Click on screenshot to zoom
Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediatelly
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


If you receive a threat called WSH RAT, your privacy could be at risk. As you see, the malware can employ specific malicious tools that may help it record various information about you; for example, what you type with your keyboard. Needless to say, if cybercriminals get their hands on data like your passwords, banking details, and so on, they could cause you a lot of troubles. Consequently, we recommend not to waste any time and remove WSH RAT immediately. Experienced users who wish to delete it manually could use the instructions we place below this article. As for those who do not have any experience with Trojans or malware alike, we highly recommend leaving this task to a chosen antimalware tool. Should you need more assistance or have anything else to ask about this malicious application, you can always leave us a comment at the end of this page.

In the rest of the article, we wish to talk more about the Trojan. First of all, we ought to start with its possible distribution channels. It is known that WSH RAT might be a new version of a threat known as Houdini or Hworm. Usually, such malicious applications are spread through obfuscated Javascript that could imitate various files, for example, text documents, pictures, etc. Our researchers say the threat’s developers could send such data to their targeted victims via email. Therefore, users who want to protect their system from similar malware should never open doubtful email attachments. There are a few things that are considered to be red flags in emails, such as grammatical mistakes, tone with intent to scare the reader, unnecessary words or random characters in a sender’s email address, and so on. Even if you feel curious, you should always take a couple of moments to inspect the message a file comes with as well as to scan the attachment in question with a reliable antimalware tool.

Next, we would like to explain what could happen if a system gets infected with WSH RAT. At first, the malicious application may need to create a few files. Our researchers say such data could be added in the following locations: %TEMP%, %APPDATA%, and %APPDATA%\Microsoft\Windows\Start Menu\Startup. Files created in the listed folders should have random names, and they could have either .exe or .js extension. Later on, the malware may start downloading additional malicious tools. Some variants may download a keylogger, email credential viewer, and a browser credential viewer or just one of them. Thus, WSH RAT could be able to collect user’s keystrokes, login credentials stored on a victim’s browser, and so on. The mentioned tools needed to perform these tasks could be disguised so that victims would not suspect them. For example, their launchers could be titled klplu.tar.gz, bpvpl.tar.gz, and similarly.

Another thing users who encounter this threat should know is that WSH RAT might have lots of versions. It appears hackers can purchase it for 50 US dollars per month from the Dark Web. It is possible that each buyer could personalize the malicious application. As a result, each separate version could gather different information, create different files, and so on. Note that the instructions located below this article were based on a sample that we tested, and they may not work for everyone.

We do not mean to say you should not use our provided deletion steps or try to erase WSH RAT manually at all. What we suggest is that you scan your computer with a reliable antimalware tool afterward to check if you were successful in removing the Trojan from your system. Of course, if you prefer using automatic features, you should not hesitate to use a chosen antimalware tool instead of following our provided instructions. Lastly, we would like to remind that while the Trojan was installed it could have reordered various valuable details and it would be a good idea to think about how to protect yourself in case the hackers do anything with them. For instance, if you think they may have obtained some of your passwords (which is likely as one of the tools it uses is a keylogger, and such malware can record keystrokes), it would be smart to change them.

Eliminate WSH RAT

  1. Click Ctrl+Alt+Delete.
  2. Choose Task Manager and select Processes.
  3. Find a process belonging to the threat.
  4. Mark it and click End Task.
  5. Exit Task Manager.
  6. Click Win+E.
  7. Find these locations:
  8. Look for the threat’s installer, right-click it, and press Delete.
  9. Then find these paths:
    %APPDATA%\Microsoft\Windows\Start Menu\Startup
  10. Search for malicious .js files with random names, right-click them, and press Delete.
  11. Check this folder: %TEMP%
  12. Look for a malicious file with either .exe or .js extension, right-click it, and choose Delete.
  13. Exit File Explorer.
  14. Press Win+R.
  15. Type Regedit and press Enter.
  16. Go to this path: HKLM\SOFTWARE\Microsoft\Windows\Current Version\Run
  17. Locate a value name belonging to the Trojan, right-click it and press Delete.
  18. Exit Registry Editor.
  19. Empty Recycle bin.
  20. Restart the system.


Download Spyware Removal Tool to Remove* WSH RAT
  • Quick & tested solution for WSH RAT removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.