
XP Security Tool + Google Redirect + More

Discussion in 'Virus & Other Malware Removal' started by karlds82, Apr 11, 2010.

Thread Status:
Not open for further replies.
  1. karlds82

    karlds82 Thread Starter

    Joined:
    May 31, 2004
    Messages:
    25
    Hello, I could really use some assistance. Here's a brief synopsis: my Dell Latitude D620, running Windows XP, is currently infected with the XP Security Tool Virus, the Google Redirect Virus, and something called apntex.exe. There may be more.

    Prior to the XP Security Tool Virus, I ran Malwarebytes but it found nothing. After continuing problems, I tried to run Malwarebytes again, but now it won't open, instead opening the XP Security Tool virus every time I try. This is even true in Safe Mode.

    Prior to the infections, I had McAfee and Spybot S&D running (I have since removed Spybot in case it was conflicting with the McAfee search). I ran several McAfee scans. The first one turned up about 10-12 instances of "svchost.exe" which it identified as a Trojan. They also note something to the effect that it appears the system is trying to hide something and I should run Prescan or the scan in safe mode. I ran it in Safe Mode and it found nothing.

    My HJT log follows. Thank you in advance for your assistance!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:40:18 PM, on 4/11/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\stsystra.exe
    C:\Documents and Settings\Karl\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Karl\Local Settings\Application Data\ave.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: Shell=
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Document Manager] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Karl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: EMBASSY Trust Suite Secure Update.lnk = C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164827851390
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: wxvault.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DataSvr2 - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

    --
    End of file - 9367 bytes
     
  2. karlds82

    karlds82 Thread Starter

    Joined:
    May 31, 2004
    Messages:
    25
    <bump>
     
  3. karlds82

    karlds82 Thread Starter

    Joined:
    May 31, 2004
    Messages:
    25
    <bump>

    Happy to wait, just want to stay in the queue. My laptop is basically unusable.
     
  4. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:


    Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    NEXT


    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.
    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.


    NEXT


    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.




    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
     
  5. karlds82

    karlds82 Thread Starter

    Joined:
    May 31, 2004
    Messages:
    25
    Thanks for the help! Unfortunately, on the laptop I cannot open any browser (all say "[program].exe is not a valid Win32 application.") Windows 7 will not allow my desktop to download exeHelper to a flash drive - it says I need permission, but there is only one account on this computer (i.e. the one I'm logged in under). Any way around this to get the file on my laptop?
     
  6. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Right click on your browser on the Win7 desktop and choose "run as an administrator", then see if you now have permission to save it.

    Download it to your desktop if you can do that, then copy it to the USB and transfer it over.
     
  7. karlds82

    karlds82 Thread Starter

    Joined:
    May 31, 2004
    Messages:
    25
    Still no luck. It says "You require permission from [computer name]\[profile name] to make changes to this file." and allows me to "Try again" or "Cancel." I am logged in under the profile it says I need permission from. The same error appears when opening IE with "Run as administrator" or opening it normally. Any other thoughts?
     
  8. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Have you had any trouble downloading any other files to the desktop?

    Is the account you are on an Administrator's account?
     
  9. karlds82

    karlds82 Thread Starter

    Joined:
    May 31, 2004
    Messages:
    25
    I have not had any troubles; to be sure, I just downloaded another file to the desktop with no problems.

    I don't know if my account is an Administrator's account. It's the only account that appears when I go to "Switch user" on the Start menu.

    I might add that when I try to download exeHelper, a popup appears notifying me that the file I'm downloading has been reported to be unsafe. I then click on "Disregard and download unsafe file (not recommended)". That's when the permission requirement screen appears.
     
  10. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    What security program are you using that is telling you that?

    Please disable that program - then download exeHelper (the file is safe)
     
  11. karlds82

    karlds82 Thread Starter

    Joined:
    May 31, 2004
    Messages:
    25
    Okay, all three accomplished (the security program I disabled was Microsoft Security Essentials). Results follow. And thanks again!

