Main behavior:
1. Drops the files:
C:\WINDOWS\Fonts\ 640106 bytes (backup copy)
C:\WINDOWS\system32\ 640106 bytes
C:\WINDOWS\system32\ 134656 bytes
2. Registers itself as a system service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gressep0
(registry value) DisplayName = REG_SZ, "gressep0"
(registry value) ErrorControl = REG_DWORD, 1
(registry value) ImagePath = REG_EXPAND_SZ, "C:\windows\system32\"
(registry value) ObjectName = REG_SZ, "LocalSystem"
(registry value) Start = REG_DWORD, 2
(registry value) Type = REG_DWORD, 272
3. Logs keystrokes and other user operations.
4. Injects code and opens a reverse connection to wshk***.
Solution:
1. Download SREng (can be downloaded in down.), then disconnect from the network.
2. End the IE process, then use SREng to delete the service entry gressep0.
3. Restart the computer and delete the files:
C:\WINDOWS\Fonts\ 640106 bytes (backup copy)
C:\WINDOWS\system32\ 640106 bytes
C:\WINDOWS\system32\ 134656 bytes
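A read-only check for the indicators listed above, added here as an example and not part of the original post: it queries the gressep0 service key, decodes the Start and Type values the writeup reports, and lists files of the reported sizes in the two drop directories. The size-based file search is an assumption (the original file names are not given), so treat its hits as candidates to verify, and leave removal to the SREng steps.

```powershell
# Added example: inspect the service key and drop locations described in the writeup.
# Read-only: nothing is stopped, deleted or modified here.
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\gressep0'
$expected = @{ Start = 2; Type = 272; ObjectName = 'LocalSystem' }

function Test-SuspectService {
    param([string]$KeyPath)
    if (-not (Test-Path $KeyPath)) {
        return [pscustomobject]@{ Present = $false; Key = $KeyPath }
    }
    $p = Get-ItemProperty -Path $KeyPath
    # Start 2   = SERVICE_AUTO_START (runs at boot without user action)
    # Type 272  = 0x110 = SERVICE_WIN32_OWN_PROCESS (0x10) | SERVICE_INTERACTIVE_PROCESS (0x100)
    [pscustomobject]@{
        Present       = $true
        Key           = $KeyPath
        ImagePath     = $p.ImagePath
        RunsAs        = $p.ObjectName
        AutoStart     = ($p.Start -eq 2)
        OwnProcess    = (($p.Type -band 0x10)  -ne 0)
        Interactive   = (($p.Type -band 0x100) -ne 0)
        MatchesReport = ($p.Start -eq $expected.Start -and
                         $p.Type  -eq $expected.Type  -and
                         $p.ObjectName -eq $expected.ObjectName)
    }
}

function Find-DroppedFiles {
    # Assumption: the drop file names are unknown, so match on the reported sizes only.
    $sizes = 640106, 134656
    $dirs  = "$env:SystemRoot\Fonts", "$env:SystemRoot\system32"
    Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
        Where-Object { $sizes -contains $_.Length } |
        Select-Object FullName, Length, LastWriteTime
}

Test-SuspectService -KeyPath $svcKey | Format-List
Find-DroppedFiles | Format-Table -AutoSize
# A service that is present, auto-start, interactive and running as LocalSystem under a
# bare system32 ImagePath matches the behaviour the writeup describes.
```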