Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

RKill - What it does and What it Doesn't - A brief introduction to the program


  • Please log in to reply
827 replies to this topic

#1 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 09 April 2010 - 10:05 AM

This topic was created to provide a very brief introduction as to what RKill does and to provide a way a way for people to report false positives of processes that are terminated. Even though false positives may occur, this should not be considered a problem as you can always launch the programs again or reboot your computer as no files are removed by running RKill. This topic is not to be used as a support topic for removing malware. If you need help removing specific malware you can follow the steps here or ask in the Am I Infected? forum.

RKill is a program developed at BleepingComputer.com that was originally designed for the use in our virus removal guides. It was created so that we could have an easy to use tool that kills known processes and remove Windows Registry entries that stop a user from using their normal security applications. Simple as that. Nothing fancy. Just kill known malware processes and clean up some Registry keys so that your security programs can do their job.

So in summary, RKill just kills 32-bit and 64-bit malware processes and scans the registry for entries that would not allow you to run various legitimate programs. When scanning the Registry, Rkill will search for malicious Image File Execution Objects, DisallowRuns entries, executable hijacks, and policies that restrict your use of various Windows utilities. When changing Windows Registry entries it will create a backup of these entries and save them in the rkill folder on your desktop. Each registry backup will contain a time stamp so that the backups are not overwritten on subsequent runs of Rkill. For a list of changes in Rkill, please see the change log at the bottom of this post.

Since RKill only terminates processes and does not remove the offending files, when it is finished you should not reboot your computer. If you do, these malware processes that are set to start automatically, will just start up again. Instead, after running RKill you should scan your computer using your malware removal tool of choice. If there is a problem after running RKill, just reboot your computer and you will be back to where you started before running the program. Some great free tools that you can use to scan your computer after running RKill include MalwareBytes' Anti-Malware, SuperAntiSpyware, and Dr.Web CureIt.

RKill can be downloaded from the following location:

http://www.bleepingcomputer.com/download/rkill/

Please note that the other file names at the link above are RKill as well, but just renamed in order to allow it run by certain malware.

When RKill is run it will display a console screen similar to the one below:
 

rkill.jpg


That console screen will continue to run until it RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill and while RKill was running.

Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected. Examples of these warnings are:
 

antivirus-suite-infected.jpgsecurity-tool-alert.jpg


These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods that you can try to get past this and allow RKill to run are:
  • Rename Rkill so that it has a .com extension.
  • Download a version that is already renamed as files that are commonly white-listed by malware. The main Rkill download page contains individual links to renamed versions.
Rkill is currently detected as malware by 3 anti-virus companies. I have submitted the tool to them so that they can remove the listing. Unfortunately, though, false positives ocassionaly happen. I assue you that there is nothing malicious in Rkill and it only performs the tasks described above.

A scan from virustotal.com as of 08/22/12 shows the following AV vendors flagging RKill with false positives
 
Comodo UnclassifiedMalware 20120822
Kaspersky HEUR:Backdoor.Win64.Generic 20120822
TrendMicro-HouseCall TROJ_GEN.F47V0821 20120822
Also at least SuperAntiSpyware and MalwareBytes may target Rkill when you rename it to a reserved name like iexplore.exe, explorer.exe, winlogon.exe, etc. This is because they have definitions in place that throws a flag when these reserved filenames are used outside their normal path.

If you see these alerts when running Rkill, you can safely ignore the warnings and continue to allow the program to run.

If you have any other questions about RKill, feel free to post them in the topic. Do not, though, ask questions about how to get RKill to run, unless you can provide a better method to get around the malware blocking it. Also please do not ask about how to remove specific malware. Those questions should be asked in the forums listed earlier in the topic.


How to create a custom whitelist file for Rkill

Rkill 2.5.9 added a new white listing component for IT, Consultants, and Enterprise support who are finding some of their remote support or other applications are being terminated by Rkill. Using this feature you can specify a custom white list file that contains a list of processes that should not be terminated.