    *****

    exeHelper by Raktor
    Build 20100414
    Run at 20:32:38 on 04/15/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Deleting file C:\Documents and Settings\Karl\Local Settings\Application Data\ave.exe
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Removing HKCR\secfile
    Resetting filetype association for .com
    Removing HKCR\secfile
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    *****


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Karl at 20:33:50.81 on Thu 04/15/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.483 [GMT -7:00]

    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Wave Systems Corp\Common\DataServer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Documents and Settings\Karl\Desktop\dds.com

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
    uRun: [Google Update] "c:\documents and settings\karl\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164827851390
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: wxvault.dll c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
    LSA: Authentication Packages = msv1_0 wvauth

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\karl\applic~1\mozilla\firefox\profiles\o6oe35qj.default\
    FF - plugin: c:\documents and settings\karl\application data\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\karl\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-26 340592]
    R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2008-9-29 19456]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-9-29 143088]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-9-29 62800]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-1-26 67904]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-26 90360]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-26 42424]
    S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys --> c:\windows\system32\drivers\ov550i.sys [?]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-11-1 30192]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-1-26 64432]

    =============== Created Last 30 ================

    2010-04-12 02:39:40 0 d-----w- c:\program files\Trend Micro
    2010-04-11 00:19:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-11 00:19:35 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-11 00:19:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-08 14:36:39 664 ----a-w- c:\windows\system32\d3d9caps.dat

    ==================== Find3M ====================

    2010-04-16 02:26:24 39009 ----a-w- c:\windows\system32\nvModes.dat
    2010-04-11 16:25:57 17153 ----a-w- c:\windows\system32\drivers\omci.sys
    2010-02-25 18:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
    2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2008-08-19 03:29:21 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

