How Do I Know if I Have the Blackshades RAT on My Computer?



Over 500,000 Windows computers worldwide are known to be infected with the Blackshades RAT (Remote Access Tool), a piece of malware often called "creepware". This means that if you have a Windows computer, or run Windows on your Mac, you need to check whether your computer has been infected with this silent privacy and security killer. The surest way is to check for any of the following files anywhere on your hard drive: dos_sock.bss, nir_cmd.bss, pws_cdk.bss, pws_chro.bss, pws_ff.bss, pws_mail.bss, pws_mess.bss

To search for these files (you must search for each name separately), click the Start menu and type the file name into the search box.

If you find even one of these files on your computer, the odds are high that your computer is infected with the Blackshades Remote Access Tool (RAT).


You can also search for a modification that Blackshades makes to the Windows registry. To do this, you will need to start the registry editor, regedit.exe. Once regedit is running, click “Edit” in the menu bar, select “Find” from the Edit menu, and search for the following string:


Computer\HKEY_CURRENT_USER\Software\VBandVBA Program Settings\SrvID\ID\

Or just a fragment of it, such as “SrvID”.

The presence of any of these modifications is evidence that Blackshades has been installed on your computer.
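Instead of one Start-menu search per file name, the whole check can be scripted. The following is an added example, not code from the article or from the Internet Patrol; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and that the drives to sweep are the local fixed disks.

```powershell
# Added example (not from the article): sweep the local fixed drives and the
# current user's registry hive for the Blackshades indicators the article lists.
# Assumes Windows PowerShell 5.1 or later, run from an elevated prompt so that
# system folders are readable.

# File names the article gives as Blackshades artifacts.
$IndicatorFiles = @(
    'dos_sock.bss', 'nir_cmd.bss', 'pws_cdk.bss', 'pws_chro.bss',
    'pws_ff.bss',   'pws_mail.bss', 'pws_mess.bss'
)

# 1. Search every fixed (local) drive. Filtering on *.bss at the provider
#    level keeps the walk fast; the exact-name match happens afterwards.
$driveRoots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

$fileHits = foreach ($root in $driveRoots) {
    Get-ChildItem -Path $root -Filter '*.bss' -Recurse -Force -File `
        -ErrorAction SilentlyContinue |
        Where-Object { $IndicatorFiles -contains $_.Name }
}

# 2. Look for the SrvID key the article describes. The article prints the
#    parent key as "VBandVBA Program Settings"; the key that VB6's SaveSetting
#    actually writes to is "VB and VBA Program Settings", so rather than
#    depend on the exact spelling, match a subkey named SrvID anywhere under
#    HKCU\Software (this also covers the article's "search for a fragment" tip).
$regHits = Get-ChildItem -Path 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq 'SrvID' }

# 3. Report. A hit on any indicator is grounds for the article's wipe-and-reload
#    advice; no hits does not prove the machine is clean, since these are only
#    the file and registry names this article knows about.
if ($fileHits -or $regHits) {
    Write-Output 'Blackshades indicators FOUND:'
    foreach ($f in $fileHits) { Write-Output "  file:     $($f.FullName)" }
    foreach ($r in $regHits)  { Write-Output "  registry: $($r.Name)" }
} else {
    Write-Output 'None of the listed Blackshades indicators were found.'
}
```

Run it from a fresh elevated PowerShell window; the file walk over a large drive can take several minutes.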

If you find that you likely have the Blackshades RAT on your computer, the FBI “highly recommends” that you “wipe your hard drive and reload your operating system” (even if your antivirus software claims to detect it), and immediately afterwards change all of your passwords (if you change your passwords beforehand, Blackshades may simply capture the new passwords). You can also change all of your passwords first from a non-infected computer, if that is an option for you.

While you may think that wiping your hard drive is a little extreme, especially if your antivirus software is up-to-date, even the people who intentionally purchased and used Blackshades are saying that the only way to get rid of it is to wipe your hard drive.



2 Replies to “How Do I Know if I Have the Blackshades RAT on My Computer?”

  1. Hi there, it's a nice paragraph concerning media print, we
    all understand media is an impressive source of information. math-problem-solver,
    This site was… how do you say it? Relevant!! Finally I
    have found something which helped me. Kudos!

  2. Hello,
    Thanks for the info.
    I had someone show me on command.exe – red/black ground data. Said it was Black Shades. Malware.
    Used all your techniques. Did not find any of the listed terms:
    To check for Blackshades RAT look for any of these files: dos_sock.bss, nir_cmd.bss, pws_cdk.bss, pws_chro.bss, pws_ff.bss, pws_mail.bss, pws_mess.bss.

    Any direction?
