tRat Removal Guide

Do you know what tRat is?

You need to be cautious about emails carrying tRat because this malicious Trojan can open a Pandora’s Box of malware. This infection can be controlled remotely, and it can be used to download and execute malicious files, which makes it very versatile and unpredictable. Since this threat does not have an interface and pretty much runs silently, you might not learn about its presence until you deliberately inspect your operating system. The threat creates a file named “bfhost.lnk” in the Startup directory, and a file named “fhost.exe” is created in %APPDATA%\Adobe\Flash Player\Services\Frame Host\. You are unlikely to stumble upon these files randomly, but a legitimate malware scanner would have no trouble detecting them. These are the main files you need to get rid of if you want to have tRat deleted successfully. So, are you curious about the distribution of the Trojan, its malicious activity, and removal? Then keep reading.

Let’s start with the entrance of tRat because this malware has a very specific way of slithering into Windows operating systems. It was found that this remote access tool – which is what “rat” stands for – is usually executed by the victims themselves when they open corrupted spam email attachments. These attachments are introduced to them along with misleading messages, and that is not surprising because people have to be tricked into trusting them. The subject line of the message might be scandalous or alluring, and the message inside is completely false and misleading. The goal of the scam is to trick you into clicking an attached file. Once that is done, you are asked to enable macros, and that is something you should not do! If you are ever asked to enable macros, go back and remove the email ASAP. To trick you into taking the wrong move, the scam opens a window suggesting that the file was sent by TripAdvisor, that it is a harmless Word or Publisher file, and that it is protected by some antivirus tool. Do not fall for this trick.tRat Removal GuidetRat screenshot
Scroll down for full removal instructions

When you enable macros, you permit tRat to be downloaded onto your computer, which, of course, happens without your knowledge. The infection was created by a very experienced group (TA505) that is fully responsible for Dridex and Locky malware, which we have written about in the past. The creator of the infection waits for tRat to transfer some information about your computer, after which, they can send in commands and download malicious files. How the Trojan acts afterward is a mystery. Depending on the files executed, the Trojan can transform and be used in various kinds of ways. That could include spying on you, recording information, hijacking login credentials, etc. Unfortunately, if you found the RAT on your operating system, the chances are that other threats exist too. Whether or not they were downloaded by the Trojan itself, you need to remove everything that poses a danger to your security.

You can use the manual removal guide below to remove tRat from your operating system. This, of course, is not an ideal solution. You have other threats to think about, as well as your virtual security hereafter. Handling it all on your own can be too difficult, which is why implementing reliable anti-malware software is the best thing you can do for yourself and your operating system. Remember that tRat is not the only threat in the world. It is not even the only threat of its kind. If you want to make sure that you do not need to face remote access Trojans and other infections again, you need to safeguard your operating system now.

Delete tRat from Windows

  1. Tap Win+E keys at the same time to launch the Explorer window.
  2. Type %APPDATA%\Adobe\Flash Player\Services\Frame Host\ into the quick access bar and tap Enter.
  3. Delete the malicious Trojan’s file named fhost.exe.
  4. Delete a file named bfhost.lnk in the following directories:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  5. Empty Recycle Bin and then perform a full system scan to check if your system is clean.

In non-techie terms:

The malicious tRat is a very powerful instrument in the virtual hands of cyber criminals. Although this remote access Trojan is operated using two unique files, it was found that that is enough to initiate a very elaborate attack. Once this threat gets in, it can seriously jeopardize your virtual security, and we are sure that you want to avoid that. According to our malware research team, although Windows users should be able to delete tRat manually, employing anti-malware software to destroy this threat automatically is the right move. This software will not only clean your operating system from all existing threats but will also ensure that it is protected in the future. As long as you are protected, and you make sure to avoid spam emails, you should be fine on the virtual security front.