Removing Malware

Discussion in 'Security Discussion' started by PimpDaddyC, Mar 5, 2016.

#1 - PimpDaddyC, Mar 5, 2016 at 3:23 AM

    Hey Sythe, Pimp here. Wrote this guide for my clan about a month ago and figured I'd share it with you all too!


    I notice a lot of people thinking they might be ratted, or getting hacked out of the blue and having their pins bypassed, so I'll make a little guide on how to check for malware and remove it.

    First off, you're probably asking what a RAT is. Simply put, a "RAT" is a remote administration tool. Most remote administration tools can be used for legal purposes (Teamviewer is a good example of a remote administration tool that is used legally among many people) but many are used for illegal purposes, such as keylogging, password stealing, using your computer as a slave to mine crypto-currencies, hit people offline, and so on. The possibilities are endless.

    Computers usually get infected by opening infected files such as .exe's, .jar's, or .scr's. While it is rare, there are some exploits out there to infect .doc and .pdf files, so be careful that you do not open these types of extensions from unknown sources. Also, please do not get paranoid and think all of these file extensions are infected, as there are many programs that use them and are clean. If you're ever skeptical about running software, run it sandboxed and/or on a virtual machine. You can download Sandboxie here: http://www.sandboxie.com/index.php?DownloadSandboxie I'll write a guide in the future about setting up a virtual machine.

    Anyways, upon opening one of these infected files, the malware executes and is USUALLY enabled on startup. The reason people enable startup on malware is so it will re-connect to you next time you boot your computer and they do not lose you as an infect. With that being said, we can check our startup for anything suspicious.

    1. Navigate to your Windows button, type "system configuration", and click it.

    [​IMG]

    2. Now head over to your "Startup" tab and search for anything suspicious. Usually files with HKCU and unknown manufacturers are malware. Below in the picture I've underlined an example of a fake TeamSpeak on startup. This is how easily you can be tricked into thinking something isn't malware. By default I disable everything here, because these are just the files that load when you boot your computer.

    [​IMG]

    Now that you know the name of the file, you can check for it in your processes. Go to your Windows button/search bar and type taskmgr.exe.

    [​IMG]

    Search for the name of the file (in this case, we'll be looking for teamspeak.exe, the fake TeamSpeak) and end the process. Some malware might be renamed and hidden from startup and you can still be infected, so we aren't done yet. Also, some malware might pop back up in your processes after you exit it. Follow me.

    We're going to check %appdata% and %temp% for any files outside of folders.

    Navigate to %appdata% > Roaming

    [​IMG]

    Search for any files outside of folders, usually .exe or .jar, and delete them.

    [​IMG]

    Now we're going to do the same for %temp%.

    [​IMG]

    Go ahead and delete all files in %temp% once you've navigated there. This can speed your PC up a lot if you haven't done this.


    [​IMG]

    Now finally we can check out our registry for anything hidden on startup. This is actually very interesting so pay attention.

    Navigate to Windows button > type regedit.exe > click regedit.exe (lol)
    [​IMG]


    Click HKEY_CURRENT_USER
    [​IMG]


    Click Software.
    [​IMG]


    Click Microsoft.
    [​IMG]


    Click Windows.
    [​IMG]


    Click CurrentVersion.
    [​IMG]

    Check your Run and Runonce folders for any malicious/suspicious files. Delete them.
    [​IMG]

    Congratulations. You've possibly just successfully removed fully undetectable malware all by yourself. Without any software. Cool huh?

    Now, just to be safe, go run Malwarebytes and Kaspersky so they can pick up any other junk that you may have missed (junk extensions for Chrome/Mozilla, etc.).
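    The places this post inspects by hand (the Run/RunOnce keys behind the Startup tab, the running processes in Task Manager, and loose files sitting directly in %appdata% and %temp%) can be gathered into one report with a read-only PowerShell script. The script below is an added example, not code from the original post or its author. It assumes Windows PowerShell 5.1 or later on the machine being checked; the function names (Get-AutorunEntries, Get-LooseExecutables, Get-SignatureStatus, Get-ExecutableFromCommand) are my own, and the HKLM keys are included as an assumption beyond the HKCU path the post walks through. It deletes nothing; the removal steps stay as described above.

```powershell
# Added example (not code from the original post): read-only triage of the
# autorun locations and loose files the guide inspects by hand.
# Assumes Windows PowerShell 5.1+; HKLM keys are readable without elevation.

# Run/RunOnce keys the guide walks to in regedit, plus the machine-wide ones.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run-key command line such as
#   "C:\Users\me\AppData\Roaming\teamspeak.exe" -silent
# so it can be signature-checked and matched against running processes.
function Get-ExecutableFromCommand {
    param([string]$Command)
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    # Values often use %SystemRoot% or %ProgramFiles%; expand before testing the path.
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Authenticode status of a file, or a marker when the value is not a resolvable path
# (bare names such as "rundll32.exe" rely on PATH and show up here as NotAPath).
function Get-SignatureStatus {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'NotAPath' }
    return (Get-AuthenticodeSignature -LiteralPath $Path).Status.ToString()
}

# One row per Run/RunOnce value, with a Running flag taken from the process list.
function Get-AutorunEntries {
    $runningPaths = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } | ForEach-Object { $_.Path.ToLower() }
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/... bookkeeping; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $exe = Get-ExecutableFromCommand -Command ([string]$prop.Value)
            [pscustomobject]@{
                Location  = $key
                Name      = $prop.Name
                Command   = [string]$prop.Value
                Signature = Get-SignatureStatus -Path $exe
                Running   = ($runningPaths -contains $exe.ToLower())
            }
        }
    }
}

# Files sitting directly in %APPDATA% (the Roaming folder), %LOCALAPPDATA% and
# %TEMP%, not inside any subfolder, with executable-style extensions.
function Get-LooseExecutables {
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
    $suspectExt = @('.exe', '.jar', '.scr', '.bat', '.vbs', '.ps1')
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $suspectExt -contains $_.Extension.ToLower() } |
            ForEach-Object {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    Modified  = $_.LastWriteTime
                    Signature = Get-SignatureStatus -Path $_.FullName
                }
            }
    }
}

"=== Run / RunOnce entries (NotSigned or NotAPath with Running = True first) ==="
Get-AutorunEntries | Sort-Object Signature, Running -Descending | Format-Table -AutoSize -Wrap

"=== Loose executables in %APPDATA%, %LOCALAPPDATA% and %TEMP% (newest first) ==="
Get-LooseExecutables | Sort-Object Modified -Descending | Format-Table -AutoSize -Wrap
```

    Run it from a normal PowerShell prompt; an autorun entry that is unsigned, points into a user-writable folder such as Roaming or Temp, and is currently running is the one to look at first. Because it only reads, it can be run before and after the manual cleanup to confirm the entry and the file are actually gone, and again after a reboot to see whether anything came back.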
#2 - Jon, Mar 5, 2016 at 3:52 AM

    Not a bad guide. Actually, you would want to boot into safe mode without network connections and then do these steps. That way if they have persistence on it is easier to kill. If there is persistence, the .exe/'server'/virus will just reboot itself. This USUALLY requires internet to work though.
#3 - PimpDaddyC, Mar 5, 2016 at 6:30 PM

    That is true, forgot to include that :) Thanks!
#4 - FeelsBadMan, Mar 6, 2016 at 11:22 PM

    Appreciate this, nice guide.
#5 - PimpDaddyC, Mar 7, 2016 at 3:26 AM

    No problem yo
     