| From | Paul <nospam@needed.invalid> |
|---|---|
| Newsgroups | alt.comp.os.windows-10 |
| Subject | Re: SOLVED |
| Date | 2025-04-25 16:19 -0400 |
| Organization | A noiseless patient Spider |
| Message-ID | <vugqoq$om1d$1@dont-email.me> |
| References | <vufl3g$3mbqe$1@dont-email.me> <vugdul$d5kg$1@dont-email.me> |
On Fri, 4/25/2025 12:40 PM, Ed Cryer wrote:
> Ed Cryer wrote:
>
> I ran this on Powershell.
>
> echo off
> reg delete "HKCU\Console" /f
> reg delete "HKCU\Software\Microsoft\Command Processor" /v "AutoRun" /f
> reg delete "HKLM\Software\Microsoft\Command Processor" /v "AutoRun" /f
> reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" /f
> echo done
>
> Ed

The last key in the sequence is used for exploits.

"Image File Execution Options" is used by malware, for persistence.
So the item listed in the key gets run any time there is an
attempt to launch a shell. I could put "mallory.exe" in the key
in place of "cmd.exe".

Instead of executing the renewal of that line, you would want to look
in Regedit and see what was previously sandwiched in there.

Consider what the most recent "low reputation" installer or executable
file might have been. I'm really surprised Windows Defender would let
a random EXE near that.

   Paul
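
The look-before-deleting step described above, as an added example that is not part of either poster's message: a read-only PowerShell pass over the keys the quoted script removes, followed by an export of the cmd.exe key. It assumes the redirect is stored in the `Debugger` value under the image's "Image File Execution Options" subkey; the backup file name is arbitrary.

```powershell
# Added example: read-only triage of the values the quoted script deletes.
# Run from an elevated PowerShell prompt BEFORE any "reg delete".
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Every image name under IFEO that has a Debugger value (the program run in its place).
$hits = @(foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = $_.GetValue('Debugger')
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = [string]$dbg; Key = $_.Name }
        }
    }
})
$hits | Format-List

# The two AutoRun values the quoted script also removes.
foreach ($key in 'HKCU:\Software\Microsoft\Command Processor',
                 'HKLM:\Software\Microsoft\Command Processor') {
    $p = Get-ItemProperty -LiteralPath $key -Name AutoRun -ErrorAction SilentlyContinue
    if ($p) { [pscustomobject]@{ Key = $key; AutoRun = $p.AutoRun } | Format-List }
}

# For each Debugger target: who signed it, and its SHA-256 for a reputation lookup.
foreach ($h in $hits) {
    # Take the quoted path if present, else the first whitespace-separated token
    # (an unquoted path containing spaces will not resolve and is reported as such).
    if ($h.Debugger -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($h.Debugger.Trim() -split '\s+')[0] }

    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        [pscustomobject]@{
            Image  = $h.Image
            File   = $exe
            Signer = $sig.SignerCertificate.Subject
            Status = $sig.Status
            SHA256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        } | Format-List
    } else {
        Write-Warning "$($h.Image): Debugger target '$exe' not found as a file; inspect the key by hand"
    }
}

# Keep a copy of the cmd.exe key so the evidence survives the cleanup.
# ifeo-cmd-backup.reg is an arbitrary file name chosen for this example.
reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe" "$env:TEMP\ifeo-cmd-backup.reg" /y
```

If the cmd.exe key has already been deleted, `reg export` reports that the key cannot be found and the rest of the output still shows any other redirected images.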