Showing posts with label basic computer security. Show all posts

Monday, 20 August 2012

Removing RAT Manually


Heya fellas, this tutorial will help you remove a RAT infection from your computer manually.

RAT - Remote Administration Tool

Cybergate


For the RAT called Cybergate, we will be using the following settings:

[Image: atgPx.png]

So let's run the virus!

In the settings, you saw that I highlighted 3 things:
-The HKCU entry: this is the startup name. When the infected machine reboots, the HKCU entry (in this case called Windows Firewall) is executed again. This startup shows up in msconfig; you can check it by opening Run and typing ''msconfig''.

[Image: RlN03.png]

Here we see an unknown startup called Windows Firewall, which runs svchost.exe on every boot of the computer. An important tip: ALWAYS check your msconfig for unknown startups. The next step is to disable the startup. But when we do, it comes right back! That is the second thing I highlighted, called:
-Persistence: an extra process in your Task Manager, called explorer.exe in this case. This process keeps the startup alive, so we need to kill it. Go to Task Manager and search for that process. Be careful which process you end, because whoever is trying to RAT you will make the process look as legitimate as possible.

[Image: IQPdP.png]
The one using less memory (fewer KB) is the fake one (the Cybergate one).
End it, and now you can remove Windows Firewall from the startup list! Another good tip: by default RATs always show up with *32 behind the process name, which can also help you spot the fake process.
That is all it takes to remove a Cybergate infection. A virus scanner will do the same, of course, but crypters bypass virus scanners, so doing it manually is more reliable.


DarkComet

For the RAT DarkComet, its authors released a good tool called DarkComet Remover. You can use this tool to remove infections; download it here:
DarkComet Removal Tool - Download here

But we can also remove infections manually, which is in my opinion better.

The settings we will be using for Darkcomet:
[Image: iSd1q.png]

As you can see, we have added persistence to the RAT, and the startup is called ''Startup Test'' in this case. After running the virus, the following appears in our msconfig:
[Image: HpQfQ.png]

If we try to remove this startup, it will come back. Same story as CyberGate: there is a persistence process active, and we must kill it. The persistence process of DarkComet is called:
-Msdcsc.exe*32. This process is quite obvious; its description reads Remote Service Application:
[Image: teiLb.png]

Kill this process, and we can remove the startup from msconfig!
DarkComet sometimes activates other processes as well. They are called:
-hkmcd.exe 
-persistence.exe
Kill these processes as well.

Blackshades

We will be using the following settings in the Blackshades RAT:
[Image: jXeta.png]

As you can see in the picture, we will be using a startup called ''Startup Test BS'', and we have activated ''protect process'', which is in other words persistence.

So let's run the virus and then see what comes up in msconfig and Task Manager:
[Image: BAPSv.png]

Again, we can't disable the startup, because there is another process active that keeps the startup alive. That process is called smss.exe in this case. So let's end that process:
[Image: JOrTJ.png]

After ending that process, we can remove the startup!
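All three walkthroughs above (Cybergate, DarkComet and Blackshades) come down to the same three checks: read the Run-key startups that msconfig shows, find the guard process that hides behind a system binary's name in Task Manager, and stop that process before deleting the startup value. The script below is an added example, not code from the original post, that does those checks with PowerShell 2.0 on Windows 7. It assumes an elevated prompt; the look-alike table and the ''Windows Firewall'' value name are illustrations taken from the post, not a signature database, and the PID in the commented-out call is a placeholder.

```powershell
# Added example (not from the original post): automate the msconfig / Task Manager
# checks the post performs by hand. Windows 7, PowerShell 2.0 or later, elevated prompt.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Process names the RATs in the post borrow from Windows, with the single directory a
# genuine copy is loaded from. A file with this name anywhere else is an impostor.
# (@{} hashtables are case-insensitive, so 'SVCHOST.EXE' matches too.)
$System32 = Join-Path $env:SystemRoot 'System32'
$ExpectedDir = @{
    'svchost.exe'  = $System32
    'smss.exe'     = $System32
    'explorer.exe' = $env:SystemRoot    # the real shell lives in C:\Windows itself
}

function Get-ImagePath([string]$Command) {
    # Reduce a Run-key command line to its executable: honour quotes, drop arguments.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Get-StartupEntry {
    # One object per Run/RunOnce value: the same list msconfig shows, plus the resolved image.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSProvider members
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                Image   = Get-ImagePath ([string]$prop.Value)
            }
        }
    }
}

function Find-LookAlikeProcess {
    # Running processes that carry a system binary's name but load from the wrong directory.
    # This answers the post's "which explorer.exe is the fake one" by path instead of by
    # memory use. Task Manager's *32 suffix (a 32-bit process on 64-bit Windows) is a
    # further hint, but Win32_Process does not expose it.
    foreach ($proc in Get-WmiObject -Class Win32_Process) {
        if (-not $proc.Name -or -not $proc.ExecutablePath) { continue }   # system processes hide their path
        if (-not $ExpectedDir.ContainsKey($proc.Name)) { continue }
        $dir = Split-Path -Path $proc.ExecutablePath -Parent
        if ($dir -ne $ExpectedDir[$proc.Name]) {
            New-Object PSObject -Property @{
                Pid  = $proc.ProcessId
                Name = $proc.Name
                Path = $proc.ExecutablePath
            }
        }
    }
}

function Remove-GuardedStartup {
    param([int]$GuardPid, [string]$Key, [string]$Name)
    # Order matters, as the post shows: the guard process re-creates the Run value,
    # so it is stopped first and the value is deleted afterwards.
    Stop-Process -Id $GuardPid -Force
    Start-Sleep -Seconds 2
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    # Re-read the key: if the value is back, a second persistence process is still running.
    $after = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($after -and $after.PSObject.Properties[$Name]) {
        Write-Warning "'$Name' came back: another persistence process is still alive."
    }
}

Get-StartupEntry      | Format-Table Name, Image, Key -AutoSize
Find-LookAlikeProcess | Format-Table Pid, Name, Path -AutoSize
# The Cybergate case from the post, once the fake explorer.exe's PID is known (1234 is a placeholder):
# Remove-GuardedStartup -GuardPid 1234 -Key $RunKeys[0] -Name 'Windows Firewall'
```

The two report functions are read-only, so they are safe to run first and compare against the screenshots above; only Remove-GuardedStartup changes anything, and it tells you when the value reappears, which is the sign that you killed the wrong process or that a second guard exists.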

But what if a process can't be killed? Many crypters cause this: some add persistence to the process itself, so when you try to kill it, Task Manager says it can't end it!
Some useful tools for ending processes without those restrictions are:


AVG PC tuneup 2011 : Download - Here.

Unknown Logger Cure: if you have the Unknown Logger keylogger, you also get its Unknown Cure tool, which can end any process. Download - Here.

With these tools, just navigate to the process you want to kill and end it!


Enjoy :)

Wednesday, 1 August 2012

Basic Computer Security (Windows 7)


Basic Security Applications

You are going to want a few applications to help you out along the way. First off, you will need two anti-malware programs, so that if one misses something, the second one catches it. I personally use Microsoft Security Essentials (MSE) and Malwarebytes Anti-Malware (MBAM). Update them as often as they need it, and run both of them every single day: once a week at minimum, but daily is far more advantageous.

If you use torrent applications, you will need PeerBlock. PeerBlock basically blocks your peers, especially the RIAA, the government, and other unsavory sorts, from tracking who you are and what you're downloading. If you don't use PeerBlock, I can almost guarantee you will get caught at some point.

For web browsing, you should use Mozilla Firefox. Many people will probably recommend Google Chrome, but Google has been known to extensively spy on users and keep their data indefinitely. If you want to use Google Chrome for your online banking etc., use it in Incognito mode. As for extensions, some good ones are AdBlock Plus to block ads from displaying, FlashBlock to keep Flash objects from playing and potentially infecting you, HTTPS Everywhere to force websites to use SSL, which encrypts your traffic so packet sniffers can't steal your credentials, and NoScript, which blocks JavaScript and Java from running automatically, a vector used to infect many people without their knowledge. These add-ons, combined with Firefox, will help protect you.


Good Password Practices

It may come as a shock, but many online accounts are compromised simply by brute-force attacks. This is where a program throws many possible combinations of letters, numbers, and symbols at a website until one of them is the correct password, which unlocks the account. For the most part, it is relatively easy to stop this. But remember, nothing is 100%. The best way to protect your online accounts is to use a password manager. I am a huge fan of LastPass because of its convenience. It may not be the most secure, but it works for my purpose. You will want to go to every account you have online and change the password to something secure (LastPass has a tool that generates a random string of numbers, letters, and symbols of any length; use at least 20 characters, 40 is better). Have LastPass save all of your login credentials, and secure your LastPass account with a password you will remember but that is equally difficult to guess. I use Passphra.se for all the passwords I have to remember. Here is a great explanation for why it works so well.

I only have to remember four passwords, total. One to log in to my computer. One for the wifi. One for LastPass. And one for my school accounts (computer, grade checks online, etc.). All of these come from Passphra.se, and I tack on a couple of easy-to-remember numbers at the end and make the first letter a capital (not for security, it's just my habit).
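The two kinds of secret recommended above, a long generated string for the manager to store and a word passphrase for the one you have to remember, differ only in where the randomness comes from, and that is what decides how long a brute-force attack takes. The script below is an added example, not code from the post, from LastPass or from Passphra.se: it generates both kinds from the operating system's CSPRNG and puts numbers on the search space. The six-word list and the two guess rates are constructed for illustration; a real passphrase list has thousands of words, and the formulas stay the same.

```powershell
# Added example (not from the post, LastPass or Passphra.se): generate a random password
# and a word passphrase from the OS CSPRNG and compute what brute force is up against.

$Rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

function Get-SecureRandomIndex([int]$Max) {
    # Uniform integer in [0, Max) from the CSPRNG. Get-Random wraps System.Random, which
    # is not meant for secrets; rejection sampling keeps the modulo from biasing small indices.
    $buf   = New-Object byte[] 4
    $range = [long]4294967296                      # number of distinct 32-bit values
    $limit = $range - ($range % $Max)
    do {
        $Rng.GetBytes($buf)
        $n = [long][BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function New-RandomPassword([int]$Length = 20) {
    # Each position drawn from the 94 printable ASCII characters (space excluded):
    # the kind of string a password manager generates and stores for you.
    $alphabet = [char[]](33..126)
    $chars = for ($i = 0; $i -lt $Length; $i++) { $alphabet[(Get-SecureRandomIndex $alphabet.Length)] }
    return -join $chars
}

$WordList = @('correct', 'horse', 'battery', 'staple', 'lantern', 'orbit')   # constructed sample list

function New-Passphrase([int]$Words = 4) {
    # Words chosen independently and uniformly. Repeats are allowed on purpose:
    # forbidding them would shrink the space the attacker has to search.
    $picked = for ($i = 0; $i -lt $Words; $i++) { $WordList[(Get-SecureRandomIndex $WordList.Count)] }
    return ($picked -join ' ')
}

function Get-EntropyBits([int]$PoolSize, [int]$Count) {
    # Count independent uniform choices from PoolSize options: Count * log2(PoolSize).
    # For a passphrase the pool is the word list, not the alphabet: an attacker who has
    # the list guesses whole words, so the spelling of each word adds nothing.
    return [Math]::Round($Count * [Math]::Log($PoolSize, 2), 1)
}

function Get-YearsToCrack([double]$Bits, [double]$GuessesPerSecond) {
    # Expected time to hit the secret after searching half the space at a fixed rate.
    return [Math]::Pow(2, $Bits - 1) / $GuessesPerSecond / 31557600
}

$online  = 1000     # constructed: a throttled online login form, guesses per second
$offline = 1e10     # constructed: an offline attack on a leaked fast hash, guesses per second

"{0}   ({1} bits)" -f (New-RandomPassword 20), (Get-EntropyBits 94 20)
"{0}   ({1} bits from a 6-word list, {2} bits from a 7776-word list)" -f (New-Passphrase 4), (Get-EntropyBits 6 4), (Get-EntropyBits 7776 4)
"4 words from 7776: {0:N0} years online, {1:N1} days offline" -f (Get-YearsToCrack (Get-EntropyBits 7776 4) $online), ((Get-YearsToCrack (Get-EntropyBits 7776 4) $offline) * 365.25)
"20 random chars:   {0:E1} years offline" -f (Get-YearsToCrack (Get-EntropyBits 94 20) $offline)
```

The last two lines are the point of the exercise: a four-word passphrase from a few-thousand-word list holds up against an online login form for tens of thousands of years, but falls in days to an offline attack on a leaked fast hash, while a 20-character random string is out of reach either way. That is why the post keeps the memorable passphrase for the few accounts you type yourself and lets the manager hold long random strings for everything else.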


Is there anything else?

Make sure your firewall is on.
Run your anti-malware programs every day.
Never give out a password for any reason.
Most of all, use common sense. If you get an email claiming you just won a $20 million Nigerian lottery, it's probably a fake.