Win32.HLLW.Autoruner3.2266

Added to the Dr.Web virus database: 2020-04-28

Virus description added:

Technical Information

To ensure autorun and distribution
Creates the following files on removable media
  • <Drive name for removable media>:\dblue3.lnk
  • <Drive name for removable media>:\kblue6.lnk
  • <Drive name for removable media>:\jblue6.lnk
  • <Drive name for removable media>:\iblue6.lnk
  • <Drive name for removable media>:\hblue6.lnk
  • <Drive name for removable media>:\gblue6.lnk
  • <Drive name for removable media>:\fblue6.lnk
  • <Drive name for removable media>:\eblue6.lnk
  • <Drive name for removable media>:\blue6.bin
  • <Drive name for removable media>:\dblue6.lnk
  • <Drive name for removable media>:\kblue3.lnk
  • <Drive name for removable media>:\jblue3.lnk
  • <Drive name for removable media>:\iblue3.lnk
  • <Drive name for removable media>:\hblue3.lnk
  • <Drive name for removable media>:\gblue3.lnk
  • <Drive name for removable media>:\fblue3.lnk
  • <Drive name for removable media>:\eblue3.lnk
  • <Drive name for removable media>:\blue3.bin
  • <Drive name for removable media>:\readme.js
Modifies file system
Creates the following files
  • %TEMP%\ppxf5gha.0.cs
  • %TEMP%\kjfoaoyx.dll
  • %TEMP%\res8304.tmp
  • %TEMP%\csc82f3.tmp
  • %TEMP%\kjfoaoyx.out
  • %TEMP%\kjfoaoyx.cmdline
  • %TEMP%\kjfoaoyx.0.cs
  • %TEMP%\v07afzu_.dll
  • %TEMP%\res5e55.tmp
  • %TEMP%\csc5e35.tmp
  • %TEMP%\v07afzu_.out
  • %TEMP%\v07afzu_.cmdline
  • %TEMP%\v07afzu_.0.cs
  • %TEMP%\gphy68dy.dll
  • %TEMP%\res4455.tmp
  • %TEMP%\csc4425.tmp
  • %TEMP%\gphy68dy.out
  • %TEMP%\gphy68dy.cmdline
  • %TEMP%\gphy68dy.0.cs
  • %TEMP%\ppxf5gha.dll
  • %TEMP%\res3e79.tmp
  • %TEMP%\csc3e59.tmp
  • %TEMP%\ppxf5gha.out
  • %TEMP%\ppxf5gha.cmdline
  • %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
  • %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
Deletes the following files
  • %TEMP%\res3e79.tmp
  • %TEMP%\kjfoaoyx.0.cs
  • %TEMP%\kjfoaoyx.out
  • %TEMP%\kjfoaoyx.cmdline
  • %TEMP%\csc82f3.tmp
  • %TEMP%\res8304.tmp
  • %TEMP%\v07afzu_.dll
  • %TEMP%\v07afzu_.cmdline
  • %TEMP%\v07afzu_.pdb
  • %TEMP%\v07afzu_.0.cs
  • %TEMP%\v07afzu_.out
  • %TEMP%\csc5e35.tmp
  • %TEMP%\res5e55.tmp
  • %TEMP%\gphy68dy.dll
  • %TEMP%\gphy68dy.pdb
  • %TEMP%\gphy68dy.0.cs
  • %TEMP%\gphy68dy.cmdline
  • %TEMP%\gphy68dy.out
  • %TEMP%\csc4425.tmp
  • %TEMP%\res4455.tmp
  • %TEMP%\ppxf5gha.out
  • %TEMP%\ppxf5gha.0.cs
  • %TEMP%\ppxf5gha.dll
  • %TEMP%\ppxf5gha.cmdline
  • %TEMP%\ppxf5gha.pdb
  • %TEMP%\csc3e59.tmp
  • %TEMP%\kjfoaoyx.dll
  • %TEMP%\kjfoaoyx.pdb
Network activity
TCP
HTTP GET requests
  • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
  • 'ap#.#pify.org':443
UDP
  • DNS ASK ap#.#pify.org
Miscellaneous
Creates and executes the following
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ppxf5gha.cmdline"' (with hidden window)
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3E79.tmp" "%TEMP%\CSC3E59.tmp"' (with hidden window)
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gphy68dy.cmdline"' (with hidden window)
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4455.tmp" "%TEMP%\CSC4425.tmp"' (with hidden window)
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\v07afzu_.cmdline"' (with hidden window)
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5E55.tmp" "%TEMP%\CSC5E35.tmp"' (with hidden window)
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\kjfoaoyx.cmdline"' (with hidden window)
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8304.tmp" "%TEMP%\CSC82F3.tmp"' (with hidden window)
    • '<SYSTEM32>\taskmgr.exe' ' (with hidden window)
Executes the following
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ppxf5gha.cmdline"
    • '<SYSTEM32>\sc.exe' Config clr_optimization Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop clr_optimization
    • '<SYSTEM32>\sc.exe' Delete clr_optimization
    • '<SYSTEM32>\sc.exe' Config AxInstSV Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop AxInstSV
    • '<SYSTEM32>\sc.exe' Delete AxInstSV
    • '<SYSTEM32>\sc.exe' Config Zational Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Zational
    • '<SYSTEM32>\sc.exe' Delete Zational
    • '<SYSTEM32>\sc.exe' Config "DNS Server" Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop "DNS Server"
    • '<SYSTEM32>\sc.exe' Delete "DNS Server"
    • '<SYSTEM32>\sc.exe' Delete WinHelpSvcs
