Analysis by: Roland Marco Dela Paz

ALIASES:

Worm:Win32/Pykspa.C (Microsoft); W32/Pykse.worm (Mcafee)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This worm arrives by accessing affected shared networks. It may be dropped by other malware.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size: 327,680 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 12 Mar 2012

Arrival Details

This worm arrives by accessing affected shared networks.

It may be dropped by the following malware:

  • TROJ_KILLAV.ARB

Installation

This worm drops the following copies of itself into the affected system:

  • %User Temp%\{random}.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = {random}.exe .

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = %User Temp%\{random}.exe .

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = {random}.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random} = %User Temp%\{random}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random} = {random}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random} = %User Temp%\{random}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = {random}.exe .

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
{random} = %User Temp%\{random}.exe .

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random} = {random}.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
{random} = %User Temp%\{random}.exe

Other System Modifications

This worm adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
AntiVirusOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
FirewallOverride = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
UacDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
AntiVirusDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
FirewallDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\Security Center
UpdatesDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
DisableRegistryTools = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorAdmin = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorUser = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableInstallerDetection = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableSecureUIAPaths = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableVirtualization = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
PromptOnSecureDesktop = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ValidateAdminCodeSignatures = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
FilterAdministratorToken = 0

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDriveTypeAutoRun = 91

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = 1

(Note: The default value data of the said registry entry is 91.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer
NoDriveTypeAutoRun = ff

(Note: The default value data of the said registry entry is 1.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot

Propagation

This worm creates the following folder in all physical and removable drives:

  • {random}.bat

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

{garbage}
[AutoRun]
{garbage}
open={garbage}.bat
{garbage}
shell\open\Command={garbage}.bat _
{garbage}
shell\open\Default=1
shell\explore\Default=2
{garbage}
shell\explore\Command={random}.bat _
{garbage}

Process Termination

This worm terminates the following services if found on the affected system:

  • SharedAccess
  • WinDefend
  • Wuauserv
  • TrustedInstaller
  • MpsSvc
  • BITS
  • ERSvc
  • WerSvc
  • wscsvc

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

  • http://whatismyipaddress.com/
  • http://www.showmyipaddress.com/
  • http://whatismyip.ca/
  • http://whatismyip.everdot.org/

NOTES:

Upon execution, it opens the %User Temp% folder and subsequently opens it every time a user closes the folder.

It drops encrypted components at the following directories:

  • %Application Data%
  • %User Temp%
  • %Program Files%
  • %Windows%
  • %System%

The dropped files have random filenames and file extensions.

It searches for files having the following file extensions in the My Documents folder:

  • .gif
  • .ppt
  • .xls
  • .jpg
  • .jpeg
  • .bmp
  • .3gp
  • .doc
  • .rtf
  • .txt

It then archives the files it finds including a copy of itself using WinRAR. The created archive is dropped to available network shares.

It closes windows with the following strings in its title:

  • Antivir
  • Eset
  • Firewall
  • Hiajck
  • Hijack
  • IceSword
  • NetTools
  • Process Ex
  • Process Ha
  • Procexp
  • Procmon
  • Regedit
  • Registry
  • Regmon
  • Restauration du sy
  • Rstrui
  • Sistemos atk
  • Spyware
  • Sysclean
  • Sysinternals
  • Zonealarm
  • antianti
  • antivirus
  • avg
  • computer management
  • dr. web
  • dr.web
  • esetsmart
  • internet security
  • security center
  • soft security e
  • system configuration
  • system restore
  • trend micro
  • virus
  • worm

It blocks access to sites that contains the following strings in the address bar:

  • Kaspersky
  • Malware
  • Virus
  • Wilderssecurity
  • ahnlab
  • arcabit
  • avast
  • avg.
  • avira
  • avp.
  • bit9.
  • castlecops
  • centralcommand
  • cert.
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • eset –
  • etrust
  • ewido
  • f-prot
  • f-secure
  • fortinet
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • mcafee
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • rootkit
  • sans.
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • tcpview
  • threatexpert
  • trendmicro
  • vet.
  • windowsupdate

It is capable of propagating via Skype by sending the following pre-defined messages along with a link where a copy of itself may be downloaded:

