
I think I have a RAT (trojan) inside my PC. I have no idea what I should do, any and all help is appreciated


#1

I have my suspicions that my computer has a ratting trojan inside somewhere monitoring my behavior and what all I do on my PC. I really need help as I do not know what to do from here.


#2

What operating system?
What version of it?
What symptom[s] is the computer showing?
When did this begin?
Have you done anything to attempt to correct it so far?


#3

I am using Windows 10
version 1803

I am a musician/producer, and I have seen some of my work show up under someone else’s account on YouTube and SoundCloud. They have changed minor details, but nonetheless I am able to tell that these certain individuals have somehow copied what I have done and have claimed it as their own.

I started noticing these symptoms almost 3-4 years ago when I was still friends with certain individuals (whom I am no longer friends with). They would come over to my house and sometimes I would leave my computer on. I am assuming this is when they installed the RAT. Either that or they obtained some info on my network to hack in and do it that way.

I have installed Bitdefender antivirus, but from my understanding (what little I do understand) that won’t necessarily fix this problem.

Thank you for responding.


#4

I also feel that I should mention that I noticed a folder for TeamViewer in my user folder. I do not have TeamViewer on my cpu (that I know of) nor have I ever attempted to download it. I had no idea what it even was until I started doing research on this stuff.


#5

delete it


#6

I have tried. I do not see event viewer in my list of programs nor can I delete the old log from TeamViewer.

Also I directly answered your post asking me those questions. Do you have a solution?


#7

The purpose of me asking my original questions is to get the information out so someone with potentially more knowledge may see it and help you. I’m a nothing-special troubleshooter, but I know what questions to ask.

However, this is fishy. I’d boot into safe mode and try to delete it again, as that has worked for me in past situations.


#8

I just deleted the folder and that worked fine.

I keep checking task manager and programs and I still don’t see TeamViewer. How could that file even exist on my machine?


#9

Event Viewer is a standard part of all Windows installations and is not a separate program but a part of Windows.

TeamViewer can in fact be used as a RAT, although it is a legitimate and useful program for many people.


#10

But the folder said TeamViewer. I found it in my AppData folder under local.


#11

I have never attempted to install TeamViewer on my machine.


#12

You’d have to assume that someone tricked you into downloading and installing malware. You have to be pretty careful downloading stuff from links in YouTube videos, or you know, getting software from less than traditional means.

It would be worth downloading and installing Malwarebytes and giving your PC a good scan.

Don’t worry too much about all the pro features, just run the free version. Unless you don’t trust yourself.


#13

First you could use other malware scanning tools. I personally tend to like Malwarebytes’ scanner, though it tends to be on the false-positive side. Additionally, you could create a Kaspersky boot stick and do another round of scanning:
https://support.kaspersky.com/14227

If your attacker is proficient enough, he might have been able to create custom malware, through tools of his own. (Or just enough tries with Metasploit). If this is the case, finding the malware could almost be impossible (sadly). Meterpreter is able to infect other processes, open VNC sessions and create boot entries. (If it has admin privileges). If you truly suspect an infection, the best thing to do would be a complete reinstall of Windows.

(You could watch your network traffic and also look for suspicious files anywhere on your PC. Be sure to enable “show hidden files”. Furthermore, the network traffic of the malware is probably encrypted and uses port 443. If you do however stumble on port 4444 activity, it is a telltale sign for malware :smiley: )


#14

Ok, thank you for the post. How do I check those ports to see what’s going on?


#15

Malwarebytes didn’t detect anything on the scan.


#16

You can use Wireshark for that. You should keep it running for quite a while. (Especially when your PC is idle).
https://www.wireshark.org/download.html
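
Added example, not part of the original posts: alongside a Wireshark capture as suggested in #16, Windows can show which process owns each open connection, which is what #14 asks. Port 4444 comes from post #13; the AppData, signature and TeamViewer-name checks are assumptions chosen for this thread, and a flag is a prompt to look closer, not a verdict.

```powershell
# Map every established TCP connection to the process that owns it.
# Run from an elevated PowerShell window so paths of service processes resolve.

$flagPorts = @(4444)   # port named in post #13; add others as needed

$rows = foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    # Loopback traffic never leaves the machine; skip it.
    if ($c.RemoteAddress -in '127.0.0.1', '::1') { continue }

    $p    = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($p) { $p.Path } else { $null }

    # Authenticode status of the executable on disk (Valid, NotSigned, HashMismatch, ...).
    $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NoPath' }

    $notes = @()
    if ($c.RemotePort -in $flagPorts -or $c.LocalPort -in $flagPorts) { $notes += 'flagged port' }
    # Plenty of legitimate per-user apps live in AppData; this only narrows the list.
    if ($path -and $path -like "$env:SystemDrive\Users\*\AppData\*") { $notes += 'runs from AppData' }
    if ($sig -ne 'Valid') { $notes += "signature: $sig" }
    if ($p -and $p.ProcessName -like '*teamviewer*') { $notes += 'TeamViewer process' }

    [pscustomobject]@{
        Process = if ($p) { $p.ProcessName } else { "PID $($c.OwningProcess)" }
        Id      = $c.OwningProcess
        Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
        Path    = $path
        Notes   = $notes -join '; '
    }
}

# Rows with notes sort first.
$rows | Sort-Object { $_.Notes -eq '' }, Process | Format-Table -AutoSize -Wrap
```

This is a snapshot of one moment, so repeat it a few times while the PC is idle; the `Id` column can be matched against the Details tab in Task Manager.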


#17

Back up all your files from the computer onto a flash stick, then go to Windows settings, “refresh my PC”, and choose to save nothing. This will give you a completely clean computer, after which you will need to reinstall all your programs and copy your files back.

If you aren’t comfortable doing this, something like Geek Squad should be able to do it for you.


#18

I have given this some thought before. Will this remove all of the .exe programs on my cpu?

Also, if I back up all of my files on the stick, what’s to say that the RAT won’t be on that with all of my old files?


#19

Wireshark monitors my ports?


#20

Yes, it will remove everything. Don’t copy any programs onto the stick, just your documents and media.