Trojan.Siggen25.63161

Added to the Dr.Web virus database: 2024-02-10

Virus description added:

Technical Information

To ensure autorun and distribution
Sets the following service settings
  • [HKLM\System\CurrentControlSet\Services\wscsvc] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\AudioSrv] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\BFE] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\CryptSvc] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\Dhcp] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\Dnscache] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\eventlog] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\EventSystem] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\KeyIso] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\LanmanServer] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\LanmanWorkstation] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\Power] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\AudioEndpointBuilder] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\ProfSvc] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\SamSs] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\ShellHWDetection] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\Spooler] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\Themes] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\VaultSvc] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\WinDefend] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\Winmgmt] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\Wlansvc] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\MpsSvc] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\nsi] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\sppsvc] 'Start' = '00000002'
  • [HKLM\System\CurrentControlSet\Services\SENS] 'Start' = '00000002'
  • [HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc] 'Start' = '00000002'
Malicious functions
To complicate detection of its presence in the operating system, adds antivirus exclusion:
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command Add-MpPreference -ExclusionPath "<DRIVERS>\etc\hosts" -Force
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command Add-MpPreference -ExclusionPath "C:\WinInstallHelper" -Force
Executes the following
  • '<SYSTEM32>\taskkill.exe' /F /IM "explorer.exe"
  • '<SYSTEM32>\net.exe' stop dmwappushsvc
  • '<SYSTEM32>\net.exe' stop VSStandardCollectorService150
  • '<SYSTEM32>\net.exe' stop NvTelemetryContainer
  • '<SYSTEM32>\net.exe' stop DiagTrack
Launches a large number of processes
Terminates or attempts to terminate the following system processes:
  • %WINDIR%\explorer.exe
Modifies file system
Creates the following files
  • C:\wininstallhelper\appx_remover.bat
  • C:\wininstallhelper\winrar_comment.txt
  • C:\wininstallhelper\winkeyloggerdisabler.ps1
  • C:\wininstallhelper\wininstallhelper.ico
  • C:\wininstallhelper\wininstallhelper.bat
  • C:\wininstallhelper\winget_download.bat
  • C:\wininstallhelper\windowsspyblocker.bat
  • C:\wininstallhelper\ultimate_power.bat
  • C:\wininstallhelper\tcp_optimizer.bat
  • C:\wininstallhelper\tasks.bat
  • C:\wininstallhelper\stopedgepdf.ps1
  • C:\wininstallhelper\setacl.exe
  • C:\wininstallhelper\services.bat
  • C:\wininstallhelper\ram_to_svchost.ps1
  • C:\wininstallhelper\not_responding_fix.bat
  • C:\wininstallhelper\move_program.bat
  • C:\wininstallhelper\layout.xml
  • C:\wininstallhelper\hosts.bat
  • C:\wininstallhelper\gettrustedinstaller.exe
  • C:\wininstallhelper\firewall_ips.txt
  • C:\wininstallhelper\firewall_blocker.bat
  • C:\wininstallhelper\finalize.cmd
  • C:\wininstallhelper\edgeremoval.bat
  • C:\wininstallhelper\domains.txt
  • C:\wininstallhelper\disablebackgroundaccess.ps1
  • C:\wininstallhelper\create_an_elevated_shortcut.bat
  • C:\wininstallhelper\compile.bat
  • C:\wininstallhelper\changelog.txt
  • C:\wininstallhelper\blank.ico
  • C:\wininstallhelper\bigtaskmanager.ps1
  • C:\wininstallhelper\_main.bat
  • %HOMEPATH%\desktop\wininstallhelper_logs\service_settings_10-02-24__16_22_23.txt
Miscellaneous
