Wednesday, April 15, 2015

How To Get Rid Of A RAT!



Introduction
This is a fairly short tutorial on a few different methods of detecting a RAT (remote access trojan). It will not catch everything, but nothing does.

Step one:
Check whether your computer is trying to connect to a remote host. First close everything that could legitimately make a connection, i.e. web browsers, torrent clients, Java, etc., so that anything still connecting stands out. There are two ways I like to use to check this.

Using a batch file:
Open notepad and type

Code:

@echo off
:: Sample interval in seconds; taken from the first argument, default 60
if "%~1"=="" (set delay=60) else (set delay=%~1)
:loop
chdir /d Z:\
cls
:: Append every connection and the executable that owns it to the log
netstat -b >> Z:\netstat_log.txt
:: XP has no sleep command, so ping localhost: -n <count> echoes take about count-1 seconds
@ping 127.0.0.1 -n 2 -w 2000 > nul
@ping 127.0.0.1 -n %delay% -w 2000 > nul
goto loop

Now change the "Z:\" directory to anything you want. This script will make a log file called netstat_log.txt in the location you specify. The ping lines are there to create a delay: I use Windows XP, so I don't have a wait or sleep command, and this is my workaround. I suggest running this script and letting it run all night. Then open the log file and look at the connections. Each connection is listed with the file responsible for it; if you see a file that looks suspicious, Google the file name and scan it on VirusTotal. If it is detected as a virus, delete it and check whether there is a registry entry to delete as well (will explain in a minute).

Using Myports 2010:
This is a handy tool that will show you any incoming or outgoing connections, along with the location of the file making them. Go here and download it: http://www.fewbyte.com/myports.html, then install and open it. Now tick the check box that says "Automatic scan" and click the button that looks like cross hairs. Just like before, look for anything out of the ordinary, scan the file with VirusTotal, and delete it if needed.

Registry:
This is the best way, in my opinion, of finding a RAT. Almost all RATs use a registry entry so that they start automatically with Windows. There are two ways of checking the registry startup entries: msconfig and manually. I will go over both.

msconfig:
Go to start > run, type msconfig and press enter. Click the startup tab; these are all of the programs that run on startup. Some are needed and some could be a RAT. If you see something suspicious, or just do not know what it is, search Google for the file name or scan it with VirusTotal. If it is confirmed as a virus, write down the location of the file, uncheck it in msconfig and save. Now go to the location of the file and delete it.

Manually (recommended):
Go to start > run, type regedit and press enter. There are two places in the registry where a RAT could be: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (most common). As before, check both places for a file you are not familiar with, scan it, delete the file if necessary, then right-click the entry in regedit and delete it.
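
If you would rather review the Run keys offline than click through regedit, export them first (for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the same for HKLM) and feed the export to the following added example. It is my own code, not part of the original tutorial: it parses the regedit export format, pulls the executable path out of each startup command line, and flags entries whose executable lives outside the Windows and Program Files directories, which is where the author's "file you are not familiar with" is most likely to sit. The sample export, the value names and the trusted-directory list are constructed assumptions; adjust the list to your installation.

```python
import re
import sys

# Constructed sample of a regedit / "reg export" dump of the per-user Run key.
# Value names and paths are made up for the demo.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Updater"="\"C:\\Documents and Settings\\user\\Application Data\\updater.exe\""
'''

# Assumed trusted locations for startup executables (lower-case prefixes).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

HEADER_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)


def unescape(s):
    """Undo the .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value name, command line) for every string value in the export."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.group(1), m.group(2)
            if not data.startswith('"'):
                continue  # hex:/dword: values are not command lines
            entries.append((key, unescape(name), unescape(data[1:-1])))
    return entries


def exe_path(command):
    """Extract the executable path from a startup command line (quoted or not)."""
    m = EXE_RE.match(command)
    return m.group(1) if m else command


def triage_run_keys(text, trusted=TRUSTED_PREFIXES):
    """Return {value name: exe path} for autoruns outside the trusted directories."""
    flagged = {}
    for key, name, cmd in parse_reg_export(text):
        path = exe_path(cmd)
        if not path.lower().startswith(trusted):
            flagged[name] = path
    return flagged


if __name__ == "__main__":
    # regedit writes exports as UTF-16 with a BOM, so read a real file that way.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for name, path in triage_run_keys(text).items():
        print(name, "->", path)
```

A flagged entry is where to start, not proof of infection: plenty of legitimate updaters also install themselves under the user profile, so look up and scan the file before deleting anything, exactly as the manual steps above describe.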

Final steps:
Now I know some of you pros are thinking these are not the only ways RATs can infect, and that's true. But the majority of RATs will be detected this way. The next few steps are things you should be doing anyway, so I will not explain much and will just give you the tools.

CCleaner: http://www.piriform.com/ccleaner/download
Use this to clean up unneeded files (TEMP files, cookies, etc.).

Malwarebytes: http://www.malwarebytes.org/mbam.php
This is a great anti-malware tool; update it, then scan your PC at least once a week.

SuperAntiSpyware: http://www.superantispyware.com/download.html
This is an anti-spyware tool; run it after Malwarebytes, also once a week.

VirusTotal Uploader: http://www.virustotal.com/advanced.html
This is a great tool for scanning suspicious files straight from your desktop. Use it to scan the suspicious files found above.


Thanks to the original Author.
http://hackforums.net/showthread.php?tid=981343