Rootkit List
Filename / Status / Description

- The ZeroAccess rootkit. This rootkit terminates any program that scans its processes or files and then changes the permissions on them so you can no longer run them. This infection uses Alternate Data Streams and rootkit technology to hide itself and the service entry.
- The ZeroAccess rootkit. This rootkit terminates any program that scans its processes or files and then changes the permissions on them so you can no longer run them. This infection uses Alternate Data Streams and rootkit technology to hide itself and the service entry.
- SkyNet Rootkit.
- SkyNet Rootkit.
- Added by the RTKT_DUQU.A rootkit.
- Added by the RTKT_DUQU.A rootkit.
- Added by the Trojan-Spy.Win32.Batton.rk spyware and information stealer. Trojan-Spy spies on the user's activity and steals confidential user information.
- Added by the Troj/Rootkit-IM rootkit.
- Added by the W32.Zimuse.B worm. W32.Zimuse.B is a worm that deletes files and overwrites the master boot record of the compromised computer.
- Added by the W32.Zimuse.B worm. W32.Zimuse.B is a worm that deletes files and overwrites the master boot record of the compromised computer.
- Added by the W32.Zimuse.B worm. W32.Zimuse.B is a worm that deletes files and overwrites the master boot record of the compromised computer.
- Added by the Troj/Hackda-A Trojan & Rootkit.
- A variant of the Haxdoor rootkit.
- A variant of the Haxdoor rootkit.
- Added by a variant of the Goldun.Fam Trojan.
- Added by the Backdoor.Rustock backdoor rootkit.
win32k.sys
win32k.sys:2
win32k.sys
win32k.sys:1
PDCOMP
_amdevntas.sys
<not used>
mntsys.exe
Mseu
Mseu.sys
Mstart
Mstart.sys
Mseus.exe
system performance logging for TrueTime Driver Edition Kernel Mode SND msvtcher NGate service CPU FUN Controller glaide32
chkzero.ex
vbagz svitch DirectSound KDriver tdssserv Virtual CD-ROM Driver msdefender.sys XD FileSystemDriver msliksurserv clbdriver pqasghjd Uninterruptible Power Supply CRT narqwe jwzpqng upsctl bzsqlpa hcnwg4u ksnhtr sywtdxaz gsbgqpwwfw WLAN route service nzqtegh iuzqpaf yzbgqap
vbagz.sys svitch.sys asplg.sys tdssserv.sys dwave.sys msdefender.sys fsxxd.sys msliksurserv.sys clbdriver.sys pqasghjd.sys upscr.sys narqwe.sys jwzpqng.sys upsctl.dll bzsqlpa.sys hcnwg4u.sys ksnhtr.sys sywtdxaz.sys gsbgqpwwfw.sys rotr.sys nzqtegh.sys iuzqpaf.sys yzbgqap.sys
- Added by the TROJ_ROOTKIT.BA Trojan.
- A variant of the Haxdoor rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Identified as a variant of the Clbdriver/Troj/NtRootK-DR malware.
- Identified as a variant of the TrojanSpy.Win32.Goldun.api rootkit.
- Identified as a variant of the Win32:Rootkitgen rootkit.
- A variant of the Haxdoor rootkit.
- Added by the Troj/Agent-HFC Trojan.
- Identified as a variant of the Rootkit.Win32.Clbd.cx rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Identified as a variant of the Trojan.Rootkit.Gen rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Identified as a variant of the Trojan.Rootkit.Gen rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.ahf rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
wzghui pjsapdg zwqcplsp tcpsr bqzpas kzq5re nexkaqf hqiopa uazpiq zzz QANDR Kernel CryptoModule fkjdfje ydhqzop zsqalpdt klite grande48 DTM Protector widuxngq
wzghui.sys pjsapdg.sys zwqcplsp.sys tcpsr.sys bqzpas.sys kzq5re.sys nexkaqf.sys hqiopa.sys uazpiq.sys zzz.sys qandr.sys krnllds.sys fkjdfje.sys ydhqzop.sys zsqalpdt.sys klite.sys grande48.sys dprot.sys widuxngq.sys
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Identified as a variant of the Trojan.Rootkit.Agent.Ack malware.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Hacktool.Rootkit rootkit.
- Added by a variant of the Rootkit.Win32.Agent.ea rootkit Trojan.
- Added by a variant of the TR/Rootkit.Gen rootkit Trojan.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- A variant of the Haxdoor rootkit.
- Added by the Troj/RKAgen-E rootkit Trojan.
- A variant of the Haxdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Zlob Trojan that infects you with the VirusHeat rogue anti-spyware program.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
hemimorphite
vualf.dll
nqaplwj yeTyezzd uerj45kj qalwpmdgt itcoe adapter RDP Host Device Driver trahtibedoh mqzprwe cryptdrv zdegpig ytzpoqw Transfer Service jwlbqzpi e67gdfg yeyqase
nqaplwj.sys yeTyezzd.sys uerj45kj.sys qalwpmdgt.sys itcoe.sys rdpdrv.sys trahtibedoh.sys mqzprwe.log cryptdrv.sys zdegpig.ini ytzpoqw.dll uiops.exe jwlbqzpi.dll e67gdfg.ds yeyqase.mis
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- A variant of the Haxdoor rootkit.
- Added by the Backdoor.Sanjicom backdoor Trojan.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Trojan.Acdropper.C Trojan.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Identified as a variant of the Rootkit.V malware.
- This file is installed with the latest Zlob infections in order to protect the e404 Helper browser helper object.
- Identified as a variant of the TrojanDownloader.Win32.Tibs.wu malware.
- Identified as a variant of the TrojanDownloader.Win32.Tibs.wu malware.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
tdidrv32.sys
tdidrv32.sys
ieqazhew XPROTECTOR Driver kasutio pzqlp merqpo zeqwur guntest aiqpbter apcdli rwtatpl rqksgpu mkwsqp lagednick hqaply cjwriiigqazft accctsggw 3klagia werasqlp riode32 yqzsypbgh uxgrafj rYehhbqzx yutsubk
ieqazhew.dll xprot.sys kasutio pzqlp.chm merqpo.chm zeqwur.chm guntest.chm aiqpbter.chm apcdli.sys rwtatpl.lid rqksgpu.cur mkwsqp.cur lagednick.chm hqaply.chm cjwriiigqazft.cat accctsggw.cat 3klagia.dll werasqlp.cur riode32.sys yqzsypbgh.cat uxgrafj.adm rYehhbqzx.adm yutsubk.cat
- Added by the Backdoor.Rustock backdoor rootkit.
- A variant of the Haxdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Mal/RootKit-A rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.adm rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
kavsvc nvcoi agehhtd qwetab infoxmid ITCom virtual adapter FT StarForce Protector hipsrv userinfo32 alcop server efidriver pcximg tap64drv tunnet alcom syswindrv Advanced Power Management sysrestore32.exe qtprot hdport wer32 4fdw
kavsvc.sys nvcoi.exe agehhtd.cat qwetab.inf wseqnx.inf itcom.sys fprot.sys hipsrv.mm userinfo32.ggt alcop.sys efidriver.drv pcximg.pif tap64drv tunnet.ocx alcom.sys syswindrv.bin powermgmt.sys sysrestore32.exe qtprot.sys hdport.sys jkghje.dll 4fdw.dll
- Added by the Hacktool.Rootkit rootkit.
- Identified as a variant of the Trojan.Downloader.Matcash malware.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Identified as a variant of the TR/Rootkit.Gen rootkit.
- A variant of the Haxdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- A variant of the Haxdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Identified as a variant of the Rootkit.Agent.X rootkit.
- Identified as a variant of the TR/Rootkit.Ge rootkit.
- Identified as a variant of the Trojan.Rootkit.GEY rootkit.
- Identified as a variant of the Trojan.Rootkit.GEP rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
Open Host Controller Miniport USB Driver Open Host Controller Miniport USB Driver Open Host Controller Miniport USB Driver Open Host Controller Miniport USB Driver Open Host Controller Miniport USB Driver (rev.d) Open Host Controller Miniport USB Driver .lnk .lnk jnhjkfrn ro0 Service fnhoje <not used> ellowtab btstack qwer78 FPU emulation service sysldr srtwe khtml retx2 nested nax12
- Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.uj rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- Added by the Backdoor.HackDefender rootkit.
- Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.
- Added by the Hacktool.Rootkit rootkit.
- Identified as a variant of the Backdoor.Rustock backdoor and rootkit.
- Added by the Mal/RKRustok-A worm and rootkit.
- Added by the Backdoor.Rustock backdoor rootkit.
- A variant of the Haxdoor Trojan rootkit.
- Identified as a variant of the Backdoor:Win32/Rustock.gen!C rootkit.
- Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.
- Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.
- Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.
- Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.
- Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.
ohdusb.sys
ohcusb.sys msmapibx32.exe msmapiax32.exe jnhjkfrn ro0.exe fnhoje helps.dll ellowtab.txt btstack.ibs qwer78.sys x86emul.sys sysldr srtwe.sys khtml.sys retx2.sys nested.sys nax12.sys
jecsst fvelwow USB2_04 agony ntndis BASFNDD kprof fak32 APC Power Management ntio922 ndisaluo Object memory mapping 8.0 kcp ntload v0.1 mp3 audio srr dhlp Kernel TCP Filtering protocol Nvdia Native Rendering NVidia XTLayer gateway ctl_w32 Object memory mapping 8.0 cjamkm 63cica
jecsst.sys fvelwow.sys nkv2.sys wininit.sys ntndis.sys BASFNDD.sys kprof fak32.sys powerio.sys ntio922.sys ndisaluo.sys isodvstg.sys kcp.sys ntload.sys mp32s.sys srr.sys dhlp.sys necsort.sys nvnatv.sys nvnati.sys ctl_w32.sys ati2kstg.sys cjamkm.sys 63cica.sys
- Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.
- Identified as a variant of the Backdoor:Win32/Rustock.gen rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.tj rootkit.
- Added by the NTRootKit-K rootkit.
- Added by the Troj/RKProc-F rootkit.
- Identified by Kaspersky Antivirus as a variant of the Rootkit.Win32.Agent.to malware.
- Added by the Trojan-Proxy.Win32.Wopla.ag rootkit.
- A variant of the Backdoor:Win32/Rustock.gen malware.
- Identified as a variant of the RKit/Agent.X.5 rootkit.
- Identified as a variant of the RKIT/Agent.EZ rootkit.
- Identified as a variant of the TR/Rootkit.Gen rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by the ROJ_ROOTKIT.EW rootkit.
- Identified as a variant of the Trojan.Ntrootkit.AL rootkit.
- A variant of the TR/Rootkit.Gen rootkit.
- Added by the Rootkit.Agent rootkit.
- Identified as a variant of the Win32.Rootkit.Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Identified as a variant of the Rootkit.Win32.Agent.pq rootkit.
- A variant of the Haxdoor rootkit.
- Added by a variant of the Troj/NTRootK-CM rootkit.
- Added by a variant of the Troj/NTRootK-CL rootkit.
ke32psag ZZZdrv_lich IPv6 BT converter ini910p Windows Update Check g_rkt
ke32psag.sys lich.sys xdrve9d.sys ini910p.sys syslodr.exe win32_rkt.sys
- A variant of the Haxdoor rootkit.
- A variant of the Trojan.NtRootKit rootkit.
- A variant of the Haxdoor rootkit.
- A variant of the Ascesso Rootkit.
- Identified as a variant of the W32/Rootkit.ASA.dropper rootkit.
- Identified as a variant of the Win32.Rootkit.Agent.MO rootkit.
- Added by the Trojan.Peacomm.D rootkit. Trojan.Peacomm.D is a Trojan horse that gathers system information and email addresses from the compromised computer.
- Identified as a variant of the Ascesso rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Identified as a variant of the Trojan.Rootkit.Agent rootkit.
- Identified as the Trojan.Rootkit.Agent.NCY rootkit.
- Added by the W32.Focelto.A rootkit. This rootkit is an Alternate Data Stream file which requires certain tools to remove it. The ntoskrnl.exe it is attached to is a legitimate Microsoft file and should not be removed.
- Added by the W32.Focelto.A worm. W32.Focelto.A is a worm that spreads through Microsoft instant messaging clients and uses rootkit techniques. It opens a back door on the compromised computer. This infection is bundled with the ntoskrnl.exe:kernel ADS rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Identified as the Backdoor.Win32.Small.lu/Rootkit.V malware.
- Added by the W32.Beagle.GM rootkit.
- Added by the TROJ_ROOTKIT.JS rootkit.
noskrnl
noskrnl.sys
NdisWon RGB video output YVPB video output Object memory mapping 8.0 asc3550o asc355O
Oddysee
ntoskrnl.exe:kernel
<Random CLSID>
sygate.exe
protect asc355 NVidia TLayer gateway A2 Memory SCN Memory SCN X1 ro0 Service MSDV Driver SysLibrary Object memory mapping 8.0 ytghyuiokjnmvrq spooldr yscpsdfh yvaeypeb yxwituxh
- A variant of the Trojan.NtRootKit.361 rootkit.
- A variant of the TROJ_AGENT.AAND rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Identified as a Spambot variant.
- A variant of the HackerDefender rootkit.
- Added by the Troj/NtRootK-CA rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by the Mal/RootKit-A rootkit. The service and display name are typically random.
- Added by the Trojan.Peacomm.C rootkit.
- Added by the Troj/RKPort-Fam Trojan rootkit.
- Added by the Troj/Bckdr-QJB rootkit.
- Added by the Troj/Dropper-QV rootkit.
- Added by the Backdoor.Ginwui.F backdoor. Backdoor.Ginwui.F is a Trojan horse that opens a back door and uses rootkit techniques to hide its presence.
- A variant of the Goldun rootkit.
- Rootkit added by the Troj/Agent-FZV Trojan.
- A variant of the Goldun rootkit.
- A variant of the Goldun rootkit.
- Added by the Troj/NTRootK-BU rootkit.
- Added by the Troj/Rootkit-BI rootkit.
- Rootkit used by a variant of the Goldun Trojan.
- Rootkit found with SmitFraud infections.
- Added by the Troj/RKAgen-A rootkit.
- A variant of the Hacker Defender rootkit.
- Added by the Troj/Rustok-B rootkit.
- A variant of the Goldun Trojan. This infection utilizes the atixdbxx.sys rootkit to hide itself.
<not used>
WINFBI32.dll
atietbxx symavc32 UPS COMcontrol rlx6dob6 IsDrv118 runtime2 HDTV video output Windows Notification Service windbg48 Local Network Spooler xpdx system driver atixdaxx
atietbxx.sys symavc32.sys upsctrl3.sys rlx6dob6.sys IsDrv118.sys runtim2.sys mswsaf.sys winntify.exe windbg48.sys lspooldrv.sys xpdx.sys atixdaxx.dll
ATI Hardware TnL Rendering lololol NVIDIA Compatible Windows Miniport Driver
atixdbxx.sys
- A variant of the Goldun rootkit.
- Added by the Troj/Hideme-A Trojan. This infection is hidden by the rootkit file C:\_hideme_MYFILE.SYS.
- Added by the PE_CORELINK.C-O rootkit.
- Identified by Spybot - Search and Destroy as Smitfraud-C.CoreService. This infection is a rootkit found with certain smitfraud infections.
- Identified by Kaspersky as Rootkit.Win32.Agent.ey.
- A variant of the Haxdoor rootkit.
- Added by the Troj/Dorf-H rootkit.
- Added by the Troj/Rustok-Q Trojan.
- Variant of the Troj/Haxdor-Fam rootkit.
- Variant of the Troj/Haxdor-Fam rootkit.
- Variant of the Troj/Haxdor-Fam rootkit.
- A variant of the Troj/Haxdor-Fam rootkit.
- Variant of the Troj/Haxdor-Fam rootkit.
- Variant of the Troj/Haxdor-Fam rootkit.
- A variant of the Troj/Haxdor-Fam family of rootkits.
- Added by the SecurityRisk.Cashmoa rootkit. SecurityRisk.Cashmoa is a security risk that hides any processes that are named cmc.exe.
- Added by the W32.Niumu worm. W32.Niumu is a worm that spreads through network shares and infects .exe and .scr files. The threat also steals passwords typed into Internet Explorer.
_hideme_imhiddenlololol.exe
nvmini.sys
core
core.sys
runtime2 ATI TnL Rendering windev-b51-433 xpdt system driver <unknown> FPU mainboard extention <unknown> MTdX main controller RGB video output IPSTK driver VISSV
runtime2.sys atiddbxx.sys windev-b51-433.sys xpdt.sys gdow2k.sys ramvxt.sys eps32sys.sys linksrvd.sys mswsaf.sys mswsag.sys symvcs.sys
cmdriver
cmdriver.sys
muniu.exe
- This service is actually a legitimate Microsoft service that was altered by the infection to start the muniu.exe infection. Therefore, instead of deleting the service, change its ImagePath value back to %SystemRoot%\System32\svchost.exe -k netsvcs.
- Added by the Backdoor.Darkmoon.D backdoor.
- Added by the Troj/NtRootK-M rootkit.
- Added by the Troj/Agent-ELF rootkit.
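An added check for the ImagePath hijack described in the muniu.exe entry above (example code written for this page, not from the original list): it walks the services registered in the netsvcs svchost group and flags any whose ImagePath no longer launches through svchost.exe, then shows the corrective Set-ItemProperty under -WhatIf. The registry locations, the netsvcs group and the accepted launcher spellings are assumptions about a standard Windows install; the list does not name the altered service, so the script does not look for one by name.

```powershell
# Added example (not from the original rootkit list). Verifies that every service
# in the "netsvcs" svchost group still starts via svchost.exe and shows, with
# -WhatIf, the ImagePath restoration the entry above prescribes.
# Assumptions: standard Windows layout; the netsvcs group is a REG_MULTI_SZ of
# service names under the Svchost key.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$expected    = '%SystemRoot%\System32\svchost.exe -k netsvcs'

# Legitimate spellings of the svchost launcher; trailing options such as "-p"
# on newer builds are tolerated because the match is anchored only at the start.
$launcher = '^(%SystemRoot%|\\SystemRoot|[A-Z]:\\Windows)\\System32\\svchost\.exe\s+-k\s+netsvcs\b'

$members = (Get-ItemProperty -LiteralPath $svchostKey).netsvcs

foreach ($name in $members) {
    $svcKey = Join-Path $servicesKey $name
    # The group lists services that may not be installed on this machine.
    if (-not (Test-Path -LiteralPath $svcKey)) { continue }

    $img = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
    if ([string]::IsNullOrWhiteSpace($img)) { continue }

    # -match is case-insensitive, so %systemroot% and %SystemRoot% both pass.
    if ($img.Trim('"') -notmatch $launcher) {
        Write-Warning ("{0}: ImagePath is '{1}', expected '{2}'" -f $name, $img, $expected)
        # Restore the launcher instead of deleting the service. Drop -WhatIf only
        # after confirming this is the altered Microsoft service and the payload
        # it was pointed at (muniu.exe in the entry above) has been removed.
        Set-ItemProperty -LiteralPath $svcKey -Name ImagePath -Value $expected -Type ExpandString -WhatIf
    }
}
```

Run it from an elevated PowerShell session. A warning means the service key exists in the netsvcs group but its ImagePath starts something other than svchost.exe; inspect that path before restoring it, since a third-party product can legitimately register a service name that collides with the group list.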
EXAMPLE
main.sys
- Added by the Troj/SpyAge-B Trojan. Main.sys has been further identified as Troj/NTRootK-BP.
- Added by the Troj/RKProc-Fam rootkit.
- Added by the Troj/RKProc-Fam rootkit. Can be installed with SmitFraud related Trojans.
- Added by the Troj/RKProc-Fam rootkit. Can be installed with SmitFraud related Trojans.
- Added by the Troj/Haxdor-Gen rootkit.
- Added by the Troj/Haxdoor-DO rootkit.
- A variant of the Troj/Haxdor-Fam rootkit.
- Added by the Troj/NTRootK-BB rootkit.
- Added by the TROJ_KILLAV.GG rootkit. This infection will also close running security software.
- Added by the Troj/NTRootK-BE rootkit Trojan.
- Added by the Troj/LdPinch-QB rootkit. This program, once loaded, hides other files related to this infection.
- Added by the Trojan.Peacomm downloader Trojan. This infection contains rootkit functionality that enables it to hide some of its associated files.
- Rootkit added by the Troj/Agent-DZY Trojan.
- A variant of the Troj/Haxdor-Fam rootkit.
- A variant of the Troj/Haxdor-Fam rootkit.
- A variant of the Troj/Haxdor-Fam rootkit.
- A variant of the Troj/Haxdor-Fam rootkit.
- Added by the Troj/HacDef-DR rootkit.
- A variant of the Troj/Haxdor-Fam family of rootkits.
- A variant of the Haxdoor Trojan rootkit.
- Added by the Hacktool.Rootkit rootkit.
- Added by the Hacktool.Rootkit rootkit.
- A variant of the Haxdoor Trojan rootkit.
- A variant of the Haxdoor Trojan rootkit.
- Added by the Troj/RusDrp-H rootkit.
<unknown> <unknown> Plug and Play Support Driver IPODT1000 WDVB 05 rlx66dob msfsr syswav
!!!!
new_drv.sys
drivemngr
drivemngr.sys
wincom32
wincom32.sys
KWatch1 ASUS PCI controller MMX2 virtualization service MMX virtualization service MCRT accelerator ROME ROTYUS IPSTK driver SECURE SHELL access driver MsDLObjDrv HWRegProt STK Bi 002 STK Bi 001 phide_ex.sys
KWatch1.sys mi5035a5.sys mmx19g.sys mmx19g.sys eexvpn.sys hxdefdrv.sys ufgrbe.sys wartamd.sys MsDLObjDrv.sys HWRegProt.sys xcttgm.sys xcttgm.sys phide_ex.sys
- Added by the Troj/Pardot-A rootkit.
- Rootkit used by the Rogoo LSP Hijacker to protect its files.
- Added by the W32.Ovagur virus. This file acts as a rootkit to hide the rest of the infection's files.
- Added by a variant of the Goldun.Fam rootkit.
- Added by the Troj/NetAtk-F rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- A variant of the HaxDoor rootkit.
- A variant of the Goldun rootkit.
- Added by the Troj/PWS-ABD rootkit Trojan.
- Added by the Troj/HacDef-DJ backdoor Trojan and rootkit.
- Added by the Troj/DwnLdr-FTB downloader Trojan.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- Added by the Troj/QQPass-AIS Trojan rootkit.
- Added by the Infostealer.Blurax Trojan. Infostealer.Blurax is a Trojan horse that logs keystrokes and steals confidential information from the compromised computer. The Trojan may use rootkit techniques to hide its presence on the compromised computer. This part of the infection acts as a rootkit in order to hide the services.
- Added by the Backdoor.Ginwui.E rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
NvVideoCenter
NvVid.sys
<unknown> NdisFilter <unknown> <unknown> <unknown> Kernel Objects Manager !!!! Print Spooler Service MZU_RK Miniport FT32 Miniport FT <unknown> <not used>
regepsrvc.sys ndisfilter.sys prt21sks.sys satad645.sys arprmdg5.sys xartcd7.sys hide_evr2.sys <random file name>.exe mzu_drv.sys yvbb01.sys yvbb02.sys fanxctrld.sys myqq_.exe
BlueODrv
blueodrv.sys
<not used> MMX virtualization service MMX2 virtualization service FClear Service
MClear Service CsdDriver USB p79bsksb mm77lgn control service <unknown> <unknown> DCode emulator A37 DCode emulator
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by the Troj/Goldun-EE password-stealing Trojan.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Variant of the Troj/Haxdor-Fam rootkit.
- Variant of the Troj/Haxdor-Fam rootkit.
- Added by the Troj/Nebuler-H Trojan. Troj/Nebuler-H gathers details relating to dialup services and sends collected information to a remote site via HTTP. The Trojan may inject code into other processes in an attempt to remain hidden.
- Added by the Troj/Nebuler-F spyware Trojan. Troj/Nebuler-F gathers details relating to dialup services and sends collected information to a remote site via HTTP. The Trojan may inject code into other processes in an attempt to remain hidden.
- A variant of the Troj/Haxdor-Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- A variant of the HaxGen/Goldun rootkit.
- A variant of the HaxGen/Goldun rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- Added by the Troj/Nebuler-D Trojan. Troj/Nebuler-D gathers details relating to dialup services and sends collected information to a remote site via HTTP. The Trojan may inject code into other processes in an attempt to remain hidden.
- A variant of the Troj/Haxdor-Fam rootkit.
- The Troj/Haxdor-Fam rootkit.
- Variant of the Troj/Haxdor-Fam rootkit.
- Variant of the Troj/Haxdor-Fam rootkit.
- Variant of the Troj/Haxdor-Fam rootkit.
- Added by a variant of the Goldun rootkit.
winsis32
winsis32.dll
winnok32
winnok32.dll
PRT4701 Printer driver YVPB video output RGB video output MMC card reader Kernel Objects Manager VMemory protect
winxtx32
winxtx32.dll
YVPB video output NDIS OSI <unknown> TCP x IP2 Kernel32 TCP x IP2 Kernel IRDa Modem device #12
<unknown> ARM FDCG850 device <unknown> <unknown> ARM TSL device RGB video output YVPB video output IP2 UDPB2 <unknown> <unknown> <Unknown> <Unknown> <Unknown> <Unknown> OPENSSL cryptoapi [Unknown] [Unknown] [Unknown] [Unknown] [Unknown] YVPB video output <unknown> NDIS OSI LAN FW adapter LAN MSFW adapter SATA bus driver UDP32 netbios mapping Win23 lzx files loader
fpuext.sys armrfc.sys estsprt.sys socket573.sys armdvc.sys ycsrga.sys ycsrgb.sys ipudpb2.sys mmx19g.sys mmx17g.sys armdvc.sys vxdgfx.sys nuclab.sys openglssd.sys axdebugld.sys docentd.sys mmlogon.sys socketx113.sys nclaby.sys xcdkernl.sys ycsrgb.sys idersrvc.sys ycsvga.sys lannui.sys lannui.sys satau325.sys twpkbd.sys lzx32.sys
- Added by a variant of the Goldun rootkit.
- Added by a variant of the Goldun rootkit.
- Added by a variant of the Goldun rootkit.
- Added by a variant of the Goldun rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Goldun rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- Added by a variant of the Goldun.Fam rootkit.
- A variant of the Haxdoor rootkit.
- A variant of the Haxdoor rootkit.
- A variant of the Haxdoor rootkit.
- A variant of the Haxdoor rootkit.
- A variant of the Haxdoor rootkit.
- A variant of the Haxdoor rootkit.
- A variant of the Haxdoor rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- Added by the Troj/RKRustock-A rootkit. This infection utilizes Alternate Data Streams in order to hide itself.
mvrescue
mvrescue
- Related to the Multivision Computers back up/restore program. Multivision Computers ceased operating in 2004.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by the Troj/RKFu-C rootkit.
- A variant of the Haxdoor rootkit.
- Rootkit used by the Troj/IRCBot-HG infection.
- Rootkit identified by Kaspersky Anti-Virus as Trojan-Spy.Win32.Goldun.kr.
- A variant of the Troj/Haxdor-Gen rootkit.
- A variant of the Troj/Haxdor-Gen rootkit.
- Added by the Trojan.Rootserv rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
Registry protect service Registry protect service 2 USB p76xxsks LOGON support service NOD AV service msdirect INPUT/OUTPUT printing <unknown> SECURE SHELL access driver DVBa X11 controller DVB X11 controller m_hook MMX2 virtualization service MMX virtualization service KMX direct access BLUETOOTH IPv4 service GDI kernel srvc OPENGL technology access UDPservice Windows Objects manage SE500 Generic LOGON suport service
regP64.sys regP32.sys p76xxsks.sys iesservice4.sys nodantivir.sys msdirect.sys ddirectxt.sys mkey.sys xkeyshd.sys bmtdhk.sys bmtdhk.sys m_hook.sys dxtpdx.sys dxtpdh.sys sdcardX2.sys wnlogow.sys gdiw2k.sys flashdrv3.sys msudp4.sys obbn13rt.sys se500mdmd.sys ies4service.sys
CDRW overrun protection IO Direct printing service MMX2 virtualization service Unknown <non alphabetical characters>IPX/SPX USB prw76sks
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added as a variant of the Troj/Haxdor-Gen family of rootkits.
- A variant of the Troj/Haxdor-Gen rootkit.
- Added by the Troj/Proxy-CY rootkit.
- Rootkit component of Backdoor.Haxdoor.L.
- Added by the Backdoor.Rustock.A backdoor Trojan. This infection uses Alternate Data Streams and rootkit technology to hide itself and the service entry.
- A variant of the Troj/Rootkit-AA kernel-mode rootkit family.
- Added by the Trojan.Agentdoc.B rootkit.
- Added by the TSPY_HAXSPY.AD rootkit.
- A rootkit driver service.
- Added by the W32.Naras virus with keylogging and rootkit functionality.
- A variant of the Troj/Haxdor-Fam rootkit.
- Added by the Troj/NTRootK-AC rootkit.
- Added by the Haxdoor-gen rootkit.
- Added by the Haxdoor-gen rootkit.
- Added by the Troj/Haxdor-Gen rootkit.
- Added by the Troj/Haxdor-Gen rootkit.
- Troj/Haxdor-Gen rootkit.
- Added by the TSPY_GOLDUN.EI rootkit.
- Added by the TSPY_GOLDUN.EG rootkit.
- Added by the Troj/Rootkit-W rootkit.
- Troj/Haxdor-Gen rootkit utilized by the Troj/Haxdoor family.
- Troj/Haxdor-Gen rootkit utilized by the Troj/Haxdoor family.
- Added by the Troj/Haxdor-Gen rootkit.
- Added by the Troj/HacDef-EQ rootkit.
- Added by the Troj/Haxdor-Fam rootkit variant.
pe386
<random number>
hpdriver vvcxqgpq NK45 file system driver bridges msinfmgr WDVB 05 squell SE 3.0 memory driver SE 3.2 memory driver wxtw PNP DRIVER wxtwdu PNP DRIVER VXV CPU device OPENGL technology access Printer direct access virdr winm TCP winm64 TCP MMX2 virtualization service MSDN Driver XPPTP 0x25 winsock
hpdriver.sys vvcxqgpq.sys nkcfg.sys bridges.sys msinfomgr.sys dvb06a.sys vook.sys vistaj.sys vistaj.sys wxtwdx.sys wxtwdu.sys vxvgfv.sys openglwxd.sys directout.sys virdr.sys winm32.sys winm64.sys mmxF64.sys msdndr.pif xptpmm.sys
XPPTP 0x24 winsock mdojtgmr NDIS OSI32 delphi pptp64 pptp32 Zcjflmoj AVXSearch service
xptpmm.sys mdojtgmr.sys yvpp01.sys voot.sys pptp64.sys pptp64.sys Zcjflmoj.sys ke7dnl.sys
- Added by the Troj/Haxdor-Fam rootkit variant.
- Added by the Keylogger.Mose keylogger with rootkit capabilities.
- Added by the Troj/Haxdoor-BM rootkit.
- Added by the W32.Detnat rootkit. May download PWSteal.Lineage and stealth it.
- Added by the Troj/Haxdor-Fam rootkit.
- Added by the Troj/Haxdor-Fam rootkit.
- Added by the Troj/Bckdr-GPJ backdoor Trojan with rootkit capabilities.
- Added by the Troj/Haxdoor-BH rootkit Trojan.
- Added by the Trojan.Abwiz.F rootkit/downloading Trojan. This infection has rootkit capabilities that it uses to hide its presence.
- This infection is marked as a rootkit as it injects the C:\Windows\System32\taskdir.dll file into all running processes.
- Added by the Trojan.Goldun.K rootkit.
- Added by the Troj/Haxdoor-BC Trojan.
- Added by the Backdoor.Hesive.E rootkit driver. This driver will attempt to stealth certain registry keys and files so they are not detectable or visible.
- Added by the Backdoor.Haxdoor.H rootkit.
- Added by the Backdoor.Hesive.C backdoor Trojan. This particular part of the infection acts as a rootkit to hide any files or registry entries it creates.
- Added by the Troj/Haxdor-Fam Trojan. This driver utilizes rootkit stealthing technology to hide other malware.
- Rootkit used by some infections to hide other files and configuration information.
- Added by the Troj/Haxdoor-AU rootkit Trojan.
- Added by the Troj/Haxdoor-AQ backdoor Trojan. This infection utilizes the C:\Windows\System32\iesservice4.sys rootkit.
- Identified as Trojan.NtRootKit.75.
- Added by the Trojan.Goldun.I password-stealing Trojan for online banks. This is a rootkit that attempts to hide itself and its components.
taskdir
taskdir.exe
zopenssld.sys dvdkernl.sys
Zxbnredm
Zxbnredm.sys
xmsk64
xmsk64.sys
Zrwchrhu
Zrwchrhu.sys
InvisibleDrvNT
InvisibleDrvNT.sys
REMON.SYS hpprintdrv.sys
iesdl4l
iesdl4l.dll
epsn2sys.sys EPSONSYS.SYS
NetSTrSvc MiniPCI TCPIP2 Kernel32 XRW005 DER005 UDP Packet Correction
netsvcs.sys MiniPCI.sys avpe64.sys <random filename> <random filename> Wnlogon.sys
- Added by the Troj/HacDef-AM rootkit.
- Added by the Troj/NtRootK-M rootkit.
- Added by the Troj/Haxdoor-AP rootkit.
- Added by the Troj/Hackvan-B Trojan rootkit.
- Added by the Troj/Hackvan-B Trojan rootkit.
- Identified as part of a variant of Trojan.PWS.Egold. This file will usually be hidden by the rootkit logon032.dll.
- Added by the Troj/HacDef-AB rootkit. Other files associated with this infection are wdl.exe, wdl.dll, xxxdefdrv.sys, windows.exe, xmlsvc.exe, mldata.dll, xmlsvc.dll, .tmp, rpcsvc.exe, ioservice.exe, ioservice.ini, rpcsvr.exe, smap.exe, sv.exe, diketraffic.conf, dikeentry.conf, bitsm.exe, kern32.dll, bitsm.exe -start, iobanana.exe, and ioA.exe.
- Added by the Troj/Rootkit-AA rootkit.
- Added by the PE_THEALS.A file infector. This infection also utilizes rootkit technology.
- Added by the Sony/XCP DRM Rootkit. This file is the actual rootkit driver for the Sony DRM application.
- Added by the Troj/Haxdoor-AO Trojan.
- Added by the Backdoor.Haxdoor.G backdoor Trojan.
- Added by the W32/Goldax-B worm.
- Added by the Hacktool.Rootkit rootkit.
- Added by the Troj/Haxdoor-AJ backdoor Trojan.
- Added by the W32/Goldax- Peer to Peer (P2P) worm with backdoor functionality.
- Added by the Troj/Haxdoor-ED. The rootkit logs keypresses in the file klogini.dll.
- A variant of the Troj/Hackvan-A rootkit.
- Added by a variant of the Troj/Haxdor-Gen rootkit.
- Added by the W32/Rbot-AGE worm. When started, this infection connects to a remote IRC server and waits for commands to execute. This particular Rbot also uses rootkit technology to hide itself.
xxxdefdrv.sys
SLM32.sys stealth.worm.exe
X X
Network Control Manager CPU microcode correction sks2drvr WRM CPU driver rofl IP correction service MCFservice TCPIP Kernel32 VANTI TCPservice
aries.sys cpudev.sys sks2drvr.sys wrmdrv.sys rofl.sys msrdr2.sys mcfdrv.sys avpu32.sys God.sys msftcpip.sys
X X X X X X X X X X
msriv1
msriv1.sys
AVPX64 TCP
AVPX64.SYS
Added by the Troj/Haxdoor-Y backdoor trojan. This infection uses rootkit technology to hide itself from being seen. Added by the Troj/Haxdoor-Y backdoor trojan. This infection uses rootkit technology to hide itself from being seen. Added by the Troj/Haxdoor-R rootkit. This infection makes it so you can not see certain processes, files, or registry keys on your computer. It is usually installed in conjunction with other malware. Added by the W32/Sdbot-XP, W32/SdbotXQ, and W32/Sdbot-XR worms as a new service. They will use the same display name, and exploit IRC channels. Added by the Troj/Goldun-G password stealing trojan. If you have this infection you should change all your passwords. A rootkit bundled with various infections in order to hide them. This infection hijacks Internet Explorer to redirect to search-area.com. More information can be found here - Troj/MalcheA. Added by the HaxDoor.B rootkit/backdoor Trojan. This service is installed as a system driver and is part of the rootkit functionality of this infection. Added by the HaxDoor.B rootkit/backdoor Trojan. This service is installed as a system driver and is part of the rootkit functionality of this infection. Added by the Troj/Haxdoor-CN rootkit infection. This file is installed as system driver and is used to hide processes, files, and registry keys from being seen. Added by the Troj/Haxdoor-CN rootkit infection. This file is installed as system driver and is used to hide processes, files, and registry keys from being seen. Part of the Troj/Haxdoor-AE rootkit. This is installed as a system driver service so will not be seen in the services.msc control panel. Part of the Troj/Haxdoor-AE rootkit. This is installed as a system driver service so will not be seen in the services.msc control panel.
AVPX TCP
AVPX32.SYS
NGate service
tage32.sys
msdirectx
msdirectx.sys
iesprt
IESPRT.SYS
rdriv
rdriv.sys
msdirectx
msdirectx.sys
KeBoot
Boot32.sys
KeSDM
Sdmapi.sys
VIRTwin
VDMT16.SYS
SCNDmem
WINLOW.SYS
MemDRV
vdnt32.sys
LMMngr
memlow.sys
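Checking a Windows host against this list, as an added example that is not part of the BleepingComputer database: the script below walks the service entries under HKLM\SYSTEM\CurrentControlSet\Services whose Type marks them as kernel or file-system drivers (the entries that, as the descriptions above note, are never shown in services.msc), resolves each ImagePath to an absolute path, and flags any whose file name matches a filename from this section or whose image file cannot be seen on disk. It also looks for the taskdir.dll and iesdl4l.dll modules named above inside running processes. The indicator array is a hand-picked subset of this section's filenames, and the function names (Resolve-DriverImagePath, Find-SuspectDriverService, Find-LoadedModule) are the example's own.

```powershell
# Added example, not part of the BleepingComputer rootkit list.
# Run from an elevated PowerShell prompt on the host being examined.

# Hand-picked subset of the filenames listed above (extend as needed).
$Indicators = @(
    'hpdriver.sys', 'vvcxqgpq.sys', 'nkcfg.sys', 'xptpmm.sys', 'zopenssld.sys',
    'dvdkernl.sys', 'InvisibleDrvNT.sys', 'xxxdefdrv.sys', 'aries.sys', 'cpudev.sys',
    'msdirectx.sys', 'rdriv.sys', 'IESPRT.SYS', 'AVPX32.SYS', 'AVPX64.SYS',
    'Boot32.sys', 'Sdmapi.sys', 'VDMT16.SYS', 'WINLOW.SYS', 'vdnt32.sys', 'memlow.sys'
)

# SCM service Type values: 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER.
# services.msc lists only Win32 services (0x10 / 0x20), so driver entries never appear there.
$DriverTypes = @(1, 2)

function Resolve-DriverImagePath {
    # Normalise the ImagePath spellings used for drivers into an absolute Win32 path.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\\?\?\\(.+)$') { $p = $Matches[1] }        # \??\C:\... (NT object path prefix)
    if ($p -match '^\\SystemRoot\\(.+)$') {                      # \SystemRoot\System32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $Matches[1]
    } elseif ($p -match '^system32\\(.+)$') {                    # system32\DRIVERS\x.sys (relative)
        $p = Join-Path $env:SystemRoot "System32\$($Matches[1])"
    } elseif ($p -notmatch '^[A-Za-z]:\\') {                     # any other relative form
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Find-SuspectDriverService {
    # Return driver service entries whose image matches an indicator or is not visible on disk.
    param([string[]]$Names)
    $keys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $DriverTypes -notcontains $props.Type) { continue }
        $image = Resolve-DriverImagePath $props.ImagePath
        if (-not $image) { continue }
        $leaf   = Split-Path -Leaf $image
        $onList = $Names -contains $leaf          # -contains compares strings case-insensitively
        $onDisk = Test-Path -LiteralPath $image
        if ($onList -or -not $onDisk) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                Display   = $props.DisplayName
                Type      = $props.Type
                Start     = $props.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $image
                OnList    = $onList
                OnDisk    = $onDisk
            }
        }
    }
}

function Find-LoadedModule {
    # Report processes that have one of the named DLLs mapped (e.g. an injected taskdir.dll).
    param([string[]]$Names)
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # access denied on protected/system processes
        foreach ($m in $mods) {
            if ($Names -contains $m.ModuleName) {
                [pscustomobject]@{ ProcessId = $proc.Id; Process = $proc.ProcessName; Module = $m.FileName }
            }
        }
    }
}

Find-SuspectDriverService -Names $Indicators | Sort-Object OnList -Descending | Format-Table -AutoSize
Find-LoadedModule -Names @('taskdir.dll', 'iesdl4l.dll') | Format-Table -AutoSize
```

An entry with OnDisk false is a lead, not a verdict: uninstalled drivers routinely leave stale service keys behind, so check the Start value and the key's timestamps before acting on it. Bear in mind also what the descriptions above say these drivers do: a rootkit that hooks registry or directory enumeration can hide its own service key or file from a script running on the infected system, so a clean run on a machine that still shows symptoms should be repeated from offline boot media or by parsing the SYSTEM hive on another machine.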
Status Key
Each entry in the database will have a Status assigned to it. The key to this status is the following:
Y - This status flag means that this entry should be left alone and be allowed to run, as if it is unchecked it may break the functionality or use of a particular program.
N - This status flag means it is unnecessary to run this program automatically when Windows starts, as you can run it manually when necessary.
U - This status flag means it is up to you whether or not you feel this program needs to run automatically.
X - This status flag means the item should definitely not start up automatically. Items that have this flag are generally malware such as viruses, trojans, hijackers and spyware, but could also be programs that are not desirable to run on your computer.
? - This status flag means the status of this entry is unknown at this time and more research is necessary.
If you require assistance in removing one of these files you can ask us in the Startup Database Forum.
Disclaimer
It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. BleepingComputer.com will not be held responsible if changes you make cause a system failure. This is NOT a list of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a list of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSCONFIG or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.