Searches for the following windows
  • ClassName: 'EDIT' WindowName: ''
  • ClassName: '' WindowName: ''
Creates and executes the following
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Start-Process -Verb RunAs -FilePath '"C:\WinInstallHelper\_main.bat"' -ArgumentList 'am_admin'"
Executes the following
  • '<SYSTEM32>\cmd.exe' /c ""C:\WinInstallHelper\_main.bat" "
  • '<SYSTEM32>\sc.exe' config ALG start= demand
  • '<SYSTEM32>\sc.exe' config AppIDSvc start= demand
  • '<SYSTEM32>\sc.exe' config AppMgmt start= disabled
  • '<SYSTEM32>\sc.exe' config AppReadiness start= demand
  • '<SYSTEM32>\sc.exe' config AppVClient start= disabled
  • '<SYSTEM32>\sc.exe' config AppXSvc start= demand
  • '<SYSTEM32>\sc.exe' config Appinfo start= demand
  • '<SYSTEM32>\sc.exe' config AssignedAccessManagerSvc start= disabled
  • '<SYSTEM32>\sc.exe' config AudioEndpointBuilder start= auto
  • '<SYSTEM32>\sc.exe' config AudioSrv start= auto
  • '<SYSTEM32>\sc.exe' config AxInstSV start= demand
  • '<SYSTEM32>\sc.exe' config BDESVC start= demand
  • '<SYSTEM32>\sc.exe' config BFE start= auto
  • '<SYSTEM32>\sc.exe' config "Razer Game Scanner Service" start= disabled
  • '<SYSTEM32>\sc.exe' config AJRouter start= disabled
  • '<SYSTEM32>\sc.exe' config BcastDVRUserService_48486de start= demand
  • '<SYSTEM32>\sc.exe' config BcastDVRUserService_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config BluetoothUserService_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config BrokerInfrastructure start= auto
  • '<SYSTEM32>\sc.exe' config Browser start= demand
  • '<SYSTEM32>\sc.exe' config BthAvctpSvc start= demand
  • '<SYSTEM32>\sc.exe' config BthHFSrv start= auto
  • '<SYSTEM32>\sc.exe' config CDPSvc start= demand
  • '<SYSTEM32>\sc.exe' config CDPUserSvc_dc2a4 start= auto
  • '<SYSTEM32>\sc.exe' config COMSysApp start= demand
  • '<SYSTEM32>\sc.exe' config CaptureService_48486de start= demand
  • '<SYSTEM32>\sc.exe' config CaptureService_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config CertPropSvc start= disabled
  • '<SYSTEM32>\sc.exe' config BITS start= delayed-auto
  • '<SYSTEM32>\sc.exe' config ConsentUxUserSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config BcastDVRUserService start= demand
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DcpSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SensorService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SensrSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\sc.exe' stop "SensorService"
  • '<SYSTEM32>\sc.exe' stop "SensrSvc"
  • '<SYSTEM32>\sc.exe' config webthreatdefusersvc start= auto
  • '<SYSTEM32>\sc.exe' config cbdhsvc start= demand
  • '<SYSTEM32>\sc.exe' config WpnUserService start= auto
  • '<SYSTEM32>\sc.exe' config UserDataSvc start= demand
  • '<SYSTEM32>\sc.exe' config UdkUserSvc start= demand
  • '<SYSTEM32>\sc.exe' config RasAuto start= demand
  • '<SYSTEM32>\sc.exe' config PrintWorkflowUserSvc start= demand
  • '<SYSTEM32>\sc.exe' config PimIndexMaintenanceSvc start= demand
  • '<SYSTEM32>\sc.exe' config PenService start= demand
  • '<SYSTEM32>\sc.exe' config P9RdrService start= demand
  • '<SYSTEM32>\sc.exe' config NPSMSvc start= demand
  • '<SYSTEM32>\sc.exe' config MessagingService start= demand
  • '<SYSTEM32>\sc.exe' config DiagTrack start= disabled
  • '<SYSTEM32>\sc.exe' config DevicesFlowUserSvc start= demand
  • '<SYSTEM32>\sc.exe' config DevicePickerUserSvc start= demand
  • '<SYSTEM32>\sc.exe' config DeviceAssociationBrokerSvc start= demand
  • '<SYSTEM32>\sc.exe' config CredentialEnrollmentManagerUserSvc start= demand
  • '<SYSTEM32>\sc.exe' config ConsentUxUserSvc start= demand
  • '<SYSTEM32>\sc.exe' config CaptureService start= demand
  • '<SYSTEM32>\sc.exe' config CDPUserSvc start= auto
  • '<SYSTEM32>\sc.exe' config ClipSVC start= demand
  • '<SYSTEM32>\sc.exe' config BTAGService start= demand
  • '<SYSTEM32>\sc.exe' config CoREMessagingRegistrar start= auto
  • '<SYSTEM32>\sc.exe' config CredentialEnrollmentManagerUserSvc_dc2a4 start= demand