  • hello
  • how are you
  • hello again
  • you skype version is old
  • what are you?
  • from where are you?
  • what are you doing in my contacts?
  • as I said %s
  • so %s
  • %s :D
  • look %s
  • here %s
  • so what do you think?
  • what is in that link on your skype?
  • do you have camera on skype?
  • is it really your web site?
  • what do you think about that?
  • what is there?
  • pudge women ;)
  • piece of shit
  • now everyone know ;)
  • idiot
  • what are you doing
  • crazy bitch
  • why dont you speak
  • I saw you photo. I would like to speak with you
  • I saw you last week. I would like to speak with you
  • I watching you long time. I would like to speak with you
  • %s
  • I know what you did
  • 191:%s :D :D :D
  • idiot name
  • i lost my job..
  • i am idiot..
  • i want to die..
  • (beer)
  • nice ass :*
  • muhahahaaahaha
  • little boy :]]]]
  • I know about your little problem :D
  • gay
  • what new?
  • what the fuck is that ?
  • bad news
  • dude
  • bitch
  • niger
  • impotent

It can also send these messages using native languages of specific countries in Europe.

This worm connacts to any of the following sites to get the current date and time:

  • www.ebay.com
  • www.baidu.com
  • www.imdb.com
  • www.bbc.co.uk
  • www.adobe.com
  • www.blogger.com
  • www.wikipediga.or
  • www.yahoo.com
  • www.youtube.com
  • www.myspace.com
  • www.facebook.com
  • www.google.com

It is capable of deleting System Restore points by deleting the contents of %System Root%\System Volume Information folder.

It reads the affected user's Skype configuration in order to steal personal information from the user as well as his/her Skype contacts.

This malware generates random domains using an algorithm in order to connect to its C&C server. It is capable of executing the following commands:

  • Download and execute possibly malicious files
  • Execute a file
  • Steal information
  • Terminate processes
  • Terminate Itself
  • Delete files
  • Modify registries
  • Modify clipboard data
  • Shut down the system
  • Sleep
  • Modify Windows hosts file
  • Propagate via mapped drives
  • Propagate via network shares
  • Propagate via Skype
  • Propagate via Twitter

  SOLUTION

Minimum Scan Engine: 9.200

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by WORM_SKYTWI.A

     TROJ_KILLAV.ARB

Step 3

Identify and delete files detected as WORM_SKYTWI.A using either the Startup Disk or Recovery Console

[ Learn More ]

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • {random} = {random}.exe .
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • {random} = %User Temp%\{random}.exe .
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {random} = {random}.exe .
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {random} = %User Temp%\{random}.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • {random} = {random}.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • {random} = %User Temp%\{random}.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • {random} = {random}.exe .
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • {random} = %User Temp%\{random}.exe .
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • {random} = {random}.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • {random} = %User Temp%\{random}.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • DisableRegistryTools = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
    • AntiVirusOverride = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
    • FirewallOverride = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
    • UacDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
    • AntiVirusDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
    • FirewallDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security Center
    • UpdatesDisableNotify = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • EnableLUA = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • DisableRegistryTools = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • ConsentPromptBehaviorAdmin = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • ConsentPromptBehaviorUser = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • EnableInstallerDetection = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • EnableSecureUIAPaths = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • EnableVirtualization = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • PromptOnSecureDesktop = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • ValidateAdminCodeSignatures = 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    • FilterAdministratorToken = 0

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • From: NoDriveTypeAutoRun = 91
      To: NoDriveTypeAutoRun = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    • From: CheckedValue = 91
      To: CheckedValue = 1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    • From: NoDriveTypeAutoRun = ff
      To: NoDriveTypeAutoRun = 1

Step 6

Search and delete AUTORUN.INF files created by WORM_SKYTWI.A that contain these strings

[ Learn More ]
{garbage}
[AutoRun]
{garbage}
open={garbage}.bat
{garbage}
shell\open\Command={garbage}.bat _
{garbage}
shell\open\Default=1
shell\explore\Default=2
{garbage}
shell\explore\Command={random}.bat _
{garbage}

Step 7

Scan your computer with your Trend Micro product to delete files detected as WORM_SKYTWI.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

Restoring the deleted Safe Mode Registry Key

  1. Open a text editor like notepad.exe
  2. Copy and paste the following and save it as restore.vbs.

    const HKEY_CURRENT_USER = &H80000001
    const HKEY_LOCAL_MACHINE = &H80000002
    strComputer = "."



