Help
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
This topic was created to provide a very brief introduction as to what RKill does and to provide a way a way for people to report false positives of processes that are terminated. Even though false positives may occur, this should not be considered a problem as you can always launch the programs again or reboot your computer as no files are removed by running RKill. This topic is not to be used as a support topic for getting RKill to run or for removing specific malware. All information that I can provide on getting RKill to run will already be given in this topic and if you need help removing malware you can follow the steps here or ask in the Am I Infected? forum.
RKill is a program developed at BleepingComputer.com that was originally designed for the use in our malware removal guides. It was created so that we could have an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.
So in summary, RKill just kills processes, imports a Registry file that removes incorrect file associations, removes and backs up proxy settings, and fixes policies that stop us from using certain tools. When done, RKill will then create a log listing all processes that were terminated while the program was running. Please note that this will include processes that were terminated manually by the user as well as RKill. I have whitelisted some processes that are commonly shown as being killed even though they weren't terminated by Rkill, including the program itself, to avoid confusion that a legitimate process was terminated. Other than what is listed above, it does nothing else.
Since RKill only terminates processes, after running it you should not reboot your computer as any malware processes that are set to start automatically, will just start up again. Instead, after running RKill you should scan your computer using your malware removal tool of choice. If there is a problem after running RKill, just reboot your computer and you will be back to where you started before running the program. Some great free tools that you can use to scan your computer after running RKill include MalwareBytes' Anti-Malware, SuperAntiSpyware, and Dr.Web CureIt.
RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed in order to allow it run by certain malware.
When RKill is run it will display a console screen similar to the one below:
That console screen will continue to run until it RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill and while RKill was running.
Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected. Examples of these warnings are:
These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods that you can try to get past this and allow RKill to run are:
On a final note, when you download and run RKill, certain anti-virus programs may state that the program is a security risk. This is because some of the tools used by RKill can be used for good or bad, though the programs themselves are perfectly harmless, and most anti-virus programs just lump them into the bad category. I assure you we are using them only for good purposes
A scan from virustotal.com as of 12/02/10 shows the following AV vendors flagging RKill as:
Please be assured that there are no Trojans or infections within RKill.
Also at least SuperAntiSpyware and MalwareBytes may target Rkill when you rename it to a reserved name like iexplore.exe, explorer.exe, winlogon.exe, etc. This is because they have definitions in place that throws a flag when these reserved filenames are used outside their normal path.
If you see these alerts when running Rkill, you can safely ignore the warnings and continue to allow the program to run.
If you have any other questions about RKill, feel free to post them in the topic. Do not, though, ask questions about how to get RKill to run, unless you can provide a better method to get around the malware blocking it. Also please do not ask about how to remove specific malware. Those questions should be asked in the forums listed earlier in the topic.
Changelog:
12/2/10:
3/1/11:
3/4/11:
RKill is a program developed at BleepingComputer.com that was originally designed for the use in our malware removal guides. It was created so that we could have an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.
So in summary, RKill just kills processes, imports a Registry file that removes incorrect file associations, removes and backs up proxy settings, and fixes policies that stop us from using certain tools. When done, RKill will then create a log listing all processes that were terminated while the program was running. Please note that this will include processes that were terminated manually by the user as well as RKill. I have whitelisted some processes that are commonly shown as being killed even though they weren't terminated by Rkill, including the program itself, to avoid confusion that a legitimate process was terminated. Other than what is listed above, it does nothing else.
Since RKill only terminates processes, after running it you should not reboot your computer as any malware processes that are set to start automatically, will just start up again. Instead, after running RKill you should scan your computer using your malware removal tool of choice. If there is a problem after running RKill, just reboot your computer and you will be back to where you started before running the program. Some great free tools that you can use to scan your computer after running RKill include MalwareBytes' Anti-Malware, SuperAntiSpyware, and Dr.Web CureIt.
RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed in order to allow it run by certain malware.
- RKill.com Download Link
- RKill.exe Download Link
- RKill.scr Download Link
- eXplorer.exe Download Link - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
- iExplore.exe Download Link
- WiNlOgOn.exe Download Link
- uSeRiNiT.exe Download Link
When RKill is run it will display a console screen similar to the one below:
That console screen will continue to run until it RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that were terminated by RKill and while RKill was running.
Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected. Examples of these warnings are:
These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods that you can try to get past this and allow RKill to run are:
- When you receive the warning message, leave the message on the screen and try running RKill again.
- If that does not work, just keep launching RKill until it catches and stays up long enough to kill the malware
On a final note, when you download and run RKill, certain anti-virus programs may state that the program is a security risk. This is because some of the tools used by RKill can be used for good or bad, though the programs themselves are perfectly harmless, and most anti-virus programs just lump them into the bad category. I assure you we are using them only for good purposes
A scan from virustotal.com as of 12/02/10 shows the following AV vendors flagging RKill as:
ClamAV 0.96.4.0 2010.12.02 PUA.Packed.PECompact-1 eSafe 7.0.17.0 2010.12.02 Suspicious File F-Prot 4.6.2.117 2010.12.01 File is damaged Sophos 4.60.0 2010.12.02 NirCmd
Please be assured that there are no Trojans or infections within RKill.
Also at least SuperAntiSpyware and MalwareBytes may target Rkill when you rename it to a reserved name like iexplore.exe, explorer.exe, winlogon.exe, etc. This is because they have definitions in place that throws a flag when these reserved filenames are used outside their normal path.
If you see these alerts when running Rkill, you can safely ignore the warnings and continue to allow the program to run.
If you have any other questions about RKill, feel free to post them in the topic. Do not, though, ask questions about how to get RKill to run, unless you can provide a better method to get around the malware blocking it. Also please do not ask about how to remove specific malware. Those questions should be asked in the forums listed earlier in the topic.
Changelog:
12/2/10:
- Major rewrite of the program to be more effective.
- Uses a whitelist for displaying the processes that were killed. This is so it no longer shows itself as being killed and some other processes that were always displayed in Vista and Windows 7 even though Rkill didn't terminate them.
- Cleaned up output.
3/1/11:
- Rkill will fix modified batch file classes so that they can run as normal
3/4/11:
- If Rkill detects a proxy, it will disable it and make a backup on the desktop as rk-proxy.reg.
This post has been edited by Grinler: 10 June 2011 - 05:01 PM
Reason for edit: Added proxy removal
Back to top