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wercplsupport" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\sc.exe' config HPSysInfoCap start= demand
  • '<SYSTEM32>\sc.exe' config HomeGroupListener start= disabled
  • '<SYSTEM32>\sc.exe' config HomeGroupProvider start= disabled
  • '<SYSTEM32>\sc.exe' config HpTouchpointAnalyticsService start= demand
  • '<SYSTEM32>\sc.exe' config HvHost start= demand
  • '<SYSTEM32>\sc.exe' config IEEtwCollectorService start= demand
  • '<SYSTEM32>\sc.exe' config IKEEXT start= demand
  • '<SYSTEM32>\sc.exe' config InstallService start= demand
  • '<SYSTEM32>\sc.exe' config InventorySvc start= demand
  • '<SYSTEM32>\sc.exe' config IpxlatCfgSvc start= demand
  • '<SYSTEM32>\sc.exe' config KeyIso start= auto
  • '<SYSTEM32>\sc.exe' config KtmRm start= demand
  • '<SYSTEM32>\sc.exe' config LSM start= auto
  • '<SYSTEM32>\sc.exe' config LanmanServer start= auto
  • '<SYSTEM32>\sc.exe' config LanmanWorkstation start= auto
  • '<SYSTEM32>\sc.exe' config LicenseManager start= demand
  • '<SYSTEM32>\sc.exe' config LogiregistryService start= disabled
  • '<SYSTEM32>\sc.exe' config LxpSvc start= demand
  • '<SYSTEM32>\sc.exe' config MSDTC start= demand
  • '<SYSTEM32>\sc.exe' config MSiSCSI start= disable
  • '<SYSTEM32>\sc.exe' config MapsBroker start= disabled
  • '<SYSTEM32>\sc.exe' config McpManagementService start= demand
  • '<SYSTEM32>\sc.exe' config MessagingService_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config MicrosoftEdgeElevationService start= disabled
  • '<SYSTEM32>\sc.exe' config MixedRealityOpenXRSvc start= demand
  • '<SYSTEM32>\sc.exe' config MsKeyboardFilter start= demand
  • '<SYSTEM32>\sc.exe' config NPSMSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config NaturalAuthentication start= demand
  • '<SYSTEM32>\sc.exe' config HPNetworkCap start= demand
  • '<SYSTEM32>\sc.exe' config BluetoothUserService start= demand
  • '<SYSTEM32>\sc.exe' config HPAppHelperCap start= demand
  • '<SYSTEM32>\sc.exe' config GraphicsPerfSvc start= demand
  • '<SYSTEM32>\sc.exe' config FrameServerMonitor start= demand
  • '<SYSTEM32>\sc.exe' config CscService start= demand
  • '<SYSTEM32>\sc.exe' config DPS start= demand
  • '<SYSTEM32>\sc.exe' config DcomLaunch start= auto
  • '<SYSTEM32>\sc.exe' config DcpSvc start= demand
  • '<SYSTEM32>\sc.exe' config DevQueryBroker start= demand
  • '<SYSTEM32>\sc.exe' config DeviceAssociationBrokerSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config DeviceAssociationService start= demand
  • '<SYSTEM32>\sc.exe' config DeviceInstall start= demand
  • '<SYSTEM32>\sc.exe' config DevicePickerUserSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config DevicesFlowUserSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config Dhcp start= auto
  • '<SYSTEM32>\sc.exe' config DialogBlockingService start= disabled
  • '<SYSTEM32>\sc.exe' config DispBrokerDesktopSvc start= auto
  • '<SYSTEM32>\sc.exe' config DmEnrollmentSvc start= demand
  • '<SYSTEM32>\sc.exe' config Dnscache start= auto
  • '<SYSTEM32>\sc.exe' config DoSvc start= delayed-auto
  • '<SYSTEM32>\sc.exe' config DsSvc start= demand
  • '<SYSTEM32>\sc.exe' config DsmSvc start= demand
  • '<SYSTEM32>\sc.exe' config DusmSvc start= auto
  • '<SYSTEM32>\sc.exe' config EFS start= demand
  • '<SYSTEM32>\sc.exe' config EapHost start= demand
  • '<SYSTEM32>\sc.exe' config EntAppSvc start= demand
  • '<SYSTEM32>\sc.exe' config EventLog start= auto
  • '<SYSTEM32>\sc.exe' config EventSystem start= auto
  • '<SYSTEM32>\sc.exe' config FDResPub start= demand
  • '<SYSTEM32>\sc.exe' config Fax start= demand
  • '<SYSTEM32>\sc.exe' config FontCache start= demand
  • '<SYSTEM32>\sc.exe' config FrameServer start= demand
  • '<SYSTEM32>\sc.exe' config CryptSvc start= auto
  • '<SYSTEM32>\sc.exe' config WPDBusEnum start= demand