    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_ strComputer & "\root\default:StdRegProv")



    strMainKeyPath = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"



    oReg.CreateKey HKEY_LOCAL_MACHINE,strMainKeyPath



    Dim arrKeyPath(44)
    dim arrValue(44)



    arrKeyPath(0) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {36FC9E60-C465-11CF-8056-444553540000}"
    arrKeyPath(1) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E965-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(2) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E967-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(3) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E969-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(4) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E96A-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(5) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E96B-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(6) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E96F-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(7) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E977-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(8) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E97B-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(9) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E97D-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(10) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E980-E325-11CE-BFC1-08002BE10318}"
    arrKeyPath(11) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {533C5B84-EC70-11D2-9505-00C04F79DEAF}"
    arrKeyPath(12) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {71A27CDD-812A-11D0-BEC7-08002BE2092F}"
    arrKeyPath(13) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}"
    arrKeyPath(14) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    AppMgmt"
    arrKeyPath(15) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Base"
    arrKeyPath(16) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Boot Bus Extender"
    arrKeyPath(17) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Boot file system"
    arrKeyPath(18) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    CryptSvc"
    arrKeyPath(19) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    DcomLaunch"
    arrKeyPath(20) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmadmin"
    arrKeyPath(21) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmboot.sys"
    arrKeyPath(22) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmio.sys"
    arrKeyPath(23) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmload.sys"
    arrKeyPath(24) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmserver"
    arrKeyPath(25) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    EventLog"
    arrKeyPath(26) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    File system"
    arrKeyPath(27) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Filter"
    arrKeyPath(28) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    HelpSvc"
    arrKeyPath(29) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Netlogon"
    arrKeyPath(30) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    PCI Configuration"
    arrKeyPath(31) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    PlugPlay"
    arrKeyPath(32) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    PNP Filter"
    arrKeyPath(33) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Primary disk"
    arrKeyPath(34) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    RpcSs"
    arrKeyPath(35) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    SCSI Class"
    arrKeyPath(36) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    sermouse.sys"
    arrKeyPath(37) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    sr.sys"
    arrKeyPath(38) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    SRService"
    arrKeyPath(39) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    System Bus Extender"
    arrKeyPath(40) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    vds"
    arrKeyPath(41) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    vga.sys"
    arrKeyPath(42) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    vgasave.sys"
    arrKeyPath(43) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    WinMgmt"
    arrValue(0) = "Universal Serial Bus controllers"
    arrValue(1) = "CD-ROM Drive"
    arrValue(2) = "DiskDrive"
    arrValue(3) = "Standard floppy disk controller"
    arrValue(4) = "Hdc"
    arrValue(5) = "Keyboard"
    arrValue(6) = "Mouse"
    arrValue(7) = "PCMCIA Adapters"
    arrValue(8) = "SCSIAdapter"
    arrValue(9) = "System"
    arrValue(10) = "Floppy disk drive"
    arrValue(11) = "Volume shadow copy"
    arrValue(12) = "Volume"
    arrValue(13) = "Human Interface Devices"
    arrValue(14) = "Service"
    arrValue(15) = "Driver Group"
    arrValue(16) = "Driver Group"
    arrValue(17) = "Driver Group"
    arrValue(18) = "Service"
    arrValue(19) = "Service"
    arrValue(20) = "Service"
    arrValue(21) = "Driver"
    arrValue(22) = "Driver"
    arrValue(23) = "Driver"
    arrValue(24) = "Service"
    arrValue(25) = "Service"
    arrValue(26) = "Driver Group"
    arrValue(27) = "Driver Group"
    arrValue(28) = "Service"
    arrValue(29) = "Service"
    arrValue(30) = "Driver Group"
    arrValue(31) = "Service"
    arrValue(32) = "Driver Group"
    arrValue(33) = "Driver Group"
    arrValue(34) = "Service"
    arrValue(35) = "Driver Group"
    arrValue(36) = "Driver"
    arrValue(37) = "FSFilter System Recovery"
    arrValue(38) = "Service"
    arrValue(39) = "Driver Group"
    arrValue(40) = "Service"
    arrValue(41) = "Driver"
    arrValue(42) = "Driver"
    arrValue(43) = "Service"