    ============= FINISH: 20:36:19.29 ===============

    *****

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-15 22:14:25
    Windows 5.1.2600 Service Pack 3
    Running: 0qc5ptyp.exe; Driver: C:\DOCUME~1\Karl\LOCALS~1\Temp\awrdqaob.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xF71C91C8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF71C9086]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xF71C9020]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF71C9034]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF71C909A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF71C90C6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF71C9134]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF71C911E]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xF71C914A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF71C9176]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF71C9072]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF71C8FE4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF71C8FF8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF71C91DC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xF71C91B2]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF71C9108]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF71C90F2]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF71C90B0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xF71C919E]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xF71C918A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xF71C905E]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF71C904A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF71C90DC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF71C920D]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xF71C9160]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF71C91F2]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey + 3 80622907 4 Bytes [BA, 76, 90, 90]
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6421360, 0x212B5D, 0xE8000020]
    .rsrc C:\WINDOWS\system32\DRIVERS\omci.sys entry point in ".rsrc" section [0xF784DC74]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[264] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00820FE5
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008200A2
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00820091
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00820FB7
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00820076
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0082004A
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008200DF
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008200CE
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0082010B
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008200F0
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0082011C
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00820065
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00820000
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008200BD
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00820025
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00820FD4
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00820F7C
    .text C:\WINDOWS\system32\svchost.exe[264] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0081001B
    .text C:\WINDOWS\system32\svchost.exe[264] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00810F80
    .text C:\WINDOWS\system32\svchost.exe[264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00810FCA
    .text C:\WINDOWS\system32\svchost.exe[264] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0081000A
    .text C:\WINDOWS\system32\svchost.exe[264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00810F9B
    .text C:\WINDOWS\system32\svchost.exe[264] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00810FEF
    .text C:\WINDOWS\system32\svchost.exe[264] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00810047
    .text C:\WINDOWS\system32\svchost.exe[264] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0081002C
    .text C:\WINDOWS\system32\svchost.exe[264] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800FA3
    .text C:\WINDOWS\system32\svchost.exe[264] msvcrt.dll!system 77C293C7 5 Bytes JMP 00800038
    .text C:\WINDOWS\system32\svchost.exe[264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800FD9
    .text C:\WINDOWS\system32\svchost.exe[264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800000
    .text C:\WINDOWS\system32\svchost.exe[264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800FBE
    .text C:\WINDOWS\system32\svchost.exe[264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800011
    .text C:\WINDOWS\system32\svchost.exe[264] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00740FE5
    .text C:\WINDOWS\system32\svchost.exe[264] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00740000
    .text C:\WINDOWS\system32\svchost.exe[264] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00740FCA
    .text C:\WINDOWS\system32\svchost.exe[264] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00740FB9
    .text C:\WINDOWS\system32\svchost.exe[264] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0FEF
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[308] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Bonjour\mDNSResponder.exe[340] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 007F6DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 007F72BA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 007F5BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 007F737D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 007F724D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 007F5AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007F73E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 007F6C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 007F595F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 007F61DA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 007F65B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 007F6AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 007F633F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 007F6261 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 007F62BB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007F6035 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 007F66AD C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\Wave Systems Corp\Common\DataServer.exe[500] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 007F6A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0167000A
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0167008B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01660014
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0166006C
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01660FC3
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01660FDE
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0166005B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01660FEF
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01660040
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0166002F
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01650F81
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] msvcrt.dll!system 77C293C7 5 Bytes JMP 01650FA6
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01650FC1
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01650FE3
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01650016
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01650FD2
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01640FE5
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01630FEF
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0163000A
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0163001B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[820] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01630FCA
    .text C:\WINDOWS\system32\winlogon.exe[872] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\winlogon.exe[872] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01250000
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01250F83
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01250F94
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01250062
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01250047
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01250FCA
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0125009F
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01250F4D
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01250F17
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 012500B0
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01250EFC
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01250FAF
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0125001B
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01250F5E
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01250036
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01250FE5
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01250F3C
    .text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01240FD4
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01240F9E
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01240025
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01240000
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0124005B
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01240FEF
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0124004A
    .text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01240FC3
    .text C:\WINDOWS\system32\services.exe[924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01230038
    .text C:\WINDOWS\system32\services.exe[924] msvcrt.dll!system 77C293C7 5 Bytes JMP 01230FAD
    .text C:\WINDOWS\system32\services.exe[924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01230FD2
    .text C:\WINDOWS\system32\services.exe[924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01230FE3
    .text C:\WINDOWS\system32\services.exe[924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0123001D
    .text C:\WINDOWS\system32\services.exe[924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0123000C
    .text C:\WINDOWS\system32\services.exe[924] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\services.exe[924] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0FEF
    .text C:\WINDOWS\system32\services.exe[924] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF000A
    .text C:\WINDOWS\system32\services.exe[924] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF0FDE
    .text C:\WINDOWS\system32\services.exe[924] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF002F
    .text C:\WINDOWS\system32\services.exe[924] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01220FE5
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01180000
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01180F6B
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01180F7C
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01180056
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01180F97
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01180FA8
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01180F33
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01180F44
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01180F0E
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0118009D
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011800C2
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01180039
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01180FE5
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0118007B
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01180FB9
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01180FD4
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0118008C
    .text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0117002F
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0117005B
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01170FDE
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01170FEF
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01170FA8
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0117000A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0117004A
    .text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01170FC3
    .text C:\WINDOWS\system32\lsass.exe[936] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\lsass.exe[936] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0116001B
    .text C:\WINDOWS\system32\lsass.exe[936] msvcrt.dll!system 77C293C7 5 Bytes JMP 01160F90
    .text C:\WINDOWS\system32\lsass.exe[936] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01160FC6
    .text C:\WINDOWS\system32\lsass.exe[936] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01160000
    .text C:\WINDOWS\system32\lsass.exe[936] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01160FA1
    .text C:\WINDOWS\system32\lsass.exe[936] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01160FD7
    .text C:\WINDOWS\system32\lsass.exe[936] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01150000
    .text C:\WINDOWS\system32\lsass.exe[936] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01140000
    .text C:\WINDOWS\system32\lsass.exe[936] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01140011
    .text C:\WINDOWS\system32\lsass.exe[936] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01140022
    .text C:\WINDOWS\system32\lsass.exe[936] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01140FDB
    .text C:\WINDOWS\system32\mfevtps.exe[1004] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\mfevtps.exe[1004] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe[1072] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text
     