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\XboxGipSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WPDBusEnum" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WSService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WSearch" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WalletService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WarpJITSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Wcmsvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WcsPlugInService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WdiServiceHost" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WdiSystemHost" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WebClient" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Wecsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WiaRpc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WinRM" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WlanSvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WpcMonSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WpnService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WwanSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\XblAuthManager" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\XblGameSave" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\autotimesvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\bthserv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WManSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\camsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\sc.exe' config NcaSvc start= demand
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\cbdhsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SysMain" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TabletInputService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TapiSrv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TermService" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TextInputManagementService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Themes" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TieringEngineService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBroker" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TokenBroker" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TrkWks" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TroubleshootingSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UI0Detect" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UdkUserSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UevAgentService" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UmRdpService" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UnistoreSvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UserDataSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UserManager" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\VGAuthService" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\VMTools" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\VSS" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\VSStandardCollectorService150" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\VacSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WFDSConMgrSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\sc.exe' config HPDiagsCap start= demand
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\dbupdate" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\smphost" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\swprv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\tiledatamodelsvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\tzautoupdate" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\uhssvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\upnphost" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vds" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vm3dservice" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\vmvss" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wbengine" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wcncsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wlpasvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wmiApSrv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\workfolderssvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wudfsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\wisvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\Fax" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\stisvