Tuesday, 28 May 2019

Reverse process backdoor [Backdoor.ExcaliburSrvW]


Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExcaliburSvcW.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExcaliburSvcW

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winlogonw.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winlogonw

Services

Winlogonw.exe
Winlogonw


ExcaliburSvcW.exe
ExcaliburSvcW

Folder
C:\Program Files\Windows Exlogon
C:\Program Files (x86)\Windows Exlogon
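Before running the removal script, a defender usually wants to confirm what is actually present on the host and keep a record of it. The following PowerShell audit script is an added example, not part of the original post: it checks the service keys, service names and folders listed above, hashes any files in the drop folders, and goes one step further by flagging any service, whatever its name, whose ImagePath points into the "Windows Exlogon" folder (a generalisation of the folder indicator, assuming the binary is still launched from there).

```powershell
# Added audit script (not from the original post): report the ExcaliburSrvW
# indicators listed above without removing anything. Service names, registry
# paths and folders are the post's; the ImagePath sweep over all services is a
# generalisation, since service names are easy to change but the drop folder
# tends to stay. Run in an elevated PowerShell session.
$ServiceNames   = 'ExcaliburSvcW.exe', 'ExcaliburSvcW', 'Winlogonw.exe', 'Winlogonw'
$Folders        = 'C:\Program Files\Windows Exlogon', 'C:\Program Files (x86)\Windows Exlogon'
$ServiceKeyRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function New-Hit($Type, $Name, $Detail, $State) {
    [pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail; State = $State }
}

function Get-ExcaliburIndicators {
    $hits = @()
    # 1. Service registry keys named in the post, with their binary path and live state.
    foreach ($name in $ServiceNames) {
        $key = Join-Path $ServiceKeyRoot $name
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key
            $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
            $state = if ($svc) { "$($svc.Status) (Start=$($props.Start))" } else { 'key only, not loaded' }
            $hits += New-Hit 'ServiceKey' $name $props.ImagePath $state
        }
    }
    # 2. Any other service whose binary lives in the drop folder (generalised check).
    Get-ChildItem -Path $ServiceKeyRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ImagePath -match 'Windows Exlogon' -and $ServiceNames -notcontains $_.PSChildName) {
            $hits += New-Hit 'ServiceByPath' $_.PSChildName $p.ImagePath 'unlisted name'
        }
    }
    # 3. Drop folders: list every file with its SHA-256 so it can be triaged or submitted.
    foreach ($dir in $Folders) {
        if (Test-Path -Path $dir) {
            $files = Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue
            foreach ($f in $files) {
                $sha = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                $hits += New-Hit 'File' $f.FullName $sha "$($f.Length) bytes"
            }
            if (-not $files) { $hits += New-Hit 'Folder' $dir '(empty)' 'present' }
        }
    }
    return $hits
}

$found = Get-ExcaliburIndicators
if ($found) { $found | Format-Table -AutoSize -Wrap } else { 'No ExcaliburSrvW indicators found.' }
```

Save the table output before cleaning up; the hashes and ImagePath values are what you need to hunt for the same backdoor on other hosts.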

Removal script

REM Run from an elevated (administrator) command prompt.
REM Stop the services first, then unregister them, then remove any
REM leftover registry keys and the dropped folders.

sc stop Winlogonw.exe
sc stop Winlogonw

sc stop ExcaliburSvcW.exe
sc stop ExcaliburSvcW

REM A service that is still running when deleted is only marked for
REM deletion; reboot afterwards if sc stop did not succeed.
sc delete Winlogonw.exe
sc delete Winlogonw

sc delete ExcaliburSvcW.exe
sc delete ExcaliburSvcW

REM sc delete normally removes these keys; delete them explicitly in case
REM the service entries were left behind.
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExcaliburSvcW.exe /f
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExcaliburSvcW /f

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winlogonw.exe /f
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winlogonw /f

rmdir "C:\Program Files\Windows Exlogon" /S /Q
rmdir "C:\Program Files (x86)\Windows Exlogon" /S /Q