When creating this file it must be saved in either ANSI or UTF-8. The file should consist of a list of processes with each process being on their own line. Each process you want to whitelist must also be listed using the full path such as C:\Windows\System32\App1.exe. You can specify the whitelist file using the -w command line argument. Please note, there is no need to enclose paths with spaces in quotes. In fact quotes will cause the files not to be properly matched.

An example command to start rkill using a whitelist is:

rkill -w c:\users\user\desktop\wl.txt

When giving the name of the white list, you can also use some variables to make it easier. These are:

%SystemDrive% - This will expand to the drive letter that Windows is installed. Typically expanding to C:.
%WinDir% - Expands to the folder where Windows is installed. IE: C:\Windows
%System% - Expands to the System32 folder in Windows. IE: C:\Windows\System32
%Desktop% - Expands to the desktop folder for the currently logged in user.
%UserProfile% - Expands to the UserProfile folder.
%AllUsersProfile% - Expands to the All Users Profile folder.

An example whitelist file is as simple as:
 
c:\windows\app1.exe
c:\remote.exe
"c:\program files\test.exe"
When you run Rkill using a whitelist, it will state that White List mode is enabled and then display the logfile. If there are any issues with your white list file it will alert you. Last, but not least, is you use a whitelist, rkill will display a list of processes that matched the contents of your whitelist and that were ignored.


Changelog:

12/2/10:
  • Major rewrite of the program to be more effective.
  • Uses a white-list for displaying the processes that were killed. This is so it no longer shows itself as being killed and some other processes that were always displayed in Vista and Windows 7 even though Rkill didn't terminate them.
  • Cleaned up output.
3/1/11:
  • Rkill will fix modified batch file classes so that they can run as normal
3/4/11:
  • If Rkill detects a proxy, it will disable it and make a backup on the desktop as rk-proxy.reg.
05/18/12:
  • Rkill is now located at a new download link
07/30/12: Rkill version 2.0 is released.
This version contains many new features. These features can be found below.
  • Rewritten as a single executable.
  • Much much faster.
  • Better reporting:
    • Rkill now only lists those processes it actually terminates.
    • Writes all actions it takes and any results into rkill.txt log file on the desktop.
    • Details the registry keys it fixes. These are only some policies, executable associations, IFEO, and DisallowRun keys.
  • The ability to use Rkill without remote control apps being terminated. This has been tested with TeamViewer, VNC, and Logmein. If you use a custom application, I still suggest you create a folder for it rather than running it from a Userprofile.
  • Chrome is no longer terminated.
  • Can kill file impersonators found in any directory (svchost.exe, winlogin, etc)
  • Makes a registry backup of any IFEO, Proxy settings, DisallowRun, or Policies that it removes.
  • Has the ability to terminate 64-bit processes as well.
08/16/12: Rkill version 2.2 is released.
This version contains many new features and an important fix.
  • Missing digital signature detection on Windows files.
  • Scan services and reports damaged or missing entries.
  • Usermode ZeroAccess detection.
  • Fixed bug that could cause Rkill to trigger a reboot on machines with ZeroAccess installed.
08/16/12: Rkill version 2.2.1 is released.
  • Display possible patched files
08/21/12: Rkill version 2.3.0 is released.
  • Rewrote Windows Service integrity checks.
  • Added reporting for policies that disable System Restore, Automatic Updates, Windows Firewall, and Windows Defender.
  • Reports when necessary services are stopped.
09/07/12: Rkill version 2.3.8 is released.
  • Fix incorrect reports of services missing in Windows 7 Home Premium
  • Added Recycle Bin ZeroAccess Rootkit detection
09/19/12: Rkill version 2.4.1
  • Added HOSTS file enumeration.
  • Checks permission on the HOSTS file and resets it so that administrators can access it.
09/19/12: Rkill version 2.4.2
  • Will no longer issue a warning about the WinDefend service not running with Microsoft Security Essentials is installed.
  • Will no longer issue a warning about the presence of HKLM\SOFTWARE\Microsoft\Windows Defender "DisableAntiSpyware" when Microsoft Security Essentials is installed.
11/02/12: Rkill version 2.4.4
  • Enabled support for Windows 8.
01/16/13: Rkill version 2.4.6
  • More support for Windows 8.
05/27/13: Rkill version 2.5.0
  • Added Junction/Reparse Point detection for ZeroAccess and other malware.
  • Fixed an issue with the FontCache service not being detected properly due to more than one correct imagepath.
  • Cleaned up system file impersonator code
05/30/13: Rkill version 2.5.1
  • Fixed a bug where unsigned system files were being killed and causing Windows to go into a restart countdown. Unsigned system files are indicative of an issue, but they should not be terminated due to the restarting of Windows.
05/31/13: Rkill version 2.5.2
  • Fixed an issue with the msiserver service not being detected properly due to more than one correct imagepath.
06/03/13: Rkill version 2.5.2
  • Added -s, -l, and -h command line arguments. Use -h to see the help file and what each argument does.
07/12/13: Rkill version 2.5.5
  • Much better ZeroAccess file path detection
  • Better ZA reparse point detection
  • Replacement files for patched services will now show their md5 sum
06/19/14: Rkill version 2.6.7
  • Added more Image File Execution Options entries to be cleaned.
  • Modified one of the process termination routines to properly match processes running from non-standard Windows folder names

