This guide will actually show you how to remove it without ANY software to help you.
This isn't one of those bullshit "Get Malwarebytes" guides; this is quicker and sometimes just fun to do yourself.
FIRST You need this:
-Msconfig
-The ability to search your computer with admin priv
-See hidden files
-Task Manager
SECOND:
-If not done already go to your Control Panel and search for "Folder Options"
-Click on "Folder Options" and then when opened go to "View" in the tab selection
-Press "Show Hidden files, folders, and drives"
-And uncheck "Hide Protected operating system files" (TEMPORARY)
When you're done with this you're good to go. I will now explain how to remove a RAT with screenshots and words:
Step 1.
1. Open "msconfig" by typing in msconfig in "Search Programs and Files" or if you have WinXP use "Run"
2. Go to "Startup" in msconfig
3. Look for anything fishy looking like the following:
"svchost"
"windefender"
"firewall"
"AVG"
"Adobe"
"Chrome"
"explorer"
Anything weird looking.
As you can see I RATted myself and my startup entry's name is "svchost".
QUICK REMINDER: Make sure to scroll to the right to see the location the startup entry runs from. That's the main root of the RAT.
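Here is an added example (my own script, not something from the original post) that does Step 1 without clicking through msconfig: it reads the same places the Startup tab shows (the HKCU/HKLM Run and RunOnce keys plus the two Startup folders), pulls out the executable path of each entry, and flags the ones that run from AppData, Temp or Users\Public, or that borrow a Windows name like "svchost" or "explorer" while living outside System32. Assumes Windows 7 or later with PowerShell 3+, run from an elevated prompt. The name list and the path patterns are my own choices, not something the guide specifies.

```powershell
# Added example (not from the original post): enumerate the autostart locations msconfig's
# Startup tab reads and flag entries whose image lives somewhere a RAT likes to hide.
# Assumes Windows 7+ with PowerShell 3+, run elevated.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Names real Windows components use. One of these pointing outside System32 deserves a close look.
$systemNames = @('svchost', 'explorer', 'csrss', 'lsass', 'winlogon', 'services', 'smss')
$system32    = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()
# Registry provider metadata that Get-ItemProperty adds to every object; not real Run values.
$metaProps   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath([string]$command) {
    # Keep only the executable path: honour a quoted path, otherwise take the first token.
    # (An unquoted path containing spaces gets cut at the first space; that is itself unusual.)
    $c = "$command".Trim()
    if ($c -eq '') { return '' }
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    return ($c -split '\s+')[0]
}

function Test-SuspiciousPath([string]$path) {
    $p = "$path".ToLowerInvariant()
    if ($p -match '\\appdata\\' -or $p -match '\\temp\\' -or $p -match '\\users\\public\\') { return $true }
    # File name without extension, split by hand so odd characters cannot throw.
    $name = (($p -split '[\\/]')[-1]) -replace '\.[^.]*$', ''
    if ($systemNames -contains $name -and -not $p.StartsWith($system32)) { return $true }
    return $false
}

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        [pscustomobject]@{ Source = $key; Name = $prop.Name; Image = Get-ImagePath $prop.Value }
    }
})
$entries += @(foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Source = $folder; Name = $_.Name; Image = $_.FullName }
    }
})

# Suspicious entries float to the top; the Image column is the "location" the reminder above is about.
$entries |
    Select-Object Source, Name, Image, @{ n = 'Suspicious'; e = { Test-SuspiciousPath $_.Image } } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize -Wrap
```

A "Suspicious" row is a lead, not a verdict: plenty of legit updaters sit in AppData too, so check the publisher and the file itself before you touch it. Scheduled tasks and services are other persistence spots msconfig's Startup tab does not show; this script sticks to what the tab covers.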
Step 2.
-Do not disable the RAT yet, if it has protected startup or persistence it will just re-appear.
-Go to your "Task Manager" and find anything out of the ordinary
If it runs from your AppData folder or anywhere BUT System32, you're infected.
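As an added example for Step 2 (my own script, not part of the original post), this lists every running process with the path of its image and marks the ones that match the rule above: a path under AppData, Temp or Users\Public, or a Windows process name running from somewhere other than System32. It also shows the Authenticode signature status, which is a handy tiebreaker when a name looks normal. Assumes Windows 7+ with PowerShell 3+, run elevated so the path of every process is readable. One caveat the rule above glosses over: normal programs run from Program Files all day long, so "not System32" is a signal to prioritise, not proof on its own.

```powershell
# Added example (not from the original post): Task Manager's "anything out of the ordinary"
# check as a script. Assumes Windows 7+ with PowerShell 3+, run elevated.

$system32    = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()
$systemNames = @('svchost', 'explorer', 'csrss', 'lsass', 'winlogon', 'services', 'smss')

function Get-ProcessReport {
    Get-Process | ForEach-Object {
        $path   = $_.Path   # $null for protected processes we cannot query
        $lower  = if ($path) { $path.ToLowerInvariant() } else { '' }
        $reason = @()

        if ($lower -match '\\appdata\\' -or $lower -match '\\temp\\' -or $lower -match '\\users\\public\\') {
            $reason += 'runs from a user-writable folder'
        }
        if ($systemNames -contains $_.ProcessName.ToLowerInvariant() -and $lower -ne '' -and -not $lower.StartsWith($system32)) {
            $reason += 'Windows name outside System32'
        }

        # Signature status: Valid, NotSigned, HashMismatch, ... or 'unknown' when the file is unreadable.
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status } else { $null }
        if (-not $sig) { $sig = 'unknown' }
        if ($path -and "$sig" -ne 'Valid') { $reason += "signature $sig" }

        [pscustomobject]@{
            PID        = $_.Id
            Name       = $_.ProcessName
            Path       = $path
            Signature  = "$sig"
            Suspicious = ($reason.Count -gt 0)
            Reason     = ($reason -join '; ')
        }
    }
}

# Suspicious processes first; the Path column is what you would otherwise get by right-clicking
# the process in Task Manager and choosing "Open file location".
Get-ProcessReport |
    Sort-Object Suspicious -Descending |
    Format-Table PID, Name, Signature, Reason, Path -AutoSize -Wrap
```

Two real svchost.exe instances with a valid Microsoft signature in System32 are normal; a "svchost" with no signature under AppData\Roaming is exactly the case the guide is describing.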
Step 3.
-Disconnect your computer from any Internet Connection so the owner of the RAT cannot disable anything or prevent you from removing his RAT
-End the RAT's process and then quickly remove the RAT's startup from "msconfig"
If this is done correctly, then follow the next steps
Step 4.
-Now you should be hoping your PC isn't infected with a protected-persistence RAT. These are the worst, and are very hard to remove. Most RATs don't have good persistence, or any persistence at all, so you usually don't have to worry about that.
-If you followed the "QUICK REMINDER" above when I was talking about startup, you should have already found out where the RAT is located
-Locating the RAT is very easy just go to this location on your computer:
Go to "My Computer"
Double Click on the C:/ drive
Double Click on "Users"
Double Click on the user that was infected (Usually the user account you're on atm)
Double Click on "App Data"
Go to "Roaming"
Go to "Search Roaming" (it's the blank textbox in the upper right corner of the folder window)
Search for your RAT's startup name, mine was "svchost".
Once found just delete it and then go back to "App Data"
Double Click on "Local"
Scroll Down until you see "Temp" (If you don't see it, go to "Search Files and Programs" at the "Windows Start Menu" (for WinXP it's "Run") and type in "%temp%")
Once opened you'll see a shit load of files (If you don't clean out your temp folder weekly then you'll see a shit load of files)
Delete EVERYTHING in that folder (Do Ctrl+A to highlight everything then press DELETE)
If something cannot be deleted press "Skip", usually 1-5 things.
Check to see if any .exe programs couldn't be deleted
If no .exe's are left over then restart your computer and check your Task Manager and Startup for the RAT.
Then Empty your Recycle Bin.
If it's gone then you have successfully deleted the RAT!
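Steps 3 and 4 together, as an added example (my own script, not part of the original post): go offline, kill the process by its image path, pull its startup entry, and move the file into a quarantine folder named after its SHA-256 hash instead of deleting it, so a copy survives if you later want to know what it was. It then lists the runnable files in %temp% by creation time so you can see what the blanket delete in Step 4 is about to remove. Assumes Windows 8 or later with PowerShell 4+ (Disable-NetAdapter and Get-FileHash need those), run elevated. $ratName and $ratPath are placeholders you fill in with what Steps 1 and 2 turned up; the values below mirror the guide's own "svchost" in AppData\Roaming.

```powershell
# Added example (not from the original post): contain and remove a RAT found in Steps 1-2.
# Assumes Windows 8+ with PowerShell 4+, run elevated.

$ratName    = 'svchost'                              # placeholder: the startup entry's name from Step 1
$ratPath    = Join-Path $env:APPDATA 'svchost.exe'   # placeholder: the image path from Steps 1-2
$quarantine = Join-Path $env:SystemDrive 'Quarantine'

# 1. Pull the plug first so whoever is on the other end cannot interfere while you work.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# 2. Kill by image path, not by name: the real svchost.exe in System32 has to keep running.
Get-Process | Where-Object { $_.Path -and $_.Path -ieq $ratPath } | Stop-Process -Force

# 3. Remove the startup entry straight away, from whichever Run key or Startup folder holds it.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $ratName)) {
        Remove-ItemProperty -Path $key -Name $ratName
        "removed startup value '$ratName' from $key"
    }
}
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter "$ratName*" -File -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-Item -Path $_.FullName -Force; "removed startup shortcut $($_.FullName)" }

# 4. Quarantine rather than delete: hash it, then move it out of AppData under a harmless name.
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
if (Test-Path $ratPath) {
    $hash = (Get-FileHash -Path $ratPath -Algorithm SHA256).Hash
    $dest = Join-Path $quarantine "$hash.bin"
    Move-Item -Path $ratPath -Destination $dest -Force
    "quarantined $ratPath as $dest"
} else {
    "nothing at $ratPath (already gone, or the path is wrong)"
}

# 5. Show what in %temp% could actually execute, newest first, before you Ctrl+A and delete.
Get-ChildItem -Path $env:TEMP -Recurse -File -Include *.exe, *.dll, *.scr, *.bat, *.vbs, *.ps1 -ErrorAction SilentlyContinue |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, Length, FullName |
    Format-Table -AutoSize -Wrap
```

After the reboot, rerun the Step 1 and Step 2 checks before you re-enable the network adapters (Enable-NetAdapter); if the entry or the process comes back, you are looking at the persistent kind and the file you quarantined is only part of it.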
Video Guide to Remove RATS