How to remove NetSupport Manager RAT

Also Known As: NetSupport Manager remote access tool
Type: Trojan
Damage level: Severe

What kind of software is NetSupport Manager?

The NetSupport Manager program is categorized as a Remote Access Tool (RAT). Like most programs of this type, it allow users to access computers, workstations, and servers locally and remotely. This is legitimate software that can be used by anyone, however, RATs are often misused by cyber criminals for malicious purposes, usually to steal various information.

NetSupport Manager recognized by virustotal as a threat

More about NetSupport Manager

Typically, cyber criminals use various ways to trick people into downloading remote access tools so that they can steal information/personal data and use it to generate revenue. NetSupport Manager is capable of monitoring systems and viewing all connected workstations in real time simultaneously.

In summary, it can be used to monitor computing activity and, additionally, to watch, share, and control the screen, mouse, keyboard of any connected computer. It can also record the screen and capture screenshots.

NetSupport Manager can be used to access system information such as Operating System, computer type, name of the country in which it is used, installed hardware and software, and many other details. Furthermore, this RAT can be used to transfer data/files between connected computers/workstations. Therefore, users can move files from one computer to another.

NetSupport Manager users are also offered some other features. As we mentioned above, these tools are often used by cyber criminals with malicious intent. If installed on a computer without users' knowledge, it can be used to steal personal information.

By controlling a computer and transfering files, cyber criminals might download and install malicious programs such as ransomware, high-risk Trojans, and other infections. Having programs of this type installed might cause data/financial loss and other problems.

Some of the installed programs might be capable of stealing logins and passwords of personal accounts (such as banking). Therefore, being tricked into installing RAT software can lead to serious problems relating to finances, privacy, and so on. If you believe that NetSupport Manager, or another tool of this type, was installed without your knowledge, remove it immediately.

Threat Summary:
Name NetSupport Manager remote access tool
Threat Type Remote access tool, trojan, spyware.
Detection Names (client32.exe)
DrWeb (Program.RemoteAdmin.837), Fortinet (Riskware/RemoteAdmin), Kaspersky (not-a-virus:RemoteAdmin.Win32.NetSup.i), Full List (VirusTotal)
Related Domain(s)
bl0kchain[.]review, bl0kchain[.]stream, bl0kchain[.]win, desjardinscourriel818654[.]pw, desjardinscourriel8as4363[.]pw, desjardinscourrielf36ws[.]pw, desjardinsmail6as6545g[.]pw, desjardinsmail6sa4524[.]pw lalka14881112[.]asyx[.]ru, otedehea[.]review
Symptoms Remote access tools allow criminals to remotely manipulate the system and perform various tasks without users' consent.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software cracks, bundling.
Damage Stolen banking information, passwords, identity theft, victim's computer added to a botnet, malware infections.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner
To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Examples of other RATs

There are a number of RATs available, and often they are legitimate tools. Some examples of other RATs are Orcus, Agent Tesla, Imminent Monitor, and CrimsonRAT. Note that cyber criminals often use these tools for malicious purposes (to steal information, cause computer infections, and so on).

How did NetSupport Manager infiltrate my computer?

Cyber criminals trick people into downloading and installing this tool using fake Google Chrome, Mozilla Firefox, Flash Player (and other) updaters. These programs are disguised as legitimate update tools, however, rather than downloading and installing updates, they download and install unwanted software, in this case the NetSupport Manager.

They also proliferate this RAT through the BGTrade application (its installer). In this way, they trick people into installing NetSupport Manager with the BGTrade app. Note, however, that cyber criminals often proliferate malicious programs through emails - they use malicious attachments disguised as harmless files.

Once opened, these attachments (MS Office documents, JavaScript files, executables, archives, and so on) download and install unwanted software. Additionally, they use dubious software download sources. Some examples of dubious download channels are unofficial websites, Peer-to-Peer networks, third party downloaders and other similar sources.

By downloading files using these tools, people often cause download and installation of unwanted software (including computer infections). Software cracking tools are used to bypass paid activation (illegally), however, they often download and install malicious programs.

How to avoid installation of malware?

Update software using implemented, official tools that are provided by software developers only. Download software from official websites and using direct links. Do not use the other channels mentioned above. Do not open attachments (or web links) that are presented in irrelevant emails or that are received from unknown, suspicious email addresses.

