Trojan.Encoder.29865

Added to the Dr.Web virus database: 2019-10-23

Virus description added:

Technical Information

To ensure autorun and distribution
Creates the following files on removable media
  • <Drive name for removable media>:\h0w_t0_rec0very_files.txt
  • <Drive name for removable media>:\delete.avi
  • <Drive name for removable media>:\correct.avi
  • <Drive name for removable media>:\split.avi
  • <Drive name for removable media>:\default.bmp
  • <Drive name for removable media>:\dialmap.bmp
  • <Drive name for removable media>:\dashborder_192.bmp
  • <Drive name for removable media>:\dashborder_120.bmp
  • <Drive name for removable media>:\contosoroot.cer
  • <Drive name for removable media>:\contoso_1.cer
  • <Drive name for removable media>:\sdkfailsafeemulator.cer
  • <Drive name for removable media>:\contoso.cer
  • <Drive name for removable media>:\testee.cer
  • <Drive name for removable media>:\holycrosschurchinstructions.docx
  • <Drive name for removable media>:\sdszfo.docx
Malicious functions
To complicate detection of its presence in the operating system, deletes volume shadow copies.
Executes the following
  • '%WINDIR%\syswow64\taskkill.exe' /IM firefox.exe /F
  • '%WINDIR%\syswow64\net.exe' stop sacsvr /y
  • '%WINDIR%\syswow64\net.exe' stop SamSs /y
  • '%WINDIR%\syswow64\net.exe' stop SAVAdminService /y
  • '%WINDIR%\syswow64\net.exe' stop SAVService /y
  • '%WINDIR%\syswow64\net.exe' stop SDRSVC /y
  • '%WINDIR%\syswow64\net.exe' stop SepMasterService /y
  • '%WINDIR%\syswow64\net.exe' stop ShMonitor /y
  • '%WINDIR%\syswow64\net.exe' stop Smcinst /y
  • '%WINDIR%\syswow64\net.exe' stop SMTPSvc /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PRACTTICEMGT /y
  • '%WINDIR%\syswow64\net.exe' stop SNAC /y
  • '%WINDIR%\syswow64\net.exe' stop SntpService /y
  • '%WINDIR%\syswow64\net.exe' stop sophossps /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$BKUPEXEC /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$CITRIX_METAFRAME /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$CXDB /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$ECWDB2 /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\net.exe' stop RESvc /y
  • '%WINDIR%\syswow64\net.exe' stop SmcService /y
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$TPSAMA /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLServerOLAPService /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SHAREPOINT /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SQL_2008 /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$TPS /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$TPSAMA /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLSERVER /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLServerADHelper /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLServerADHelper100 /y
  • '%WINDIR%\syswow64\net.exe' stop MySQL57 /y
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net.exe' stop MySQL80 /y
  • '%WINDIR%\syswow64\net.exe' stop NetMsmqActivator /y
  • '%WINDIR%\syswow64\net.exe' stop ntrtscan /y
  • '%WINDIR%\syswow64\net.exe' stop OracleClientCache80 /y
  • '%WINDIR%\syswow64\net.exe' stop PDVFSService /y
  • '%WINDIR%\syswow64\net.exe' stop POP3Svc /y
  • '%WINDIR%\syswow64\net.exe' stop ReportServer /y
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$SQL_2008 /y
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$TPS /y
  • '%WINDIR%\syswow64\net.exe' stop SQLBrowser /y
  • '%WINDIR%\syswow64\net.exe' stop wbengine /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SBSMONITORING /y
  • '%WINDIR%\syswow64\net.exe' stop tmlisten /y
  • '%WINDIR%\syswow64\net.exe' stop TrueKey /y
  • '%WINDIR%\syswow64\net.exe' stop TrueKeyScheduler /y
  • '%WINDIR%\syswow64\net.exe' stop TrueKeyServiceHelper /y
  • '%WINDIR%\syswow64\net.exe' stop UI0Detect /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamBackupSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamBrokerSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamCatalogSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamDeploymentService /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamDeploySvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamEnterpriseManagerSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamHvIntegrationSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamMountSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamNFSSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamRESTSvc /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamTransportSvc /y
  • '%WINDIR%\syswow64\net.exe' stop W3Svc /y
  • '%WINDIR%\syswow64\net.exe' stop TmCCSF /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SBSMONITORING /y
  • '%WINDIR%\syswow64\net.exe' stop swi_update_64 /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SHAREPOINT /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SOPHOS /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SQL_2008 /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SQLEXPRESS /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$TPS /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$TPSAMA /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PROD /y
  • '%WINDIR%\syswow64\net.exe' stop swi_service /y
  • '%WINDIR%\syswow64\net.exe' stop SQLSafeOLRService /y
  • '%WINDIR%\syswow64\net.exe' stop SQLSERVERAGENT /y
  • '%WINDIR%\syswow64\net.exe' stop SQLTELEMETRY /y
