How to find the source creating a boot start driver with a random name in Windows XP?


Talking about Windows XP. Comodo Killswitch shows a Boot Start driver in the System Services section with a random six-letter name (new on every reboot, always 6 letters, which is suspicious). Comodo Autorun Analyzer didn't show this driver. Sysinternals Autoruns didn't show this driver. Msconfig didn't show this driver. Which is suspicious. None of the antivirus and antirootkit software I tried found any malware. There are traces of these names in the registry, but no trace of what created these registry entries. Comodo Killswitch never shows their Binary Path, and when I try to launch Killswitch with the Loaded Modules tab enabled, these drivers won't show up in the Services section of the System tab (suspicious). I managed to make a memory dump file, memory.dmp, but couldn't find a way to open and read it.

How can I find out the source of these registry entries, i.e. where in the system the component that deploys this suspicious driver is located?

Update: So, I used Process Monitor and, according to the traces there, it seems that the entries in the registry for this evasive, suspicious boot start driver/service were made by services.exe. Probably services.exe is given these instructions by some software or malware. I wonder how I can find out the path to the software responsible for the registry entries made by services.exe.


Solution

  • In order to find the source, I changed the settings of Comodo Security so that services.exe must ask my permission for anything. services.exe asked to make those registry entries after the launch of Comodo Killswitch. services.exe also asked to make the registry entries that contained the path to Comodo Killswitch driver.
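The registry traces mentioned in the question are the one artifact an analyst can triage offline without the tool that hides the driver. As an added example (not from the original post or from any Comodo or Sysinternals tool), the script below parses a `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump and lists boot-start kernel drivers that match the traits described: a six-letter name, no ImagePath, or absence from a previous boot's export. The sample .reg text and the service names `atapi` and `qzxwvk` are constructed for the example.

```python
import re
# Constructed sample of a "reg export HKLM\SYSTEM\CurrentControlSet\Services" dump (not from the post).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,61,00,74,00,\
  61,00,70,00,69,00,2e,00,73,00,79,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qzxwvk]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
'''

def parse_services(text):
    """Map each direct child key of ...\Services to its values (dword:, "string", hex(2): UTF-16LE)."""
    services, key, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip(); i += 1
        if line.startswith('['):
            m = re.match(r'\[.*\\Services\\([^\\]+)\]$', line)
            key = m.group(1) if m else None          # skip deeper subkeys such as \Parameters
            if key: services.setdefault(key, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if not m or key is None: continue
        name, raw = m.groups()
        while raw.endswith('\\'):                    # hex values wrap with a trailing backslash
            raw = raw[:-1] + lines[i].strip(); i += 1
        if raw.startswith('dword:'):
            services[key][name] = int(raw[6:], 16)
        elif raw.startswith('hex(2):'):              # REG_EXPAND_SZ, the usual type of ImagePath
            data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
            services[key][name] = data.decode('utf-16-le').rstrip('\x00')
        elif raw.startswith('"'):                    # REG_SZ, backslashes escaped as \\
            services[key][name] = raw[1:-1].replace('\\\\', '\\')
    return services

def boot_driver_findings(services, previous_boot=()):
    """Boot-start (Start=0) kernel drivers (Type=1) with the traits the post describes; a six-letter
    name alone is weak evidence, so a missing ImagePath and absence from the last boot count too."""
    findings = {}
    for name, vals in services.items():
        if vals.get('Start') != 0 or vals.get('Type') != 1: continue
        reasons = []
        if re.fullmatch(r'[A-Za-z]{6}', name): reasons.append('six-letter name')
        if 'ImagePath' not in vals: reasons.append('no ImagePath')
        if previous_boot and name not in previous_boot: reasons.append('not present last boot')
        if reasons: findings[name] = reasons
    return findings
```

Exporting the Services key once per boot and passing the previous export's key names as `previous_boot` turns the "new name on every reboot" behaviour into a concrete diff; a name that appears in only one export is the one to trace in Process Monitor.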