ingmarvanolffen
Posted July 12, 2020

So I accidentally opened a ratted .exe file. With my stupid head I didn't know that if you drag something onto another file it'll open it, so that happened. I had my ESET antivirus disabled for a second, but when the .exe opened I turned ESET back on and it deleted a file. Now I ran the ratted file in any.run and it shows that it changed regedit files. How do I get my PC clean? Because I don't know if the files are deleted or if my PC is still ratted. This is my school laptop and I have a lot of files on it, so I don't want to reset it.
Marcos (Administrators)
Posted July 12, 2020

It is generally not a good idea to disable AV and play with malware samples on a real machine. What you can do is to check for the registry changes reported by any.run on your machine and revert the necessary values.
ingmarvanolffen (Author)
Posted July 12, 2020

> 10 minutes ago, Marcos said:
> It is generally not a good idea to disable AV and play with malware samples on a real machine. What you can do is to check for the registry changes reported by any.run on your machine and revert the necessary values.

Yes, I'll send the changes:

PID: 2928
CMD: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\gscmeme\gscmeme.exe.lnk" /f
Path: C:\Windows\system32\reg.exe
Indicators:
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: Company Microsoft Corporation; Description Registry Console Tool; Version 6.1.7600.16385 (win7_rtm.090713-1255)

Attachment: file.txt
stackz (ESET Insiders)
Posted July 13, 2020

To delete the registry value, open an admin command prompt and enter:

    REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /f
Nightowl (Most Valued Members)
Posted July 13, 2020 (edited)

Run a full system deep scan and see if ESET will detect more things or some leftovers from the EXE you have run. If you have some suspicious files, you can just upload them to some places like these:

https://virustotal.com/
https://hybrid-analysis.com/
https://app.any.run/

Edited July 13, 2020 by Nightowl
itman
Posted July 13, 2020

If you're "going to play" with malware, at a minimum familiarize yourself with this software: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns. Full write-up on it here: https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2
ingmarvanolffen (Author)
Posted July 13, 2020

> 13 hours ago, stackz said:
> To delete the registry value, open an admin command prompt and enter:
> REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /f

What will it do?
itman
Posted July 13, 2020 (edited)

> 3 hours ago, ingmarvanolffen said:
> What will it do?

It will delete the registry entry the malware added:

    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\gscmeme\gscmeme.exe.lnk" /f

An example of what this reg key does is given in this General Bot! malware analysis:

> After decrypting the strings it shows the following:
> reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d " FlyFF Bot generalbotstart.exe
>
> The registry key that the bot adds prevents the startup programs from running when restarting the computer. It can be resolved by deleting the key in the registry. Delete the key named Load in the registry located at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows. Go to %temp%\FlyFF Bot in the file explorer and delete the shortcut and the duplicated virus. Do not restart your computer before you've done these fixes. Otherwise an empty message box will pop up and once you hit OK, the virus will kick in and do a bunch of naughty stuff.

https://www.elitepvpers.com/forum/flyff-private-server/4291006-warning-those-used-general-bot.html

Edited July 13, 2020 by itman
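Added example (not code from this thread or from ESET): a small PowerShell audit script that checks the `Load` value from the any.run report, and its sibling `Run` value, under the `Windows NT\CurrentVersion\Windows` key in both HKCU and HKLM. It reports what is set, resolves a `.lnk` target so you can see what the entry actually launches, checks the Authenticode signature of that target, and only removes the value when run with `-Remove` (each removal is confirmed interactively). It assumes an elevated PowerShell session on the affected machine; the key and value names come from the thread, everything else (the `-Remove` switch, the output format) is this example's own.

```powershell
# Audit (and optionally clear) the logon "Load" / "Run" values that the
# any.run report showed being written. Example code, not from the thread.
# Assumes: run as an administrator; Windows PowerShell 5.1 or later.
param(
    [switch]$Remove   # without -Remove the script only reports findings
)

# Same relative key under both hives; HKCU is what the sample wrote to.
$keys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)
# Both values are executed at logon and are empty on a clean system.
$valueNames = @('Load', 'Run')

# Follow a .lnk to its real target so the operator sees the launched binary.
function Resolve-LaunchTarget([string]$raw) {
    $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    if ([IO.Path]::GetExtension($path) -ieq '.lnk' -and (Test-Path $path)) {
        $shell = New-Object -ComObject WScript.Shell
        return $shell.CreateShortcut($path).TargetPath
    }
    return $path
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop -or [string]::IsNullOrWhiteSpace($prop.Value)) {
            Write-Host "[ok]    $key\$name is not set"
            continue
        }
        Write-Host "[alert] $key\$name = $($prop.Value)"
        $target = Resolve-LaunchTarget $prop.Value
        if (Test-Path $target) {
            $item = Get-Item $target
            Write-Host "        launches: $($item.FullName) ($($item.Length) bytes, modified $($item.LastWriteTime))"
            # Unsigned or tampered binaries in %TEMP% are the usual sign of trouble.
            $sig = Get-AuthenticodeSignature -FilePath $target
            Write-Host "        signature: $($sig.Status)"
        } else {
            Write-Host "        launches: $target (file no longer exists; value still needs removing)"
        }
        if ($Remove) {
            Remove-ItemProperty -Path $key -Name $name -Confirm
            Write-Host "        removed $key\$name"
        }
    }
}
```

Run it once without `-Remove` to see what is there, note the resolved target (the report in this thread would show `C:\Users\admin\AppData\Local\Temp\gscmeme\gscmeme.exe.lnk` and whatever that shortcut points at), then run it again with `-Remove`. Deleting the value only stops the launch; the file it pointed to still has to be removed or submitted for scanning, and Autoruns covers the same locations on its Logon tab if you prefer a GUI.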