Question: Am I still being RAT'ed?

Jun 14, 2019
I had Win10 about an hour ago, and it turned out a file I downloaded was a RAT. Shut down my PC, left it for like 10 minutes, and re-installed Windows 7 since I had no Win10 USB. Deleted and formatted all partitions, tried to make sure I got rid of it. Now I have 2 processes with no description running in the background. I'm aware they're Windows processes but I'm worried since they have no file path (open file location does nothing) and no description. Any guesses if I'm still infected or am I good?

Here's a screenshot. Sorry if this seems stupid, but I'm a very cautious person, so I just want to make sure. :)
 

gn842a

Honorable
Oct 10, 2016
CSRSS.exe is a normal Windows process (read link), as is, I would assume, the login function, though I didn't check that one. You did the right thing to get rid of the RAT, though I am wondering whether Malwarebytes or similar would have gotten it off.

In my system CSRSS shows in the 32 directory and there is no .exe file suffix. I'm showing two instances of client server runtime process in my task manager, where the name is in full. In the link I provided, he gives a screenshot, and his version, dated 2018, shows csrss.exe. So the .exe may have been dropped from the file name in my 2019 update 1903 version of Windows.

A search on csrss.exe gives a number of hits identifying it as a trojan, and there is an extensive discussion here. There are also many people in the comments noting that it is an essential file and removing it causes a BSOD. It looks like your best bet is to run Malwarebytes and some other reputed scan and hope for the best. The information out there is conflicting.

Good luck,
Greg N
 
Jun 14, 2019
CSRSS.exe is a normal Windows process (read link), as is, I would assume, the login function, though I didn't check that one. You did the right thing to get rid of the RAT, though I am wondering whether Malwarebytes or similar would have gotten it off.

Good luck,
Greg N

I found out what kind of RAT it was, highly undetectable (Qarallax), even Malwarebytes didn't pick it up. That's why I'm very worried rn about whether or not it's actually gone.
 

gn842a

I found out what kind of RAT it was, highly undetectable (Qarallax), even Malwarebytes didn't pick it up. That's why I'm very worried rn about whether or not it's actually gone.

I edited my post a couple of times so I don't know if you saw the whole thing.

These guys claim to be able to remove it and also give manual instructions. AFAIK formatting your hard drive and reinstalling OS should remove it, but I don't know its ability (or lack thereof) to reside on other drives that are connected.

Here's the link:

https://spyware-techie.com/qarallax-rat-removal-guide

Greg N
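
The point raised earlier in the thread, that the genuine csrss lives in the System32 directory, can be checked directly. The following is an added example and not part of any post here: a Windows PowerShell function (the name Test-SystemProcessPath and its parameters are made up for this illustration) that reports where each running csrss.exe was loaded from. It assumes Windows PowerShell 2.0 or later, as shipped with Windows 7, and is best run from an elevated prompt.

```powershell
# Added example, not from the thread. Reports the on-disk location of running
# processes with a given image name and compares it with %SystemRoot%\System32.
# Processes owned by SYSTEM normally show no path to a non-elevated session.
function Test-SystemProcessPath {
    param(
        # Image names to check; csrss.exe is the one named in the thread.
        [string[]]$Name = @('csrss.exe'),
        [string]$ExpectedDir = (Join-Path $env:SystemRoot 'System32')
    )

    # Work out whether this session is elevated, so a blank path can be explained.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    foreach ($proc in Get-WmiObject -Class Win32_Process) {
        if ($Name -notcontains $proc.Name) { continue }   # case-insensitive match

        $path = $proc.ExecutablePath
        if (-not $path) {
            if ($elevated) { $verdict = 'path not readable' }
            else           { $verdict = 'path not readable (session not elevated)' }
        }
        elseif ((Split-Path $path -Parent) -ieq $ExpectedDir) {
            $verdict = 'expected location'
        }
        else {
            # Same name, different directory: worth a closer look.
            $verdict = 'UNEXPECTED location'
        }

        New-Object PSObject -Property @{
            Name      = $proc.Name
            ProcessId = $proc.ProcessId
            ParentId  = $proc.ParentProcessId
            Path      = $path
            Verdict   = $verdict
        }
    }
}

Test-SystemProcessPath |
    Format-Table Name, ProcessId, ParentId, Verdict, Path -AutoSize
```

Other image names can be passed with -Name; a row marked UNEXPECTED means a process is using a system process name from outside System32.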
 