
Accidentally opened a .exe with RATs in it



So I accidentally opened a ratted .exe file with my stupid head. I didn't know that if you drag something onto another file it'll open it, so that happened. I had my ESET antivirus disabled for a second, but when the .exe opened I turned my ESET back on and it deleted a file. Now I ran the ratted file in any.run and it shows that it changed regedit files. How do I get my PC clean? Because I don't know if the files are deleted or if my PC is still ratted. This is my school laptop and I have a lot of files on it, so I don't want to reset it.


  • Administrators

It is generally not a good idea to disable AV and play with malware samples on a real machine. What you can do is to check for the registry changes reported by any.run on your machine and revert the necessary values.


10 minutes ago, Marcos said:

It is generally not a good idea to disable AV and play with malware samples on a real machine. What you can do is to check for the registry changes reported by any.run on your machine and revert the necessary values.

Yes, I'll send the changes.

PID: 2928
CMD: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\gscmeme\gscmeme.exe.lnk" /f
Path: C:\Windows\system32\reg.exe
Indicators:
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Registry Console Tool
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

file.txt


  • ESET Insiders

To delete the registry value open an admin command prompt and enter:

REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /f


  • Most Valued Members

Run a full system deep scan and see if ESET will detect more things or some leftovers from the EXE you have run.

If you have some suspicious files, you can also just upload them to places like these:

https://virustotal.com/

https://hybrid-analysis.com/

https://app.any.run/

Edited by Nightowl

13 hours ago, stackz said:

To delete the registry value open an admin command prompt and enter:

REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /f

What will it do?


3 hours ago, ingmarvanolffen said:

What will it do?

It will delete the registry entry the malware added:

Quote

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\gscmeme\gscmeme.exe.lnk" /f

An example of what this reg key does is given in this General Bot! malware analysis:

Quote

After decrypting the strings it shows the following:
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "
FlyFF Bot
generalbotstart.exe


The registry key that the bot adds prevents the startup programs from running when restarting the computer. It can be resolved by deleting the key in the registry.

Delete the value named Load in the registry located at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Go to %temp%\FlyFF Bot in the file explorer and delete the shortcut and the duplicated virus.


Do not restart your computer before you've done these fixes. Otherwise an empty message box will pop up and once you hit OK, the virus will kick in and do a bunch of naughty stuff.

https://www.elitepvpers.com/forum/flyff-private-server/4291006-warning-those-used-general-bot.html
 

Edited by itman
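As an added example (not code from this thread, from ESET, or from any.run), the following Python script takes a `reg add` command line as a sandbox reports it, as in the process record posted above, parses out the key, value name and data, checks whether the target is the Winlogon Load value that stackz and itman discuss, and produces the matching REG DELETE cleanup command. On Windows it can also read the live value under the current user, so the entry can be confirmed present before cleanup and gone afterwards. The `AUTOSTART_LOCATIONS` table, the `triage` helper and the function names are assumptions of this example; the command line it parses is the one from the thread.

```python
"""Triage a sandbox-reported `reg add` command line and emit the cleanup command.

Added example for the ESET forum thread; not ESET, any.run or forum code.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Command line exactly as the any.run process record in the thread shows it.
SAMPLE_CMD = (
    r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" '
    r'/v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\gscmeme\gscmeme.exe.lnk" /f'
)

# Per-user autostart locations this script knows about (assumption: a small table
# for the example). Windows launches whatever the Load value points at when the
# user logs on, so an unexpected value here is a persistence indicator.
AUTOSTART_LOCATIONS: Dict[Tuple[str, str], str] = {
    (r"hkcu\software\microsoft\windows nt\currentversion\windows", "load"):
        "Winlogon Load value: executed at every logon of this user",
}

HIVE_ALIASES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm",
                "hkey_classes_root": "hkcr", "hkey_users": "hku"}


@dataclass
class RegAdd:
    key: str
    value: Optional[str]       # None for the key's default value (/ve) or no /v
    reg_type: Optional[str]
    data: Optional[str]
    force: bool


def _tokens(cmdline: str):
    # Quoted arguments may contain spaces (registry paths usually do); keep them whole.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline: str) -> RegAdd:
    toks = _tokens(cmdline)
    name = toks[0].lower().rsplit("\\", 1)[-1] if toks else ""
    name = name[:-4] if name.endswith(".exe") else name
    if len(toks) < 3 or name != "reg" or toks[1].lower() != "add":
        raise ValueError("not a `reg add` command line")
    entry = RegAdd(key=toks[2], value=None, reg_type=None, data=None, force=False)
    i = 3
    while i < len(toks):
        opt = toks[i].lower()
        if opt == "/v" and i + 1 < len(toks):
            entry.value = toks[i + 1]; i += 2
        elif opt == "/t" and i + 1 < len(toks):
            entry.reg_type = toks[i + 1]; i += 2
        elif opt == "/d" and i + 1 < len(toks):
            entry.data = toks[i + 1]; i += 2
        elif opt == "/f":
            entry.force = True; i += 1
        else:
            i += 1   # /ve, /s, /reg:32 and anything else we do not model
    return entry


def _normalise_key(key: str) -> str:
    hive, _, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(hive.lower(), hive.lower())
    return hive + "\\" + rest.lower().rstrip("\\")


def autostart_description(entry: RegAdd) -> Optional[str]:
    return AUTOSTART_LOCATIONS.get((_normalise_key(entry.key), (entry.value or "").lower()))


def cleanup_command(entry: RegAdd) -> str:
    # Same form as the REG DELETE command given in the thread.
    target = "/ve" if entry.value is None else f"/v {entry.value}"
    return f'REG DELETE "{entry.key}" {target} /f'


def current_value(entry: RegAdd) -> Optional[str]:
    """Read the value from the live registry; None if absent or not running on Windows."""
    try:
        import winreg   # standard library, Windows only
    except ImportError:
        return None
    hives = {"hkcu": winreg.HKEY_CURRENT_USER, "hklm": winreg.HKEY_LOCAL_MACHINE}
    hive, _, subkey = _normalise_key(entry.key).partition("\\")
    try:
        with winreg.OpenKey(hives[hive], subkey) as h:
            data, _ = winreg.QueryValueEx(h, entry.value or "")
            return str(data)
    except (KeyError, OSError):
        return None


def triage(cmdline: str) -> dict:
    entry = parse_reg_add(cmdline)
    return {
        "key": entry.key,
        "value": entry.value,
        "data": entry.data,
        "autostart": autostart_description(entry),
        "cleanup": cleanup_command(entry),
        # The data is a shortcut in %TEMP%; the thread's advice is to remove it as well.
        "file_to_review": entry.data if entry.data and ":\\" in entry.data else None,
        "currently_set_to": current_value(entry),
    }


if __name__ == "__main__":
    for field, val in triage(" ".join(sys.argv[1:]) or SAMPLE_CMD).items():
        print(f"{field:17} {val}")
```

Run it with no arguments to triage the command line from this thread, or pass another `reg add` line copied from a sandbox report. `currently_set_to` is only meaningful on the affected Windows machine under the same user account, since the key lives in HKCU; rerun after the REG DELETE to confirm it reads None, then follow Nightowl's advice and let ESET run a full scan.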

This topic is now closed to further replies.