    • '<SYSTEM32>\sc.exe' Config Serhiez Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete Serhiez
    • '<SYSTEM32>\sc.exe' Config SuperProServer Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop SuperProServer
    • '<SYSTEM32>\sc.exe' Delete SuperProServer
    • '<SYSTEM32>\sc.exe' Config ".Net CLR" Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop ".Net CLR"
    • '<SYSTEM32>\sc.exe' Delete ".Net CLR"
    • '<SYSTEM32>\sc.exe' Config WissssssnHelp32 Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WissssssnHelp32
    • '<SYSTEM32>\sc.exe' Delete WissssssnHelp32
    • '<SYSTEM32>\sc.exe' Config WinHasdadelp32 Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WinHasdadelp32
    • '<SYSTEM32>\sc.exe' Stop aspnet_staters
    • '<SYSTEM32>\sc.exe' Delete aspnet_staters
    • '<SYSTEM32>\sc.exe' Config aspnet_staters Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WinHelpSvcs
    • '<SYSTEM32>\sc.exe' Config WinHasdelp32 Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete SRDSL
    • '<SYSTEM32>\sc.exe' Config WifiService Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WifiService
    • '<SYSTEM32>\sc.exe' Delete WifiService
    • '<SYSTEM32>\sc.exe' Config ALGM Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop ALGM
    • '<SYSTEM32>\sc.exe' Delete ALGM
    • '<SYSTEM32>\sc.exe' Config wmiApSrvs Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop wmiApSrvs
    • '<SYSTEM32>\sc.exe' Delete wmiApSrvs
    • '<SYSTEM32>\sc.exe' Config wmiApServs Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete WinHasdadelp32
    • '<SYSTEM32>\sc.exe' Config SRDSL Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Serhiez
    • '<SYSTEM32>\sc.exe' Stop wmiApServs
    • '<SYSTEM32>\sc.exe' Delete taskmgr1
    • '<SYSTEM32>\sc.exe' Config WebServers Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WebServers
    • '<SYSTEM32>\sc.exe' Delete WebServers
    • '<SYSTEM32>\sc.exe' Config ExpressVNService Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop ExpressVNService
    • '<SYSTEM32>\sc.exe' Delete ExpressVNService
    • '<SYSTEM32>\sc.exe' Config WW#.#DOS.CN.COM Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WW#.#DOS.CN.COM
    • '<SYSTEM32>\sc.exe' Delete WW#.#DOS.CN.COM
    • '<SYSTEM32>\sc.exe' Config WinHelpSvcs Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete wmiApServs
    • '<SYSTEM32>\sc.exe' Config taskmgr1 Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop taskmgr1
    • '<SYSTEM32>\sc.exe' Stop RpcEptManger
    • '<SYSTEM32>\sc.exe' Stop WinHasdelp32
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Update2 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Update3 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Update4 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN DNS /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN SYSTEM /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN DNS2 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN SYSTEMa /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN skycmd /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Miscfost /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Netframework /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Flash /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN RavTask /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN GooglePingConfigs /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Update1 /F
    • '<SYSTEM32>\sc.exe' Delete MpeSvc
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Update /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Bluetooths /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Ddrivers /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN DnsScan /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN WebServers /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Credentials /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN TablteInputout /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN werclpsyport /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN HispDemorn /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN LimeRAT-Admin /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN DnsCore /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN "Update service for Windows Service" /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN ECDnsCore /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN MiscfostNsi /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN HomeGroupProvider /F
