How to remove a remote access trojan on PC without Norton installed yet

I have a friend who has no antivirus installed. His PC has gotten infected with a RAT (remote access trojan) which has been used to send bogus emails to his contacts.

He’d be happy to buy Norton but obviously can’t just go online and install it. I’ve told him to stay offline, in fact. So how can I help him to remove the RAT and then install Norton safely?

@RandySea2 What version of Windows is installed? Is it up to date with the latest security updates?

Let's start with trying to kill that process so an A/V scan can run.

Download RKill to a USB flash drive.

Download Malwarebytes to the same USB drive and use it to run a full system scan after booting into Safe Mode, AFTER running RKill.

Disable RDP in Windows settings and REVIEW the following information:

AI Overview

To remove an RDP Remote Access Trojan (RAT), immediately disconnect the computer from the internet (unplug cable/turn off Wi-Fi) to stop remote control, boot into Safe Mode with Networking, and run full system scans with reputable anti-malware (e.g., Malwarebytes, Windows Defender, or HitmanPro). Assume all credentials are compromised: change all passwords (email, bank) from a different, secure device and enable 2FA. [1, 2, 3, 4, 5]

Immediate Action Plan (Stop the Threat)

  • Disconnect Internet: Physically turn off Wi-Fi or unplug the Ethernet cable immediately to prevent the attacker from sending commands or stealing more data.
  • Enter Safe Mode: Restart in Safe Mode to prevent the RAT from loading.
    • Windows: Hold Shift while selecting Restart > Troubleshoot > Advanced Options > Startup Settings > Restart > Press 5 for Safe Mode with Networking.
  • Back Up Crucial Files: Back up only essential documents (photos, spreadsheets) to a physical drive, but do not back up executables (.exe) or programs, as they may be infected. [1, 2, 3, 4, 5]

Removal Procedure

  1. Run Anti-Malware Scans: Run a full scan with your primary antivirus (e.g., Bitdefender, Kaspersky) and Malwarebytes to detect, quarantine, and remove the RAT and associated registry modifications.
  2. Remove Suspicious Programs: Go to Control Panel > Uninstall a Program and look for any software installed around the time of the infection.
  3. Use Specialized Tools: If the RAT persists, consider using Tron Script for a comprehensive, automated cleanup.
  4. Check for Persistence Mechanisms: Check for unrecognized startup items and scheduled tasks that may re-launch the malware. [1, 2, 3, 4, 5]

Post-Removal Security Actions

  • Change All Passwords: From a clean device, change all passwords, starting with email and banking.
  • Secure RDP: If you use Remote Desktop (RDP), restrict port 3389 access, use a VPN, and ensure you have a strong, complex password.
  • Reset/Format PC: If the RAT is deep-seated or you cannot fully remove it, reinstall the operating system (Factory Reset/Nuke from orbit).
  • Review Account Activity: Look for unauthorized sessions in your email or Google security checkup. [1, 2, 3, 4, 5]

SA

3 Likes
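For the "check for persistence mechanisms" and "disable RDP" steps in the reply above, here is an added read-only triage script (not from the thread or from Norton) that lists the common autostart locations and reports whether Remote Desktop is turned off. It assumes Windows 10/11 with PowerShell 5.1 or later, run from an elevated prompt; the path heuristic and the "Suspect" flag are assumptions for triage, not verdicts.

```powershell
# Added example, not from the thread: read-only triage of the persistence
# locations and the RDP setting mentioned in the reply. Changes nothing on the host.
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
# Assumed heuristic: autostart commands living in user-writable folders deserve a closer look.
$suspectPaths = 'AppData\\|\\Temp\\|ProgramData\\|\\Public\\|\\Downloads\\'

function New-Entry($Source, $Name, $Command) {
  [pscustomobject]@{
    Source = $Source; Name = $Name; Command = [string]$Command
    Suspect = [bool]([string]$Command -match $suspectPaths)
  }
}

function Get-AutorunEntries {
  foreach ($key in $runKeys) {                      # Run / RunOnce registry values
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }         # skip provider metadata properties
      New-Entry $key $p.Name $p.Value
    }
  }
  foreach ($dir in $startupDirs) {                  # per-user and all-users Startup folders
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object { New-Entry 'StartupFolder' $_.Name $_.FullName }
  }
  # Enabled scheduled tasks not authored by Microsoft, with the program each one launches
  Get-ScheduledTask | Where-Object { $_.Author -notlike 'Microsoft*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
      $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
      New-Entry 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $cmd
    }
}

function Test-RdpDisabled {
  # fDenyTSConnections = 1 means Remote Desktop connections are refused
  $ts = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
  return ($ts.fDenyTSConnections -eq 1)
}

Get-AutorunEntries | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
"Remote Desktop disabled: $(Test-RdpDisabled)"
```

Entries flagged Suspect are only the ones worth checking first (publisher, signature, install date); the list is a starting point for the scans described above, not a replacement for them.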

@RandySea2 I’m following up to see what your progress is.

SA

1 Like

I forwarded the info to my friend. He decided it was too complicated for him and I couldn’t help him for a week. So he decided to hire someone who supposedly knows how to clean up this kind of problem. I am now out of the loop.

I do appreciate your advice.

Thanks for the post back, glad we could help in some way.

SA