    strValueName = ""
    For i = 0 to 43
    oReg.CreateKey HKEY_LOCAL_MACHINE,arrKeyPath(i)
    oReg.SetStringValue HKEY_LOCAL_MACHINE, arrKeyPath(i), StrValueName, arrValue(i)
    Next



    strMainKeyPath = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network"

    oReg.CreateKey HKEY_LOCAL_MACHINE,strMainKeyPath


    Dim arrNKeyPath(80)
    dim arrNValue(80)



    arrNKeyPath(0) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {36FC9E60-C465-11CF-8056-444553540000}"
    arrNKeyPath(1) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E965-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(2) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E967-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(3) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E969-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(4) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E96A-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(5) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E96B-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(6) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E96F-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(7) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E972-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(8) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E973-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(9) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E974-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(10) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E975-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(11) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E977-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(12) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E97B-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(13) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E97D-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(14) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {4D36E980-E325-11CE-BFC1-08002BE10318}"
    arrNKeyPath(15) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {71A27CDD-812A-11D0-BEC7-08002BE2092F}"
    arrNKeyPath(16) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    {745A17A0-74D3-11D0-B6FE-00A0C90F57DA}"
    arrNKeyPath(17) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    AFD"
    arrNKeyPath(18) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    AppMgmt"
    arrNKeyPath(19) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Base"
    arrNKeyPath(20) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Boot Bus Extender"
    arrNKeyPath(21) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Boot file system"
    arrNKeyPath(22) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Browser"
    arrNKeyPath(23) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    CryptSvc"
    arrNKeyPath(24) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    DcomLaunch"
    arrNKeyPath(25) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Dhcp"
    arrNKeyPath(26) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmadmin"
    arrNKeyPath(27) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmboot.sys"
    arrNKeyPath(28) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmio.sys"
    arrNKeyPath(29) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmload.sys"
    arrNKeyPath(30) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    dmserver"
    arrNKeyPath(31) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    DnsCache"
    arrNKeyPath(32) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    EventLog"
    arrNKeyPath(33) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    File system"
    arrNKeyPath(34) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Filter"
    arrNKeyPath(35) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    HelpSvc"
    arrNKeyPath(36) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    ip6fw.sys"
    arrNKeyPath(37) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    ipnat.sys"
    arrNKeyPath(38) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    LanmanServer"
    arrNKeyPath(39) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    LanmanWorkstation"
    arrNKeyPath(40) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    LmHosts"
    arrNKeyPath(41) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Messenger"
    arrNKeyPath(42) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    NDIS"
    arrNKeyPath(43) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    NDIS Wrapper"
    arrNKeyPath(44) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Ndisuio"
    arrNKeyPath(45) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    NetBIOS"
    arrNKeyPath(46) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    NetBIOSGroup"
    arrNKeyPath(47) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    NetBT"
    arrNKeyPath(48) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    NetDDEGroup"
    arrNKeyPath(49) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Netlogon"
    arrNKeyPath(50) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    NetMan"
    arrNKeyPath(51) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Network"
    arrNKeyPath(52) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    NetworkProvider" arrNKeyPath(53) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    NtLmSsp"
    arrNKeyPath(54) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    PCI Configuration"
    arrNKeyPath(55) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    PlugPlay"
    arrNKeyPath(56) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    PNP Filter"
    arrNKeyPath(57) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    PNP_TDI"
    arrNKeyPath(58) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Primary disk"
    arrNKeyPath(59) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    rdpcdd.sys"
    arrNKeyPath(60) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    rdpdd.sys"
    arrNKeyPath(61) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    rdpwd.sys"
    arrNKeyPath(62) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    rdsessmgr"
    arrNKeyPath(63) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    RpcSs"
    arrNKeyPath(64) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    SCSI Class"
    arrNKeyPath(65) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    sermouse.sys"
    arrNKeyPath(66) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    SharedAccess"
    arrNKeyPath(67) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    sr.sys"
    arrNKeyPath(68) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    SRService"
    arrNKeyPath(69) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Streams Drivers"
    arrNKeyPath(70) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    System Bus Extender"
    arrNKeyPath(71) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    Tcpip"
    arrNKeyPath(72) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    TDI"
    arrNKeyPath(73) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    tdpipe.sys"
    arrNKeyPath(74) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    tdtcp.sys"
    arrNKeyPath(75) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    termservice"
    arrNKeyPath(76) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    vga.sys"
    arrNKeyPath(77) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    vgasave.sys"
    arrNKeyPath(78) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    WinMgmt"
    arrNKeyPath(79) = "SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
    WZCSVC"