  12. karlds82

    .text C:\Program Files\McAfee\VirusScan Enterprise\ShStat.exe[1288] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60FE5
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B6007D
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B60F88
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60FA5
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60062
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B60036
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B60F50
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B60F61
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B600DF
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B600C4
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B60F35
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60047
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B60FD4
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B6008E
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B6001B
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B6000A
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B600B3
    .text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00880FE5
    .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00880FA8
    .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00880036
    .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00880025
    .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00880FB9
    .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00880000
    .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0088005B
    .text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00880FD4
    .text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00870F95
    .text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!system 77C293C7 5 Bytes JMP 00870FA6
    .text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00870FD2
    .text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00870000
    .text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00870FC1
    .text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00870FE3
    .text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0000
    .text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B001B
    .text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0036
    .text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0FE5
    .text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740000
    .text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E30FEF
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E30F5C
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E30F6D
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E30F88
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E30047
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E3001B
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E30093
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E30F41
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E30F30
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E300C9
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E300E4
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E3002C
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E30FD4
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E3006C
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E30FAF
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E3000A
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E300A4
    .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00880FDB
    .text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00880F8D
    .text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0088002C
    .text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00880011
    .text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00880F9E
    .text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00880000
    .text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00880FAF
    .text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A8, 88] {TEST AL, 0x88}
    .text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00880FCA
    .text C:\WINDOWS\system32\svchost.exe[1384] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00870FB0
    .text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!system 77C293C7 5 Bytes JMP 0087003B
    .text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00870FD2
    .text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00870FEF
    .text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00870FC1
    .text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0087000C
    .text C:\WINDOWS\system32\svchost.exe[1384] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00740FEF
    .text C:\WINDOWS\system32\svchost.exe[1384] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00740FDE
    .text C:\WINDOWS\system32\svchost.exe[1384] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00740014
    .text C:\WINDOWS\system32\svchost.exe[1384] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0074002F
    .text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB000A
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DB0F72
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DB0F83
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DB0067
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DB004A
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB002F
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DB0F4B
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DB0093
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB0F0E
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DB0F1F
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DB0EF3
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DB0FA8
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DB0FEF
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DB0082
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DB0FC3
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DB0FD4
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DB0F30
    .text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00880036
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00880FAF
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00880025
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0088000A
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0088006C
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00880FEF
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00880FCA
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A8, 88] {TEST AL, 0x88}
    .text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00880047
    .text C:\WINDOWS\system32\svchost.exe[1416] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00870FBE
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!system 77C293C7 5 Bytes JMP 00870049
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0087002E
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00870000
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00870FD9
    .text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0087001D
    .text C:\WINDOWS\system32\svchost.exe[1416] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0000
    .text C:\WINDOWS\system32\svchost.exe[1416] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1416] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0FDE
    .text C:\WINDOWS\system32\svchost.exe[1416] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B0FC3
    .text C:\WINDOWS\system32\svchost.exe[1416] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00860FEF
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe[1568] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1712] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe[2040] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2108] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\Documents and Settings\Karl\Desktop\0qc5ptyp.exe[2188] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\Explorer.EXE[3328] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D1000A
    .text C:\WINDOWS\Explorer.EXE[3328] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DB000A
    .text C:\WINDOWS\Explorer.EXE[3328] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D0000C
    .text C:\WINDOWS\Explorer.EXE[3328] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\UdaterUI.exe[3632] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
    .text C:\Program Files\McAfee\Common Framework\McTray.exe[3692] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!ReadFile 7C801812 7 Bytes JMP 10005AF1 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100073E3 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 10006C79 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!CloseHandle 7C809BE7 5 Bytes JMP 1000595F C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetDriveTypeW 7C80B370 5 Bytes JMP 100061DA C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 100065B6 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!DuplicateHandle 7C80DE9E 7 Bytes JMP 10006AEA C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 1000633F C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!FindClose 7C80EE77 7 Bytes JMP 10006261 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!FindNextFileW 7C80EFDA 7 Bytes JMP 100062BB C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10006035 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetFileSizeEx 7C810AA9 1 Byte [E9]
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 100066AD C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetFileInformationByHandle 7C810D0D 5 Bytes JMP 10006A54 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 100059B9 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 100064E4 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetLongPathNameW 7C8133F3 5 Bytes JMP 10006EA5 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetShortPathNameW 7C81F26E 5 Bytes JMP 10006F53 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10006725 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 10007202 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10005C61 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!SetFileAttributesW 7C8314DD 5 Bytes JMP 1000644C C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetOverlappedResult 7C8315CC 1 Byte [E9]
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetOverlappedResult 7C8315CC 5 Bytes JMP 100069D0 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10006135 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 10007001 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!FlushViewOfFile 7C8359A1 5 Bytes JMP 10006D63 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!RemoveDirectoryW 7C836F8B 5 Bytes JMP 10005E5A C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!BackupRead 7C85725A 5 Bytes JMP 10006E31 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!CreateDirectoryExW 7C85B5CA 5 Bytes JMP 10005F4C C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!WriteFileEx 7C85D6D9 5 Bytes JMP 10005A83 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!GetCompressedFileSizeW 7C85E349 5 Bytes JMP 10007108 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] kernel32.dll!CreateHardLinkW 7C86C5AC 7 Bytes JMP 10007236 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\System32\svchost.exe[3876] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\System32\wxvault.dll
    .text C:\WINDOWS\system32\wuauclt.exe[3964] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A
    .text C:\WINDOWS\system32\wuauclt.exe[3964] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C5000A
    .text C:\WINDOWS\system32\wuauclt.exe[3964] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C
    .text C:\WINDOWS\system32\wuauclt.exe[3964] USER32.dll!ExitWindowsEx 7E45A275 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 86CFAAC8

