47 . 2010-08-11 06:47 -------- d-----w- c:\documents and settings\Mark\Application Data\PC Tools
2010-08-11 06:47 . 2010-08-11 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-10 22:01 . 2010-08-10 22:01 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes
2010-08-02 17:00 . 2010-08-02 17:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-29 16:53 . 2010-07-27 19:06 0 ----a-w- c:\windows\Lzoyite.bin
2010-08-27 20:44 . 2010-07-27 20:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-27 20:35 . 2010-07-29 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-08-11 07:14 . 2010-07-27 20:46 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-06 23:00 . 2010-07-27 19:06 120 ----a-w- c:\windows\Rjifikere.dat
2010-07-31 19:53 . 2010-01-19 15:19 -------- d-----w- c:\documents and settings\Mark\Application Data\LimeWire
2010-07-29 03:36 . 2010-07-27 20:46 -------- d-----w- c:\program files\Spyware Doctor
2010-07-29 02:46 . 2010-07-29 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-27 19:04 . 2010-07-27 19:51 196096 ----a-w- c:\windows\Gcojeb.exe
2010-07-27 19:04 . 2010-07-27 19:04 196096 ----a-w- c:\windows\Gcojea.exe
2010-06-14 14:31 . 2010-01-05 05:58 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Mark\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Mark\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-10-07 22:13 176128 ----a-r- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 17:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
2006-03-09 20:26 98304 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-14 01:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-14 01:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-14 01:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-25 01:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"Browser Defender Update Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Packet Tracer 5.2\\bin\\PacketTracer5.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/27/2010 4:46 PM 218592]
S2 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\PC Tools Security\BDT\BDTUpdateService.exe" --> c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [8/11/2010 2:47 AM 366840]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 10.10.10.10:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\jlgrajx2.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.chom.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.ftp - 10.10.10.10
FF - prefs.js: network.proxy.gopher - 10.10.10.10
FF - prefs.js: network.proxy.http - 10.10.10.10
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.10.10.10
FF - prefs.js: network.proxy.ssl - 10.10.10.10
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Mark\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Dxiyomorabu - c:\windows\BPLALMI.dll
HKCU-Run-releaseversion70700.exe - c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\releaseversion70700.exe
HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
HKLM-Run-Nqodixeni - c:\windows\ajahucucaqi.dll
HKLM-Run-upd_debug.exe - c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\upd_debug.exe
HKLM-RunOnce-*upd_debug.exe - c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\upd_debug.exe
MSConfigStartUp-5DR8ZAD8GX - c:\docume~1\Mark\LOCALS~1\Temp\Gku.exe
MSConfigStartUp-Dxiyomorabu - c:\windows\BPLALMI.dll
MSConfigStartUp-ewrgetuj - c:\docume~1\Mark\LOCALS~1\Temp\geurge.exe
MSConfigStartUp-hsehf98u34i9tjioaugy987iuegdsg - c:\docume~1\Mark\LOCALS~1\Temp\win16.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-mcexecwin - c:\docume~1\Mark\LOCALS~1\Temp\jkp6tkm8.dll
MSConfigStartUp-MChk - c:\windows\system32\pbyap.exe
MSConfigStartUp-Nqodixeni - c:\windows\ajahucucaqi.dll
MSConfigStartUp-releaseversion70700 - c:\documents and settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\releaseversion70700.exe
MSConfigStartUp-sta - cbyap.dll
MSConfigStartUp-TG0PTF86JH - c:\docume~1\Mark\LOCALS~1\Temp\Gkt.exe
MSConfigStartUp-uiha98uiohf873yuiadnhgjesgregas - c:\docume~1\Mark\LOCALS~1\Temp\aoth8.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-29 15:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2010-08-29 15:42:42
ComboFix-quarantined-files.txt 2010-08-29 19:42

Pre-Run: 47,778,615,296 bytes free
Post-Run: 47,823,687,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 03BF25C0F849E9C4B0ED172A9B9FD23F


Would it have been better to run this in normal mode?

thanks,

#8 Mork345 (Topic Starter)
Members, 8 posts

Posted 29 August 2010 - 03:04 PM

Hey,

Just to let you know that it seems we got rid of Antimalware Doctor with ComboFix :) I booted in normal mode and it didn't pop up as usual. I will wait for you to check the ComboFix log before running any other scans.

#9 mpascal (Math Nerd)
Members, 1,653 posts, Gender: Male, Location: Canada

Posted 29 August 2010 - 03:17 PM

Hi there,

Yep, looks like CF got rid of it. From what I can see, hopefully just a few more things to clean up.

Close any open browsers, and close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the codebox below into it:

CODE
File::
c:\windows\Lzoyite.bin
c:\windows\Rjifikere.dat
c:\windows\Gcojeb.exe
c:\windows\Gcojea.exe
  • Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

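The ComboFix log Mork345 posted above (the Run values, the "ORPHANS REMOVED" entries and the ProxyServer / network.proxy lines) and the "File::" block mpascal asks for in CFScript.txt are both regular enough to handle by script. What follows is an added example written for this page, not code from the thread, from BleepingComputer or from the ComboFix author: it reads lines in the same shape as the posted log, flags autorun entries that run from a Temp directory, point at a .dll, or carry a machine-generated-looking value name, lists any proxy host that is not loopback, and renders the flagged paths in the File:: format. The sample lines are constructed to match the log above, and the flagging heuristics (the Temp check, the DLL check, the length and 0.2 vowel-ratio cut-offs in gibberish_name) are my own assumptions. Its output is a review list for a helper, not a verdict: a corporate proxy or a vendor DLL can look exactly the same.

```python
import re

# Constructed sample, shaped like the ComboFix output posted in this thread:
# live Run values, "ORPHANS REMOVED" entries, and the IE / Firefox proxy lines.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
uInternet Settings,ProxyServer = 10.10.10.10:8080
FF - prefs.js: network.proxy.http - 10.10.10.10
FF - prefs.js: network.proxy.http_port - 8080
HKCU-Run-Dxiyomorabu - c:\windows\BPLALMI.dll
HKLM-Run-Nqodixeni - c:\windows\ajahucucaqi.dll
MSConfigStartUp-5DR8ZAD8GX - c:\docume~1\Mark\LOCALS~1\Temp\Gku.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
'''

# "name"="path" [date size]                  a live Run-key value
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
# HKCU-Run-name - path, HKLM-RunOnce-*name - path, MSConfigStartUp-name - path
ORPHAN = re.compile(r'^(?:HK(?:CU|LM)-Run(?:Once)?-\*?|MSConfigStartUp-)(.+?) - (.+)$')
PROXY_IE = re.compile(r'ProxyServer = ([^:\s]+)')
PROXY_FF = re.compile(r'network\.proxy\.(?:http|ssl|ftp|socks) - (\S+)')
VOWELS = set("aeiou")


def parse_autoruns(text):
    """(name, path) pairs for live Run values and ComboFix orphan entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_VALUE.match(line) or ORPHAN.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def gibberish_name(name):
    """Heuristic (assumption): a long, space-free value name that mixes letters
    and digits, or is nearly vowel-free, was probably generated, not chosen."""
    if " " in name or len(name) < 10 or not name.isalnum():
        return False
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters or any(c.isdigit() for c in name):
        return True
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def flag_autorun(name, path):
    """Reasons an autorun entry deserves a closer look; empty list = nothing obvious."""
    reasons = []
    low = path.lower()
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if low.endswith(".dll"):
        reasons.append("Run target is a DLL rather than an executable")
    if gibberish_name(name):
        reasons.append("value name looks machine-generated")
    return reasons


def proxy_hosts(text):
    """Proxy hosts set in IE or Firefox prefs, minus loopback; confirm each one."""
    hosts = set()
    for line in text.splitlines():
        m = PROXY_IE.search(line) or PROXY_FF.search(line)
        if m:
            hosts.add(m.group(1))
    return sorted(h for h in hosts if not (h.startswith("127.") or h == "localhost"))


def triage(text):
    """Flagged autoruns plus non-loopback proxy hosts for one ComboFix log."""
    flagged = []
    for name, path in parse_autoruns(text):
        reasons = flag_autorun(name, path)
        if reasons:
            flagged.append({"name": name, "path": path, "reasons": reasons})
    return {"autoruns": flagged, "proxy_hosts": proxy_hosts(text)}


def cfscript_file_section(paths):
    """Render paths as the File:: block ComboFix reads from CFScript.txt."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for item in result["autoruns"]:
        print(f"{item['name']:<16} {item['path']}")
        print("    " + "; ".join(item["reasons"]))
    for host in result["proxy_hosts"]:
        print(f"proxy {host}: not loopback, confirm it is expected before trusting it")
    print(cfscript_file_section(i["path"] for i in result["autoruns"]))
```

Run as-is it triages the sample; to use it on a real log, pass the text of C:\ComboFix.txt to triage(). On the sample it flags the two DLL-valued Run entries, the Temp-resident Gku.exe (twice over, for its location and its name) and the 10.10.10.10 proxy, and leaves jusched.exe, qttask.exe and LogMeIn alone. Nothing on that list should go into a CFScript without the cross-checks a helper does by hand (file signer, vendor, the rest of the log), which is why the script prints reasons rather than deleting anything.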


#10 Mork345 (Topic Starter)
Members, 8 posts

Posted 29 August 2010 - 04:40 PM

Hi,

Here is the new ComboFix log:

ComboFix 10-08-28.02 - Mark 08/29/2010 17:26:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.700 [GMT -4:00]
Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: PC Tools AntiVirus Free *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Gcojea.exe"
"c:\windows\Gcojeb.exe"
"c:\windows\Lzoyite.bin"
"c:\windows\Rjifikere.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Gcojea.exe
c:\windows\Gcojeb.exe
c:\windows\Lzoyite.bin
c:\windows\Rjifikere.dat

.
((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-29 )))))))))))))))))))))))))))))))
.

2010-08-27 21:12 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-27 21:12 . 2010-08-27 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-27 21:12 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-18 02:56 . 2010-08-18 02:59 -------- d-----w- c:\windows\system32\NtmsData
2010-08-15 16:54 . 2010-08-15 20:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-12 19:41 . 2010-08-12 19:41 -------- d-----w- c:\documents and settings\Mark\Application Data\Uniblue
2010-08-12 19:25 . 2010-08-12 19:25 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-12 17:20 . 2010-08-29 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-12 01:24 . 2010-08-12 01:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-11 06:50 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-08-11 06:47 . 2010-08-27 21:47 -------- d-----w- c:\program files\PC Tools Security
2010-08-11 06:47 . 2010-08-11 06:47 -------- d-----w- c:\documents and settings\Mark\Application Data\PC Tools
2010-08-11 06:47 . 2010-08-11 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-10 22:01 . 2010-08-10 22:01 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes
2010-08-02 17:00 . 2010-08-02 17:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-27 20:44 . 2010-07-27 20:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-27 20:35 . 2010-07-29 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-08-11 07:14 . 2010-07-27 20:46 -------- d-----w- c:\program files\Common Files\PC Tools
2010-07-31 19:53 . 2010-01-19 15:19 -------- d-----w- c:\documents and settings\Mark\Application Data\LimeWire
2010-07-29 03:36 . 2010-07-27 20:46 -------- d-----w- c:\program files\Spyware Doctor
2010-07-29 02:46 . 2010-07-29 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-14 14:31 . 2010-01-05 05:58 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-08-29_19.34.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-29 20:55 . 2010-08-29 20:55 16384 c:\windows\temp\Perflib_Perfdata_750.dat
+ 2004-08-04 10:00 . 2010-08-29 20:59 72306 c:\windows\system32\perfc009.dat
+ 2004-08-04 10:00 . 2010-08-29 20:59 444596 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-09-29 00:34 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EMBASSY Trust Suite Secure Update.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EMBASSY Trust Suite Secure Update.lnk
backup=c:\windows\pss\EMBASSY Trust Suite Secure Update.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Mark\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Mark\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-10-07 22:13 176128 ----a-r- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 17:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Document Manager]
2006-03-09 20:26 98304 ----a-w- c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-14 01:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-14 01:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-14 01:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-25 01:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)
"idsvc"=3 (0x3)
"Browser Defender Update Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Packet Tracer 5.2\\bin\\PacketTracer5.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/27/2010 4:46 PM 218592]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 2:19 PM 50704]
S2 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\PC Tools Security\BDT\BDTUpdateService.exe" --> c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [8/11/2010 2:47 AM 366840]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 10.10.10.10:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\jlgrajx2.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.chom.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.ftp - 10.10.10.10
FF - prefs.js: network.proxy.gopher - 10.10.10.10
FF - prefs.js: network.proxy.http - 10.10.10.10
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.10.10.10
FF - prefs.js: network.proxy.ssl - 10.10.10.10
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Mark\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-29 17:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\wxvault.dll
c:\windows\system32\detoured.dll
c:\windows\system32\sxs.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\wxvault.dll
c:\windows\system32\detoured.dll
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2010-08-29 17:34:58
ComboFix-quarantined-files.txt 2010-08-29 21:34
ComboFix2.txt 2010-08-29 19:42

Pre-Run: 47,898,963,968 bytes free
Post-Run: 47,887,265,792 bytes free

- - End Of File - - B766358C9ED5B2920EDF5C2833FDBBCB
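The ComboFix log above (and the OTL log later in the thread) records Firefox and IE proxy settings in a form that is easy to skim past in a long log. As an added example, not from this thread or from ComboFix, DDS, OTL or any other tool used here, the Python below pulls those entries out of both line layouts, using lines copied from the thread's logs as constructed sample input, and reports whether each configured proxy is actually in effect (Firefox only honours manual hosts when network.proxy.type is 1; IE only honours ProxyServer when ProxyEnable is 1).

```python
r"""Extract browser proxy settings from HijackThis-style cleanup logs.

Added example for this thread; not part of ComboFix, DDS, OTL or any other
tool used here. Handles the two line layouts seen in the thread's logs:
  DDS/ComboFix:  FF - prefs.js: network.proxy.http - 10.10.10.10
  OTL:           FF - prefs.js..network.proxy.http: "10.10.10.10"
                 IE - HKCU\...\Internet Settings: "ProxyServer" = 10.10.10.10:8080
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
FF - prefs.js: network.proxy.http - 10.10.10.10
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 10.10.10.10
FF - prefs.js: network.proxy.ssl - 10.10.10.10
FF - prefs.js: network.proxy.type - 4
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.10:8080
FF - prefs.js..browser.startup.homepage: "www.chom.com"
FF - prefs.js..network.proxy.ftp: "10.10.10.10"
FF - prefs.js..network.proxy.http: "10.10.10.10"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.type: 4
"""

# Meaning of Firefox's network.proxy.type values (Mozilla's documented set).
FF_PROXY_TYPES = {
    "0": "no proxy",
    "1": "manual",
    "2": "PAC URL",
    "4": "auto-detect (WPAD)",
    "5": "system settings",
}
# Prefs that name a manual proxy host.
FF_HOST_PREFS = {"ftp", "gopher", "http", "socks", "ssl"}

DDS_FF = re.compile(r'^FF - prefs\.js: (network\.proxy\.\w+) - (.*)$')
OTL_FF = re.compile(r'^FF - prefs\.js\.\.(network\.proxy\.\w+): (.*)$')
IE_SET = re.compile(r'^IE - HK\w+\\.*\\Internet Settings: "(Proxy\w+)" = (.*)$')


@dataclass
class ProxyReport:
    firefox: dict = field(default_factory=dict)  # pref name -> value
    ie: dict = field(default_factory=dict)       # registry value name -> data
    findings: list = field(default_factory=list)


def parse_proxy_settings(log_text: str) -> ProxyReport:
    """Collect proxy-related IE and Firefox entries from log lines and assess them."""
    report = ProxyReport()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DDS_FF.match(line) or OTL_FF.match(line)
        if m:
            report.firefox[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = IE_SET.match(line)
        if m:
            report.ie[m.group(1)] = m.group(2).strip().strip('"')
    report.findings = assess(report)
    return report


def firefox_proxy_hosts(report: ProxyReport) -> list:
    """Distinct hosts named in manual-proxy prefs, whether or not they are in effect."""
    return sorted({v for k, v in report.firefox.items()
                   if k.rsplit(".", 1)[-1] in FF_HOST_PREFS and v})


def assess(report: ProxyReport) -> list:
    """Explain which configured proxies are in effect and which are leftover entries."""
    findings = []
    ff_hosts = firefox_proxy_hosts(report)
    ff_type = report.firefox.get("network.proxy.type")
    if ff_hosts:
        # Manual proxy hosts are only used when network.proxy.type is 1.
        mode = FF_PROXY_TYPES.get(ff_type, f"unknown ({ff_type})")
        state = "ACTIVE" if ff_type == "1" else "not active (leftover entries)"
        findings.append(f"Firefox: manual proxy host(s) {', '.join(ff_hosts)}, "
                        f"network.proxy.type={ff_type} ({mode}) -> {state}")
    server = report.ie.get("ProxyServer")
    enable = report.ie.get("ProxyEnable", "missing")
    if server:
        # IE honours ProxyServer only when ProxyEnable is 1.
        state = "ACTIVE" if enable == "1" else "not active (leftover entry)"
        findings.append(f"IE: ProxyServer={server}, ProxyEnable={enable} -> {state}")
    if server and any(server.split(":")[0] == h for h in ff_hosts):
        findings.append(f"Both browsers point at {server.split(':')[0]}: "
                        "confirm it is an expected proxy, otherwise clear both entries")
    return findings


if __name__ == "__main__":
    for finding in parse_proxy_settings(SAMPLE_LOG).findings:
        print(finding)
```

Run against a real log, the same functions give a reviewer the proxy entries and their effective state without scrolling through every section.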


#11 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 29 August 2010 - 04:43 PM

Hi there,

STEP 1 - TFC

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished, it should reboot your machine; if not, do this yourself to ensure a complete clean.
STEP 2 - MBAM

Open Malwarebytes' Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 3 - Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.



  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.
STEP 4 - Reply

Please reply with the following log:
  • MBAM Log
  • Kaspersky Log


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#12 Mork345

Mork345
  • Topic Starter

  • Members
  • 8 posts

Posted 30 August 2010 - 08:36 PM

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Version de la base de données: 4504

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/29/2010 6:51:17 PM
mbam-log-2010-08-29 (18-51-17).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 139092
Temps écoulé: 25 minute(s), 16 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 6
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 3

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\5DR8ZAD8GX (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TG0PTF86JH (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
C:\WINDOWS\system32\spool\prtprocs\w32x86\GMYW3u7m.dll (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\GMYW5.dll (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\K7yW1u.dll (Trojan.PWS) -> Quarantined and deleted successfully.




The Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 30, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 30, 2010 19:17:29
Records in database: 4168191
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 51858
Threats found: 8
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 01:52:46


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\5fcf3222.exe.vir Infected: Backdoor.Win32.TDSS.vj 1
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\releaseversion70700.exe.vir Infected: Trojan-GameThief.Win32.Tibia.gre 1
C:\Qoobox\Quarantine\C\Documents and Settings\Mark\Application Data\C25FC8459EE7D832BC49A0C6382F2D3E\upd_debug.exe.vir Infected: Trojan-GameThief.Win32.Tibia.grl 1
C:\Qoobox\Quarantine\C\WINDOWS\BPLALMI.dll.vir Infected: Trojan-Downloader.Win32.Mufanom.yti 1
C:\Qoobox\Quarantine\C\WINDOWS\Gcojea.exe.vir Infected: Trojan.Win32.Genome.kkhy 1
C:\Qoobox\Quarantine\C\WINDOWS\Gcojeb.exe.vir Infected: Trojan.Win32.Genome.kkhy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\cy19rny.dll.vir Infected: Trojan-Ransom.Win32.XBlocker.awa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ernel32.dll.vir Infected: Backdoor.Win32.TDSS.vl 1
C:\System Volume Information\_restore{DE752484-106E-4E2D-B0A1-41B097DC4709}\RP1\A0000027.exe Infected: Trojan.Win32.Genome.kkhy 1
C:\System Volume Information\_restore{DE752484-106E-4E2D-B0A1-41B097DC4709}\RP1\A0000028.exe Infected: Trojan.Win32.Genome.kkhy 1

Selected area has been scanned.


Thanks,

#13 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 30 August 2010 - 08:56 PM

Hi there,

Everything looks good, are you still having problems?

Open up OTL and push the Quickscan button. Post the resulting log here.



#14 Mork345

Mork345
  • Topic Starter

  • Members
  • 8 posts

Posted 30 August 2010 - 10:28 PM

No, everything looks fine! Just one more thing: I am using MBAM and Spybot and will be going with Avast or AVG. Is there a combo of free AV / anti-malware software you would recommend to me? Thank you so much for your help.


Here is the OTL log:

OTL logfile created on: 8/30/2010 11:14:34 PM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Mark\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 702.00 Mb Available Physical Memory | 69.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.84 Gb Total Space | 44.57 Gb Free Space | 79.81% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7.47 Gb Total Space | 5.22 Gb Free Space | 69.84% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RYCOM-BF83CAFC4
Current User Name: Mark
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Mark\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
PRC - C:\Program Files\Wave Systems Corp\common\DataServer.exe (Wave Systems Corp.)
PRC - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Mark\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
MOD - C:\WINDOWS\system32\wxvault.dll ()
MOD - C:\WINDOWS\system32\detoured.dll ()


========== Win32 Services (SafeList) ==========

SRV - (Browser Defender Update Service) -- C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe File not found
SRV - (sdCoreService) -- C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools)
SRV - (sdAuxService) -- C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
SRV - (NICCONFIGSVC) -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe (Dell Inc.)
SRV - (DataSvr2) -- C:\Program Files\Wave Systems Corp\Common\DataServer.exe (Wave Systems Corp.)
SRV - (tcsd_win32.exe) -- C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe ()


========== Driver Services (SafeList) ==========

DRV - (UIUSys) -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS File not found
DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\RaInfo.sys File not found
DRV - (catchme) -- C:\DOCUME~1\Mark\LOCALS~1\Temp\catchme.sys File not found
DRV - (PCTCore) -- C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools)
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (PCASp50) -- C:\WINDOWS\system32\drivers\PCASp50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (NWADI) -- C:\WINDOWS\system32\drivers\NWADIenum.sys (Novatel Wireless Inc)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (Tosrfusb) -- C:\WINDOWS\system32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (Tosrfbd) -- C:\WINDOWS\system32\drivers\tosrfbd.sys (TOSHIBA CORPORATION)
DRV - (Tosrfhid) -- C:\WINDOWS\system32\drivers\tosrfhid.sys (TOSHIBA Corporation.)
DRV - (PBADRV) -- C:\WINDOWS\system32\drivers\pbadrv.sys (Dell Inc)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL) -- C:\WINDOWS\system32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (tosporte) -- C:\WINDOWS\system32\drivers\tosporte.sys (TOSHIBA Corporation)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (BCOREUSB) -- C:\WINDOWS\system32\drivers\BCOREUSB.sys (CSR)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (Tosrfbnp) -- C:\WINDOWS\system32\drivers\tosrfbnp.sys (TOSHIBA Corporation)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
DRV - (Tosrfcom) -- C:\WINDOWS\system32\drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (toshidpt) -- C:\WINDOWS\system32\drivers\toshidpt.sys (TOSHIBA Corporation.)
DRV - (USBCCID) -- C:\WINDOWS\system32\drivers\usbccid.sys (Microsoft Corporation)
DRV - (TosRfSnd) Bluetooth Audio Device (WDM) -- C:\WINDOWS\system32\drivers\tosrfsnd.sys (TOSHIBA Corporation)
DRV - (tosrfnds) -- C:\WINDOWS\system32\drivers\tosrfnds.sys (TOSHIBA Corporation.)
DRV - (OMCI) -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS (Dell Computer Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 10.10.10.10:8080

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "www.chom.com"
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="
FF - prefs.js..network.proxy.ftp: "10.10.10.10"
FF - prefs.js..network.proxy.gopher: "10.10.10.10"
FF - prefs.js..network.proxy.http: "10.10.10.10"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.socks: "10.10.10.10"
FF - prefs.js..network.proxy.ssl: "10.10.10.10"
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/20 23:07:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.11\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/20 23:07:16 | 000,000,000 | ---D | M]

[2010/01/19 11:19:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions
[2010/01/19 11:19:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/03/03 14:35:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mark\Application Data\Mozilla\Firefox\Profiles\jlgrajx2.default\extensions
[2010/08/30 19:25:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/07 22:15:22 | 000,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2010/08/29 17:31:50 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.164.234.129 207.164.234.193
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\wxvault.dll) - C:\WINDOWS\system32\wxvault.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/05 02:01:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56308606093492224)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/29 17:57:32 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/29 17:56:55 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\TFC.exe
[2010/08/29 15:42:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/08/29 15:01:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/29 14:35:48 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/29 14:35:48 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/29 14:35:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/29 14:35:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/29 14:34:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/29 13:02:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/27 23:45:47 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2010/08/27 17:12:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/27 17:12:26 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/27 17:12:26 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/27 17:11:28 | 006,153,376 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mark\Desktop\mbam-setup-1.46.exe
[2010/08/27 17:04:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\Posted
[2010/08/18 21:03:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\gmer
[2010/08/18 19:54:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\Startup Programs
[2010/08/17 22:56:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/08/15 12:14:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Desktop\desktop
[2010/08/12 15:41:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\Uniblue
[2010/08/12 15:25:06 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/08/12 13:20:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/08/12 11:35:50 | 128,750,008 | ---- | C] (Lavasoft ) -- C:\Documents and Settings\Mark\Desktop\Ad-AwareInstall.exe
[2010/08/12 11:35:12 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Mark\Desktop\spybotsd162.exe
[2010/08/11 23:04:49 | 000,000,000 | ---D | C] -- C:\Program Files\HijackThis
[2010/08/11 21:24:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
[2010/08/11 02:50:02 | 000,063,360 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/08/11 02:47:20 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools Security
[2010/08/11 02:47:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\PC Tools
[2010/08/11 02:47:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/08/10 18:01:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Mark\Application Data\Malwarebytes
[2010/08/02 13:00:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

========== Files - Modified Within 30 Days ==========

[2010/08/30 23:09:39 | 000,075,776 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Plan travail educ.doc
[2010/08/30 18:58:25 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/30 18:57:40 | 000,000,440 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.ics
[2010/08/30 18:57:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/30 18:57:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/29 21:13:55 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Mark\NTUSER.DAT
[2010/08/29 21:13:55 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Mark\ntuser.ini
[2010/08/29 21:13:50 | 004,829,132 | -H-- | M] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\IconCache.db
[2010/08/29 18:11:20 | 000,525,946 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/29 18:11:20 | 000,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/29 18:11:20 | 000,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/29 17:55:38 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\TFC.exe
[2010/08/29 17:32:04 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/29 17:31:50 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/29 15:02:06 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/29 14:14:00 | 000,000,857 | ---- | M] () -- C:\WINDOWS\lsrslt.ini
[2010/08/29 13:21:30 | 003,830,790 | R--- | M] () -- C:\Documents and Settings\Mark\Desktop\ComboFix.exe
[2010/08/27 20:04:38 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mark\Desktop\OTL.exe
[2010/08/27 18:02:11 | 000,000,720 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/27 17:45:16 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe
[2010/08/27 17:09:33 | 000,012,235 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\DrWatson.PNG
[2010/08/27 16:59:54 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\rkill.scr
[2010/08/27 16:58:12 | 006,153,376 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mark\Desktop\mbam-setup-1.46.exe
[2010/08/18 19:59:19 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Mark\defogger_reenable
[2010/08/17 23:40:22 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\Defogger.exe
[2010/08/17 22:33:50 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\gmer.zip
[2010/08/17 22:32:20 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\dds.scr
[2010/08/15 16:13:44 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/15 16:12:56 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/11 23:23:46 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Mark\Desktop\spybotsd162.exe
[2010/08/11 23:04:50 | 000,001,580 | ---- | M] () -- C:\Documents and Settings\Mark\Desktop\HijackThis.lnk
[2010/08/11 20:27:36 | 128,750,008 | ---- | M] (Lavasoft ) -- C:\Documents and Settings\Mark\Desktop\Ad-AwareInstall.exe

========== Files Created - No Company Name ==========

[2010/08/30 21:47:03 | 000,075,776 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Plan travail educ.doc
[2010/08/29 15:02:05 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/29 15:02:01 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/29 14:35:48 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/29 14:35:48 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/29 14:35:48 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/29 14:35:48 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/29 14:35:48 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/29 13:17:48 | 003,830,790 | R--- | C] () -- C:\Documents and Settings\Mark\Desktop\ComboFix.exe
[2010/08/27 17:51:59 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\xcff7ghy.exe
[2010/08/27 17:12:31 | 000,000,720 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/27 17:11:28 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\rkill.scr
[2010/08/27 17:09:33 | 000,012,235 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\DrWatson.PNG
[2010/08/18 19:59:19 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Mark\defogger_reenable
[2010/08/18 19:54:04 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\dds.scr
[2010/08/18 19:54:04 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\gmer.zip
[2010/08/18 19:54:04 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\Defogger.exe
[2010/08/15 12:54:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/11 23:04:50 | 000,001,580 | ---- | C] () -- C:\Documents and Settings\Mark\Desktop\HijackThis.lnk
[2010/08/11 02:50:03 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/07/29 00:19:11 | 000,000,857 | ---- | C] () -- C:\WINDOWS\lsrslt.ini
[2010/05/16 05:19:07 | 000,000,146 | ---- | C] () -- C:\WINDOWS\CAPTURE.INI
[2010/01/25 17:32:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/01/09 02:26:18 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/06 00:11:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2010/01/06 00:08:52 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\bioapi_mds300.dll
[2010/01/06 00:08:52 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\bioapi100.dll
[2010/01/06 00:08:48 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Mark\Local Settings\Application Data\fusioncache.dat
[2010/01/06 00:01:32 | 000,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2010/01/05 23:39:05 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2010/01/05 23:39:05 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2009/10/20 14:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2006/03/25 21:19:50 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\Internationalization_en.dll
[2006/03/24 19:19:22 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_en.dll
[2006/03/24 19:14:34 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_es.dll
[2006/03/24 19:14:28 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ko.dll
[2006/03/24 19:14:22 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_de.dll
[2006/03/24 19:14:18 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_pt-BR.dll
[2006/03/24 19:14:12 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_fr.dll
[2006/03/24 19:14:08 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ja.dll
[2006/03/24 19:14:02 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_ru.dll
[2006/03/24 19:13:58 | 000,184,320 | ---- | C] () -- C:\WINDOWS\System32\AmRes_it.dll
[2006/03/24 19:13:52 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHS.dll
[2006/03/24 19:13:46 | 000,176,128 | ---- | C] () -- C:\WINDOWS\System32\AmRes_zh-CHT.dll
[2006/03/09 16:25:24 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\wxvault.dll
[2006/03/09 16:24:10 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
[2005/12/01 18:41:20 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\pbadrvdll.dll
[2005/11/30 17:33:06 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\Tsp.dll
[2005/11/30 17:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_RUS.dll
[2005/11/30 17:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ITA.dll
[2005/11/30 17:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_FRA.dll
[2005/11/30 17:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ESN.dll
[2005/11/30 17:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_ENU.dll
[2005/11/30 17:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_DEU.dll
[2005/11/30 17:33:06 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\TspPopup_CHS.dll
[2005/09/20 17:36:06 | 000,798,720 | ---- | C] () -- C:\WINDOWS\System32\DemoLicense.dll
[2005/01/21 16:02:28 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\RMDevice.dll
[2004/07/21 19:03:14 | 000,917,504 | ---- | C] () -- C:\WINDOWS\System32\lmgr10.dll
[2004/07/20 18:27:52 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ADsSecurity.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/10/20 21:45:49 | 000,000,046 | ---- | C] () -- C:\WINDOWS\hpsfx.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/03/10 12:54:42 | 000,001,024 | ---- | M] () -- C:\.rnd
[2010/01/05 02:01:28 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/07/29 11:27:10 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/29 15:02:06 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/08/29 17:34:59 | 000,012,915 | ---- | M] () -- C:\ComboFix.txt
[2010/01/05 02:01:28 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/01/05 02:01:28 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/02/22 14:22:58 | 000,000,638 | ---- | M] () -- C:\MPUsbSIn.log
[2010/01/05 02:01:28 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/01/12 13:57:45 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/30 18:57:23 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2010/08/27 17:56:59 | 000,000,267 | ---- | M] () -- C:\rkill.log
[2010/07/27 15:07:26 | 000,000,150 | ---- | M] () -- C:\zrpt.xml

< %systemroot%\Fonts\*.com >
[2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2010/01/05 02:01:07 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2009/09/28 20:34:40 | 000,047,416 | ---- | M] (LogMeIn, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\LMIproc.dll
[2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2008/07/06 06:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2009/07/10 16:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2010/01/04 17:11:53 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/01/04 17:11:53 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/01/04 17:11:53 | 000,901,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2010/01/12 14:02:12 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-14 07:02:37

========== Files - Unicode (All) ==========
[2010/06/05 15:04:18 | 000,000,000 | ---D | M](C:\WINDOWS\System32\??) -- C:\WINDOWS\System32\퍀̫
[2010/06/05 15:04:18 | 000,000,000 | ---D | C](C:\WINDOWS\System32\??) -- C:\WINDOWS\System32\퍀̫

========== Alternate Data Streams ==========

@Alternate Data Stream - 163 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84
< End of report >


#15 mpascal

Math Nerd

  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 30 August 2010 - 10:35 PM

Hi there,

No problem, glad I could help you out.

Now that your system appears to be clean, I'll give you some instructions to remove the tools we have used and I'll offer some advice to help prevent future infection.

STEP 1 - Clear Restore Points

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :Commands
    [CLEARALLRESTOREPOINTS]

  • Then click the Run Fix button at the top.

STEP 2 - Uninstall ComboFix
  • Rename the Combo-Fix file on your desktop to Uninstall.
  • Double click on Uninstall to uninstall the program.

STEP 3 - Remove Tools

Run OTL
  • Click Clean Up in the upper right corner.
  • This will remove most if not all the tools we used while we were fixing your computer. Feel free to delete any others it leaves behind.
Now that you have a clean system, I would like to share with you some advice to help reduce the risk of future infection.

+++++++++++++++++++++++++++++++++++++++++++++++

I recommend that you install both of the following free programs if you haven't already, as they can greatly increase the security of your system. It is not essential that you have these programs installed, but they do a very good job at preventing infection if your system is scanned regularly.

+++++++++++++++++++++++++++++++++++++++++++++++

A good firewall is also useful for keeping a system infection free. You should only have ONE firewall installed on your computer - having more than one will not increase the security of your system. Here is a small list of some free firewalls.

An antivirus program is also a program that should be installed on all computers. These will help reduce the risk that your computer gets infected by viruses or trojans in the future. Keep in mind that you only need ONE antivirus program installed on your computer. If you have more than one installed, they can often conflict and leave your system unprotected.

Having up to date Antivirus and Firewall software is vital to keeping a healthy, infection free system.

+++++++++++++++++++++++++++++++++++++++++++++++

To find out more information on how your system got infected, or how to protect yourself on the internet in the future, this article by Tony Klein provides some great information.

Good luck and safe surfing!

-mpascal


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.