  • '%WINDIR%\syswow64\net.exe' stop SQLTELEMETRY$ECWDB2 /y
  • '%WINDIR%\syswow64\net.exe' stop SQLWriter /y
  • '%WINDIR%\syswow64\net.exe' stop SstpSvc /y
  • '%WINDIR%\syswow64\net.exe' stop svcGenericHost /y
  • '%WINDIR%\syswow64\net.exe' stop swi_filter /y
  • '%WINDIR%\syswow64\net.exe' stop swi_update /y
  • '%WINDIR%\syswow64\net.exe' stop VeeamCloudSvc /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecManagementService /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecRPCService /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecVSSProvider /y
  • '%WINDIR%\syswow64\net.exe' stop bedbg /y
  • '%WINDIR%\syswow64\net.exe' stop DCAgent /y
  • '%WINDIR%\syswow64\net.exe' stop EhttpSrv /y
  • '%WINDIR%\syswow64\net.exe' stop ekrn /y
  • '%WINDIR%\syswow64\net.exe' stop EPSecurityService /y
  • '%WINDIR%\syswow64\net.exe' stop EraserSvc11710 /y
  • '%WINDIR%\syswow64\net.exe' stop klnagent /y
  • '%WINDIR%\syswow64\net.exe' stop EsgShKernel /y
  • '%WINDIR%\syswow64\net.exe' stop ESHASRV /y
  • '%WINDIR%\syswow64\net.exe' stop FA_Scheduler /y
  • '%WINDIR%\syswow64\net.exe' stop IISAdmin /y
  • '%WINDIR%\syswow64\net.exe' stop IMAP4Svc /y
  • '%WINDIR%\syswow64\net.exe' stop KAVFS /y
  • '%WINDIR%\syswow64\net.exe' stop KAVFSGT /y
  • '%WINDIR%\syswow64\net.exe' stop kavfsslp /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecJobEngine /y
  • '%WINDIR%\syswow64\net.exe' stop EPUpdateService /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecDeviceMediaService /y
  • '%WINDIR%\syswow64\net.exe' stop "SQLsafe Backup Service" /y
  • '%WINDIR%\syswow64\net.exe' stop "Acronis VSS Provider" /y
  • '%WINDIR%\syswow64\net.exe' stop "Enterprise Client Service" /y
  • '%WINDIR%\syswow64\net.exe' stop "LanmanServer" /y
  • '%WINDIR%\syswow64\net.exe' stop "LanmanWorkstation" /y
  • '%WINDIR%\syswow64\net.exe' stop "SQLdmCollectionService$Default" /y
  • '%WINDIR%\syswow64\net.exe' stop "SQLdmManagementService$Default" /y
  • '%WINDIR%\syswow64\net.exe' stop "SQLdmPredictiveAnalyticsService$Default" /y
  • '%WINDIR%\syswow64\net.exe' stop "SQL Backups" /y
  • '%WINDIR%\syswow64\net.exe' stop "SQLsafe Filter Service" /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecAgentAccelerator /y
  • '%WINDIR%\syswow64\net.exe' stop "Symantec System Recovery" /y
  • '%WINDIR%\syswow64\net.exe' stop "Veeam Backup Catalog Data Service" /y
  • '%WINDIR%\syswow64\net.exe' stop "Zoolz 2 Service" /y
  • '%WINDIR%\syswow64\net.exe' stop AcronisAgent /y
  • '%WINDIR%\syswow64\net.exe' stop AcrSch2Svc /y
  • '%WINDIR%\syswow64\net.exe' stop Antivirus /y
  • '%WINDIR%\syswow64\net.exe' stop ARSM /y
  • '%WINDIR%\syswow64\net.exe' stop AVP /y
  • '%WINDIR%\syswow64\net.exe' stop BackupExecAgentBrowser /y
  • '%WINDIR%\syswow64\net.exe' stop MMS /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\net.exe' stop MBAMService /y
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$TPS /y
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$TPSAMA /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$BKUPEXEC /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$ECWDB2 /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PRACTICEMGT /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PROD /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SBSMONITORING /y
  • '%WINDIR%\syswow64\net.exe' stop masvc /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SHAREPOINT /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SOPHOS /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SQL_2008 /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SQLEXPRESS /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$TPS /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$TPSAMA /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$SQL_2008 /y
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher /y
  • '%WINDIR%\syswow64\net.exe' stop msftesql$PROD /y
  • '%WINDIR%\syswow64\net.exe' stop mfevtp /y
  • '%WINDIR%\syswow64\net.exe' stop MBEndpointAgent /y
  • '%WINDIR%\syswow64\net.exe' stop McAfeeEngineService /y
  • '%WINDIR%\syswow64\net.exe' stop McAfeeFramework /y
  • '%WINDIR%\syswow64\net.exe' stop McAfeeFrameworkMcAfeeFramework /y
  • '%WINDIR%\syswow64\net.exe' stop McShield /y
  • '%WINDIR%\syswow64\net.exe' stop McTaskManager /y
  • '%WINDIR%\syswow64\net.exe' stop mfefire /y
  • '%WINDIR%\syswow64\net.exe' stop mfemms /y
  • '%WINDIR%\syswow64\net.exe' stop macmnsvc /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeSA /y
  • '%WINDIR%\syswow64\net.exe' stop mozyprobackup /y
  • '%WINDIR%\syswow64\net.exe' stop MsDtsServer /y
  • '%WINDIR%\syswow64\net.exe' stop MsDtsServer100 /y
  • '%WINDIR%\syswow64\net.exe' stop MsDtsServer110 /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeES /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeIS /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeMGMT /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeMTA /y
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeSRS /y
  • '%WINDIR%\syswow64\net.exe' stop WRSVC /y
Terminates or attempts to terminate the following user processes:
  • firefox.exe
Modifies file system
Creates the following files
  • D:\h0w_t0_rec0very_files.txt
Modifies user data files (Trojan.Encoder).
Changes the extensions of user data files (Trojan.Encoder).
Miscellaneous
Searches for the following windows