Avoid using software cracking tools, since this is a cyber crime and often causes computer infections. Have reputable anti-virus or anti-spyware software installed and enabled - this can detect harmful files before they do any damage. If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

Official website of BGTrade app which is used to promote NetSupport Manager:

BGTrade website used to promote NetSupport Manager

BGTrade app that is used to distribute NetSupport Manager:

NetSupport Manager distributed through BGTrade app

Update September 4th, 2019 - Cyber criminals have recently developed a malicious toolkit called Domen. This toolkit allows threat actors to hijack legitimate websites (at the time of research, most of hijacked websites were based on WordPress CMS) and inject them with a script that displays various fake update notifications. The level of Domen's sophistication is rather high.

It is designed to target both desktop and mobile users. Additionally, the fake update messages can be displayed in 30 different languages.

Now the list of fake update notifications includes browser updates (e.g., "You Are Using An Older Version Of Chrome"), Adobe Flash Player update (similar to this one), and an error claiming that website's content cannot be displayed due to a missing font and encouraging to update/download a font pack (e.g., "The PT Sans Font Wasnt Found").

The displayed update notifications completely overlay visited websites' content and encourage users to download the update immediately. However, the downloaded file is actually a malicious script which runs a number of shell commands that eventually download and install various malware.

At the time of research Domen was used to spread NetSupport Manager RAT. However, the situation may eventually change, especially when the same toolkit can be used by multiple cyber criminals.

Screenshot of a fake update notification ("You Are Using An Older Version Of Chrome") delivered using Domen toolkit:

Domen toolkit delivering fake update notifications to spread NetSupport Manager Rat

Screenshot of a malicious MS Excel document used to spread NetSupport Manager RAT:

NetSupport Manager RAT spreading MS Excel document

Update April 12th, 2022 - We have discovered that NetSupport Manager is a final payload in the Parrot TDS campaign. This campaign is used as a gateway for further malicious campaigns. One of the known campaigns is called FakeUpdate. In this campaign, cybercriminals use deceptive websites (sites claiming that some software is outdated) to trick visitors into downloading malicious code. NetSupport Manager is part of the second-phase payload delivered in the FakeUpdate campaign.

Update January 10, 2023 - Cyber criminals are spreading NetSupport Manager via fake Pokemon NTF card game website - pokemon-go[.]io (other URLs might be used as well). The site is presented as a great tool to both have fun playing and earn profits by winning NTFs.

Screenshot of the fake pokemon-go[.]io website:

Fake Pokemon card game website used to spread NetSupport Manager - pokemon-go[.]io

Screenshot of a fake AnyConnect download website spreading NetSupport Manager RAT:

NetSupport Manager RAT distributed as AnyConnect

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

Malware process running in the Task Manager

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

manual malware removal step 1Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Autoruns application appearance

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Run Windows 7 or Windows XP in Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Run Windows 8 in Safe Mode with Networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Run Windows 10 in Safe Mode with Networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

manual malware removal step 3Extract the downloaded archive and run the Autoruns.exe file.

Extract Autoruns.zip archive and run Autoruns.exe application

manual malware removal step 4In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Refresh Autoruns application results

manual malware removal step 5Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

Delete malware in Autoruns

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Search for malware and delete it

Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always it is best to prevent infection than try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My computer is infected with malware, should I format my storage device to get rid of it?

Usually, malware can be removed without formatting the storage device. A detailed removal guide is provided above.

What are the biggest issues that malware can cause?

It may lead to identity theft, financial losses, data encryption, decreased computer performance, further infections, and other issues. It depends on the type of malware.

What is the purpose of NetSupport Manager?

NetSupport Manager is a legitimate RAT. However, it can be misused for malicious purposes. Cybercriminals can use this RAT to monitor computing activity (spy on victims), access system information, and transfer files between computers/workstations. NetSupport Manager may be used to infect computers with other malware. In such cases, it could lead to financial losses, data encryption, identity theft, and other problems.

How did a malware infiltrate my computer?

Cybercriminals use phishing and other social engineering techniques (malicious emails, fake system warning messages, etc.) to trick users into executing malware. Also, computers get infected through malicious drive-by downloads, files downloaded via Peer-to-Peer networks, unofficial websites, and similar sources. In some cases, malware can spread via external hard drives, USB flash drives, etc.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner will scan your computer and remove malware from it. This antivirus software can detect almost all known malware. Computers infected with high-end malware must be scanned using a full scan. Otherwise, antivirus software may not detect high-end malware that hides deep in the operating system.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
NetSupport Manager remote access tool QR code
Scan this QR code to have an easy access removal guide of NetSupport Manager remote access tool on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

Download Combo Cleaner

Platform: Windows

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.