A forum for reverse engineering, OS internals and malware analysis 

 #4109  by Meriadoc
 Wed Dec 22, 2010 7:01 pm
load
http://www.virustotal.com/file-scan/rep ... 1293031692

unpacked
http://www.virustotal.com/file-scan/rep ... 1293040601

Process svchost.exe <C:\WINDOWS\system32\svchost.exe> :
Another process is using the same name but a different executable file: <C:\WINDOWS\system32\DirectX\svchost.exe> C:\WINDOWS\system32\DirectX\svchost.exe /service
[760]svchost.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0042000C-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x00420010-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->GetPrivateProfileIntA, Type: IAT modification 0x00420014-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->lstrcmpA, Type: IAT modification 0x00420004-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->VirtualAlloc, Type: IAT modification 0x00420008-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->VirtualFree, Type: IAT modification 0x00420018-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->WideCharToMultiByte, Type: IAT modification 0x00420000-->00000000 [unknown_code_page]
[760]svchost.exe-->user32.dll-->PostMessageW, Type: IAT modification 0x00420020-->00000000 [unknown_code_page]
[760]svchost.exe-->user32.dll-->SetWindowLongA, Type: IAT modification 0x00420024-->00000000 [unknown_code_page]
strings sample
vmware pointing
vmware svga
Detector de OfficeScanNT
F-Secure Filter
FSORSPClient
McAfee Framework Service
Panda Antivirus
ecure HIPS
klif
F-Secure Gatekeeper Handler Starter
Norton Antivirus Service
F-Secure Recognizer
F-Secure Gatekeeper
WinDefend
OutpostFirewall
ZoneAlarm
Kaspersky Anti-Hacker.lnk
ZoneAlarm Client
Zone Labs Client
AMonitor
Look 'n' Stop
Attachments
pass=malware
 #4121  by EP_X0FF
 Thu Dec 23, 2010 4:18 pm
Just to add: the hooks listed above are not rootkit functionality. They are only caused by the cryptor.
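As an added worked example (not code from either poster, and the hook scanner whose output is quoted in the first post is not named there), the following script parses those "IAT modification" lines and applies the distinction EP_X0FF draws: every posted slot was set to 00000000, i.e. emptied rather than redirected, which is what a packer or cryptor leaves behind when its stub resolves imports itself, whereas a user-mode hook would point the slot at code somewhere else. The posted lines are embedded verbatim; the single extra line with a non-zero target is constructed here to exercise the "real redirect" branch and does not come from the sample.

```python
import re
from collections import Counter

# Hook-scanner lines copied verbatim from the first post (PID 760, svchost.exe).
POSTED_LINES = """\
[760]svchost.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification 0x0042000C-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification 0x00420010-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->GetPrivateProfileIntA, Type: IAT modification 0x00420014-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->lstrcmpA, Type: IAT modification 0x00420004-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->VirtualAlloc, Type: IAT modification 0x00420008-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->VirtualFree, Type: IAT modification 0x00420018-->00000000 [unknown_code_page]
[760]svchost.exe-->kernel32.dll-->WideCharToMultiByte, Type: IAT modification 0x00420000-->00000000 [unknown_code_page]
[760]svchost.exe-->user32.dll-->PostMessageW, Type: IAT modification 0x00420020-->00000000 [unknown_code_page]
[760]svchost.exe-->user32.dll-->SetWindowLongA, Type: IAT modification 0x00420024-->00000000 [unknown_code_page]
"""

# Constructed line (NOT from the post): a slot redirected to a non-zero address
# outside any known image, the shape a genuine user-mode hook would have.
CONSTRUCTED_HOOK = ("[760]svchost.exe-->kernel32.dll-->CreateFileW, Type: IAT modification "
                    "0x0042002C-->00D3A1F0 [unknown_code_page]")

# Line format: [pid]process-->module-->function, Type: <type> <slot>--><new value> [<owner>]
LINE_RE = re.compile(
    r'^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<mod>.+?)-->(?P<func>.+?), '
    r'Type: (?P<type>.+?) (?P<slot>0x[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$'
)


def parse(text):
    """Parse scanner lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d['pid'] = int(d['pid'])
        d['slot'] = int(d['slot'], 16)   # address of the IAT entry that was changed
        d['new'] = int(d['new'], 16)     # value now stored in that entry
        entries.append(d)
    return entries


def classify(entry):
    """Separate an emptied import slot from one that was redirected somewhere."""
    if entry['new'] == 0:
        # Slot zeroed: nothing to call through, so nothing is being hooked. The
        # unpacking stub has to resolve the API itself (GetProcAddress or hashing).
        return 'zeroed'
    if entry['owner'].lower().endswith(('.dll', '.exe', '.sys')):
        # Target lies inside a named image: could be an AV/HIPS hook DLL or an
        # injected module; needs a look at that module.
        return 'redirected-to-module'
    # Target is in memory the scanner could not attribute to any image: the
    # classic sign of injected code or a user-mode rootkit hook.
    return 'redirected-to-unknown-code'


def iat_layout(entries):
    """Return (lowest slot, highest slot, set of distances between consecutive slots).

    A uniform 4-byte stride over one short range means the modified entries form a
    contiguous 32-bit thunk array, i.e. the whole import table was rebuilt, rather
    than a handful of interesting APIs being cherry-picked for hooking."""
    slots = sorted(e['slot'] for e in entries)
    strides = {b - a for a, b in zip(slots, slots[1:])}
    return slots[0], slots[-1], strides


def triage(entries):
    """Per-PID summary with a verdict in the spirit of EP_X0FF's remark."""
    report = {}
    for pid in sorted({e['pid'] for e in entries}):
        mine = [e for e in entries if e['pid'] == pid]
        counts = Counter(classify(e) for e in mine)
        lo, hi, strides = iat_layout(mine)
        if counts['zeroed'] == len(mine):
            verdict = ('import slots emptied, not redirected: packer/cryptor stub resolves '
                       'APIs itself, no hook target to inspect')
        elif counts['redirected-to-unknown-code']:
            verdict = ('slots redirected into memory not backed by a known image: '
                       'inspect the target (injected code / user-mode hook)')
        else:
            verdict = 'slots redirected into a named module: identify that module before calling it a hook'
        report[pid] = {'counts': dict(counts), 'slot_range': (lo, hi),
                       'strides': strides, 'verdict': verdict}
    return report


if __name__ == '__main__':
    for pid, info in triage(parse(POSTED_LINES)).items():
        lo, hi = info['slot_range']
        print(f"PID {pid}: {info['counts']} slots 0x{lo:08X}-0x{hi:08X} strides {sorted(info['strides'])}")
        print(f"  {info['verdict']}")
    print('constructed line ->', classify(parse(CONSTRUCTED_HOOK)[0]))
```

On the posted lines the modified slots run from 0x00420000 to 0x00420024 at a 4-byte stride (the one 8-byte gap at 0x0042001C is where a null terminator between the kernel32 and user32 thunk arrays would sit in a 32-bit import table, which is consistent with the layout but is an inference, not something the post states), and every slot holds zero, so the script reports a rebuilt import table rather than a hook. Real redirection, as in the constructed line, would instead send the analyst to read the code at the target address.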