  • ClassName: '' WindowName: ''
Creates and executes the following
  • '%WINDIR%\syswow64\taskkill.exe' /IM firefox.exe /F' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SepMasterService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ShMonitor /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop Smcinst /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SmcService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SMTPSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SNAC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SntpService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop sophossps /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$BKUPEXEC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$CITRIX_METAFRAME /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$CXDB /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$ECWDB2 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PRACTTICEBGC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PRACTTICEMGT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PROD /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$PROFXENGAGEMENT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SBSMONITORING /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SHAREPOINT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SOPHOS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SDRSVC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SAVService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SamSs /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLSERVER /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLServerADHelper /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLServerADHelper100 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLServerOLAPService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MySQL57 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MySQL80 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop NetMsmqActivator /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ntrtscan /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop OracleClientCache80 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop PDVFSService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop POP3Svc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ReportServer /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ReportServer$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop RESvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop sacsvr /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SAVAdminService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop UI0Detect /y' (with hidden window)
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=E: /on=E: /maxsize=unbounded' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamCatalogSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamCloudSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamDeploymentService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamDeploySvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamEnterpriseManagerSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamHvIntegrationSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamMountSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamNFSSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamRESTSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamTransportSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop W3Svc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop wbengine /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop WRSVC /y' (with hidden window)
  • '%WINDIR%\syswow64\vssadmin.exe' delete shadows /all /quiet' (with hidden window)
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=A: /on=A: /maxsize=401MB' (with hidden window)
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=A: /on=A: /maxsize=unbounded' (with hidden window)
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=D: /on=D: /maxsize=401MB' (with hidden window)
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=D: /on=D: /maxsize=unbounded' (with hidden window)
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=E: /on=E: /maxsize=401MB' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamBrokerSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop VeeamBackupSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop TrueKeyServiceHelper /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$VEEAMSQL2008R2 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$VEEAMSQL2012 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLBrowser /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLSafeOLRService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLSERVERAGENT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLTELEMETRY /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLTELEMETRY$ECWDB2 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLWriter /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SstpSvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop svcGenericHost /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop swi_filter /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop swi_service /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop swi_update /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop swi_update_64 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop TmCCSF /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop tmlisten /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop TrueKey /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop TrueKeyScheduler /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SQLEXPRESS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop SQLAgent$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MBEndpointAgent /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop BackupExecRPCService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop BackupExecVSSProvider /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop bedbg /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop DCAgent /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop EhttpSrv /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ekrn /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop EPSecurityService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop EPUpdateService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop EraserSvc11710 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop EsgShKernel /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ESHASRV /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop FA_Scheduler /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop IISAdmin /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop IMAP4Svc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop KAVFS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop KAVFSGT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop kavfsslp /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop klnagent /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop macmnsvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop BackupExecManagementService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop masvc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop BackupExecJobEngine /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop BackupExecAgentBrowser /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "Acronis VSS Provider" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "Enterprise Client Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "LanmanServer" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "LanmanWorkstation" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "SQLdmCollectionService$Default" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "SQLdmManagementService$Default" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "SQLdmPredictiveAnalyticsService$Default" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "SQL Backups" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "SQLsafe Backup Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "SQLsafe Filter Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "Symantec System Recovery" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "Veeam Backup Catalog Data Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop "Zoolz 2 Service" /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop AcronisAgent /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop AcrSch2Svc /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop Antivirus /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop ARSM /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop AVP /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop BackupExecAgentAccelerator /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop BackupExecDeviceMediaService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SHAREPOINT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop McAfeeEngineService /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$BKUPEXEC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$ECWDB2 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PRACTICEMGT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PRACTTICEBGC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PROD /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$PROFXENGAGEMENT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SBSMONITORING /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SHAREPOINT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SOPHOS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SQLEXPRESS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$SYSTEM_BGC /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$VEEAMSQL2008R2 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQL$VEEAMSQL2012 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SBSMONITORING /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$TPSAMA /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSSQLFDLauncher$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$TPS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSOLAP$SQL_2008 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop McAfeeFramework /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop McAfeeFrameworkMcAfeeFramework /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop McShield /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop McTaskManager /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop mfefire /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop mfemms /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop mfevtp /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MMS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop mozyprobackup /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MsDtsServer /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MsDtsServer100 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MsDtsServer110 /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeES /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeIS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeMGMT /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeMTA /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeSA /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MSExchangeSRS /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop msftesql$PROD /y' (with hidden window)