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\backcookie[2].js 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\poll[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\PortalServe[1].htm 5779 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\block-editing[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\bullet[1] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\candice-swanepoel-0410mag-1[1].jpg 3566 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\candice-swanepoel-0410mag-7[1].jpg 3382 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\candice-swanepoel-0410mag-8[1].jpg 5408 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\cget[1].ashx 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\content-module[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\crossdomain[2].xml 81 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\jump1[1].htm 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\li[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\logging_requests[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\Log[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\maharaja-20100415-01[1].swf 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\map-l020g5[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\mip_packaged[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\node[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\ping[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\ping[2].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\ping[3].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\ping[4].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\csjs[1] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\csjs[2] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\cs[1].htm 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\CustomSkin_vector[1].swf 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\;afid=288743725;dsid=534640;cpall=fbv;cp1=fbv;cp2=ret;cp2=fbv;;tt=i;u=b02148nxv7e170efdau,f0f12sa,g10005k;sz=160x600,120x600;tile=4;ord=7805774994708973;[1] 2062 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\entertainment-news[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\errorPageStrings[1] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\flashwrite_1_2[1].js 801 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\GetBirdsEyeSceneByLocation[1] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\GetBirdsEyeSceneByLocation[2] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\gossip_logo[1].jpg 11002 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\hottest-stories[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\html-elements[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\jsadimp[1].gif 43 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\r02123002233[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\r0212302101[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\radiant_assets_25196_yp[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\rating-sprite[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\search-header-bg[1].jpg 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\searching[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\showad[1].js 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\splash[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\sta[1].htm 174 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\sta[2].htm 174 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\vecss[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\yellowbook_logo[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AJ69L372\ypeek_logo[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\convpixel[2].jpg 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\crossdomain[1].xml 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\crossdomain[2].xml 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\cs[1].htm 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\date[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\DD_roundies_0.0.2a[1].js 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\defaults[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\arrow-down-blue[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\background_gradient[1] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\bg-container-newypc[1].jpg 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\bg-searchbox[1].jpg 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\blue-arrow[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\candice-swanepoel-0410mag-2[1].jpg 4146 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\candice-swanepoel-0410mag-4[1].jpg 3698 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\candice-swanepoel-0410mag-6[1].jpg 2972 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\celebrity-gossip.net.i1[1].js 3027 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\chartbeat[1].js 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\INGU826Q\comment[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\csjs[1] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\cs[1].htm 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\dash_type3[1].htm 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\dotted-border-btm[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\fieldgroup[1].css 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\ga[1].js 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\print[1].css 1300 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\quant[1].js 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\r0212300233[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\r0212300322[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\r0212300323[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\r02123020100[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\r0212302011[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\r0212302100[1].png 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\gossip[1].css 28847 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\header_bg[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\inaccurate-flag[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\info_48[1] 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\jump1[1].htm 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\jump1[2].htm 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\latest-headlines-2[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\launch[1].txt 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\li[1].gif 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\71572;spotx;ddfb7da6a21981fff4af6f93994ca74a;1738958;bb06650172e3d72c6c55063316d8d42d[1].htm 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\71572;spotx;ddfb7da6a21981fff4af6f93994ca74a;1738958;bb06650172e3d72c6c55063316d8d42d[2].htm 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\736258[1].jpg 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\758254[1].jpg 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\AdPlayer8-32.0_033326[1].swf 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\adplayer_skin_20090616[1].swf 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\adtrackJ[1].js 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\ad[1].swf 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\ai[1].jpg 16773 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\backcookie[1].js 0 bytes
    File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MCNY7BWL\backcookie[2].js 0 bytes
    File C:\WINDOWS\system32\DRIVERS\omci.sys suspicious modification
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
     
  13. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Please do the following:

    Download ComboFix from one of the following locations:
    Link 1
    Link 2

    VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    • Double click on ComboFix.exe & follow the prompts.

