Main behavior:
1. Release the file:
C:\Windows\System32\ 21,984 byte
C:\Windows\System32\ 8,816 bytes
2. Add startup item:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\datmps]
DllName = 64 61 74 6D 70 73 2E 64 6C 6C 00 00
Startup = "datmps"
Impersonate = 0x00000001
Asynchronous = 0x00000001
MaxWait = 0x00000001
NGIX = "[1062522C5803A23AD]"
64 61 74 6D 70 73 2E 64 6C 6C 00 00 Decrypted:
3. Register driver:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlite\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01
00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00
FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wlite]
Type = 0x00000001
Start = 0x00000001
ErrorControl = 0x00000000
ImagePath = "system32\"
DisplayName = "WMV9 Codec"
4. Add the registry to ensure that the safe mode is still loading:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\]
(Default) = "Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\]
(Default) = "Driver"
5. Call the IE puppet process and connect to the outside of the background: rushprot***.net
Solution:
1. Download PowerRmv and disconnect the network:
as follows:
2. Delete C:\Windows\System32\ and in turn.
3. Delete the start item (Start menu - Run - Enter "regedit" to enter the registry and find the instructions options in turn and follow the prompts):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\datmps]