  • '%WINDIR%\syswow64\net.exe' stop MBAMService /y' (with hidden window)
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=F: /on=F: /maxsize=401MB' (with hidden window)
Executes the following
  • '%WINDIR%\syswow64\net1.exe' stop "Acronis VSS Provider" /y
  • '%WINDIR%\syswow64\net1.exe' stop Smcinst /y
  • '%WINDIR%\syswow64\net1.exe' stop SmcService /y
  • '%WINDIR%\syswow64\net1.exe' stop SMTPSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop SNAC /y
  • '%WINDIR%\syswow64\net1.exe' stop SntpService /y
  • '%WINDIR%\syswow64\net1.exe' stop sophossps /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$BKUPEXEC /y
  • '%WINDIR%\syswow64\net1.exe' stop SDRSVC /y
  • '%WINDIR%\syswow64\net1.exe' stop ShMonitor /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$CITRIX_METAFRAME /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$PRACTTICEMGT /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SBSMONITORING /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$PROD /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SOPHOS /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SHAREPOINT /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$CXDB /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\net1.exe' stop SepMasterService /y
  • '%WINDIR%\syswow64\net1.exe' stop SAVAdminService /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SQLEXPRESS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLServerADHelper100 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLServerOLAPService /y
  • '%WINDIR%\syswow64\net1.exe' stop MySQL57 /y
  • '%WINDIR%\syswow64\net1.exe' stop MySQL80 /y
  • '%WINDIR%\syswow64\net1.exe' stop NetMsmqActivator /y
  • '%WINDIR%\syswow64\net1.exe' stop ntrtscan /y
  • '%WINDIR%\syswow64\net1.exe' stop OracleClientCache80 /y
  • '%WINDIR%\syswow64\net1.exe' stop PDVFSService /y
  • '%WINDIR%\syswow64\net1.exe' stop POP3Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop ReportServer$TPSAMA /y
  • '%WINDIR%\syswow64\net1.exe' stop RESvc /y
  • '%WINDIR%\syswow64\net1.exe' stop sacsvr /y
  • '%WINDIR%\syswow64\net1.exe' stop SamSs /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLSERVER /y
  • '%WINDIR%\syswow64\net1.exe' stop SAVService /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$TPSAMA /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamCatalogSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamCloudSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamDeploymentService /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamDeploySvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamEnterpriseManagerSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamHvIntegrationSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamMountSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamNFSSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamRESTSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop wbengine /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamTransportSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop W3Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop WRSVC /y
  • '<SYSTEM32>\vssvc.exe'
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=A: /on=A: /maxsize=401MB
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=A: /on=A: /maxsize=unbounded
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=D: /on=D: /maxsize=401MB
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=D: /on=D: /maxsize=unbounded
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=E: /on=E: /maxsize=401MB
  • '%WINDIR%\syswow64\net1.exe' stop VeeamBrokerSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$TPSAMA /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLServerADHelper /y
  • '%WINDIR%\syswow64\net1.exe' stop TrueKeyServiceHelper /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLBrowser /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLSafeOLRService /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLSERVERAGENT /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLTELEMETRY$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLTELEMETRY /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLWriter /y
  • '%WINDIR%\syswow64\net1.exe' stop SstpSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop svcGenericHost /y
  • '%WINDIR%\syswow64\net1.exe' stop swi_filter /y
  • '%WINDIR%\syswow64\net1.exe' stop swi_update /y
  • '%WINDIR%\syswow64\net1.exe' stop swi_service /y
  • '%WINDIR%\syswow64\net1.exe' stop swi_update_64 /y
  • '%WINDIR%\syswow64\net1.exe' stop TmCCSF /y
  • '%WINDIR%\syswow64\net1.exe' stop tmlisten /y
  • '%WINDIR%\syswow64\net1.exe' stop TrueKey /y
  • '%WINDIR%\syswow64\net1.exe' stop TrueKeyScheduler /y
  • '%WINDIR%\syswow64\net1.exe' stop UI0Detect /y
  • '%WINDIR%\syswow64\net1.exe' stop SQLAgent$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop DCAgent /y
