0

I was recently helping an older friend fix some issues with her Windows XP computer when I came to realize that it had been infected with some sort of RAT. The RAT had been on the system for about a week, and in that time the user had created a couple of new user accounts, installed Advanced Mass Sender and Dbrute IP scanner. I disconnected her from the internet, deleted all the new accounts, ran two separate virus scans, and uninstalled any new programs that she couldn't explain. The scan found some virus files, which were quarantined and removed.

What other steps do I need to take to make sure she's secure before I reconnect the computer to the internet? Should we just reinstall the whole OS, or can we guarantee a reasonable level of security short of that?

9
  • 2
    I would just reinstall the operating system if you confirmed it was infected with a RAT tool. Of course I highly suggest not reinstalling Windows XP because the exploit that allowed it to happen likely will never be patched.
    – Ramhound
    Commented Oct 8, 2013 at 13:06
  • Microsoft will stop with its security patches for Windows XP in half a year (around April 2014 I believe). Besides that, there is no guarantee that the system is clean; if I were you I would install a newer OS.
    – Mixxiphoid
    Commented Oct 8, 2013 at 13:09
  • I like to use ComboFix but nothing is 100%. I would press them to go for Windows 7 at minimum.
    – MonkeyZeus
    Commented Oct 8, 2013 at 13:10
  • Microsoft seems to have started the complete neglect of Windows XP. Out of the kindness of my heart I am reformatting my parent's PC from 2004 with their XP disc and I cannot even access Windows Update. I had to find Service Packs 2+3 on a different computer and transfer them via USB stick.
    – MonkeyZeus
    Commented Oct 8, 2013 at 13:12
  • 1
    @DaveRook RAT = Remote Administration Tool. It can refer to legitimate tools to remotely administer computers, but lately it's more frequently referring to a specific type of trojan focused on allowing an attacker to remote into a target machine and completely control a computer. en.wikipedia.org/wiki/Remote_administration_software
    Commented Oct 8, 2013 at 13:42

1 Answer

2

While an MBR infection or some other low-level infection could have happened, it's very likely, for the most part, the RAT infection was pretty much the only thing that happened. Even if we assume that, it's safe to say the current installation cannot be used. Its only use is to back up personal files so those can be scanned on a separate clean system.

I would just reinstall the operating system if you confirmed it was infected with a RAT tool. Of course I highly suggest not reinstalling Windows XP because the exploit that allowed it to happen likely will never be patched.

3
  • I'd also note that it's best to pull files from backups - even data files (documents, etc.) on the machine can no longer be trusted without thorough inspection.
    – Bob
    Commented Oct 8, 2013 at 14:43
  • @Bob - I actually already mentioned this.
    – Ramhound
    Commented Oct 8, 2013 at 14:46
  • Ah, sorry. I didn't read it carefully enough.
    – Bob
    Commented Oct 8, 2013 at 14:54
