
ingmarvanolffen

accidentally opened a .exe with rats in it


so I accidentally opened a ratted .exe file. With my stupid head I didn't know that if you drag something onto another file it'll open it, so that happened. I had my ESET antivirus disabled for a second, but when the exe opened I turned ESET back on and it deleted a file. Now I ran the ratted file in any.run and it shows that it changed regedit files. How do I get my PC clean? I don't know if the files are deleted or if my PC is still ratted. This is my school laptop and I have a lot of files on it, so I don't wanna reset it.


It is generally not a good idea to disable AV and play with malware samples on a real machine. What you can do is to check for registry changes reported by any.run on your machine and revert the necessary values.

10 minutes ago, Marcos said:

It is generally not a good idea to disable AV and play with malware samples on a real machine. What you can do is to check for registry changes reported by any.run on your machine and revert the necessary values.

yes, I'll send the changes

PID: 2928
CMD: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\gscmeme\gscmeme.exe.lnk" /f
Path: C:\Windows\system32\reg.exe
Indicators:
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Registry Console Tool
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

file.txt


To delete the registry value open an admin command prompt and enter:

REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /f
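
The same clean-up as a check-before-delete script, added here as an example and not posted by anyone in this thread: it reads the Load value the any.run report showed being written, flags it if it points at a shortcut or into the user's Temp folder (the pattern from the report), and only then removes it. It assumes you run it as the affected user, since the value lives under HKCU.

```powershell
# Added example: audit and remove a suspicious "Load" autostart value.
# Run as the affected user; HKCU needs no elevation.

$key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$name = 'Load'

# -ErrorAction SilentlyContinue returns $null when the value does not exist.
$item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Host "No '$name' value under $key - nothing to clean up."
    return
}

$target = $item.$name
Write-Host "Found $name = $target"

# On a normal system Load is unset, so any value deserves a look. The report
# showed an .lnk under the user's Temp folder; flag that pattern explicitly.
$tempDir = [IO.Path]::GetTempPath().TrimEnd('\')
$inTemp  = $target.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase)
$isLnk   = $target.ToLower().EndsWith('.lnk')

if ($inTemp -or $isLnk) {
    Write-Warning "Suspicious autostart target; removing the value."
    Remove-ItemProperty -Path $key -Name $name -Force
    if (Test-Path -LiteralPath $target) {
        # The registry value is gone, but the shortcut/payload may still be on disk.
        Write-Host "Still on disk, quarantine or delete it too: $target"
    }
} else {
    Write-Host "Value present but does not match the known pattern; review it manually."
}
```

Re-run the script after a reboot: if the value comes back, another persistence mechanism is still active and the machine is not clean.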

13 hours ago, stackz said:

To delete the registry value open an admin command prompt and enter:

REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /f

what will it do?

3 hours ago, ingmarvanolffen said:

what will it do?

It will delete the registry entry the malware added:

Quote

reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\gscmeme\gscmeme.exe.lnk" /f

An example of what this reg key does is given in this General Bot! malware analysis:

Quote

After decrypting the strings it shows the following:
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "
FlyFF Bot
generalbotstart.exe


The registry key that the bot adds prevents the startup programs from running when restarting the computer. It can be resolved by deleting the key in the registry.

Delete the key named Load in registry located at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Go to %temp%\FlyFF Bot in the file explorer and delete the shortcut and the duplicated virus.


Do not restart your computer before you've done these fixes. Otherwise an empty message box will pop up and once you hit OK, the virus will kick in and do a bunch of naughty stuff.

https://www.elitepvpers.com/forum/flyff-private-server/4291006-warning-those-used-general-bot.html
 