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\cloudidsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\svsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\dbupdatem" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\dcsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\defragsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\diagsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\dot3svc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\embeddedmode" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\fdPHost" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\fhsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\gupdate" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\gupdatem" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\icssvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\lltdsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\lmhosts" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\msiserver" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\netprofm" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\nsi" /v "Start" /t REG_DWORD /d "2" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\p2pimsvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\p2psvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\perceptionsimulation" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\pla" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\shpamsvc" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\spectrum" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\ssh-agent" /v "Start" /t REG_DWORD /d "4" /f
  • '<SYSTEM32>\sc.exe' config NcbService start= demand
  • '<SYSTEM32>\sc.exe' config NcdAutoSetup start= demand
  • '<SYSTEM32>\sc.exe' config Ndu start= disabled
  • '<SYSTEM32>\sc.exe' config wmiApSrv start= demand
  • '<SYSTEM32>\sc.exe' config sppsvc start= delayed-auto
  • '<SYSTEM32>\sc.exe' config ssh-agent start= disabled
  • '<SYSTEM32>\sc.exe' config stisvc start= demand
  • '<SYSTEM32>\sc.exe' config svsvc start= demand
  • '<SYSTEM32>\sc.exe' config swprv start= demand
  • '<SYSTEM32>\sc.exe' config tiledatamodelsvc start= auto
  • '<SYSTEM32>\sc.exe' config tzautoupdate start= disabled
  • '<SYSTEM32>\sc.exe' config uhssvc start= disabled
  • '<SYSTEM32>\sc.exe' config upnphost start= demand
  • '<SYSTEM32>\sc.exe' config vds start= demand
  • '<SYSTEM32>\sc.exe' config vm3dservice start= demand
  • '<SYSTEM32>\sc.exe' config vmicguestinterface start= demand
  • '<SYSTEM32>\sc.exe' config vmicheartbeat start= demand
  • '<SYSTEM32>\sc.exe' config vmickvpexchange start= demand
  • '<SYSTEM32>\sc.exe' config vmicrdv start= demand
  • '<SYSTEM32>\sc.exe' config vmicshutdown start= demand
  • '<SYSTEM32>\sc.exe' config vmictimesync start= demand
  • '<SYSTEM32>\sc.exe' config vmicvmsession start= demand
  • '<SYSTEM32>\sc.exe' config vmicvss start= demand
  • '<SYSTEM32>\sc.exe' config vmvss start= demand
  • '<SYSTEM32>\sc.exe' config wbengine start= demand
  • '<SYSTEM32>\sc.exe' config wcncsvc start= demand
  • '<SYSTEM32>\sc.exe' config webthreatdefsvc start= demand
  • '<SYSTEM32>\sc.exe' config webthreatdefusersvc_dc2a4 start= auto
  • '<SYSTEM32>\sc.exe' config wercplsupport start= demand
  • '<SYSTEM32>\sc.exe' config wisvc start= demand
  • '<SYSTEM32>\sc.exe' config wlidsvc start= demand
  • '<SYSTEM32>\sc.exe' config wlpasvc start= demand
  • '<SYSTEM32>\sc.exe' stop PimIndexMaintenanceSvc
  • '<SYSTEM32>\sc.exe' config smphost start= demand
  • '<SYSTEM32>\sc.exe' config shpamsvc start= disabled
  • '<SYSTEM32>\sc.exe' config seclogon start= demand
  • '<SYSTEM32>\sc.exe' config pla start= demand
  • '<SYSTEM32>\sc.exe' config dbupdatem start= disabled
  • '<SYSTEM32>\sc.exe' config dcsvc start= demand
  • '<SYSTEM32>\sc.exe' config defragsvc start= demand
  • '<SYSTEM32>\sc.exe' config diagnosticshub.standardcollector.service start= disable
  • '<SYSTEM32>\sc.exe' config diagsvc start= demand
  • '<SYSTEM32>\sc.exe' config dmwappushservice start= disabled
  • '<SYSTEM32>\sc.exe' config dot3svc start= demand
  • '<SYSTEM32>\sc.exe' config edgeupdate start= disabled