    Open notepad and copy/paste the text inside the quotebox below into it:

    Save this as CFScript.txt

    [IMG]
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.


      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [IMG]

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [IMG]

    • Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


    Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
     
  14. karlds82

    karlds82 Thread Starter

    The ComboFix log follows. Everything seems to be running smoothly so far!

    *****

    ComboFix 10-04-15.05 - Karl 04/17/2010 0:27.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.756 [GMT -7:00]
    Running from: c:\documents and settings\Karl\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Karl\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Karl\Local Settings\Temporary Internet Files\A37GdYJ4.jpg
    c:\documents and settings\Karl\Local Settings\Temporary Internet Files\q3nRm.jpg
    c:\documents and settings\Karl\Local Settings\Temporary Internet Files\rr4JXXA.jpg
    c:\documents and settings\Karl\Local Settings\Temporary Internet Files\yjm0OQo.jpg
    c:\documents and settings\LocalService\Local Settings\Application Data\ave.exe
    c:\documents and settings\NetworkService\Local Settings\Application Data\ave.exe
    c:\windows\wiaserviv.log

    Infected copy of c:\windows\system32\DRIVERS\omci.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
    .

    2010-04-12 02:43 . 2010-04-12 02:43 182784 --sha-w- c:\documents and settings\Karl\Local Settings\Application Data\332926973.dll
    2010-04-12 02:39 . 2010-04-12 02:39 -------- d-----w- c:\program files\Trend Micro
    2010-04-11 17:40 . 2010-04-11 17:40 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-04-11 00:19 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-11 00:19 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-11 00:19 . 2010-04-11 00:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-08 14:36 . 2010-04-16 02:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-08 09:05 . 2010-04-08 09:05 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
    2010-04-08 09:04 . 2010-04-08 09:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-17 07:37 . 2006-11-01 13:38 39009 ----a-w- c:\windows\system32\nvModes.dat
    2010-04-17 07:11 . 2009-01-26 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-17 07:10 . 2009-01-26 08:01 -------- d-----w- c:\program files\McAfee
    2010-04-11 17:54 . 2009-01-12 21:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-04-11 17:53 . 2009-01-12 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-04-11 16:25 . 2006-11-01 13:59 17153 ----a-w- c:\windows\system32\drivers\omci.sys
    2010-04-08 05:40 . 2010-01-05 04:54 -------- d-----w- c:\documents and settings\Karl\Application Data\Skype
    2010-04-08 04:24 . 2010-01-13 04:28 -------- d-----w- c:\program files\QuickTime
    2010-04-08 04:24 . 2006-12-21 01:00 -------- d-----w- c:\program files\Fallout2
    2010-04-08 04:22 . 2006-12-20 19:58 -------- d-----w- c:\program files\Microsoft Games
    2010-04-08 04:18 . 2006-12-14 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2010-04-08 03:51 . 2010-01-05 04:58 -------- d-----w- c:\documents and settings\Karl\Application Data\skypePM
    2010-03-24 02:18 . 2007-08-20 00:45 -------- d-----w- c:\documents and settings\Karl\Application Data\Apple Computer
    2010-03-24 02:18 . 2006-11-08 17:42 22984 ----a-w- c:\documents and settings\Karl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-14 23:27 . 2010-03-14 23:26 -------- d-----w- c:\program files\iTunes
    2010-03-14 23:27 . 2010-03-14 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2010-03-14 23:26 . 2010-03-14 23:26 -------- d-----w- c:\program files\iPod
    2010-03-14 23:26 . 2007-08-20 00:43 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-14 23:12 . 2010-03-14 23:12 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-03-11 04:59 . 2010-03-11 04:59 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-11 04:59 . 2010-03-11 04:59 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-11 04:59 . 2010-03-11 04:59 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-11 04:59 . 2010-03-11 04:59 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-11 04:59 . 2010-03-11 04:59 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-11 04:59 . 2010-03-11 04:59 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-11 04:59 . 2010-03-11 04:59 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-11 04:59 . 2010-03-11 04:59 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-11 04:59 . 2008-08-28 05:18 -------- d-----w- c:\program files\Common Files\Real
    2010-03-11 04:59 . 2010-03-11 04:58 -------- d-----w- c:\program files\real
    2010-03-11 04:59 . 2010-03-11 04:59 -------- d-----w- c:\program files\Common Files\xing shared
    2010-03-10 06:15 . 2004-08-11 23:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-27 21:25 . 2010-02-27 21:25 593920 ----a-w- c:\documents and settings\Karl\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll
    2010-02-25 06:24 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2004-08-11 23:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 06:40 . 2006-11-01 13:49 -------- d-----w- c:\program files\Java
    2010-02-23 06:39 . 2010-02-23 06:39 152576 ----a-w- c:\documents and settings\Karl\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-02-23 06:38 . 2010-02-23 06:38 79488 ----a-w- c:\documents and settings\Karl\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-02-16 14:08 . 2004-08-11 23:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2004-08-04 04:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-09 06:11 . 2008-12-03 05:51 1956072 ----a-w- c:\documents and settings\Karl\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2010-01-31 17:14 . 2010-01-31 17:14 16832352 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US55016001dupd.exe
    2009-11-06 05:51 . 2007-08-14 05:11 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ------- Sigcheck -------

