General Question


Suggestions on removing a RAT or KL?

Asked by RZ71 (61points) August 15th, 2016

For those who may be unfamiliar with the acronyms, I am referring to a remote administrative tool and a key logger.
The RAT gives the person on the other end full control of the victim’s computer, and the key logger only records keystrokes and takes screenshots of the information displayed on your screen at certain intervals.

I used a neat little RAT/KL scanner and apparently it has found a process called “SkypeHost” (not signed) under

C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe

Now, let’s be realistic, this appears to be pretty darn suspicious even if it does seem to be a legit Microsoft application (which I know it is not). I mean, you HAVE to make it look legit and like it belongs if you’re going to try and “hack” or keylog or RAT someone. I am convinced this is an obvious RAT or KL. Now, the problem is trying to remove it.
The apparent “RAT”(er) has denied me access to remove the file(s) in the folder or the folder itself. Now we definitely have a problem. Is there any alternative that doesn’t require resetting the entire laptop to factory settings or wiping the drives, or the laptop? I’m not sure, maybe those ARE the only alternatives, but I hope there are other options. Thank you all for responding.


9 Answers

LuckyGuy

I did a search for skypehost.exe and found this article about it in Windows 10. It appears to be legit, but wasteful, and several methods are suggested to remove it.
Here is another article about it.
I can’t answer the RAT or KL question but, no doubt, someone will shortly.

Call_Me_Jay

I don’t know about the specifics of your files, but the general advice is boot from a CD/USB like Knoppix.

Lifehacker – Five Best System Rescue Discs

funkdaddy

It’s hard to tell without playing with it some, but if you’re sure the file is no good, you should be able to remove it manually.

With an admin account, you should be able to take ownership of the file by right clicking -> properties -> security (depending on OS it’s different from there). You might need to do the folder as well. Then delete it if you’d like.

There’s no guarantee it won’t come back from somewhere else if it really is malware.

You might try removing the messaging components through Windows before removing it manually.
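Before taking ownership of anything under WindowsApps, a defender would first establish whether the flagged file is really an orphan or part of a Store package that Windows has registered. The following PowerShell is an added example, not code from any answer in this thread; it assumes Windows 10 PowerShell 5.1+ and uses the exact path RZ71 posted.

```powershell
# Added example (not from the thread): checks whether the flagged SkypeHost.exe
# is the install location of a registered Store package and reports the
# binary's signature state, before anyone starts deleting files.
# Assumes Windows 10 PowerShell 5.1+ and the path posted in the question.
$Flagged = 'C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe'

# 1. Is the folder the InstallLocation of a registered Appx package?
#    Store apps are registered per user, so run this as the user whose
#    session shows the "SkypeHost" process.
$folder = Split-Path -Path $Flagged -Parent
$pkg = Get-AppxPackage | Where-Object { $_.InstallLocation -eq $folder }
if ($pkg) {
    "Registered package : {0} v{1}" -f $pkg.Name, $pkg.Version
    "Publisher          : {0}" -f $pkg.Publisher
    "Signature kind     : {0}" -f $pkg.SignatureKind   # Store / System / Developer / None
} else {
    "No registered Appx package uses $folder (unexpected for a real Store app)"
}

# 2. Authenticode state of the binary itself. Store binaries are protected
#    by the signed package manifest, so 'NotSigned' alone is not proof of
#    tampering; 'HashMismatch' or an unexpected signer would be.
if (Test-Path -LiteralPath $Flagged) {
    $sig = Get-AuthenticodeSignature -FilePath $Flagged
    "Authenticode       : {0}" -f $sig.Status
    if ($sig.SignerCertificate) {
        "Signer             : {0}" -f $sig.SignerCertificate.Subject
    }
    # Record a hash so the file can be compared against vendor or AV data.
    "SHA256             : {0}" -f (Get-FileHash -LiteralPath $Flagged -Algorithm SHA256).Hash
} else {
    "File not found or access denied: $Flagged"
}

# 3. If the package is registered, the supported way to get rid of it (what
#    "removing the messaging components through Windows" means) is to remove
#    the package rather than fighting WindowsApps permissions. Left commented:
# if ($pkg) { Remove-AppxPackage -Package $pkg.PackageFullName }
```

If step 1 finds no registered package for that folder while the process is still running, that is the point at which the offline-boot and reinstall advice in the other answers becomes the safer course.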

johnpowell

The system is compromised. You have no idea what was done, and I would bet some cash you can never actually fully remove it.

It is time to format the disk and reinstall. There is sort of a tactic here. Make it look easy to get rid of so you are comfortable and then the real damage is still being done in a thing that isn’t visible in task.exe.

LuckyGuy

@johnpowell Is there no scanner for this issue? AVG? Avast? Norton?

johnpowell

@LuckyGuy: It might say it is removed, but I would not trust it.

LuckyGuy

@RZ71 What did you decide to do? Did you ever find a good scanner?
