
> Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

> RKill - What it does and What it Doesn't - A brief introduction to the program
Grinler
post Apr 9 2010, 10:05 AM
Post #1





This topic was created to provide a very brief introduction as to what RKill does and to provide a way for people to report false positives of processes that are terminated. Even though false positives may occur, this should not be considered a problem as you can always launch the programs again or reboot your computer as no files are removed by running RKill. This topic is not to be used as a support topic for getting RKill to run or for removing specific malware. All information that I can provide on getting RKill to run will already be given in this topic and if you need help removing malware you can follow the steps here or ask in the Am I Infected? forum.

RKill is a program developed at BleepingComputer.com that was originally designed for use in our malware removal guides. It was created so that we could have an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.

So in summary, RKill just kills processes, imports a Registry file that removes incorrect file associations and fixes policies that stop us from using certain tools. Then it kills Explorer.exe so it will restart and enable some of the Registry changes. When done, RKill will then create a log listing all processes that were terminated while the program was running. Please note that this will include processes that were terminated manually by the user as well as RKill. Other than what is listed above, it does nothing else.

Since RKill only terminates processes, after running it you should not reboot your computer as any malware processes that are set to start automatically will just start up again. Instead, after running RKill you should scan your computer using your malware removal tool of choice. If there is a problem after running RKill, just reboot your computer and you will be back to where you started before running the program. Some great free tools that you can use to scan your computer after running RKill include MalwareBytes' Anti-Malware, SuperAntiSpyware, and Dr.Web CureIt.

RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed in order to allow it to run by certain malware.

When RKill is run it will display a console screen similar to the one below:



That console screen will continue to run until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill and while RKill was running.

Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected. Examples of these warnings are:



These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods that you can try to get past this and allow RKill to run are:
  1. When you receive the warning message, leave the message on the screen and try running RKill again.
  2. If that does not work, just keep launching RKill until it catches and stays up long enough to kill the malware.
Yes, both methods are not elegant, but they will work if you keep trying. Unfortunately, there is not much better I can do at this point for some malware that are very tenacious at killing all processes that run.

On a final note, when you download and run RKill, certain anti-virus programs may state that the program is a security risk. This is because some of the tools used by RKill can be used for good or bad, though the programs themselves are perfectly harmless, and most anti-virus programs just lump them into the bad category. I assure you we are using them only for good purposes :)

A scan from virustotal.com as of 8/5/10 shows the following AV vendors flagging RKill as:

CODE
McAfee    5.400.0.1158    2010.08.05    Artemis!9F7449B5BCF4
McAfee-GW-Edition    2010.1    2010.08.05    Heuristic.BehavesLike.Win32.ModifiedUPX.C
Sophos    4.56.0    2010.08.05    NirCmd


Please be assured that there are no Trojans or infections within RKill.

If you have any other questions about RKill, feel free to post them in the topic. Do not, though, ask questions about how to get RKill to run, unless you can provide a better method to get around the malware blocking it. Also please do not ask about how to remove specific malware. Those questions should be asked in the forums listed earlier in the topic.
Reason for edit: Updated VirusTotal Reports


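As an added illustration (not RKill's code, and not part of the original post), the kind of state described in the first post, incorrect file associations and policies that block certain tools, can be checked offline from a `reg export` text file. The three keys checked are well-known Windows locations chosen here as assumptions; the topic does not say which values RKill's Registry file touches, and the sample export is constructed.

```python
import re

# Defaults on a clean Windows install; registry paths are case-insensitive.
EXE_CLASS = r"HKEY_CLASSES_ROOT\.exe".lower()
EXE_OPEN = r"HKEY_CLASSES_ROOT\exefile\shell\open\command".lower()
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System".lower()

# Constructed sample of `reg export` text (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="secfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1).strip('"').lower(), m.group(2)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
        current[name] = data  # other types (hex:...) stay as raw text
    return keys

def audit(text):
    """Return findings for a changed .exe association and tool-blocking policies."""
    keys, findings = parse_reg(text), []
    exe_class = keys.get(EXE_CLASS, {}).get("@")
    if exe_class is not None and exe_class.lower() != "exefile":
        findings.append(f".exe maps to class {exe_class!r}, expected 'exefile'")
    command = keys.get(EXE_OPEN, {}).get("@")
    if command is not None and command != '"%1" %*':
        findings.append(f"exefile open command is not the default: {command}")
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if keys.get(POLICIES, {}).get(name.lower(), 0) != 0:
            findings.append(f"policy {name} is set for this user")
    return findings
```

Calling `audit(SAMPLE)` reports the changed `.exe` class and the `DisableTaskMgr` policy; a key that is absent from the export is treated as unset rather than flagged.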
fallendream
post Apr 9 2010, 10:15 AM
Post #2





I found starting up and logging into the guest account stopped these malwares from stopping things from opening in Windows se7en. Would this be a way to allow RKill to run and kill the processes for other users?
Grinler
post Apr 9 2010, 10:27 AM
Post #3





Another profile, or even safe mode, may bypass the restricting malware and make it so you do not even need to use rkill. Unfortunately, some of these start in some manner in safe mode as well. Even worse, some of these malware make it so you cannot even get into safe mode.


fallendream
post Apr 9 2010, 10:29 AM
Post #4





I see, thanks for that clarification.

-Joe.
techextreme
post Apr 9 2010, 10:43 AM
Post #5





Is it possible to know what processes RKill is killing directly, or would you rather that info stay in the blind so as not to get out to the malware writers?


--------------------
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca
Grinler
post Apr 9 2010, 10:57 AM
Post #6





What you said :)


Eric RBA
post Apr 9 2010, 12:02 PM
Post #7





Grinler, RKill is like nectar from technology heaven for me. I have spent a lot of time trying to figure out how to manually kill processes and malware issues with a little success here and there. In a moderately secured environment with 500+ government employees using Windows XP computers and surfing the net mostly in IE6 I have had to pull out more tools than I knew existed. This has helped tremendously. Thank you!

EricBH


--------------------
I would never ask a person to do something that I wouldn't do myself.
techextreme
post Apr 9 2010, 12:11 PM
Post #8





Understand :)

Thank you for a great tool.


--------------------
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca
TheGeeks
post Apr 9 2010, 02:07 PM
Post #9





Does RKill ever get updated?
Grinler
post Apr 9 2010, 02:25 PM
Post #10





Almost every day.


Eric RBA
post Apr 9 2010, 02:43 PM
Post #11





Excellent! Pardon my ignorance but does this mean that we'll need to download periodically?


--------------------
I would never ask a person to do something that I wouldn't do myself.
Grinler
post Apr 9 2010, 02:46 PM
Post #12





Yup, unfortunately there is no autoupdate.

To be safe, I would download it each time you use it, especially if a new rogue is out.


Maxstar
post Apr 10 2010, 05:37 AM
Post #13





Hi,

Is RKill compatible with all operating systems (x86 - x64)?


This post has been edited by Maxstar: Apr 10 2010, 05:38 AM
Grinler
post Apr 10 2010, 09:16 AM
Post #14





Yes, but with some loss of functionality in x64. With current malware this will not make a difference.


rpolunsky
post Apr 10 2010, 11:20 AM
Post #15





The download links for the exe and com files give a 404 message. Are they being updated?

© 2003-2010 All Rights Reserved Bleeping Computer LLC.