Edited by Grinler, 19 June 2014 - 11:31 AM.
Version 2.5.5


BC AdBot (Login to Remove)

 


#2 fallendream

fallendream

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 09 April 2010 - 10:15 AM

I found starting up and logging into the guest account stopped these malwares from stopping things from opening in windows se7en, would this be a way to allow rkill to run and kill the processes for other users?

#3 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 09 April 2010 - 10:27 AM

Another profile, or even safe mode, may bypass the restricting malware and make it so you do not even need to use rkill. Unfortunately, some of these start in some manner in safe mode as well. Even worse, some of these malware make it so you cannot even get into safe mode.

#4 fallendream

fallendream

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 09 April 2010 - 10:29 AM

I see, thanks for that clarification.

-Joe.

#5 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:02:09 AM

Posted 09 April 2010 - 10:43 AM

Is it possible to know what process rkill is killing directly or would you rather that info stay in the blind so not to get out to the malware writers?

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#6 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 09 April 2010 - 10:57 AM

What you said :thumbsup:

#7 Eric RBA

Eric RBA

  • Members
  • 252 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:State College, PA
  • Local time:01:09 AM

Posted 09 April 2010 - 12:02 PM

Grinler, RKill is like nectar from technology heaven for me. I have spent a lot of time trying to figure out how to manually kill processes and malware issues with a little success here and there. In a moderately secured environment with 500+ government employees using Windows XP computers and surfing the net mostly in IE6 I have had to pull out more tools than I knew existed. This has helped tremendously. Thank you!

EricBH
I would never ask a person to do something that I wouldn't do myself.

#8 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:02:09 AM

Posted 09 April 2010 - 12:11 PM

Understand :thumbsup:

Thank you for a great tool.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#9 TheGeeks

TheGeeks

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:09 PM

Posted 09 April 2010 - 02:07 PM

Does RKill ever get updated?

#10 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 09 April 2010 - 02:25 PM

Almost every day.

#11 Eric RBA

Eric RBA

  • Members
  • 252 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:State College, PA
  • Local time:01:09 AM

Posted 09 April 2010 - 02:43 PM

Excellent! Pardon my ignorance but does this mean that we'll need to download periodically?
I would never ask a person to do something that I wouldn't do myself.

#12 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 09 April 2010 - 02:46 PM

Yup, unfortunately there is no autoupdate.

To be safe, I would download it each time you use it, especially if a new rogue is out.

#13 Maxstar

Maxstar

  • Security Colleague
  • 33 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:09 AM

Posted 10 April 2010 - 05:37 AM

Hi,

Is rkill with all operating systems compatible (x86 - x64)

Edited by Maxstar, 10 April 2010 - 05:38 AM.

Posted Image

#14 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:09 AM

Posted 10 April 2010 - 09:16 AM

Yes, but with some loss of functionality in x64. With current malware this will not make a difference.

#15 rpolunsky

rpolunsky

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 10 April 2010 - 11:20 AM

the download links for the exe and com files give a 404 message. Are they being updated?




4 user(s) are reading this topic

0 members, 4 guests, 0 anonymous users