Solved: PC infected with XTreme RAT

chorley (New Member, Messages: 3)
Hi,

I recently installed AVG on the family computer and ran a virus scan, which came up with a few problems. The biggest one was that the computer was infected with the XTreme RAT trojan. This has been removed, but looking at the capabilities a RAT gives I would like to see what damage has been done.

What do I need to be looking for in the Event Viewer for things like the webcam being turned off and on, remote access, files being remotely accessed, etc.?

Do I need to take any further action to protect the computer in the future? I don't know how long it's been on there; my sons keep installing games and things from the internet despite me telling them not to, so I don't know where it came from.

Any help/advice would be appreciated.
 

My Computer

System One

  • OS
    Windows 8
    Computer type
    PC/Desktop
Hi,

Israeli Defense Systems Hacked with Xtreme RAT Trojan | The State of Security

Wow, if this thing is good enough to mess with Israeli defense systems, your only logical choice is to use Killdisk on the hard drive and then install Windows clean after.

Change passwords to everything local, and otherwise.

Use only Firefox with assorted add-ons such as No-Script, BetterPrivacy, HttpsEverywhere, Adblock Edge, Disconnect, Ghostery, RefControl.

Don't click links in e-mails and don't download torrents that do not have exceptional only reviews.
 

My Computer

System One

  • OS
    7601.18247.x86fre.win7sp1
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Self-built Intel based
    CPU
    Pentium D 925 3.0 GHz socket 775, Presler @ ~ 3.2 GHz
    Motherboard
    Intel DQ965MT
    Memory
    Hyundai 2 GB DDR2 @ 333 MHz
    Graphics Card(s)
    ASUS DirectCU II HD7790-DC2OC-2GD5 Radeon HD 7790 2GB 128-Bit GDDR5
    Sound Card
    MOTU Traveler firewire interface
    Hard Drives
    1 Seagate Barracuda SATA II system/boot drive 80 GB, 2 Western Digital hdds - 1 is SATA II Caviar Black 1 TB attached to card (assorted media, page, temp), other is SATA I 420 GB (games, media, downloads)
    PSU
    Thermaltake 450W
    Cooling
    stock Gateway cooling, extra large fan in rear of case
    Keyboard
    Alienware/Microsoft Internet kb
    Mouse
    Logitech M510
    Internet Speed
    Optimum Online, fast for US
    Browser
    Pale Moon
    Antivirus
    Kaspersky integrated into ZoneAlarm+Antivirus
> Hi,
>
> Israeli Defense Systems Hacked with Xtreme RAT Trojan | The State of Security
>
> Wow, if this thing is good enough to mess with Israeli defense systems, your only logical choice is to use Killdisk on the hard drive and then install Windows clean after.
>
> Change passwords to everything local, and otherwise.
>
> Use only Firefox with assorted add-ons such as No-Script, BetterPrivacy, HttpsEverywhere, Adblock Edge, Disconnect, Ghostery, RefControl.
>
> Don't click links in e-mails and don't download torrents that do not have exceptional only reviews.

Yeah, I saw that too, and that's probably good advice, but I would still like some info on the Event Viewer: which log do I look at to see if the webcam has been activated? What does the record say? What about remote access events, etc.? I just want to try and get a handle on how much damage has been done first.
 

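The checks below are an added example, not code from anyone in this thread, of what the built-in Windows logs can and cannot tell you about the question asked above. It assumes an elevated PowerShell prompt (3.0 or later, as shipped with Windows 8) on the affected machine and the default Security and System logs. Windows 8 writes no Event Viewer record when the webcam is switched on, so there is nothing to query for that; what the logs can show is reused credentials (network and Remote Desktop logons), new services installed for persistence, and whether the logs themselves were cleared, which is the caveat the replies raise. The 90-day window is an assumption; widen it if the infection date is unknown.

```powershell
# Added example (not from the thread): triage of the built-in Windows logs for
# traces of remote access after a RAT infection. Run from an elevated
# PowerShell prompt on the affected machine.
# How far back to look (assumed value; the OP does not know the infection date).
$Since = (Get-Date).AddDays(-90)

# Read the <EventData> name/value pairs of an event so fields can be used by
# name; positional indexes differ between event IDs, names do not.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Remote logons: 4624 with logon type 3 (network, e.g. file shares) or
# 10 (Remote Desktop). A RAT's own command channel does not appear here,
# but an attacker reusing a harvested password does.
function Get-RemoteLogons {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-EventFields $_
            if ($f.LogonType -eq '3' -or $f.LogonType -eq '10') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    LogonType = $f.LogonType
                    Account   = "$($f.TargetDomainName)\$($f.TargetUserName)"
                    SourceIP  = $f.IpAddress
                }
            }
        }
}

# Log tampering: 1102 (Security log cleared) and 104 (any other log cleared,
# written to the System log by the Eventlog provider). Either one means an
# empty result elsewhere proves nothing.
function Get-LogClearing {
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $Since }
    )
    foreach ($flt in $filters) {
        Get-WinEvent -FilterHashtable $flt -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Log    = $_.LogName
                Id     = $_.Id
                Detail = ($_.Message -split "`n")[0]
            }
        }
    }
}

# Persistence: 7045 is written to the System log whenever a new service is
# installed. An unfamiliar service whose binary lives in a user-writable
# folder (Temp, AppData) deserves a closer look.
function Get-NewServices {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-EventFields $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Service   = $f.ServiceName
                ImagePath = $f.ImagePath
                Account   = $f.AccountName
            }
        }
}

'== Remote logons (4624, logon type 3/10) since {0} ==' -f $Since
Get-RemoteLogons | Format-Table -AutoSize
'== Log clearing events (1102 / 104) =='
Get-LogClearing | Format-Table -AutoSize
'== New services (7045) =='
Get-NewServices | Format-Table -AutoSize
```

If the log-clearing section returns anything, treat the other two sections as incomplete rather than as evidence nothing happened. Process creation (4688) and file-share access (5140) events are only written when those audit policies were enabled before the infection, so on a home PC with default settings they will usually be absent.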
Anyone worth their salt accessing your machine would have cleared logs with a pre-written script they made to have ready.

To me, all that is rather pointless anyhow. Machine has been compromised and as I see it, no need in worrying or picking apart the past. All you can do is move on in the best possible manner as has already been outlined.
 

I agree 100% with what MasterChief said. The only solution is to completely wipe the drive and reinstall.

However, if you're interested in looking into the damage caused, you could use some forensic tools.

OSFClone is a bootable CD which allows you to make a complete clone of the affected system.

Link: OSFClone - Open source utility to create and clone forensic disk images

You can then use OSFMount to view its contents.

Link: OSFMount - Mount CD and Disk images in Windows, ISO, DD

Finally, use OSForensics to create a detailed report.

Link: OSForensics - Digital investigation for a new era by PassMark Software®
 

My Computer

System One

  • OS
    Windows 8.1 Enterprise
I agree with what these gentlemen have said. Reload Windows and DO NOT rely on log files to give you any information as they have most likely been compromised also...
 

My Computer

System One

  • OS
    Win 10 Pro 64bit
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Home built Intel i7-3770k-based system
    CPU
    Intel i7-3770k, Overclocked to 4.6GHz (46x100) with Corsair H110i GT cooler
    Motherboard
    ASRock Z77 OC Formula 2.30 BIOS
    Memory
    32GB DDR3 2133 Corsair Vengeance Pro
    Graphics Card(s)
    GeForce GTX 980ti SC ACS 6GB DDR5 by EVGA
    Sound Card
    Creative Sound Blaster X-Fi Titanium HD, Corsair SP2500 speakers and subwoofer
    Monitor(s) Displays
    LG 27EA33 [Monitor] (27.2"vis) HDMI
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung SSD 850 EVO 250GB (system drive)
    WD 6TB Red NAS hard drives x 2 in Storage Spaces (redundancy)
    PSU
    Corsair 750ax fully modular power supply with sleeved cables
    Case
    Corsair Air 540 with 7 x 140mm fans on front, rear and top panels
    Cooling
    Corsair H110i GT liquid cooled CPU with 4 x 140" Corsair SP "push-pull" and 3 x 140mm fans
    Keyboard
    Thermaltake Poseidon Z illuminated keyboard
    Mouse
    Corsair M65 wired
    Internet Speed
    85MBps DSL
    Browser
    Chrome and Edge
    Antivirus
    Windows Defender, MalwareBytes Pro and CCleaner Pro
    Other Info
    Client of Windows Server 2012 R2 10 PC's, laptops and smartphones on the WLAN.

    1GBps Ethernet ports
Unfortunately, in some instances even low level formatting will not get rid of some malware. Your system is simply compromised. Best bet is new disk and CPU (if Intel, AMD is o.k.). Of course, no user will go this far, but this just shows that today everybody needs to be very careful.
Let's hope that formatting will be enough.
 

My Computer

System One

  • OS
    windows 8.1
    Computer type
    Laptop
    System Manufacturer/Model
    MSI
    CPU
    i7-4800MQ
    Memory
    32GB
    Graphics Card(s)
    nVidia GeForce GTX 770M
    Browser
    Enhanced Protected Mode IE/protected mode Firefox
    Antivirus
    nope
    Other Info
    OpenNIC/DNSCrypt/VPN/EMET
> Unfortunately, in some instances even low level formatting will not get rid of some malware. Your system is simply compromised. Best bet is new disk and CPU (if Intel, AMD is o.k.). Of course, no user will go this far, but this just shows that today everybody needs to be very careful.
> Let's hope that formatting will be enough.

Malicious code can be permanently embedded within the Intel CPU? Or am I misinterpreting what you are saying?
 

My Computer

System One

  • OS
    Windows 8.1 Pro 64-bit
    Computer type
    Laptop
    System Manufacturer/Model
    Acer V3 771G-6443
    CPU
    i5-3230m
    Motherboard
    Acer VA70_HC (U3E1)
    Memory
    8GB DDR3 PC3-12800 (800 MHz)
    Graphics Card(s)
    HD4000 + GeForce GT 730M
    Sound Card
    Realtek High Definition Audio
    Monitor(s) Displays
    17" Generic PnP Display on Intel HD Graphics 4000
    Screen Resolution
    1600x900 pixels
    Hard Drives
    Samsung SSD 850 EVO 250 GB
    ADATA SSD SP900 128GB
    PSU
    90 watt brick
    Mouse
    Bluetooth
    Antivirus
    Comodo
    Other Info
    Asus RT-AC56R dual-band WRT router (Merlin firmware). Intel 7260.HMWWB.R dual-band ac wireless adapter.

> > Best bet is new disk
>
> Killdisk renders a drive to the extent where it is literally not possible for any data to survive.
>
> > Best bet is new disk and CPU (if Intel, AMD is o.k.).
>
> > Malicious code can be permanently embedded within the Intel CPU? Or am I misinterpreting what you are saying?
>
> I can answer that. No.

Of course it can: by adding write-only registers to the CPU, Intel is a reason why TRESOR is no longer an option for anyone interested in serious disk encryption (which is obviously no reason to worry for the average user, but), also Intel already sabotaged the traditionally strong pseudorandom generation under Linux that runs on Intel devices.

Read Bruce Schneier's blogs. I would think that he is an authority on this topic.
 

You're talking about a vulnerability that has to be exploited during the manufacturing process by a rogue employee. lol

Malware will never survive Killdisk.

Stop spreading FUD.
 

> You're talking about a vulnerability that has to be exploited during the manufacturing process by a rogue employee. lol
>
> Malware will never survive Killdisk.
>
> Stop spreading FUD.

Just read Snowden on the topic, and some of Schneier's articles in the Guardian.
 

> > You're talking about a vulnerability that has to be exploited during the manufacturing process by a rogue employee. lol
> >
> > Malware will never survive Killdisk.
> >
> > Stop spreading FUD.
>
> Just read Snowden on the topic, and some of Schneier's articles in the Guardian.

Here at eightforums.com, and I'm sure the admins will correct me if I'm wrong, we like to deal with reality and not some far-off fantasy never-never land proof-of-concept, only-happens-in-a-laboratory exploits when helping people with their issues.

It seems to me that you try to show off something you know, when in reality the end result makes the unaware confused and steers them down the wrong road completely.

Do you honestly really suggest that a new CPU and hard drive are needed? Really???
 

For example: does Killdisk deal with bad sectors, HPA, DCO?
Windows will use the checkdisk feature to recover data (including malware).
Commercial BCWipe is the tool to use. But then you can also get a new HDD.
People get infected all the time; they don't care how many times, as long as after removal all works.

If you suggest using Killdisk, then this is either insufficient or overkill.
 

> For example: does Killdisk deal with bad sectors, HPA, DCO?
> Windows will use the checkdisk feature to recover data (including malware).
> Commercial BCWipe is the tool to use. But then you can also get a new HDD.
> People get infected all the time; they don't care how many times, as long as after removal all works.
>
> If you suggest using Killdisk, then this is either insufficient or overkill.

I already asked you once nicely to bust the balls of someone else. Now I'm straight out telling you to keep your incorrect notions as far away from me as possible. Next time, I am not going to be nice. I have no need to continue arguing imbecility.

Go help members if you feel you know best. I won't bother you. Let's see how far you get.
 