    • '<SYSTEM32>\sc.exe' Stop SRDSL
    • '<SYSTEM32>\schtasks.exe' /Delete /TN WindowsLogTasks /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN gm /F
    • '<SYSTEM32>\sc.exe' Stop ClipBooks
    • '<SYSTEM32>\sc.exe' Delete ClipBooks
    • '<SYSTEM32>\schtasks.exe' /Delete /TN my1 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Mysa /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Mysa1 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Mysa2 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Mysa3 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN ok /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN "Oracle Java" /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN "Oracle Java Update" /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft Telemetry" /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN "Spooler SubSystem Service" /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN "System Log Security Check" /F
    • '<SYSTEM32>\sc.exe' Delete WinHasdelp32
    • '<SYSTEM32>\sc.exe' Config ClipBooks Start= Disabled
    • '<SYSTEM32>\schtasks.exe' /Delete /TN ngm /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Sorry /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Windows_Update /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN Update_windows /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN WindowsUpdate1 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN WindowsUpdate2 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN WindowsUpdate3 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN AdobeFlashPlayer /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN FlashPlayer1 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN FlashPlayer2 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN FlashPlayer3 /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN IIS /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN "Update service for products" /F
    • '<SYSTEM32>\schtasks.exe' /Delete /TN "Oracle Products Reporter" /F
    • '<SYSTEM32>\sc.exe' Stop MpeSvc
    • '<SYSTEM32>\sc.exe' Config MpeSvc Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete IPSECS
    • '<SYSTEM32>\sc.exe' Delete sysmgt
    • '<SYSTEM32>\sc.exe' Config \gm Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop \gm
    • '<SYSTEM32>\sc.exe' Delete \gm
    • '<SYSTEM32>\sc.exe' Config WmdnPnSN Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WmdnPnSN
    • '<SYSTEM32>\sc.exe' Delete WmdnPnSN
    • '<SYSTEM32>\sc.exe' Config Sougoudl Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Sougoudl
    • '<SYSTEM32>\sc.exe' Delete Sougoudl
    • '<SYSTEM32>\sc.exe' Config National Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete CLR
    • '<SYSTEM32>\sc.exe' Config "Microsoft Telemetry" Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop sysmgt
    • '<SYSTEM32>\sc.exe' Stop National
    • '<SYSTEM32>\sc.exe' Delete Nationaaal
    • '<SYSTEM32>\sc.exe' Config Natimmonal Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Natimmonal
    • '<SYSTEM32>\sc.exe' Delete Natimmonal
    • '<SYSTEM32>\sc.exe' Config Nationaloll Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Nationaloll
    • '<SYSTEM32>\sc.exe' Delete Nationaloll
    • '<SYSTEM32>\sc.exe' Config Nationalmll Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Nationalmll
    • '<SYSTEM32>\ipconfig.exe' /all
    • '<SYSTEM32>\sc.exe' Delete Nationalmll
    • '<SYSTEM32>\sc.exe' Delete National
    • '<SYSTEM32>\sc.exe' Config Nationaaal Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Nationaaal
    • '<SYSTEM32>\netstat.exe' -anop TCP
    • '<SYSTEM32>\sc.exe' Config Nationalaie Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete Oracleupdate
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gphy68dy.cmdline"
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES4455.tmp" "%TEMP%\CSC4425.tmp"
    • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -s -NoLogo -NoProfile
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\v07afzu_.cmdline"
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5E55.tmp" "%TEMP%\CSC5E35.tmp"
    • '<SYSTEM32>\sc.exe' Config xWinWpdSrv Start= Disabled
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\kjfoaoyx.cmdline"
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8304.tmp" "%TEMP%\CSC82F3.tmp"