  • '%WINDIR%\syswow64\net1.exe' stop EhttpSrv /y
  • '%WINDIR%\syswow64\net1.exe' stop EPUpdateService /y
  • '%WINDIR%\syswow64\net1.exe' stop EPSecurityService /y
  • '%WINDIR%\syswow64\net1.exe' stop EraserSvc11710 /y
  • '%WINDIR%\syswow64\net1.exe' stop ekrn /y
  • '%WINDIR%\syswow64\net1.exe' stop EsgShKernel /y
  • '%WINDIR%\syswow64\net1.exe' stop IISAdmin /y
  • '%WINDIR%\syswow64\net1.exe' stop ESHASRV /y
  • '%WINDIR%\syswow64\net1.exe' stop FA_Scheduler /y
  • '%WINDIR%\syswow64\net1.exe' stop IMAP4Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop KAVFS /y
  • '%WINDIR%\syswow64\net1.exe' stop KAVFSGT /y
  • '%WINDIR%\syswow64\net1.exe' stop kavfsslp /y
  • '%WINDIR%\syswow64\net1.exe' stop klnagent /y
  • '%WINDIR%\syswow64\net1.exe' stop macmnsvc /y
  • '%WINDIR%\syswow64\net1.exe' stop masvc /y
  • '%WINDIR%\syswow64\net1.exe' stop bedbg /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecManagementService /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecRPCService /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=E: /on=E: /maxsize=unbounded
  • '%WINDIR%\syswow64\net1.exe' stop MBAMService /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecDeviceMediaService /y
  • '%WINDIR%\syswow64\net1.exe' stop "LanmanServer" /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQLdmCollectionService$Default" /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQLdmPredictiveAnalyticsService$Default" /y
  • '%WINDIR%\syswow64\net1.exe' stop "LanmanWorkstation" /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQL Backups" /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQLdmManagementService$Default" /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQLsafe Backup Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop "SQLsafe Filter Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop "Enterprise Client Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop "Zoolz 2 Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop "Symantec System Recovery" /y
  • '%WINDIR%\syswow64\net1.exe' stop Antivirus /y
  • '%WINDIR%\syswow64\net1.exe' stop ARSM /y
  • '%WINDIR%\syswow64\net1.exe' stop AcronisAgent /y
  • '%WINDIR%\syswow64\net1.exe' stop AcrSch2Svc /y
  • '%WINDIR%\syswow64\net1.exe' stop AVP /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecAgentAccelerator /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecAgentBrowser /y
  • '%WINDIR%\syswow64\net1.exe' stop "Veeam Backup Catalog Data Service" /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecJobEngine /y
  • '%WINDIR%\syswow64\net1.exe' stop VeeamBackupSvc /y
  • '%WINDIR%\syswow64\net1.exe' stop MBEndpointAgent /y
  • '%WINDIR%\syswow64\net1.exe' stop McShield /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PRACTICEMGT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PRACTTICEBGC /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PROD /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SBSMONITORING /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SHAREPOINT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SOPHOS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SQLEXPRESS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$TPS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$TPSAMA /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$VEEAMSQL2008R2 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$VEEAMSQL2012 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SBSMONITORING /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQLFDLauncher$SHAREPOINT /y
  • '%WINDIR%\syswow64\net1.exe' stop McAfeeEngineService /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$ECWDB2 /y
  • '%WINDIR%\syswow64\net1.exe' stop McAfeeFramework /y
  • '%WINDIR%\syswow64\net1.exe' stop MSSQL$BKUPEXEC /y
  • '%WINDIR%\syswow64\net1.exe' stop BackupExecVSSProvider /y
  • '%WINDIR%\syswow64\net1.exe' stop McAfeeFrameworkMcAfeeFramework /y
  • '%WINDIR%\syswow64\net1.exe' stop McTaskManager /y
  • '%WINDIR%\syswow64\net1.exe' stop mfefire /y
  • '%WINDIR%\syswow64\net1.exe' stop mfemms /y
  • '%WINDIR%\syswow64\net1.exe' stop mfevtp /y
  • '%WINDIR%\syswow64\net1.exe' stop MMS /y
  • '%WINDIR%\syswow64\net1.exe' stop mozyprobackup /y
  • '%WINDIR%\syswow64\net1.exe' stop MsDtsServer /y
  • '%WINDIR%\syswow64\net1.exe' stop MsDtsServer100 /y
  • '%WINDIR%\syswow64\net1.exe' stop MsDtsServer110 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeIS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeES /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeMGMT /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeMTA /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeSA /y
  • '%WINDIR%\syswow64\net1.exe' stop msftesql$PROD /y
  • '%WINDIR%\syswow64\net1.exe' stop MSExchangeSRS /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$SQL_2008 /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$SYSTEM_BGC /y
  • '%WINDIR%\syswow64\net1.exe' stop MSOLAP$TPSAMA /y
  • '%WINDIR%\syswow64\vssadmin.exe' resize shadowstorage /for=F: /on=F: /maxsize=401MB

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law, demands a set ransom amount, or shows some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and the specifications of the particular mobile device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

© Doctor Web
2003 — 2022