RKill - What it does and What it Doesn't - A brief introduction to the program


677 replies to this topic

#616 Grinler

Grinler

    Bleep Bleep!

  • Admin
  • 38,409 posts
  • Gender:Male
  • Location:USA

Posted 31 July 2012 - 10:03 AM

The beta is now in release. The download page (http://www.bleepingcomputer.com/download/rkill/) should be pushing the 2.0 version.


#617 quietman7

quietman7

    Bleepin' Janitor

  • Global Moderator
  • 26,112 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 July 2012 - 10:20 AM

You may want to put the version number in the description to avoid confusion.
Microsoft MVP - Consumer Security 2007-2013
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#618 Grinler

Grinler

    Bleep Bleep!

  • Admin
  • 38,409 posts
  • Gender:Male
  • Location:USA

Posted 31 July 2012 - 01:35 PM

Rkill will now show the version when you run it so that you can distinguish between the original version and the current 2.0 version.

#619 thisisu

thisisu

    U

  • Malware Response Team
  • 1,807 posts
  • Gender:Male
  • Location:USA

Posted 31 July 2012 - 01:43 PM

Rkill will now show the version when you run it so that you can distinguish between the original version and the current 2.0 version.

Thanks!

#620 quietman7

quietman7

    Bleepin' Janitor

  • Global Moderator
  • 26,112 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 July 2012 - 01:53 PM

:thumbup2:
Microsoft MVP - Consumer Security 2007-2013
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#621 Grinler

Grinler

    Bleep Bleep!

  • Admin
  • 38,409 posts
  • Gender:Male
  • Location:USA

Posted 31 July 2012 - 02:14 PM

Added a new routine for restarting Explorer. This routine is more graceful and should restore the notification icons when Explorer starts.

#622 ruudster101

ruudster101

    New Member

  • Members
  • 2 posts

Posted 04 August 2012 - 10:13 AM

Hi Grinler... Just found out about RKill.
Nice prog. Very useful.

When I'm running RKill on my Windows 7 Ultimate 64-bit it kills 2 processes... of which I'm sure they are harmless.
I have used those 2 progs (HotKeyPlus.exe and remark.exe) for years... they are safe and work just fine, never had a problem with them...
Very annoying of course... because I have to reboot to get them back...

Is there a fix maybe to this issue?




Here is the txt doc RKill displays:


Rkill 2.0.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/04/2012 04:58:01 PM in x64 mode.
Windows Version: Windows 7

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* C:\Users\Ruudster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HotKeyPlus.exe (PID: 3600) [UP-HEUR]
* C:\Users\Ruudster\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYQ5NWAA\remark.exe (PID: 872) [UP-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings.

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

* No issues found.

Restarting Explorer.exe in order to apply changes.

Program finished at: 08/04/2012 04:58:16 PM
Execution time: 0 hours(s), 0 minute(s), and 14 seconds(s)

#623 Grinler

Grinler

    Bleep Bleep!

  • Admin
  • 38,409 posts
  • Gender:Male
  • Location:USA

Posted 04 August 2012 - 10:48 AM

Executables are not meant to run from a user profile and definitely not from the Temporary Internet Files folder.

The best solution is to create a new folder on your hard drive to store these individual executables. For example, create a folder called C:\utilities and store all your executables in there. Then create shortcuts to them in your Startup folder or elsewhere to have them launch on startup.

This is not only organized, but won't cause programs like Rkill to terminate them. The other issue you may run into with the remark.exe program is that if you ever decide to clear up your temporary internet files, Windows/IE will attempt to remove that program.

#624 ruudster101

ruudster101

    New Member

  • Members
  • 2 posts

Posted 04 August 2012 - 11:12 AM

Thx Grinler for your fast reaction.

Maybe I'll just do that.

I found out it just needs a log-off and log-on to set things back the way they were.

#625 leidan

leidan

    New Member

  • Members
  • 3 posts

Posted 15 August 2012 - 09:00 AM

Hello. I am using the new version of RKill (v 2.0.3 I believe) and when it terminates the processes I get a System Shutdown from NT AUTHORITY\SYSTEM.

I could stop this with a shutdown -a from the run command but then everything is tragically slow and I can't seem to run much else.

Is there anything I should try?

The RKill log says that 8 processes were terminated:

C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe (five of these with different PID values)
C:\WINDOWS\system32\wbem\wmiprvse.exe

No issues were found in the registry and a SMTMP folder was found so a Fake.HDD spyware program was confirmed.

Leidan

#626 Grinler

Grinler

    Bleep Bleep!

  • Admin
  • 38,409 posts
  • Gender:Male
  • Location:USA

Posted 15 August 2012 - 09:28 AM

My guess is you are infected with ZeroAccess as well. A new version will be released soon to stop those services being terminated when you are infected with this.

Can you run this version and post the log:

http://download.bleepingcomputer.com/grinler/beta/rkill.exe

#627 leidan

leidan

    New Member

  • Members
  • 3 posts

Posted 15 August 2012 - 02:18 PM

Ok, so that seemed to work (though I'm not sure that it wasn't because I had put the code I found elsewhere into the File Recovery program I was infected with; doing this seemed to allow Malwarebytes to run and clean the system).

Still, the new version of RKill ran without the shutdown. Here is the log.


Rkill 2.1.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/15/2012 12:32:30 PM in x86 mode.
Windows Version: Windows XP

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* No malware processes found to kill.

Checking Registry for malware related settings.

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

* SMTMP folder detected. Your machine is or has been infected with the Fake.HDD rogue anti-spyware program. Please see this link for more information about this type of rogue: http://www.bleepingcomputer.com/forums/topic405109.html
* No issues found.

Searching for Missing Digital Signatures:

* C:\WINDOWS\explorer.exe [NoSig]
* C:\WINDOWS\System32\appmgmts.dll [NoSig]
* C:\WINDOWS\System32\browser.dll [NoSig]
* C:\WINDOWS\System32\comctl32.dll [NoSig]
* C:\WINDOWS\System32\comres.dll [NoSig]
* C:\WINDOWS\System32\cryptsvc.dll [NoSig]
* C:\WINDOWS\System32\csrss.exe [NoSig]
* C:\WINDOWS\System32\ctfmon.exe [NoSig]
* C:\WINDOWS\System32\d3d9.dll [NoSig]
* C:\WINDOWS\System32\ddraw.dll [NoSig]
* C:\WINDOWS\System32\dllhost.exe [NoSig]
* C:\WINDOWS\System32\dsound.dll [NoSig]
* C:\WINDOWS\System32\es.dll [NoSig]
* C:\WINDOWS\System32\eventlog.dll [NoSig]
* C:\WINDOWS\System32\hnetcfg.dll [NoSig]
* C:\WINDOWS\System32\imm32.dll [NoSig]
* C:\WINDOWS\System32\kernel32.dll [NoSig]
* C:\WINDOWS\System32\ksuser.dll [NoSig]
* C:\WINDOWS\System32\linkinfo.dll [NoSig]
* C:\WINDOWS\System32\lpk.dll [NoSig]
* C:\WINDOWS\System32\lsass.exe [NoSig]
* C:\WINDOWS\System32\mfc40u.dll [NoSig]
* C:\WINDOWS\System32\midimap.dll [NoSig]
* C:\WINDOWS\System32\msgsvc.dll [NoSig]
* C:\WINDOWS\System32\mshtml.dll [NoSig]
* C:\WINDOWS\System32\mspmsnsv.dll [NoSig]
* C:\WINDOWS\System32\msvcrt.dll [NoSig]
* C:\WINDOWS\System32\mswsock.dll [NoSig]
* C:\WINDOWS\System32\netlogon.dll [NoSig]
* C:\WINDOWS\System32\netman.dll [NoSig]
* C:\WINDOWS\System32\ntkrnlpa.exe [NoSig]
* C:\WINDOWS\System32\ntmssvc.dll [NoSig]
* C:\WINDOWS\System32\ntoskrnl.exe [NoSig]
* C:\WINDOWS\System32\ole32.dll [NoSig]
* C:\WINDOWS\System32\olepro32.dll [NoSig]
* C:\WINDOWS\System32\perfctrs.dll [NoSig]
* C:\WINDOWS\System32\powrprof.dll [NoSig]
* C:\WINDOWS\System32\qmgr.dll [NoSig]
* C:\WINDOWS\System32\rasadhlp.dll [NoSig]
* C:\WINDOWS\System32\regsvc.dll [NoSig]
* C:\WINDOWS\System32\rpcss.dll [NoSig]
* C:\WINDOWS\System32\scecli.dll [NoSig]
* C:\WINDOWS\System32\schedsvc.dll [NoSig]
* C:\WINDOWS\System32\services.exe [NoSig]
* C:\WINDOWS\System32\sfc.dll [NoSig]
* C:\WINDOWS\System32\sfcfiles.dll [NoSig]
* C:\WINDOWS\System32\shsvcs.dll [NoSig]
* C:\WINDOWS\System32\smss.exe [NoSig]
* C:\WINDOWS\System32\spoolsv.exe [NoSig]
* C:\WINDOWS\System32\srsvc.dll [NoSig]
* C:\WINDOWS\System32\ssdpsrv.dll [NoSig]
* C:\WINDOWS\System32\svchost.exe [NoSig]
* C:\WINDOWS\System32\tapisrv.dll [NoSig]
* C:\WINDOWS\System32\termsrv.dll [NoSig]
* C:\WINDOWS\System32\upnphost.dll [NoSig]
* C:\WINDOWS\System32\user32.dll [NoSig]
* C:\WINDOWS\System32\userinit.exe [NoSig]
* C:\WINDOWS\System32\usp10.dll [NoSig]
* C:\WINDOWS\System32\version.dll [NoSig]
* C:\WINDOWS\System32\w32time.dll [NoSig]
* C:\WINDOWS\System32\wiaservc.dll [NoSig]
* C:\WINDOWS\System32\wininet.dll [NoSig]
* C:\WINDOWS\System32\winlogon.exe [NoSig]
* C:\WINDOWS\System32\ws2_32.dll [NoSig]
* C:\WINDOWS\System32\ws2help.dll [NoSig]
* C:\WINDOWS\System32\wscntfy.exe [NoSig]
* C:\WINDOWS\System32\xmlprov.dll [NoSig]
* C:\WINDOWS\System32\drivers\acpiec.sys [NoSig]
* C:\WINDOWS\System32\drivers\aec.sys [NoSig]
* C:\WINDOWS\System32\drivers\agp440.sys [NoSig]
* C:\WINDOWS\System32\drivers\asyncmac.sys [NoSig]
* C:\WINDOWS\System32\Drivers\asyncmac.sys [NoSig]
* C:\WINDOWS\System32\drivers\atapi.sys [NoSig]
* C:\WINDOWS\System32\Drivers\atapi.sys [NoSig]
* C:\WINDOWS\System32\drivers\beep.sys [NoSig]
* C:\WINDOWS\System32\Drivers\beep.sys [NoSig]
* C:\WINDOWS\System32\drivers\ip6fw.sys [NoSig]
* C:\WINDOWS\System32\drivers\ip6fw.sys [NoSig]
* C:\WINDOWS\System32\Drivers\ipsec.sys [NoSig]
* C:\WINDOWS\System32\drivers\kbdclass.sys [NoSig]
* C:\WINDOWS\System32\Drivers\kbdclass.sys [NoSig]
* C:\WINDOWS\System32\drivers\ndis.sys [NoSig]
* C:\WINDOWS\System32\Drivers\ndis.sys [NoSig]
* C:\WINDOWS\System32\drivers\ntfs.sys [NoSig]
* C:\WINDOWS\System32\Drivers\ntfs.sys [NoSig]
* C:\WINDOWS\System32\drivers\null.sys [NoSig]
* C:\WINDOWS\System32\Drivers\null.sys [NoSig]
* C:\WINDOWS\System32\drivers\tcpip.sys [NoSig]
* C:\WINDOWS\System32\Drivers\tcpip.sys [NoSig]
* C:\WINDOWS\System32\wbem\wmiprvse.exe [NoSig]

Restarting Explorer.exe in order to apply changes.

Program finished at: 08/15/2012 12:32:49 PM
Execution time: 0 hours(s), 0 minute(s), and 18 seconds(s)

Sorry, not sure if I am any help here.

#628 Grinler

Grinler

    Bleep Bleep!

  • Admin
  • 38,409 posts
  • Gender:Male
  • Location:USA

Posted 15 August 2012 - 02:34 PM

Some of the issues I see present in the log, I have already fixed. I don't see why it would have rebooted your computer, but I have some further safety measures in place for the next release.

#629 leidan

leidan

    New Member

  • Members
  • 3 posts

Posted 15 August 2012 - 05:16 PM

Ok, hope I could be of some help.
You make a very useful tool and I am glad that it exists.

Leidan

#630 Grinler

Grinler

    Bleep Bleep!

  • Admin
  • 38,409 posts
  • Gender:Male
  • Location:USA

Posted 16 August 2012 - 09:02 PM

Version 2.2 of Rkill is released.

This version contains some new features and fixes some issues where running Rkill on a box with ZeroAccess installed would trigger a reboot.

The new features are:

1. Missing digital signature detection on Windows files.
2. Scans services and reports damaged or missing entries.
3. Usermode ZeroAccess detection.

An example log:

Rkill 2.2.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 08/16/2012 08:40:11 PM in x64 mode.
Windows Version: Windows 7

Checking for Windows services to stop.

 * No malware services found to stop.

Checking for processes to terminate.

 * No malware processes found to kill.

Checking Registry for malware related settings.

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.

 * ALERT: ZEROACCESS rootkit symptoms found!

     * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\ [ZA Dir]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\L\ [ZA Dir]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\L\00000004.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\n [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\ [ZA Dir]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\00000004.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\00000008.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\000000cb.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000000.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000032.@ [ZA File]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000064.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\ [ZA Dir]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\L\ [ZA Dir]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\L\00000004.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\L\201d3dde [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\n [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\ [ZA Dir]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\00000004.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\00000008.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\000000cb.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000000.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000032.@ [ZA File]
     * C:\Windows\installer\{10aa7b84-659b-5752-e27e-4d545101a798}\U\80000064.@ [ZA File]
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
     * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

Checking Windows Service Integrity: 

 * BFE [Missing Service]
 * BITS [Missing Service]
 * iphlpsvc [Missing Service]
 * MpsSvc [Missing Service]
 * WatAdminSvc [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]
 * SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures: 

 * C:\Windows\System32\services.exe [NoSig]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 09:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]

Program finished at: 08/16/2012 08:40:49 PM
Execution time: 0 hours(s), 0 minute(s), and 36 seconds(s)
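Two things in this thread lend themselves to automation when you are reading Rkill logs in bulk: the [UP-HEUR] reasoning Grinler gives in post #623 (executables launched from a user profile or the Temporary Internet Files folder get terminated, so the fix is to move them somewhere like C:\utilities), and the new 2.2 sections shown in the log above (ZeroAccess indicators, Windows service integrity, missing digital signatures with a possible replacement). The parser below is an added example written for this page; it is not Rkill's own code. The line patterns and section names are assumptions derived from the logs quoted in this thread, the user-profile path hints are a constructed approximation of the heuristic described here rather than Rkill's actual rule, and the sample log is assembled from lines quoted in the thread.

```python
import json
import re

# Line shapes taken from the Rkill logs quoted in this thread (an assumption
# about the format, not Rkill's own source).
PROCESS_RE = re.compile(r"^\*\s+(?P<path>.+?)\s+\(PID:\s*(?P<pid>\d+)\)\s+\[(?P<tag>[^\]]+)\]$")
FINDING_RE = re.compile(r"^\*\s+(?P<item>.+?)\s+\[(?P<tag>[^\]]+)\]$")
REPLACEMENT_RE = re.compile(r"^\+->\s+(?P<path>.+?)\s+:\s+(?P<size>[\d,]+)\s+:\s+(?P<date>.+?)"
                            r"\s+:\s+(?P<md5>[0-9a-fA-F]{32})\s+\[(?P<tag>[^\]]+)\]$")
SECTIONS = {  # header line -> section name
    "Checking for processes to terminate.": "processes",
    "Performing miscellaneous checks.": "misc",
    "Checking Windows Service Integrity:": "services",
    "Searching for Missing Digital Signatures:": "signatures",
}
# Path fragments that mark a per-user or temporary location. Constructed to mirror
# the [UP-HEUR] behaviour described in the thread; not Rkill's actual rule.
USER_LOCATION_HINTS = ("\\temporary internet files\\", "\\appdata\\", "\\users\\",
                       "\\documents and settings\\", "\\start menu\\programs\\startup\\")

def classify_location(path):
    """'user-profile' for profile/temp paths, 'system' under C:\\Windows, else 'other'."""
    low = path.lower()
    if any(hint in low for hint in USER_LOCATION_HINTS):
        return "user-profile"
    return "system" if low.startswith("c:\\windows\\") else "other"

def parse_rkill_log(text):
    """Walk the log section by section and collect every tagged finding."""
    report = {"processes": [], "zeroaccess": [], "services": [], "signatures": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        if not line.startswith(("*", "+->")):  # any other text ends the current section
            section = None
            continue
        if section == "processes" and (m := PROCESS_RE.match(line)):
            report["processes"].append({"path": m["path"], "pid": int(m["pid"]),
                                        "tag": m["tag"], "location": classify_location(m["path"])})
        elif section == "misc" and (m := FINDING_RE.match(line)) and m["tag"].startswith("ZA "):
            report["zeroaccess"].append({"item": m["item"], "tag": m["tag"]})
        elif section == "services" and (m := FINDING_RE.match(line)):
            report["services"].append({"name": m["item"], "tag": m["tag"]})
        elif section == "signatures" and (m := REPLACEMENT_RE.match(line)) and report["signatures"]:
            # A "+->" line names a possible clean copy of the unsigned file on the previous line.
            report["signatures"][-1]["replacement"] = {
                "path": m["path"], "size": int(m["size"].replace(",", "")),
                "md5": m["md5"].lower(), "tag": m["tag"]}
        elif section == "signatures" and (m := FINDING_RE.match(line)) and m["tag"] == "NoSig":
            report["signatures"].append({"path": m["item"], "replacement": None})
    return report

def summarize(report):
    """The counts a responder reads first: where killed processes lived, what the checks found."""
    return {
        "user_profile_kills": sum(p["location"] == "user-profile" for p in report["processes"]),
        "system_kills": sum(p["location"] == "system" for p in report["processes"]),
        "zeroaccess_indicators": len(report["zeroaccess"]),
        "missing_services": sorted(s["name"] for s in report["services"] if s["tag"] == "Missing Service"),
        "unsigned_with_replacement": [s["path"] for s in report["signatures"] if s["replacement"]],
    }

# Sample log assembled from lines quoted in this thread (constructed input).
SAMPLE_LOG = r"""
Checking for processes to terminate.
 * C:\Users\Ruudster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HotKeyPlus.exe (PID: 3600) [UP-HEUR]
 * C:\Users\Ruudster\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYQ5NWAA\remark.exe (PID: 872) [UP-HEUR]
2 proccesses terminated!
Performing miscellaneous checks.
 * ALERT: ZEROACCESS rootkit symptoms found!
     * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
     * C:\Users\User\AppData\Local\{10aa7b84-659b-5752-e27e-4d545101a798}\ [ZA Dir]
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
Checking Windows Service Integrity:
 * BFE [Missing Service]
 * BITS [Missing Service]
 * SharedAccess [Missing ImagePath]
Searching for Missing Digital Signatures:
 * C:\Windows\System32\services.exe [NoSig]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe : 328,704 : 07/13/2009 09:39 PM : 24acb7e5be595468e3b9aa488b9b4fcb [Pos Repl]
Program finished at: 08/16/2012 08:40:49 PM
"""

if __name__ == "__main__":
    print(json.dumps(summarize(parse_rkill_log(SAMPLE_LOG)), indent=2))
```

The summary separates user-profile kills (the HotKeyPlus.exe and remark.exe case, which the relocation advice in post #623 resolves) from kills under C:\Windows. A log where the terminated processes are services.exe, lsass.exe and svchost.exe, as in leidan's report earlier in this thread, falls into the second bucket, which is the situation Grinler attributed to a ZeroAccess infection and addressed in version 2.2.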