  • '<SYSTEM32>\sc.exe' config edgeupdatem start= disabled
  • '<SYSTEM32>\sc.exe' config embeddedmode start= demand
  • '<SYSTEM32>\sc.exe' config fdPHost start= demand
  • '<SYSTEM32>\sc.exe' config fhsvc start= demand
  • '<SYSTEM32>\sc.exe' config gpsvc start= auto
  • '<SYSTEM32>\sc.exe' config gupdate start= demand
  • '<SYSTEM32>\sc.exe' config gupdatem start= demand
  • '<SYSTEM32>\sc.exe' config hidserv start= demand
  • '<SYSTEM32>\sc.exe' config icssvc start= demand
  • '<SYSTEM32>\sc.exe' config iphlpsvc start= demand
  • '<SYSTEM32>\sc.exe' config lfsvc start= disabled
  • '<SYSTEM32>\sc.exe' config lltdsvc start= demand
  • '<SYSTEM32>\sc.exe' config lmhosts start= demand
  • '<SYSTEM32>\sc.exe' config mpssvc start= auto
  • '<SYSTEM32>\sc.exe' config msiserver start= demand
  • '<SYSTEM32>\sc.exe' config netprofm start= demand
  • '<SYSTEM32>\sc.exe' config nsi start= auto
  • '<SYSTEM32>\sc.exe' config p2pimsvc start= demand
  • '<SYSTEM32>\sc.exe' config p2psvc start= demand
  • '<SYSTEM32>\sc.exe' config perceptionsimulation start= demand
  • '<SYSTEM32>\sc.exe' config dbupdate start= disabled
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\StorSvc" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\sc.exe' config cloudidsvc start= demand
  • '<SYSTEM32>\sc.exe' config wuauserv start= demand
  • '<SYSTEM32>\sc.exe' stop wscsvc
  • '<SYSTEM32>\sc.exe' stop SysMain
  • '<SYSTEM32>\sc.exe' stop UnistoreSvc
  • '<SYSTEM32>\sc.exe' stop UserDataSvc
  • '<SYSTEM32>\sc.exe' stop VSS
  • '<SYSTEM32>\sc.exe' stop VSStandardCollectorService150
  • '<SYSTEM32>\sc.exe' stop WerSvc
  • '<SYSTEM32>\sc.exe' stop XblAuthManager
  • '<SYSTEM32>\sc.exe' stop XblGameSave
  • '<SYSTEM32>\sc.exe' stop XboxGipSvc
  • '<SYSTEM32>\sc.exe' stop XboxNetApiSvc
  • '<SYSTEM32>\sc.exe' stop dmwappushservice
  • '<SYSTEM32>\sc.exe' stop wercplsupport
  • '<SYSTEM32>\sc.exe' stop wisvc
  • '<SYSTEM32>\sc.exe' stop xbgm
  • '<SYSTEM32>\sc.exe' stop Sgrmbroker
  • '<SYSTEM32>\net1.exe' stop DiagTrack
  • '<SYSTEM32>\net1.exe' stop NvTelemetryContainer
  • '<SYSTEM32>\net1.exe' stop VSStandardCollectorService150
  • '<SYSTEM32>\net1.exe' stop dmwappushsvc
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "(Get-Date).ToString('dd-MM-yy__HH_mm_ss')"
  • '<SYSTEM32>\cmd.exe' /c powershell -Command "(Get-Date).ToString('dd-MM-yy__HH_mm_ss')"
  • '<SYSTEM32>\cmd.exe' /K C:\WinInstallHelper\Services.bat
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "Checkpoint-Computer -Description 'WinInstallHelper' -RestorePointType 'MODIFY_SETTINGS'"
  • '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  • '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c "Enable-ComputerRestore -Drive 'C:\'"
  • '<SYSTEM32>\powercfg.exe' /setdcvalueindex scheme_current sub_sleep standbyidle 0
  • '<SYSTEM32>\powercfg.exe' /setacvalueindex scheme_current sub_sleep standbyidle 0
  • '<SYSTEM32>\cmd.exe' /C "C:\WinInstallHelper\_main.bat" am_admin
  • '<SYSTEM32>\sc.exe' config wscsvc start= delayed-auto
  • '<SYSTEM32>\sc.exe' config workfolderssvc start= demand
  • '<SYSTEM32>\sc.exe' stop Schedule
  • '<SYSTEM32>\sc.exe' stop NvTelemetryContainer
  • '<SYSTEM32>\sc.exe' stop Spooler
  • '<SYSTEM32>\sc.exe' config wudfsvc start= demand
  • '<SYSTEM32>\sc.exe' delete DiagTrack
  • '<SYSTEM32>\sc.exe' delete MapsBroker
  • '<SYSTEM32>\sc.exe' delete MessagingService
  • '<SYSTEM32>\sc.exe' delete PcaSvc
  • '<SYSTEM32>\sc.exe' delete RetailDemo
  • '<SYSTEM32>\sc.exe' delete SessionEnv
  • '<SYSTEM32>\sc.exe' delete TermService
  • '<SYSTEM32>\sc.exe' delete TroubleshootingSvc
  • '<SYSTEM32>\sc.exe' delete UmRdpService
  • '<SYSTEM32>\sc.exe' delete WerSvc
  • '<SYSTEM32>\sc.exe' delete XblAuthManager
  • '<SYSTEM32>\sc.exe' delete XblGameSave
  • '<SYSTEM32>\sc.exe' delete XboxGipSvc
  • '<SYSTEM32>\sc.exe' delete XboxNetApiSvc
  • '<SYSTEM32>\sc.exe' delete diagnosticshub.standardcollector.service
  • '<SYSTEM32>\sc.exe' delete diagsvc
  • '<SYSTEM32>\sc.exe' delete dmwappushservice
  • '<SYSTEM32>\sc.exe' delete lfsvc
  • '<SYSTEM32>\sc.exe' delete shpamsvc
