Header Ads

How To See/Remove Infections Of The 3 Most Popular RATs Manually[CG/DC/BS]

Hi guys, today I will be showing you how to see and remove infections(manually) from the three most popular RATs out there; Blackshades, Cybergate and Darkcomet.

For the sake of this tutorial, I've infected myself with a couple RATs, to see how it works.

For the RAT called Cybergate, we will be using the following settings:

 So lets run the virus!

In the settings, you saw that I highlighted 3 things:
-The HKCU, this means the startup name. So when your slave reboots, the HKCU called (in this case) Windows Firewall will be executed again. This startup will be placed in msconfig. We can check this by going to: run and then open ''msconfig''.

Here we see that there is an unknown startup called Windows Firewall, and it runs svchost.exe on every boot of the computer. So an important tip here is, ALWAYS check your msconfig for unknown startups. What we are going to do now is, disabling the startup. But when we do this, it comes back on! This is the second thing that I highlighted, called:
-Persistence, this is an extra process in your task manager which is called explorer.exe in this case. This process will keep the startup alive, so what we need to do is kill that process! Simply go to task manager, and then search for that process. Be careful with what process you end tho, because people who try to RAT you will always try to make the process look legit as possible. 

The one with the less KB is the fake one (The Cybergate one)
So disable this, and now you can remove Windows Firewall from the startup! What also a good tip is, that RATs always use the *32 as default behind the process, so this may also help finding the fake process.
So this was what we all can do about removing Cybergate infections, of course a Virusscanner will also do the same, but crypters bypass virusscanners, so doing this manually is better.

For the RAT Darkcomet, they released a good tool called Darkcomet Remover. You can use this tool to remove infections, download it here:
click here

But we can also remove infections manually, which is in my opinion better.

The settings we will be using for Darkcomet:

So you see we have added persistence to the RAT, and the startup is called ''Startup Test'' in this case. Now after running the virus, the following appears in our MSCONFIG:


If we try to remove this startup, it will come back. Same story as CyberGate, there is a persistence process active. We must kill this process. The persistence process of Darkcomet is called:
-Msdcsc.exe*32, this process is quite obvious. As description it says: Remote Service Application:

Kill this process, and we can remove the Startup from Msconfig!
Darkcomet activates other processes as well, sometimes. The processes are called:
Kill these processes as well.

We will be using the following settings in the Blackshades RAT:


As you can see in the picture, we will be using a startup called: ''Startup Test BS'' and we have activated ''protect process'' this is in other words persistence.

So lets run the virus and then see what comes up in msconfig and task manager:


Again, we can't disable the startup, because there is another process active that keeps the startup alive. The startup is called smss.exe in this case. So lets end that process:


After ending that process, we can close the startup!

But what if a process can't be killed? This can be caused by many crypters. Some crypters will add persistence to the process, so when you try to kill that process it will say it can't end it!

Some useful tools for removing processes without limitations are:
-AVG PC tuneup 2011, download it here:
click here ..
-Unknown Logger Cure, when having the keylogger, you will also get a Unknown Cure, with that tool you can end any process.

So having these tools, just navigate to your process you want to kill, and simply end it!

I hope this tutorial helped all of you out! This is just a simple tutorial about removing RATs manually, so again, a virus scanner will do the same, but as you know that's what we have crypters for. So common knowledge is always better than something else doing it for you!
Please leave some feedback and tell me what I could have done better!
Powered by Blogger.