How to delete RATS/Viruses from your RDP/COMPUTER

This is for newbie people that still need help with starting out.

  1. INTRODUCTION

Some of these scammers are using AnyDesk and blocking your input and your desktop visibility (some of them even got smarter and use C++, creating an application that downloads a Quasar RAT from raw bytes; after that they just create an overlay saying WAIT or something like that). That happened to me with a tech support scammer.

Some of them are actually hiding the RATS/VIRUSES in C:/ProgramData or something like that and adding a registry entry in RUN that is easy to delete.

  2. How to remove the rats/viruses?

Everything is actually pretty simple. All you gotta do is download Autoruns, made by Microsoft, and after that go to Scheduled Tasks or Startup and just uncheck the RED applications, then go into CMD and do:

taskkill /f /im rat/virus name.exe

after that do this:

cd "path where the rat/virus is"
del "the rat/virus.exe"

then just restart your virtual machine, or in case it is your real computer, just do that.

THIS WILL WORK EVEN IF IT’S NOT FROM A TECH SUPPORT SCAMMER, YOU CAN USE THIS TO EVEN CHECK IF YOU HAVE ANY VIRUSES/RATS

1 Like
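The guide above relies on Autoruns to find startup entries with a bad or missing signature. As an added example (not code from the thread or from Autoruns), this read-only PowerShell script walks the same two places the post points at, the Run/RunOnce registry keys and scheduled-task actions, resolves the executable each one launches, and lists every entry whose Authenticode status is not Valid. Function names and the output columns are my own choices; it assumes Windows PowerShell 5.1 or later and does not kill or delete anything.

```powershell
# Added example: enumerate Run/RunOnce keys and scheduled-task actions,
# resolve the launched executable, and flag anything not validly signed.

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Expand %ProgramData% etc., then take the quoted path or the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 1) {
        return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    }
    return ($cmd -split '\s+')[0]
}

function Get-StartupEntry {
    # Per-machine and per-user Run / RunOnce keys (what Autoruns shows under Logon).
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, ...
            [pscustomobject]@{ Source = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Scheduled tasks: one entry per Execute action (COM-handler actions have no Execute).
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source  = "Task $($t.TaskPath)$($t.TaskName)"
                                   Name    = $t.TaskName
                                   Command = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }
}

Get-StartupEntry | ForEach-Object {
    $exe = Get-ExecutablePath $_.Command
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        # Bare name such as "svchost.exe": resolve through PATH.
        $exe = (Get-Command $exe -ErrorAction SilentlyContinue).Source
    }
    $status = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else { 'NotFound' }
    [pscustomobject]@{ Source = $_.Source; Name = $_.Name; Exe = $exe; Signature = $status }
} | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

The Signature column carries the SignatureStatus value (NotSigned, HashMismatch, NotTrusted, UnknownError) or NotFound when the launched file no longer exists, which is the entry worth looking at before deciding what to remove.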

This will be ineffective for any malware that defends its process. It also makes the assumption that you could find the malware in the first place, and that it is an executable. You are much better off just installing an antivirus. Disabling startup programs at random can break stuff on your PC. Do you really expect a tech-illiterate 80-year-old victim to get any use out of a guide like this?

2 Likes

Actually, there is a way to do more things, but trust me, Autoruns is good for it. And let’s be serious, the scammers got like a turtle brain.

It isn’t necessary to download an anti-virus when checking the scheduled tasks or checking the application process digital signature is enough.

You can’t rat a .efi or any other files… You can though rat a .lib/.sys, but it’s easy to detect, and actually you could find the malware easily because the application is made by Microsoft + checking the certificate of the application (if it’s leaked/self-signed it will appear red) and you can just check by there… There is no actual way of bypassing Autoruns easily when you have 10 IQ (talking about the scammers) + what do you expect a RAT to do? Hijack notepad? Let’s be serious, they mostly start when the PC starts…

About defending, it’s pretty easy: disable the process autorun and done, because some of them actually do bluescreen when you stop them, but restarting the PC after removing them from auto start is enough, and after that deleting them.

About the 80-year-old too, yes, it isn’t so hard, pressing 3 buttons; even if you don’t delete the .exe, probably the built-in Microsoft anti-virus will just delete it.

1 Like

Trust me friend, you got a lot to learn. I am a malware author, analyst and certified computer forensic examiner. You don’t even need to have files to create a persistent rat. They could be side-loaded by applications with signed certificates; they could even be using legitimate remote access tools that would be signed, but the name could be changed. In any case, an antivirus will fare better than a person trying to remove the stuff themselves.

3 Likes

I learnt that the other day about rats and viruses from VirtualBox on a Windows 10 VM (my main host at that time was, stupidly enough, Windows 10 also). I wish I had read this sooner. Now I use Windows for gaming and education and Linux for scambaiting for that reason (using a dual partition). Now I use Qemu, and I feel more secure while doing it. I have always been a Linux activist in the first place, and I was naive for not making a dual partition in the first place. But for me, my biggest scare is Windows deleting my partition after an update (I heard it can happen). What do I do in this case to keep my Linux partition? I know it could probably be rare, but second to some obvious stuff (like backing up files and all the jargon), what can I do? I haven’t had the best luck finding articles or reddit posts about it.

1 Like

Not really the right place to ask, but you could just back up your files. There isn’t much to stop Microsoft’s shitty code from destroying your Linux partition. You could also just convert your Windows install into a VM and main Linux; you can pass through your GPU to your gaming VM and it will run similarly to it being direct on hardware.

2 Likes

You’re right, I still have a lot to learn, but my knowledge is pretty decent for now. I am coming from the cheating community and I know what I say: even if the rat is very hidden, it still can be manually removed.

Plus you’re saying that “They could be side loaded by applications with signed certificates, they could even be using legitimate remote access tools that would be signed but the name could be changed.” It won’t be possible to change a certificate name or anything; it’s like saying “Oh wow, I self-signed my .exe!” or like saying “I am using a leaked certificate for my rat.” It’s a useless thing to say. That won’t help with much + AVs are being bypassed a lot of times, so pretty sure it’s better to double check yourself.

You’re right with one thing, there are a lot of leaked certificates out there (EV/OV) and yeah, it’s good to check it yourself once in a while rather than believing an AV every time.

Though they could be working through a signed application and installing a rat with a payload, still, right now, let’s be serious: no one is gonna go to every connection, if they have a self-signed certificate, to install the certificate on the victim’s PC.

And let’s be serious, we are talking about some scammers, not about some professional ratters or anything, just some amateurs; let’s be serious, you won’t see some crazy bypasses or payloads from these guys. Though thanks for the help.

Good night.

1 Like

They can change the name of a legitimate signed executable just fine. You are correct in that they cannot change the name on the certificate. I have seen this in multiple scam operations in the wild. The other stuff I mentioned was a tangent, but the point is that while you are going after an important issue, I don’t think that the instructions are going to be useful to the target audience. I am halfway through making a program to remove abused remote access programs, a format which I think will be more useful to most people. Telling people to install an antivirus is a much more reliable way to remove malware.

1 Like

Nice, can’t wait to see your application.

1 Like

What I do is install a Linux distro (any will do - your preference) and then install LinuxFX (looks like Windows) or a highly modified version of Windows 7 in Virtualbox on that external drive (fast 256 GB flash drive or 7200 rpm SATA HDD). I would NEVER use my main OS for scambaiting. I also take a snapshot of the VM before letting them connect so I can revert after they install anything and start fresh each time. These preventatives seem to work well for me.

2 Likes

Rather than using VirtualBox, better use https://azure.microsoft.com; it’s the best and you get like a 200 USD free trial too for virtual machines + you can scare the scammers because your ISP will be Microsoft Corporation.

1 Like