    arrNValue(0) = "Universal Serial Bus controllers"
    arrNValue(1) = "CD-ROM Drive"
    arrNValue(2) = "DiskDrive"
    arrNValue(3) = "Standard floppy disk controller"
    arrNValue(4) = "Hdc"
    arrNValue(5) = "Keyboard"
    arrNValue(6) = "Mouse"
    arrNValue(7) = "Net"
    arrNValue(8) = "NetClient"
    arrNValue(9) = "NetService"
    arrNValue(10)= "NetTrans"
    arrNValue(11)= "PCMCIA Adapters"
    arrNValue(12)= "SCSIAdapter"
    arrNValue(13)= "System"
    arrNValue(14)= "Floppy disk drive"
    arrNValue(15)= "Volume"
    arrNValue(16)= "Human Interface Devices"
    arrNValue(17)= "Service"
    arrNValue(18)= "Service"
    arrNValue(19)= "Driver Group"
    arrNValue(20)= "Driver Group"
    arrNValue(21)= "Driver Group"
    arrNValue(22)= "Service"
    arrNValue(23)= "Service"
    arrNValue(24)= "Service"
    arrNValue(25)= "Service"
    arrNValue(26)= "Service"
    arrNValue(27)= "Driver"
    arrNValue(28)= "Driver"
    arrNValue(29)= "Driver"
    arrNValue(30)= "Service"
    arrNValue(31)= "Service"
    arrNValue(32)= "Service"
    arrNValue(33)= "Driver Group"
    arrNValue(34)= "Driver Group"
    arrNValue(35)= "Service"
    arrNValue(36)= "Driver"
    arrNValue(37)= "Driver"
    arrNValue(38)= "Service"
    arrNValue(39)= "Service"
    arrNValue(40)= "Service"
    arrNValue(41)= "Service"
    arrNValue(42)= "Driver Group"
    arrNValue(43)= "Driver Group"
    arrNValue(44)= "Service"
    arrNValue(45)= "Service"
    arrNValue(46)= "Driver Group"
    arrNValue(47)= "Service"
    arrNValue(48)= "Driver Group"
    arrNValue(49)= "Service"
    arrNValue(50)= "Service"
    arrNValue(51)= "Driver Group"
    arrNValue(52)= "Driver Group"
    arrNValue(53)= "Service"
    arrNValue(54)= "Driver Group"
    arrNValue(55)= "Service"
    arrNValue(56)= "Driver Group"
    arrNValue(57)= "Driver Group"
    arrNValue(58)= "Driver Group"
    arrNValue(59)= "Driver"
    arrNValue(60)= "Driver"
    arrNValue(61)= "Driver"
    arrNValue(62)= "Service"
    arrNValue(63)= "Service"
    arrNValue(64)= "Driver Group"
    arrNValue(65)= "Driver"
    arrNValue(66)= "Service"
    arrNValue(67)= "FSFilter System Recovery"
    arrNValue(68)= "Service"
    arrNValue(69)= "Driver Group"
    arrNValue(70)= "Driver Group"
    arrNValue(71)= "Service"
    arrNValue(72)= "Driver Group"
    arrNValue(73)= "Driver"
    arrNValue(74)= "Driver"
    arrNValue(75)= "Service"
    arrNValue(76)= "Driver"
    arrNValue(77)= "Driver"
    arrNValue(78)= "Service"
    arrNValue(79)= "Service"



    strValueName = ""
    For i = 0 to 79
    oReg.CreateKey HKEY_LOCAL_MACHINE,arrNKeyPath(i)
    oReg.SetStringValue HKEY_LOCAL_MACHINE, arrNKeyPath(i), StrValueName, arrNValue(i)
    Next

  3. Execute restore.vbs by double clicking the file.


Did this description help? Tell us how we did.