Posted (edited)

Yes: the infection is holding on! We're going to scan your PC in safe mode with a powerful antivirus (it won't protect your PC, we're only using it to scan and clean).

Follow it through to the end, and if you run into a problem, don't hesitate to tell me :P

You have two ways to consult the instructions that follow:

-Either you copy/paste the content of the procedure into a text file (which you put on the desktop) so you can consult it in safe mode (you won't have internet access!).

-You can also save the complete web page containing the procedure, doing it from your browser:

-Go to the top of the page and click the "File" menu: a list appears =>

-Choose "Save as" and choose "Desktop".

-Then click the "Save" button to the right of the "file name" field.

To read the procedure in safe mode, you'll only need to double-click the file Smitfraud-C très récalcitrant (with your browser's icon) located on the desktop. (You'll notice that a new folder gets created on the desktop in addition to the file: that's normal!) This way you'll keep all the formatting and colours of the procedure, which will help you find your way around.

--------------------------------------------------------------------------------------------------------------------------

 

The procedure:

Step 1:

-Please send the following folder from your desktop > a zipped file named Submit [Date Heure].zip > to the following address > http://upload.malekal.com

Click Browse and select Submit [Date Heure].zip on the desktop.

Leave the destination directory as it is.

Click Send file

Thanks :P

If you can't find this file, go to the C:\ directory, then right-click the Qoobox folder > choose Send to > compressed folders > a zip file will appear (Qoobox) > send it to the same address.

-Download ATF Cleaner by Atribune to your desktop.

-Download eScan Antivirus Toolkit here. Save it to your Desktop.

Before launching the program, it has to be updated as described in step 2.

 

Step 2:

Here is how to update the tool:

1.) Double-click the file mwav.exe on the Desktop; unzip the files into the suggested new folder (C:\Kaspersky). The program will start, and you must quit it (click "Exit" then "Exit").

2.) Double-click My Computer, then double-click the main drive (usually C:\), double-click the Kaspersky folder; then double-click the file kavupd.exe. You'll now see a DOS window appear, and the update will complete in a few minutes.

3.) When the update is complete, you'll see "Press any key to continue"; press a key to continue. Two new directories (folders) were created during the update (C:\Bases and C:\Downloads).

4.) Select/copy all the files in the folder C:\Downloads, then paste them into the folder C:\Kaspersky. Accept when prompted to replace the existing files.

Do not start the scan yet!

 

Step 3:

Restart the PC, and it must be in safe mode.

When the computer restarts, once the BIOS has finished loading, a black screen appears briefly > Tap the [F8] and [F5] keys alternately until the Windows advanced options menu is displayed.

Select "Safe Mode" and press the [Enter] key.

Choose your usual account, not Administrator

 

Step 4:

Double-click ATF Cleaner to launch the program.

  • Under the Main tab, choose: Select All
    Click the Empty Selected button

If you use the Firefox browser:

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you want to keep your saved passwords, click No at the prompt.

If you use the Opera browser:

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you want to keep your saved passwords, click No at the prompt.

Click Exit, in the main menu, to close the program.

Step 5:

From Safe Mode, here is how to use eScan Antivirus Toolkit:

1.) To launch "eScan Antivirus Toolkit", find the file mwavscan.com located in the folder C:\Kaspersky

2.) Double-click mwavscan.com; the eScan interface will appear on screen.

3.) It is very important to tick these boxes under Scan Option: Memory, Registry, Startup Folders, System Folders, Services.

4.) Tick the Drive box, which gives access to a new Drive box (radio button) just below; tick this "Drive" button (very important..), and you'll see a new navigation box appear on the right. Click the small arrow of this box and choose the letter of your hard drive, usually C:\.

5.) Just below, make sure Scan All Files is ticked, and not Program Files.

6.) Click Scan Clean and let the tool check the whole hard drive (it can take a long time..). When finished, you'll see Scan Completed. Don't quit yet!

7.) Open a new Notepad file (click "Start" >> "Programs" >> "Accessories" >> "Notepad"), then copy/paste the entire content of the Virus Log Information window (the second one, at the bottom) into the text file, and save it. eScan also generates a full report in the folder C:\Kaspersky (named mwav.log), but it is too big to post on the forum.

Close the program. Restart your PC in Normal mode.

Step 6:

Post (copy/paste) the report you saved in your next reply.

Run ComboFix and HijackThis again and post the reports please.

Hang in there :P

Edited by charles ingals

Posted

I have a big problem after running eScan. :P

*It did its scan fine, deleted or renamed files (I did see some autorun.exe and other files go by that seemed to me necessary for starting a system). I restarted.

Except that after the "Welcome" screen, the wallpaper is displayed, then nothing more, and it comes back to the account selection page (with my only account). Immediate logon-logoff, in short.

Same in safe mode, whether on the administrator account or the user account.

Needless to say I'm very worried.

Posted

Re!

Damn!! This must be the very first time eScan has removed a legitimate file! This is due to the malware itself, which modified registry entries.

(I did see some autorun.exe and other files go by that seemed to me necessary for starting a system).

The malware does use file names that belong to Windows, but they are not in the right place! (which makes all the difference)

You'll find a C:\WINDOWS\smss.exe whereas the legitimate file is in System32...

Did you get a message at startup telling you that a file was missing? (NTLDR is missing or damaged?)

If you have the XP CD, here's what you're going to do >

1) Put the XP CD in the drive and restart the PC, then follow the info on this page to access the Windows Recovery Console > http://www.zebulon.fr/dossiers/61-3-demarr...cuperation.html

2) Some info on using the Recovery Console (answer the questions you're asked in order to start it) > http://www.zebulon.fr/dossiers/61-4-utilis...cuperation.html

3) Once in the console, type this > fixboot c: then press the [Enter] key

At the confirmation prompt, answer O

Illustrated here > http://www.zebulon.fr/dossiers/61-6-repare...cteur-boot.html

Once that's done, restart the PC: the problem should be solved.

If it works, you can post the requested reports

Tell me how it goes please: if it doesn't work, we'll do it another way :P
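The location check described in the post above, written out as an added example (not part of the original thread, and not how eScan or HijackThis work internally): it parses lines in the format of the eScan report posted later in this thread and flags files that carry a Windows system binary's name outside its real directory. The directory table assumes Windows XP installed in C:\WINDOWS, and the mapping of Qoobox quarantine copies back to their original path is inferred from the quarantine paths in that report.

```python
import ntpath
import re

# Directory where each Windows XP system binary legitimately lives (lower-case).
# Assumption: Windows is installed in C:\WINDOWS, as on the machine in this thread.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "regedit.exe": r"c:\windows",
}

# One entry of the eScan "Virus Log Information" window, in the two shapes seen in the report.
ESCAN_LINE = re.compile(
    r'^File (?P<path>.+?) (?:'
    r'infected by "(?P<threat>[^"]+)" Virus\. Action Taken: (?P<action>[^.]+)\.'
    r'|tagged as (?P<tag>\S+)\. No Action Taken\.)$'
)

# Assumed layout of ComboFix quarantine copies: C:\qoobox\Quarantine\<drive>\<original path>.vir
QOOBOX = re.compile(r"^[a-z]:\\qoobox\\quarantine\\([a-z])\\(.+)\.vir$", re.IGNORECASE)


def original_path(path):
    """Map a Qoobox quarantine copy back to the path the file was taken from."""
    m = QOOBOX.match(path)
    return f"{m.group(1)}:\\{m.group(2)}" if m else path


def masquerades(path):
    """True if the file has a system binary's name but sits outside its real directory."""
    directory, name = ntpath.split(original_path(path))
    expected = EXPECTED_DIR.get(name.lower())
    return expected is not None and ntpath.normcase(directory) != expected


def triage(report_lines):
    """Parse eScan report lines and return the entries that masquerade as system binaries."""
    hits = []
    for line in report_lines:
        m = ESCAN_LINE.match(line.strip())
        if not m:
            continue  # blank lines, "Etc.", anything that is not a report entry
        path = m.group("path")
        if masquerades(path):
            hits.append({
                "path": original_path(path),
                "quarantine_copy": path != original_path(path),
                "verdict": m.group("threat") or m.group("tag"),
                "action": m.group("action") or "No Action Taken",
            })
    return hits


# Sample input: a few lines in the shape of the eScan report posted later in the thread.
SAMPLE_REPORT = r'''
File C:\WINDOWS\smss.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.
File C:\DOCUME~1\user\LOCALS~1\svchost.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.
File C:\WINDOWS\win.pif infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Deleted.
File C:\qoobox\Quarantine\C\WINDOWS\winlogon.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\user\My Documents\Securite\SmitfraudFix.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.
Etc.
'''.splitlines()

if __name__ == "__main__":
    for hit in triage(SAMPLE_REPORT):
        print(hit)
```

A name that appears in both the running-process list (under System32) and this list (elsewhere) is the pattern the post describes: same file name, wrong directory.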

Posted

It doesn't work. Because in fact, it's not the boot sector that's at fault but rather the loading of the account settings.

Basically, it logs on to the local account, even plays the little intro music... and logs off immediately, taking me back to the initial account panel.

Posted

While browsing other forums, I found someone who had a similar problem. And who gives this solution:

Found it!

In case it helps some other careless person... who plays with the registry!

The key has to be restored:

Quote:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

(the trailing comma is really there, it's not a typo)

But I do wonder how to get to Regedit without having access to a valid Windows account...

Posted

hi :P

Yes, it is indeed a matter of restoring this value in the registry: in fact eScan removed the file listed under userinit but the value of the key was not restored > so there's no way to open a session in Windows XP!

The file that was removed was malware, of course!

There is indeed a method for modifying the registry from the recovery console, but it's a bit complicated (there's an ISO image to burn in order to use the NTpassword program)

The simplest is to do this > http://www.bellamyjc.org/fr/windows2000.html#repair

If that doesn't work, NTPassword will have to be used, I think.

Monsieur Furtif, I'm sorry about this crash... this really is the first time eScan Antivirus Toolkit has messed up a PC :P

I'm looking into whether there are other methods...
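An added example (not from the thread or from any tool it mentions) of checking the Userinit value discussed above in a .reg export after a cleanup: it parses the export format, including hex(2) data, and reports a Userinit entry that is unexpected or whose file no longer exists. The "broken" export and the set of files on disk are constructed; the thread does not say which file Userinit pointed to, and the expected path assumes Windows in C:\WINDOWS.

```python
import ntpath
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ICON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\DefaultIcon"
# Program named by the stock value quoted in the thread (lower-case, trailing comma dropped).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# "name"="string"  or  "name"=hex(2):..  ('@' is the key's default value)
VALUE = re.compile(
    r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")='
    r'(?:"(?P<str>(?:[^"\\]|\\.)*)"|hex\(2\):(?P<hex>[0-9a-fA-F,\s]*))$'
)


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {value name: data}}.

    Handles quoted strings and hex(2) data (REG_EXPAND_SZ stored as UTF-16LE bytes and
    wrapped over several lines with a trailing backslash). Other value types are skipped.
    """
    keys, current = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join wrapped hex lines first
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE.match(line)
        if current is None or not m:
            continue
        if m.group("hex") is not None:
            raw = bytes(int(b, 16) for b in m.group("hex").split(",") if b.strip())
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = re.sub(r"\\(.)", r"\1", m.group("str"))  # undo \\ and \" escapes
        current[m.group("name") or "@"] = data
    return keys


def check_userinit(data, files_on_disk):
    """Return findings for Winlogon's Userinit data (a comma-separated program list).

    files_on_disk: lower-cased paths that exist on the cleaned system; a constructed
    stand-in for a real file-existence check so the example runs anywhere.
    """
    entries = [e.strip() for e in data.split(",") if e.strip()]
    if not entries:
        return ["Userinit is empty"]
    findings = []
    for entry in entries:
        path = ntpath.normcase(entry)
        if path != EXPECTED_USERINIT:
            findings.append(f"unexpected program: {entry}")
        if path not in files_on_disk:
            findings.append(f"target missing on disk: {entry}")
    return findings


def audit(reg_text, files_on_disk):
    """Check the Userinit value found in a .reg export."""
    winlogon = parse_reg(reg_text).get(WINLOGON_KEY, {})
    if "Userinit" not in winlogon:
        return ["Userinit value not present in export"]
    return check_userinit(winlogon["Userinit"], files_on_disk)


# Constructed export: Userinit still names a file the scanner has removed.
# The DefaultIcon entry reuses the hex(2) layout shown in the RegSearch output.
BROKEN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\DefaultIcon]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,74,00,2e,00,65,00,78,00,65,00,\
  2c,00,31,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\userinit.exe,"
"""

# Constructed export with the value restored as quoted in the thread.
REPAIRED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

ON_DISK = {EXPECTED_USERINIT}  # constructed: only the legitimate file remains

if __name__ == "__main__":
    print(audit(BROKEN_REG, ON_DISK))
    print(audit(REPAIRED_REG, ON_DISK))
```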

Posted
The simplest is to do this > http://www.bellamyjc.org/fr/windows2000.html#repair

So, in the first minutes of this method, it seems to be working.

I get two error messages telling me that regedit.exe (in Windows/) and services.exe (located in my "user/Local Settings/" folder) could not be started, no doubt following the disinfection. Do you have any idea how to fix the registry so I no longer get these messages?

Also, I'm going to do another HijackThis and I'll post it very very soon.

Posted

Here's the HijackThis, and after it I'm putting the eScan report that I recovered along with the account :P

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:53:40, on 03/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Softwin\BitDefender10\vsserv.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\user\My Documents\Securite\HijackThis.exe

C:\WINDOWS\SoftwareDistribution\Download5dc5f0b39a115d1962503e7297cdba7\update\update.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.co.th/

F3 - REG:win.ini: load=C:\DOCUME~1\user\LOCALS~1\services.exe

F3 - REG:win.ini: run=explorer.exe C:\WINDOWS\System\regedit.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [statusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto

O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Policies\Explorer\Run: [(Default)] C:\DOCUME~1\user\LOCALS~1\winlogon.exe

O4 - HKCU\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll

O4 - HKUS\S-1-5-18\..\Run: [sYSTEM] C:\WINDOWS\TEMP\Tmp.com (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [sYSTEM] C:\WINDOWS\TEMP\Tmp.com (User 'Default user')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [(Default)] win.com C:\WINDOWS\system32\msdp32.dll (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1191429778056

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Password - Unknown owner - C:\WINDOWS\System32\PwdServ.exe (file missing)

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

 

--

End of file - 8807 bytes

 

The eScan report, for the record.

I sometimes cut in the middle because the values were almost identical in the restore.

 

 

 

File C:\WINDOWS\system32\CAMBO-1.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\user.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\DOCUME~1\user\LOCALS~1\svchost.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\DOCUME~1\user\LOCALS~1\smss.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\win.pif infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Deleted.

File C:\DOCUME~1\user\LOCALS~1\Temp\Tmp.com infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\Fonts\font.bat infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Deleted.

File C:\WINDOWS\.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\services.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\smss.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\svchost.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\SYSTEM.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\winlogon.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\system32\command.cmd infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\system32\msdp32.dll infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\AutoRun.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\Administrator\Local Settings\explorer.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\Administrator\Local Settings\services.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\Administrator\Local Settings\smss.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\Administrator\Local Settings\svchost.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\Administrator\Local Settings\winlogon.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\user\Local Settings\explorer.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\user\Local Settings\services.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\user\Local Settings\winlogon.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\user\My Documents\Securite\SmitfraudFix\Reboot.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.

File C:\Documents and Settings\user\My Documents\Securite\SmitfraudFix.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.

File C:\qoobox\Quarantine\C\AutoRun.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\Documents and Settings\user\Local Settings\services.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\Documents and Settings\user\Local Settings\smss.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\Documents and Settings\user\Local Settings\winlogon.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\Administrator.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\Fonts\font.bat.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\services.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\smss.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\svchost.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\system\regedit.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\system\wininit.com.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\SYSTEM.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\system32\CAMBO-1.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\system32\command.cmd.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\system32\msdp32.dll.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\Temp\Tmp.com.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\user.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\Web\Picture.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\win.pif.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\C\WINDOWS\winlogon.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox\Quarantine\D\AutoRun.exe.vir infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\qoobox.zip infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\..exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\..exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\..exe.exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\..exe.exe.exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\..exe.exe.exe.exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\..exe.exe.exe.exe.exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\..exe.exe.exe.exe.exe.exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\electeur politique.doc.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\electeur politique.doc.exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\electeur politique.doc.exe.exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\electeur politique.doc.exe.exe.exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\Share\electeur politique.doc.exe.exe.exe.exe.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

 

Etc.

 

 

File C:\System Volume Information\_restore{9AB9C5BD-55D5-4F7B-8C6E-AD3E36441EDA}\RP52\A0015848.exe infected by "IM-Worm.Win32.Sohanad.t" Virus. Action Taken: File Deleted.

File C:\System Volume Information\_restore{9AB9C5BD-55D5-4F7B-8C6E-AD3E36441EDA}\RP52\A0015849.exe infected by "IM-Worm.Win32.Sohanad.t" Virus. Action Taken: File Deleted.

 

File C:\System Volume Information\_restore{9AB9C5BD-55D5-4F7B-8C6E-AD3E36441EDA}\RP56\A0016725.exe tagged as not-a-virus:RiskTool.Win32.Reboot.f. No Action Taken.

 

File C:\System Volume Information\_restore{9AB9C5BD-55D5-4F7B-8C6E-AD3E36441EDA}\RP57\A0016840.cmd infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\System Volume Information\_restore{9AB9C5BD-55D5-4F7B-8C6E-AD3E36441EDA}\RP57\A0016841.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

 

File C:\WINDOWS\system\regedit.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\system\wininit.com infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\Temp\Tmp.com infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

File C:\WINDOWS\Web\Picture.exe infected by "Virus.Win32.AutoRun.lr" Virus. Action Taken: File Renamed.

Posted (edited)

phew!! :P

Now we're going to search the registry a bit to see where the malware has hidden itself >

1) Download RegSearch.exe (Registry Search by Bobbi Flekman)

  • unzip into a dedicated directory such as C:\Program Files
  • double-click RegSearch.exe
  • copy/paste the entries in blue into the lines of the search area:
    (enter only one item per line!)
    services.exe
    regedit.exe
    winlogon.exe
    msdp32.dll

  • nothing in the "Enter string to exclude from results" line, and click "OK".
  • after the search, Notepad opens a "RegSearch.txt" window with all the instances found
  • the file is also saved in the same directory as RegSearch
  • copy/paste the content of the window into a post, here
  • close Notepad and close RegSearch with Cancel
  • If this doesn't work, enter the items one at a time.

Post the report: once that's done, search for these items in the same way >

smss.exe

svchost.exe

Tmp.com

PwdServ.exe

Only 4 items can be entered in the search fields: so do it in two passes.

2) After that (to avoid any deletion! we're not taking any risks), do this Kaspersky online scan to detect the remaining infected files >

  • Do a Kaspersky online scan with Internet Explorer:
  • Click [image: bouton-scann1.jpg]
  • Now click I accept.
  • Approve the installation of one or more ActiveX controls if necessary.
  • Wait while the updates are installed.
  • Then choose to scan My Computer
  • Save then paste the report generated at the end of the scan.

HELP: Configuring ActiveX controls

Note: If you get the message "La licence de Kaspersky On-line Scanner est périmée", go to Add/Remove Programs and uninstall On-Line Scanner, then reconnect to the Kaspersky site to retry the online scan.

Edited by charles ingals
Posted

I'm posting the RegSearch reports here.

But when it comes to launching Kaspersky, I'm faced with a problem.

When I launch Internet Explorer (apparently downgraded because of the repair), I enter the URL and it returns

"This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel."

All the more strange since it had worked at the very first logon after the repair.

I'll see if I can sort that out...

 

Windows Registry Editor Version 5.00

 

; Registry Search 2.0 by Bobbi Flekman © 2005

; Version: 2.0.5.0

 

; Results at 04/10/2007 09:12:33 for strings:

; 'services.exe'

; 'regedit.exe'

; 'winlogon.exe'

; 'msdp32.dll'

; Strings excluded from search:

; (None)

; Search in:

; Registry Keys Registry Values Registry Data

; HKEY_LOCAL_MACHINE HKEY_USERS

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\regedit.exe]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regedit\shell\open\command]

@="regedit.exe %1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\DefaultIcon]

; Contents of value:

; %SystemRoot%\regedit.exe,1

@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\

00,5c,00,72,00,65,00,67,00,65,00,64,00,69,00,74,00,2e,00,65,00,78,00,65,00,\

2c,00,31,00,00,00

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]

@="regedit.exe \"%1\""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

"(Default)"="C:\\DOCUME~1\\user\\LOCALS~1\\winlogon.exe"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\regedit.exe]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\services.exe]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\winlogon.exe]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\SysProcs]

"winlogon.exe"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog]

; Contents of value:

; %SystemRoot%\system32\services.exe

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Autochk]

; Contents of value:

; %SystemRoot%\System32\winlogon.exe

"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\

00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\

5c,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,78,00,65,\

00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Winlogon]

; Contents of value:

; %SystemRoot%\System32\winlogon.exe

"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\

00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\

5c,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,78,00,65,\

00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PlugPlay]

; Contents of value:

; %SystemRoot%\system32\services.exe

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\regedit.exe]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\services.exe]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\winlogon.exe]

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\SysProcs]

"winlogon.exe"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog]

; Contents of value:

; %SystemRoot%\system32\services.exe

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Autochk]

; Contents of value:

; %SystemRoot%\System32\winlogon.exe

"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\

00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\

5c,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,78,00,65,\

00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Winlogon]

; Contents of value:

; %SystemRoot%\System32\winlogon.exe

"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\

00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\

5c,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,78,00,65,\

00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PlugPlay]

; Contents of value:

; %SystemRoot%\system32\services.exe

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\regedit.exe]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\services.exe]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\winlogon.exe]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\SysProcs]

"winlogon.exe"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]

; Contents of value:

; %SystemRoot%\system32\services.exe

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Autochk]

; Contents of value:

; %SystemRoot%\System32\winlogon.exe

"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\

00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\

5c,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,78,00,65,\

00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Winlogon]

; Contents of value:

; %SystemRoot%\System32\winlogon.exe

"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\

00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\

5c,00,77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,65,00,78,00,65,\

00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]

; Contents of value:

; %SystemRoot%\system32\services.exe

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

"(Default)"="win.com C:\\WINDOWS\\system32\\msdp32.dll"

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

"run"="explorer.exe C:\\WINDOWS\\System\\regedit.exe"

"load"="C:\\DOCUME~1\\user\\LOCALS~1\\services.exe"

 

; End Of The Log...

 

 

 


74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HidServ]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HTTPFilter]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k HTTPFilter

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,00,00,\

00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanserver]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lanmanworkstation]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\LmHosts]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\

00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Messenger]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netman]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Nla]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NtmsSvc]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Password]

; Contents of value:

; %SystemRoot%\System32\PwdServ.exe

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,50,\

00,77,00,64,00,53,00,65,00,72,00,76,00,2e,00,65,00,78,00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RasAuto]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RasMan]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RemoteRegistry]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\

00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Schedule]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seclogon]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SENS]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ShellHWDetection]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srservice]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SSDPSRV]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\

00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\stisvc]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k imgsvc

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,69,00,6d,00,67,00,73,00,76,00,63,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TapiSrv]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Themes]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TrkWks]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\upnphost]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\

00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\W32Time]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WebClient]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\

00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winmgmt]

; Contents of value:

; %systemroot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WmdmPmSN]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Wmi]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wscsvc]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv]

; Contents of value:

; %systemroot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WudfSvc]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k WudfServiceGroup

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,65,\

00,47,00,72,00,6f,00,75,00,70,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WZCSVC]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xmlprov]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\SysProcs]

"smss.exe"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\

00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k NetworkService

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\

00,69,00,63,00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]

; Contents of value:

; C:\WINDOWS\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\

5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,\

00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,\

6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k HTTPFilter

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,00,00,\

00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\

00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Password]

; Contents of value:

; %SystemRoot%\System32\PwdServ.exe

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,50,\

00,77,00,64,00,53,00,65,00,72,00,76,00,2e,00,65,00,78,00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\

00,65,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\

00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\

6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k imgsvc


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k LocalService


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]

; Contents of value:

; %systemroot%\system32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]

; Contents of value:

; %systemroot%\system32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WudfSvc]

; Contents of value:

; %SystemRoot%\system32\svchost.exe -k WudfServiceGroup


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs


 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov]

; Contents of value:

; %SystemRoot%\System32\svchost.exe -k netsvcs


 

; End Of The Log...

 

I wish you good luck deciphering all that :P

And thanks for the help so far.