  • '<SYSTEM32>\sc.exe' delete wercplsupport
  • '<SYSTEM32>\sc.exe' delete wisvc
  • '<SYSTEM32>\sc.exe' stop "Razer Game Scanner Service"
  • '<SYSTEM32>\sc.exe' stop BcastDVRUserService
  • '<SYSTEM32>\sc.exe' stop DiagTrack
  • '<SYSTEM32>\sc.exe' stop Fax
  • '<SYSTEM32>\sc.exe' stop LogiregistryService
  • '<SYSTEM32>\sc.exe' stop MessagingService
  • '<SYSTEM32>\sc.exe' stop OneSyncSvc
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\WEPHOSTSVC" /v "Start" /t REG_DWORD /d "3" /f
  • '<SYSTEM32>\sc.exe' config cbdhsvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config bthserv start= demand
  • '<SYSTEM32>\sc.exe' config RmSvc start= demand
  • '<SYSTEM32>\sc.exe' config RpcEptMapper start= auto
  • '<SYSTEM32>\sc.exe' config RpcLocator start= demand
  • '<SYSTEM32>\sc.exe' config RpcSs start= auto
  • '<SYSTEM32>\sc.exe' config RtkBtManServ start= demand
  • '<SYSTEM32>\sc.exe' config SCPolicySvc start= demand
  • '<SYSTEM32>\sc.exe' config SCardSvr start= demand
  • '<SYSTEM32>\sc.exe' config SDRSVC start= demand
  • '<SYSTEM32>\sc.exe' config SEMgrSvc start= demand
  • '<SYSTEM32>\sc.exe' config SENS start= auto
  • '<SYSTEM32>\sc.exe' config SNMPTrap start= disabled
  • '<SYSTEM32>\sc.exe' config SSDPSRV start= demand
  • '<SYSTEM32>\sc.exe' config SamSs start= auto
  • '<SYSTEM32>\sc.exe' config ScDeviceEnum start= demand
  • '<SYSTEM32>\sc.exe' config Schedule start= auto
  • '<SYSTEM32>\sc.exe' config SecurityHealthService start= demand
  • '<SYSTEM32>\sc.exe' config Sense start= demand
  • '<SYSTEM32>\sc.exe' config SensorDataService start= demand
  • '<SYSTEM32>\sc.exe' config SensorService start= demand
  • '<SYSTEM32>\sc.exe' config SensrSvc start= demand
  • '<SYSTEM32>\sc.exe' config SessionEnv start= demand
  • '<SYSTEM32>\sc.exe' config SgrmBroker start= auto
  • '<SYSTEM32>\sc.exe' config SharedAccess start= disabled
  • '<SYSTEM32>\sc.exe' config SharedRealitySvc start= demand
  • '<SYSTEM32>\sc.exe' config ShellHWDetection start= auto
  • '<SYSTEM32>\sc.exe' config SmsRouter start= demand
  • '<SYSTEM32>\sc.exe' config Spooler start= auto
  • '<SYSTEM32>\sc.exe' config SstpSvc start= demand
  • '<SYSTEM32>\sc.exe' config StateRepository start= demand
  • '<SYSTEM32>\sc.exe' config cbdhsvc_48486de start= demand
  • '<SYSTEM32>\sc.exe' config StorSvc start= demand
  • '<SYSTEM32>\sc.exe' config SysMain start= disabled
  • '<SYSTEM32>\sc.exe' config Rasautostart= demand
  • '<SYSTEM32>\sc.exe' config RetailDemo start= demand
  • '<SYSTEM32>\sc.exe' config NetSetupSvc start= demand
  • '<SYSTEM32>\sc.exe' config NetTcpPortSharing start= disabled
  • '<SYSTEM32>\sc.exe' config Netlogon start= demand
  • '<SYSTEM32>\sc.exe' config Netman start= demand
  • '<SYSTEM32>\sc.exe' config NgcCtnrSvc start= demand
  • '<SYSTEM32>\sc.exe' config NgcSvc start= demand
  • '<SYSTEM32>\sc.exe' config NlaSvc start= demand
  • '<SYSTEM32>\sc.exe' config NvTelemetryContainer start= disabled
  • '<SYSTEM32>\sc.exe' config OneSyncSvc start= auto
  • '<SYSTEM32>\sc.exe' config OneSyncSvc_dc2a4 start= auto
  • '<SYSTEM32>\sc.exe' config P9RdrService_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config PNRPAutoReg start= demand
  • '<SYSTEM32>\sc.exe' config PNRPsvc start= demand
  • '<SYSTEM32>\sc.exe' config PcaSvc start= demand
  • '<SYSTEM32>\sc.exe' config PeerDistSvc start= disabled
  • '<SYSTEM32>\sc.exe' config PenService_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config PerfHost start= demand
  • '<SYSTEM32>\sc.exe' config PhoneSvc start= demand
  • '<SYSTEM32>\sc.exe' config PimIndexMaintenanceSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config PlugPlay start= demand
  • '<SYSTEM32>\sc.exe' config PolicyAgent start= demand
  • '<SYSTEM32>\sc.exe' config Power start= auto
  • '<SYSTEM32>\sc.exe' config PrintNotify start= demand
  • '<SYSTEM32>\sc.exe' config PrintWorkflowUserSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config ProfSvc start= auto
  • '<SYSTEM32>\sc.exe' config PushToInstall start= demand
  • '<SYSTEM32>\sc.exe' config QWAVE start= demand
  • '<SYSTEM32>\sc.exe' config RasMan start= demand
