Saturday, June 4, 2011

Remote Access Trojans (RAT) removal


Remote Access Trojan Defined
http://technet.microsoft.com/en-us/library/dd632947.aspx

Beware of the following registry key entry......
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F4046E19-9A33-3DA4-5EBC-CD6114454DBA} 

This key F4046E19-9A33-3DA4-5EBC-CD6114454DBA is not deletable using Registry Editor and is a class of null keys. You cannot search for it and delete it, Regedit will complain that it is not found! 

Use GMER tool (is an application that detects and removes rootkits and works with Win7) available at http://www.gmer.net/ to find suspect rootkits and bad registry keys.

To remove a null registry key, you can use the toolkit provided by Mark Russinovich's master tools available from Microsoft  named Sysinternals. 

RegDelNull v1.1 This command-line utility searches for and allows you to delete Registry keys that contain embedded-null characters and that are otherwise undeleteable using standard Registry-editing tools. Note: deleting Registry keys may cause the applications they are associated with to fail.