    • '<SYSTEM32>\sc.exe' Stop xWinWpdSrv
    • '<SYSTEM32>\sc.exe' Delete xWinWpdSrv
    • '<SYSTEM32>\sc.exe' Config SVSHost Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop SVSHost
    • '<SYSTEM32>\sc.exe' Config CLR Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop CLR
    • '<SYSTEM32>\sc.exe' Delete SVSHost
    • '<SYSTEM32>\sc.exe' Delete "Microsoft Telemetry"
    • '<SYSTEM32>\sc.exe' Config lsass Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop lsass
    • '<SYSTEM32>\sc.exe' Delete lsass
    • '<SYSTEM32>\sc.exe' Config Microsoft Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Microsoft
    • '<SYSTEM32>\sc.exe' Delete Microsoft
    • '<SYSTEM32>\sc.exe' Config system Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop system
    • '<SYSTEM32>\sc.exe' Delete system
    • '<SYSTEM32>\sc.exe' Config Oracleupdate Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Oracleupdate
    • '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3E79.tmp" "%TEMP%\CSC3E59.tmp"
    • '<SYSTEM32>\sc.exe' Stop "Microsoft Telemetry"
    • '<SYSTEM32>\schtasks.exe' /Delete /TN WwANsvc /F
    • '<SYSTEM32>\sc.exe' Stop Nationalaie
    • '<SYSTEM32>\netstat.exe' -ano
    • '<SYSTEM32>\sc.exe' Delete mssecsvc2.0
    • '<SYSTEM32>\sc.exe' Config Windows_Update Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Windows_Update
    • '<SYSTEM32>\sc.exe' Delete Windows_Update
    • '<SYSTEM32>\sc.exe' Config "Windows Managers" Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop "Windows Managers"
    • '<SYSTEM32>\sc.exe' Delete "Windows Managers"
    • '<SYSTEM32>\sc.exe' Config SvcNlauser Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop SvcNlauser
    • '<SYSTEM32>\sc.exe' Delete SvcNlauser
    • '<SYSTEM32>\sc.exe' Config WinVaultSvc Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WinVaultSvc
    • '<SYSTEM32>\ipconfig.exe' /displaydns
    • '<SYSTEM32>\sc.exe' Stop mssecsvc2.0
    • '<SYSTEM32>\sc.exe' Config mssecsvc2.0 Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete Xtfy
    • '<SYSTEM32>\sc.exe' Config Xtfya Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Xtfya
    • '<SYSTEM32>\sc.exe' Delete Xtfya
    • '<SYSTEM32>\sc.exe' Config Xtfyxxx Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Xtfyxxx
    • '<SYSTEM32>\sc.exe' Delete Xtfyxxx
    • '<SYSTEM32>\sc.exe' Config 360rTys Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop 360rTys
    • '<SYSTEM32>\sc.exe' Delete 360rTys
    • '<SYSTEM32>\sc.exe' Config IPSECS Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop IPSECS
    • '<SYSTEM32>\sc.exe' Delete WinVaultSvc
    • '<SYSTEM32>\sc.exe' Stop Xtfy
    • '<SYSTEM32>\sc.exe' Delete Nationalaie
    • '<SYSTEM32>\sc.exe' Config Xtfy Start= Disabled
    • '<SYSTEM32>\sc.exe' Config sysmgt Start= Disabled
    • '<SYSTEM32>\sc.exe' Config Nationalwpi Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Nationalwpi
    • '<SYSTEM32>\sc.exe' Delete Nationalwpi
    • '<SYSTEM32>\sc.exe' Config WinHelp32 Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WinHelp32
    • '<SYSTEM32>\sc.exe' Delete WinHelp32
    • '<SYSTEM32>\sc.exe' Config WinHelp64 Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WinHelp64
    • '<SYSTEM32>\sc.exe' Delete WinHelp64
    • '<SYSTEM32>\sc.exe' Config Samserver Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop Samserver
    • '<SYSTEM32>\sc.exe' Delete Samserver
    • '<SYSTEM32>\sc.exe' Config mssecsvc2.1 Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete mssecsvc2.1
    • '<SYSTEM32>\sc.exe' Stop mssecsvc2.1
    • '<SYSTEM32>\sc.exe' Config "NetMsmqActiv Media NVIDIA" Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop "NetMsmqActiv Media NVIDIA"
    • '<SYSTEM32>\sc.exe' Delete "NetMsmqActiv Media NVIDIA"
    • '<SYSTEM32>\sc.exe' Config "Sncryption Media Playeq" Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop "Sncryption Media Playeq"
    • '<SYSTEM32>\sc.exe' Delete "Sncryption Media Playeq"
    • '<SYSTEM32>\sc.exe' Config SxS Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop SxS
    • '<SYSTEM32>\sc.exe' Delete SxS
    • '<SYSTEM32>\sc.exe' Config WinSvc Start= Disabled
    • '<SYSTEM32>\sc.exe' Stop WinSvc
    • '<SYSTEM32>\sc.exe' Delete WinSvc
    • '<SYSTEM32>\sc.exe' Config RpcEptManger Start= Disabled
    • '<SYSTEM32>\sc.exe' Delete RpcEptManger
    • '<SYSTEM32>\taskmgr.exe'