  • '<SYSTEM32>\sc.exe' config RemoteAccess start= disabled
  • '<SYSTEM32>\sc.exe' config camsvc start= demand
  • '<SYSTEM32>\sc.exe' config RemoteRegistry start= disabled
  • '<SYSTEM32>\sc.exe' config spectrum start= demand
  • '<SYSTEM32>\sc.exe' config WSearch start= delayed-auto
  • '<SYSTEM32>\sc.exe' config WSearch start= demand
  • '<SYSTEM32>\sc.exe' config WaaSMedicSvc start= demand
  • '<SYSTEM32>\sc.exe' config WalletService start= demand
  • '<SYSTEM32>\sc.exe' config WarpJITSvc start= demand
  • '<SYSTEM32>\sc.exe' config WbioSrvc start= disabled
  • '<SYSTEM32>\sc.exe' config Wcmsvc start= auto
  • '<SYSTEM32>\sc.exe' config WcsPlugInService start= demand
  • '<SYSTEM32>\sc.exe' config WdNisSvc start= demand
  • '<SYSTEM32>\sc.exe' config WdiServiceHost start= demand
  • '<SYSTEM32>\sc.exe' config WdiSystemHost start= demand
  • '<SYSTEM32>\sc.exe' config WebClient start= demand
  • '<SYSTEM32>\sc.exe' config Wecsvc start= demand
  • '<SYSTEM32>\sc.exe' config WerSvc start= demand
  • '<SYSTEM32>\sc.exe' config WiaRpc start= demand
  • '<SYSTEM32>\sc.exe' config WinDefend start= auto
  • '<SYSTEM32>\sc.exe' config WinHttpAutoProxySvc start= demand
  • '<SYSTEM32>\sc.exe' config WinRM start= demand
  • '<SYSTEM32>\sc.exe' config Winmgmt start= auto
  • '<SYSTEM32>\sc.exe' config WlanSvc start= auto
  • '<SYSTEM32>\sc.exe' config WpcMonSvc start= demand
  • '<SYSTEM32>\sc.exe' config WpnService start= demand
  • '<SYSTEM32>\sc.exe' config WpnUserService_dc2a4 start= auto
  • '<SYSTEM32>\sc.exe' config WwanSvc start= demand
  • '<SYSTEM32>\sc.exe' config XblAuthManager start= disabled
  • '<SYSTEM32>\sc.exe' config XblGameSave start= disabled
  • '<SYSTEM32>\sc.exe' config XboxGipSvc start= disabled
  • '<SYSTEM32>\sc.exe' config XboxNetApiSvc start= disabled
  • '<SYSTEM32>\sc.exe' config autotimesvc start= demand
  • '<SYSTEM32>\sc.exe' config TapiSrv start= demand
  • '<SYSTEM32>\sc.exe' config SystemEventsBroker start= auto
  • '<SYSTEM32>\sc.exe' config TabletInputService start= demand
  • '<SYSTEM32>\sc.exe' config WMPNetworkSvc start= demand
  • '<SYSTEM32>\sc.exe' config WSService start= demand
  • '<SYSTEM32>\sc.exe' config TermService start= auto
  • '<SYSTEM32>\sc.exe' config TextInputManagementService start= demand
  • '<SYSTEM32>\sc.exe' config Themes start= auto
  • '<SYSTEM32>\sc.exe' config TieringEngineService start= demand
  • '<SYSTEM32>\sc.exe' config TimeBroker start= demand
  • '<SYSTEM32>\sc.exe' config TimeBrokerSvc start= demand
  • '<SYSTEM32>\sc.exe' config TokenBroker start= demand
  • '<SYSTEM32>\sc.exe' config TrkWks start= disabled
  • '<SYSTEM32>\sc.exe' config TroubleshootingSvc start= demand
  • '<SYSTEM32>\sc.exe' config TrustedInstaller start= demand
  • '<SYSTEM32>\sc.exe' config UI0Detect start= demand
  • '<SYSTEM32>\sc.exe' config UdkUserSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config UevAgentService start= disabled
  • '<SYSTEM32>\sc.exe' config UmRdpService start= demand
  • '<SYSTEM32>\sc.exe' config UnistoreSvc start= disabled
  • '<SYSTEM32>\sc.exe' config UnistoreSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config UserDataSvc_dc2a4 start= demand
  • '<SYSTEM32>\sc.exe' config UserManager start= auto
  • '<SYSTEM32>\sc.exe' config UsoSvc start= demand
  • '<SYSTEM32>\sc.exe' config VGAuthService start= auto
  • '<SYSTEM32>\sc.exe' config VMTools start= auto
  • '<SYSTEM32>\sc.exe' config VSS start= demand
  • '<SYSTEM32>\sc.exe' config VSStandardCollectorService150 start= disabled
  • '<SYSTEM32>\sc.exe' config VacSvc start= demand
  • '<SYSTEM32>\sc.exe' config VaultSvc start= auto
  • '<SYSTEM32>\sc.exe' config W32Time start= demand
  • '<SYSTEM32>\sc.exe' config WEPHOSTSVC start= demand
  • '<SYSTEM32>\sc.exe' config WFDSConMgrSvc start= demand
  • '<SYSTEM32>\sc.exe' config WManSvc start= demand
  • '<SYSTEM32>\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Services\StateRepository" /v "Start" /t REG_DWORD /d "3" /f

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android on the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.