    [-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
    [-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
    [-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
    [-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

    [-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\asyncmac.sys
    [-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys
    [-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\asyncmac.sys

    [-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

    [-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kbdclass.sys
    [-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
    [-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\kbdclass.sys

    [-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
    [-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
    [-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys

    [-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntfs.sys
    [-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys
    [-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
    [-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\$NtServicePackUninstall$\ntfs.sys
    [-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB930916$\ntfs.sys

    [-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

    [-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
    [-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
    [-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-17 389120]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "Google Update"="c:\documents and settings\Karl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-27 133104]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]
    "nwiz"="nwiz.exe" [2006-01-19 1519616]
    "NVHotkey"="nvHotkey.dll" [2006-01-19 73728]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-06 30192]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-11 202256]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-1 24576]
    EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-1-30 192512]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\\Program Files\\ExamSoft\\SoftLnch.exe
    "c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\\Program Files\\ExamSoft\\SofTest.exe
    "c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
    "c:\\Documents and Settings\\Karl\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    S3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys --> c:\windows\system32\Drivers\ov550i.sys [?]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/1/2006 6:59 AM 30192]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2010-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3664082777-3692669573-1756191606-1005Core.job
    - c:\documents and settings\Karl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-27 20:55]

    2010-04-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3664082777-3692669573-1756191606-1005UA.job
    - c:\documents and settings\Karl\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-27 20:55]

    2010-04-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3664082777-3692669573-1756191606-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

    2010-04-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3664082777-3692669573-1756191606-1005.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061101
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Karl\Application Data\Mozilla\Firefox\Profiles\o6oe35qj.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - plugin: c:\documents and settings\Karl\Application Data\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\Karl\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-17 00:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(720)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll

    - - - - - - - > 'explorer.exe'(3220)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\SCardSvr.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Wave Systems Corp\Common\DataServer.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\stsystra.exe
    c:\program files\Apoint\HidFind.exe
    c:\program files\Apoint\Apntex.exe
    c:\documents and settings\Karl\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2010-04-17 00:40:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-04-17 07:40

    Pre-Run: 34,737,180,672 bytes free
    Post-Run: 35,426,312,192 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 8DF71EC225A91818A3422895D9F4920C
     
  15. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    Go to Start > Run > copy/paste the following into the open run box > OK

    NET START CRYPTSVC


    Let me know if you get any messages


    NEXT




    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
    • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Copy/paste the text inside the Codebox below into notepad:

    Here's how to do that:
    Click Start > Run, type Notepad, click OK.
    This will open an empty notepad file:

    Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

    Code:
    http://forums.techguy.org/7334373-post14.html
    
    Collect::
    c:\documents and settings\Karl\Local Settings\Application Data\332926973.dll
    
    Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

    Save this file to your desktop. Save this as "CFScript".


    Here's how to do that:

    1. Click File;
    2. Click Save As... Change the directory to your desktop;
    3. Change the Save as type to "All Files";
    4. Type in the file name: CFScript
    5. Click Save ...

    [​IMG]
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you.
    • Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
     
Short URL to this thread: https://techguy.org/916297
